ISO 27001 • Internal Audit • Certification Readiness • Audit Evidence • ISMS

Internal Audit Before Certification: What to Test Before Calling the External Auditor

Many organizations call the external auditor too early. A strong internal audit helps find gaps before certification, improve evidence quality, prepare control owners, and give leadership confidence before the external auditor arrives.

Quick Snapshot

Internal Audit Area What to Test Before Certification
ISMS Scope Is the scope clear, approved, and aligned with actual systems and services?
Risk Assessment Are risks identified, assessed, owned, treated, and reviewed?
Statement of Applicability Are control decisions justified and supported by evidence?
Policies and Procedures Are documents approved, current, communicated, and followed?
Annex A Controls Are selected controls implemented and evidenced?
Management Review Has leadership reviewed ISMS performance and decisions?

Why Internal Audit Matters Before Certification

Many organizations make the same mistake before ISO 27001 certification. They build policies, create a risk register, prepare the Statement of Applicability, collect some evidence, and then call the external auditor too early.

The result is predictable. The auditor finds gaps that should have been discovered internally. Evidence is incomplete. Control owners are not ready. Management review is weak. Corrective actions are still open. The certification timeline becomes stressful, expensive, and harder to manage.

An internal audit before certification is your final readiness test before an external certification body reviews your ISMS.

For growing companies, SaaS providers, MSPs, fintech firms, healthcare companies, AI startups, software companies, accounting firms, law firms, and SMBs, a strong internal audit can reduce certification risk and improve evidence quality.

Who This Guide Is For

  • SaaS companies preparing for ISO 27001 certification.
  • Canadian SMBs getting ready for their first external audit.
  • CTOs and IT managers responsible for audit evidence.
  • Compliance leads managing ISO 27001 implementation.
  • Founders and CEOs who need certification confidence.
  • Organizations using SharePoint or Microsoft 365 for ISMS evidence.
  • Companies that want to reduce certification audit surprises.

What Is an Internal Audit Before Certification?

An internal audit is an independent review of your ISMS against ISO 27001 requirements and your own policies, processes, and controls.

It should test whether:

the ISMS is designed properly
requirements are addressed
controls are implemented
evidence exists
owners understand responsibilities
risks are being managed
management is involved
issues are corrected

Practical rule: The internal auditor should not audit their own work. Independence matters.

What to Test Before Calling the External Auditor

1. ISMS Scope

The ISMS scope is one of the first things an external auditor will review. A weak scope creates problems throughout the audit.

What to Test Evidence to Review
Is the scope documented, approved, and aligned with real services, systems, people, and processes? ISMS scope document, organizational chart, system inventory, cloud diagrams, customer requirements, leadership approval record.

Practical rule: If the scope is vague, the entire certification audit becomes harder.

2. Context of the Organization

ISO 27001 expects organizations to understand internal and external issues, interested parties, and information security requirements. This section often gets treated too lightly.

  • Have internal and external issues been identified?
  • Are interested parties documented?
  • Are customer, legal, regulatory, contractual, and business requirements identified?
  • Are these requirements connected to the ISMS?
  • Has the organization reviewed changes in business context?

3. Leadership and Accountability

ISO 27001 requires leadership involvement. The internal audit should test whether leadership is actually engaged through decisions, approvals, ownership, resources, and management review.

Leadership Area Evidence to Review
Policy Approval Information security policy approval records.
Roles and Responsibilities ISMS owner, risk owner, and control owner matrix.
Objectives Security objectives, performance review, and action tracking.
Management Review Meeting minutes, decisions, risks, and follow-up actions.

4. Risk Assessment and Risk Treatment

Risk management is the core of ISO 27001. The internal audit should test whether risk work is complete, consistent, owned, reviewed, and actionable.

Evidence to review:

risk assessment methodology
risk register
risk treatment plan
risk acceptance approvals
risk review history
control mapping

Practical rule: A risk register should drive control decisions, not sit unused in a spreadsheet.

Need an Independent ISO 27001 Internal Audit?

