ISMS internal audit (draft)
ISO 27001 expects periodic internal audits of the ISMS. This page provides a minimal audit structure and templates.
| Field | Value |
|---|---|
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 0.1 |
| Last updated | 2025-12-24 |
| Review cadence | Annual (or on audit approach changes) |
1. Purpose
Assess whether the ISMS is:
- implemented as planned (process compliance)
- effective for the defined scope (risk and control coverage)
- maintained through improvement actions
2. Scope and criteria
- Scope follows the ISMS scope (draft).
- Criteria may include: ISO/IEC 27001 requirements, the Statement of Applicability (SoA), and internal policies/procedures.
3. Audit cadence (draft)
4. Independence (draft)
Audits should be performed by people who are sufficiently independent of the area being audited.
5. Minimal audit flow
- Plan the audit (scope, criteria, schedule).
- Collect evidence (documents, records, interviews).
- Record findings (conformities, nonconformities, observations).
- Report results and agree corrective actions.
- Verify effectiveness and close findings.
6. Audit plan (template)
| Field | Value |
|---|---|
| Audit period | |
| Scope | |
| Criteria | |
| Auditor(s) | |
| Auditees | |
| Output location | |