Methodology

ISO/IEC 27001 internal audit methodology

Risk-based and evidence-led approach: clear criteria, traceable evidence, and an output you can execute (not just archive).

Principles

We combine clause-based (management system) auditing against ISO/IEC 27001 clauses 4 to 10 with risk-based testing of selected Annex A controls, so the audit covers both whether the ISMS is operating and whether key controls actually work.

Risk-based planning

Focus on critical processes, assets, and control points that materially affect risk.

Evidence-first

Findings are grounded in verifiable evidence and clear audit criteria.

Actionable output

Practical recommendations and CAPA (corrective and preventive action) guidance that can be implemented, assigned, and tracked to closure.

Process

The steps below cover the full cycle: from scope and sampling to reporting and follow-up.

01
Kick-off & scope

Objectives, ISMS boundaries, criteria, and expected outcomes.

02
Planning & sampling

Audit program, tests, and risk-based sampling selection.

03
Evidence collection

Interviews, document/record review, and control testing.

04
Analysis & findings

Nonconformities graded by severity and tied to the audit criterion (clause or Annex A control) they fail, plus observations and opportunities for improvement.

05
Report & follow-up

Report, CAPA guidance, and follow-up verification that corrective actions were implemented and are effective before closure.

What you get (deliverables)
  • Audit program/plan + scope-based checklist
  • Evidence traceability (audit trail)
  • Report: findings, grading, evidence, and recommendations
  • CAPA guidance and follow-up approach to closure

Want to apply this methodology to your scope?

Share your ISMS scope, locations/processes, and goal (certification or annual internal audit program), and we will respond with a plan and quote.