A Day in the life of an ISO 27001 Internal Auditor Consultant


July 1, 2019 | Information Security


The inspiration for writing this blog comes from people who are interested in knowing what I do on a daily basis. This is based on my own experiences and it should be noted that other consultants may have a different typical day.

Today I start with a typical day of ISO 27001 Internal Audit.

What is an Internal Auditor (IA)?

An internal auditor (IA) is a trained professional employed by companies to provide independent and objective evaluations of financial and operational business activities, including corporate governance.

Here we go:

I have been up since 5.00am so that I can conquer the M25 traffic, urghh! I have a 3-hour journey ahead of me.

Pre-audit meeting


I arrive at the client’s site, park and make my way towards reception.

Why am I here?

The organisation has decided to certify and gain the ISO 27001 certification. Before the internal audit commences, I verify that the ISMS has been live for at least three months – well, you cannot audit nothing, can you?

My objective is to determine and understand the risks with regard to safety, and to observe and talk to personnel. I meet with the assigned auditees in the conference room.

I am joined by the IT Security Manager and the Managing Director to confirm the audit program; in this meeting we discuss the scope (planning, reporting (distribution of report) and follow-up), the timings and the audit procedures. Other aspects of the site visit include a review of the documentation and information relevant to the ISMS.

I confirm the plans for the audit activities and the departments and individuals who are responsible, and any follow-up actions are agreed. This gives me the ability to fully understand the culture of the organisation.


Conducting the internal audit


I assess that the organisation’s management system meets the ISO 27001 standard and verify that the objectives of the organisation are being met. I also ensure that the system meets the organisation’s legal and regulatory objectives.

  • I perform the audit using an internal audit checklist, and I use this form as a method to interview relevant personnel.
  • I use an observation form to record observations.
  • I record the audit findings I collected through examination of documentation, interviews and observations.
  • I evaluate the management system process and relevant controls according to the ISO 27001 standard.

Documents Review

11:00 am

I review the following documents:

  • Scope validity
  • Statement of Applicability (SOA) for the 114 controls in Annex A
  • Policies (Review of policies in line with A.5.1.2 and A.8.1.2)
  • Process descriptions and controls
  • Procedures
  • Work products
  • Evidence of conformity
  • Risk assessment, methodology and risk treatment plan; I further examine the risk tolerance levels of the organisation
  • Management Review
  • Roles and responsibilities and budgets
  • Competencies of personnel

Lunch 1.00pm

I take a walk to gather my thoughts and get some fresh air!! Bear in mind I have to make sure I have not left any confidential documents behind.


I observe the technologies that the organisation uses, for instance whether it involves legacy technologies, and this helps to correlate data.

Other considerations include any nonconformities and corrective actions:

  • Reports from internal and external audits.
  • Prepare evidence of continual improvements for instance dashboards, KPIs, trends and reports.
  • The findings’ outcomes: major nonconformity, minor nonconformity and improvements.
  • Root cause analysis and corrective actions.

I sample records and other documentation, and invite some personnel to the conference room for an interview. To gather more evidence, I also observe them whilst they carry out tasks.

4.00pm – Closing meeting

At the closing meeting I begin by thanking the participants for cooperating with the audit. I revisit the audit objectives and present the conclusions and recommendations.

  • I usually present the executive summary of the findings and the documented reports from the audit.
  • Any conformities and nonconformities are discussed, and I provide a step-by-step explanation of the nonconformities and the reasons why. This includes a description of the requirements where the nonconformity was detected and a description of the observed nonconformity.
  • I welcome questions from the auditees and discuss any outstanding issues.


I start drafting the report; the report will reference the scope, objectives, locations where the audit was conducted, conclusions, findings and opinions.

I also include in the report any recommendations, nonconformities and areas for improvement. I do not implement the solutions; I just report which areas need improvement.

I will distribute the report at a later date as agreed within the time scale to the relevant parties as listed in the audit plan.

Follow up

  • I will check whether any nonconformities have been addressed and whether the actions taken are effective.
  • Discuss alternatives if the nonconformities cannot be addressed.
  • Verify any corrective actions.
  • Close the audit if all the corrective actions have been implemented and signed off.


M25 here I come!


2 Responses

  1. J says:

    Thanks well written

  2. christie O says:

    Thank you I appreciate your feedback.