Canadian Cyber helps organizations perform independent ISO 27001 internal audits before certification so gaps are found before the external auditor arrives. For senior advisory support, you can also view Waqar Mehboob’s profile.

5. Statement of Applicability

The Statement of Applicability, often called the SoA, is one of the most important ISO 27001 documents. It explains which Annex A controls apply, which do not, and why.

What to Test Audit Concern
Is every Annex A control addressed? Missing controls create audit risk.
Are inclusion and exclusion justifications clear? Weak justifications may create findings.
Are selected controls linked to risks? Controls should connect to risk treatment.
Is evidence available for implemented controls? The SoA should match reality.

The SoA should not say a control is implemented unless evidence supports that claim.

6. Policy and Procedure Review

Policies should be approved, current, communicated, and followed. Internal audit should test both document control and real implementation.

Policy areas to review:

information security policy
access control policy
asset management policy
incident response policy
supplier security policy
backup policy
business continuity policy
secure development policy
data classification policy
remote work policy

Practical Annex A Control Testing Table

Control Area What to Test Evidence Examples
Access Control MFA, joiner/mover/leaver process, access reviews. MFA reports, access review sign-offs, offboarding tickets.
Asset Management Asset inventory and ownership. Device list, cloud asset inventory, owner records.
Supplier Management Critical vendor reviews. Vendor register, SOC 2 reports, DPAs, review records.
Incident Management Incident response process and testing. IR plan, tabletop report, incident log.
Backup and Recovery Backup operation and restore testing. Backup reports, restore test evidence.
Logging and Monitoring Alerts and log review. SIEM or EDR alerts, monitoring review records.
Secure Development Code review, change approval, vulnerability management. Pull requests, change tickets, scan reports.
HR Security Screening, onboarding, training, offboarding. Training records, onboarding checklist, termination evidence.
Cloud Security Admin access, backups, monitoring, configuration. Cloud screenshots, admin review, ISO 27017 evidence.

Evidence Quality and Traceability

Poor evidence creates audit delays. The internal audit should test evidence quality before the external auditor asks for it.

Evidence Quality Question Yes / No
Does the evidence have a clear file name?
Is it mapped to a control or requirement?
Does it show the relevant date or period?
Is the owner identified?
Is it approved or reviewed where needed?
Is confidential information protected?
Is it stored in the correct library or folder?
Can it be shown to an auditor confidently?

Practical rule: Audit evidence should be easy to find, easy to understand, and easy to connect to the control being tested.

Internal Audit Interviews

Internal audit should not only review documents. It should include interviews with control owners and process owners.

People to Interview Questions to Ask
Leadership, ISMS owner, IT manager, security lead, HR, vendor owner, operations, engineering, support, privacy, legal, risk owners, and control owners. What controls do you own? Where is your evidence stored? How often do you review access? How do you report incidents? How are vendors reviewed? What corrective actions are open?

Management Review Readiness

Management review is a required part of the ISMS. It should not be created at the last minute. It should show leadership decision-making, not just attendance.

Evidence to review:

management review agenda
meeting minutes
attendance record
risk updates
audit results
incident summary
corrective action tracker
leadership decisions

Corrective Actions and Nonconformities

Internal audit should produce findings. Those findings should be tracked, assigned, resolved, and verified.

Corrective Action Field Purpose
Finding ID Unique reference.
Finding Type Major, minor, observation, or OFI.
Requirement Clause or control reference.
Root Cause Why it happened.
Action Plan What will be done.
Owner and Target Date Accountability and deadline.
Closure Evidence Proof of correction.
Verification Confirms effectiveness.

Do not call the external auditor while critical corrective actions are still unresolved.

Internal Audit Readiness Checklist

Readiness Item Ready?
ISMS scope is approved and clear.
Context and interested parties are documented.
Information security policy is approved.
Roles, responsibilities, risk owners, and control owners are assigned.
Risk assessment methodology is documented.
Risk register is complete and reviewed.
Statement of Applicability is complete and accurate.
Policies and procedures are approved and current.
Annex A controls are implemented and evidenced.
Evidence is stored centrally and mapped to controls.
Internal audit findings are tracked.
Management review is completed and documented.
Corrective actions are closed or clearly managed.

