A real-world case study showing how an MSP transformed scattered ISO 27001 controls into a structured internal audit program that passed smoothly.
On the surface, the MSP looked fine. The certificate was in place. Policies existed. The original certification audit had been passed. From the outside, it looked like the compliance program was running.
But as the surveillance audit approached, the internal picture told a different story. Controls were real, but evidence was scattered. Reviews had happened, but not consistently. Corrective actions had been discussed, but not always closed with proof. The issue was not whether the organization cared. The issue was whether the program was truly repeatable.
This is the story of how that MSP rebuilt its internal audit program, turned drift into structure, and gave the external auditor something far more convincing than a last-minute document hunt.
The company had earned its ISO 27001 certificate about eighteen months earlier. It served more than forty small and mid-sized clients and delivered the kind of services that naturally demand strong operational security: endpoint management, monitoring, incident response, and cloud administration.
Security was not a side concern for this MSP. It was central to the business. That is what made the state of the program more concerning once the vCISO began preparing for the surveillance audit.
None of this meant the controls were fake. In fact, many of them were operating in practice. But they were not operating inside a stable, evidence-backed system. The certificate had been earned through a hard push. After that, the program drifted.
That drift is one of the most common problems in MSP compliance environments. These are operationally intense businesses. Tickets, client requests, SLA pressure, platform changes, and staff turnover consume attention constantly. If a control has no clear owner, no recurring evidence rhythm, and no management follow-up, it will usually fade from view until an audit forces it back into focus.
Before changing anything, the vCISO stepped back and defined what a sustainable internal audit program should look like for an MSP of this size. The key point was simple: internal audit is not just the audit event. It is the operating model that makes the audit reliable.
The MSP had pieces of this model already. What it did not have was a single operating model that brought those pieces together consistently.
The first phase was not a full ISO 27001 implementation gap analysis. That had already been done in the earlier certification cycle. This time, the question was narrower and more practical: what does the internal audit program look like today, in real operation, and where exactly is it breaking down?
The vCISO reviewed policy currency, risk register status, evidence availability, prior internal audit quality, and the state of corrective action follow-through. This quickly revealed that the biggest issue was not the existence of documentation, but the freshness and retrievability of evidence.
| Review Area | What They Found | Why It Mattered |
|---|---|---|
| Policy review status | Five out of fourteen policies were overdue | Lapsed approvals weaken audit confidence |
| Risk register | Business changes were not reflected | The ISMS no longer matched current reality |
| Control evidence | Roughly 30 percent of controls lacked refreshed evidence | Controls existed, but operation was harder to prove |
| Prior internal audit | Report existed, but closure evidence was inconsistent | The corrective action process looked weak |
This phase ended with something very useful: a short, prioritized remediation plan. Not a theoretical wish list. A practical list of what had to be fixed before the internal audit could be trusted again.
Once the gaps were visible, the vCISO shifted the work from diagnosis to cleanup. The goal was not to make the program look tidy for one audit week. The goal was to rebuild the evidence base so it reflected real operation over the previous twelve months.
The five outdated policies were reviewed, updated where needed, and moved through a documented approval process. Each one now had a review date, a named owner, and a clear expectation for the next review cycle.
The risk register was reviewed with operational leadership and updated to reflect new client onboardings, new tools, and staff changes that affected access control and delivery risk. Risk ownership was also reconfirmed, which made the register more useful for management review later.
One of the more important fixes was access review. The MSP had reviewed internal access fairly well, but administrative access into client environments had not been governed with the same discipline. That is a common MSP blind spot. Operational access tends to be treated as routine delivery work, rather than something that also needs audit evidence.
A structured review was run for both internal systems and client-facing administrative access. Each review had a sign-off sheet and a consistent evidence format.
Critical suppliers were reviewed, lapsed entries were updated, and a standardized questionnaire replaced the mix of forms and email-based judgments that had built up over time. The supplier register became current again.
The MSP had been reviewing logs, but not consistently documenting that review. A simple sign-off template changed this. Within a month, the organization had a timestamped, repeatable log review trail that was much easier to show during audit.
Open findings from the previous audit cycle were revisited one by one. Actions that were truly finished got closure evidence attached. Actions that had drifted were reassigned, re-dated, and pushed back into active tracking.
Once the evidence base had been repaired, the internal audit could be run with confidence. For an MSP, this requires more care than a typical office-based ISMS because managed service delivery introduces a boundary question: where does the organization’s own ISMS stop, and where do the controls it applies on behalf of clients begin?
The audit was structured in three parts so that governance, control operation, and MSP-specific delivery risks were all reviewed clearly.
Each audit section documented the controls reviewed, the evidence examined, the conformity decision, and, where applicable, the finding statement, root cause, and corrective action.
The good news was that the rebuild had worked. The program was much stronger. The better news was that the remaining issues were narrow, specific, and fixable.
These were all recorded as minor nonconformities. None represented a major control failure. More importantly, each one had a root cause, an owner, a due date, and a defined closure path. All three were closed within thirty days of the report being issued.
Fixing one audit cycle is not the same as building a program. Once the internal audit was complete, the vCISO worked with the operations lead to create a durable operating cadence so the same drift would not happen again.
| Cadence | What Happens | Why It Helps |
|---|---|---|
| Quarterly | Access reviews, supplier register checks, corrective action review | Prevents evidence drift and missed ownership |
| Annual | Policy review, risk register update, internal audit, management review | Keeps the full ISMS cycle alive and current |
| Continuous | Evidence stored in a structured SharePoint library, organized by control and audit cycle | Makes retrieval fast and audit review smoother |
Control ownership was also clarified. Every ISMS control now had a named owner who understood that responsibility included not only doing the work, but keeping the evidence current and retrievable.
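The cadence table and the ownership rule above describe a check that can be run mechanically: for every control, is there a named owner, and is the most recent evidence younger than the control's review window? The script below is an added example, not code from the case study or the MSP, of such a drift check over a control register. It assumes the register is kept as structured records with an owner, a cadence and a last-evidence date; the control ids, owners, dates and the 91-day and 365-day windows are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review windows for the two cadences in the operating model. Expressing a
# cadence as a maximum evidence age is this example's assumption.
CADENCE_DAYS = {"quarterly": 91, "annual": 365}


@dataclass
class Control:
    control_id: str
    description: str
    owner: Optional[str]           # None models a control with no named owner
    cadence: str                   # "quarterly" or "annual"
    last_evidence: Optional[date]  # None models a control with no evidence on file


def evidence_due(control: Control) -> Optional[date]:
    """Date by which fresh evidence is expected, or None if nothing is on file."""
    if control.last_evidence is None:
        return None
    return control.last_evidence + timedelta(days=CADENCE_DAYS[control.cadence])


def find_drift(controls: list[Control], as_of: date) -> dict[str, list[str]]:
    """Group control ids by the kind of drift visible on the given date.

    overdue:     evidence exists but is older than the control's review window
    no_evidence: nothing is on file at all
    unowned:     no named owner, so nobody is accountable for refreshing evidence
    A control can appear in more than one list (for example, unowned and overdue).
    """
    overdue, no_evidence, unowned = [], [], []
    for c in controls:
        if not c.owner:
            unowned.append(c.control_id)
        due = evidence_due(c)
        if due is None:
            no_evidence.append(c.control_id)
        elif due < as_of:
            overdue.append(c.control_id)
    return {"overdue": overdue, "no_evidence": no_evidence, "unowned": unowned}


def stale_fraction(controls: list[Control], as_of: date) -> float:
    """Share of controls whose operation cannot currently be proven with fresh evidence."""
    drift = find_drift(controls, as_of)
    stale = len(drift["overdue"]) + len(drift["no_evidence"])
    return stale / len(controls) if controls else 0.0


# Constructed sample register: ids, owners and dates are invented for this example.
SAMPLE_REGISTER = [
    Control("access-internal", "Internal access review", "Ops lead", "quarterly", date(2025, 2, 15)),
    Control("access-client", "Client admin access review", None, "quarterly", date(2024, 10, 1)),
    Control("supplier-register", "Critical supplier review", "Procurement", "quarterly", date(2024, 11, 20)),
    Control("log-review", "Log review sign-off", "SOC analyst", "quarterly", date(2025, 3, 28)),
    Control("policy-review", "Policy review and approval", "vCISO", "annual", date(2024, 6, 1)),
    Control("risk-register", "Risk register update", "vCISO", "annual", date(2023, 12, 10)),
    Control("capa-review", "Corrective action review", "Ops lead", "quarterly", None),
    Control("mgmt-review", "Management review", "CEO", "annual", date(2024, 9, 15)),
]

# Reporting date for the sample run (constructed).
AS_OF = date(2025, 3, 31)

if __name__ == "__main__":
    result = find_drift(SAMPLE_REGISTER, AS_OF)
    for kind, ids in result.items():
        print(f"{kind}: {', '.join(ids) if ids else '-'}")
    print(f"controls without fresh evidence: {stale_fraction(SAMPLE_REGISTER, AS_OF):.0%}")
```

Run quarterly, this gives the operations lead the same picture the vCISO assembled by hand in the diagnostic phase: which controls have lapsed, which have nothing on file, and which have nobody accountable. The point is not the script itself but that the drift described in the case study becomes a measurable, recurring check rather than something discovered when the auditor asks.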
By the time the surveillance audit arrived, the experience felt very different from the prior year. Instead of chasing documents through inboxes and shared folders, the external auditor walked into a structured evidence environment.
The auditor reviewed the internal audit report, corrective action register, updated risk register, current policies, access review records, supplier assessments, management review minutes, and training records. The difference was not just that the documents existed. It was that they were current, connected, and easy to follow.
The MSP did not solve this by creating a huge volume of new documentation. It did not solve it by buying a new compliance platform. It solved it by changing the way internal audit was treated.
Before the rebuild, internal audit was an event. Controls were reviewed when needed. Evidence was gathered under pressure. Corrective actions were tracked loosely. After the rebuild, internal audit became a program. Controls had owners. Evidence had a cadence. Findings had closure proof. Leadership reviewed the results and made decisions based on them.
If you are an MSP working toward ISO 27001 or trying to maintain it, the patterns in this case are not unusual. Managed service environments introduce complexity that many generic implementation guides do not really address: client-environment access, service delivery controls, supplier dependencies, and changing evidence across a broad client base.
A checklist is not a program. A prior audit report is not a system. Certification is not maintenance. Internal audit is where these realities become visible.
If your internal audit is producing specific, evidence-backed findings and those findings are being closed properly, your next surveillance audit is much more likely to be calm. If internal audit is only being done because it has to be done, the external auditor will usually expose that weakness sooner or later.
An ISO 27001 certificate is earned once. The program behind it has to keep running.
The MSPs that maintain clean surveillance audits year after year are not relying on last-minute effort. They are running a system that is owned, scheduled, evidenced, and reviewed often enough that audit season feels like a checkpoint, not a rescue mission.
That is achievable. It is also a competitive advantage, because more clients are asking to see the program behind the certificate, not just the certificate itself.