
ISO/IEC 27001 internal audit

Independent assessment of your ISMS and control effectiveness, with evidence-led findings and a practical improvement plan.

Evidence-led findings, risk-based sampling, traceable evidence, CAPA + follow-up.

What’s included

Risk-based planning

Scope, criteria, key processes, and controls selected based on risk.

Sampling and testing

Risk-based sampling and test procedures aligned to control criticality.

Findings and grading

Nonconformities and improvements backed by clear evidence and rationale.

Report and CAPA guidance

Recommendations, prioritization, corrective action guidance and follow-up verification.

Helpful inputs to prepare

To run a fast and accurate audit, we typically request the following inputs:

  • ISMS scope: boundaries, locations, processes, key systems
  • Risk assessment / risk treatment (current versions)
  • Statement of Applicability (SoA) + control status
  • Key suppliers list and critical dependencies
  • Policies/procedures and representative evidence samples

Typical timeline

The duration depends on scope and number of locations/processes. A typical cycle looks like:

  1. Kick-off (0.5–1h): objectives, scope, criteria, schedule, points of contact.
  2. Planning & sampling (1–2 days): test selection and sampling based on risk/criticality.
  3. Fieldwork (2–5 days): interviews, evidence review, control testing, traceability.
  4. Report (1–2 days): findings, evidence, grading, recommendations and next steps.
  5. Follow-up (as agreed): CAPA guidance and corrective action verification.

Finding grading (example)

Major nonconformity

A significant failure, a missing or ineffective control, or a systemic issue that can compromise ISMS objectives.

Minor nonconformity

A limited deviation that does not appear systemic but still requires corrective action.

OFI (Opportunity for improvement)

No formal nonconformity, but a clearly justified improvement opportunity.

Deliverables

  • Audit program/plan + scope-based checklist
  • Evidence traceability (audit trail)
  • Report: findings, grading, evidence, recommendations
  • CAPA guidance + follow-up approach to closure

FAQ

Can the audit be remote?

Yes—fieldwork is often remote if we can access records/systems and interview stakeholders.

How much time do you need from our team?

Typically 2–6 interviews of 30–60 minutes plus access to representative evidence samples.

Do you cover Annex A controls?

Yes—we combine clause-based auditing with risk-based testing of key Annex A controls.

What do we get at the end?

A report with grading, evidence, recommendations and CAPA guidance (plus follow-up if needed).

Want to start with scope and a plan?

Share your ISMS scope, locations/processes, and goal (certification or annual program).