Common Mistakes to Avoid

  • Treating internal audit as a form. A weak checklist audit may miss issues that the external auditor will later find.
  • Auditing too late. If internal audit happens right before certification, there may not be enough time to close findings.
  • No independent auditor. The person who built the ISMS should not be the only person auditing it.
  • Ignoring evidence quality. Weak evidence can create audit findings even when controls exist.
  • No interviews. Document review alone is not enough. Interviews show whether owners understand responsibilities.
  • Weak management review. Management review should show decisions, performance review, risks, and improvement actions.
  • Calling the external auditor with open major gaps. Known major issues should be fixed before certification whenever possible.

How Canadian Cyber Helps

Canadian Cyber helps organizations prepare for ISO 27001 certification through independent internal audits, readiness reviews, evidence checks, and practical remediation planning.

We help companies move from scattered documents and uncertainty to structured audit readiness.

Canadian Cyber can support:

ISO 27001 internal audits
ISO 27001 implementation support
certification readiness reviews
gap assessments
risk assessment review
Statement of Applicability review
Annex A control testing
evidence quality review
management review preparation
corrective action tracking
vCISO services
ISMS SharePoint implementation

SharePoint ISMS for Internal Audit Readiness

Canadian Cyber’s ISMS SharePoint Solution can help organize policy libraries, risk registers, control registers, Statement of Applicability evidence, asset registers, vendor registers, access review evidence, incident response records, internal audit workspaces, finding trackers, corrective action trackers, management review dashboards, and auditor-ready evidence views.

This helps internal auditors, control owners, leadership, and external auditors work from a single structured evidence system.

Senior Advisory Support

For organizations that need senior guidance around ISO 27001 certification readiness, internal audit preparation, ISMS strategy, vCISO oversight, and cybersecurity governance, Canadian Cyber also provides advisory support.

View Waqar Mehboob’s Profile

Frequently Asked Questions

Is an internal audit required before ISO 27001 certification?

Yes. An internal audit is part of ISO 27001 requirements and should be completed before certification. It helps verify whether the ISMS is implemented and effective.

Who should perform the internal audit?

The internal audit should be performed by someone competent and independent from the area being audited. This can be an internal person who did not perform the work being audited or an external internal audit provider.

What should an ISO 27001 internal audit test?

It should test the ISMS scope, risk assessment, Statement of Applicability, policies, Annex A controls, evidence, management review, corrective actions, and whether processes are actually followed.

How long before certification should internal audit happen?

Internal audit should happen early enough to allow time for corrective actions. Many organizations plan it several weeks before the external certification audit, depending on scope and maturity.

What happens if internal audit finds gaps?

Gaps should be documented as findings, assigned to owners, given target dates, corrected, and verified. Serious gaps should be addressed before calling the external auditor.

Can Canadian Cyber perform an independent ISO 27001 internal audit?

Yes. Canadian Cyber can perform independent ISO 27001 internal audits, review evidence, test controls, identify findings, and help prepare corrective action plans before certification.

Takeaway

An internal audit before certification is your opportunity to find problems before the external auditor does. It should test the real ISMS, not just the documents.

Before calling the external auditor, make sure your scope, risks, Statement of Applicability, policies, controls, evidence, management review, and corrective actions are ready.

A strong internal audit can reduce certification stress, improve evidence quality, strengthen governance, and give leadership confidence.

Preparing for ISO 27001 Certification?

Canadian Cyber can help you test readiness before the external auditor arrives. We provide ISO 27001 internal audits, certification readiness reviews, evidence checks, corrective action planning, vCISO support, cybersecurity assessments, incident response tabletop exercises, and SharePoint ISMS implementation inside Microsoft 365. You can also learn more about senior advisory support through Waqar Mehboob’s profile.

Stay Connected With Canadian Cyber

Follow Canadian Cyber for practical guidance on ISO 27001 internal audits, certification readiness, ISO 27001 implementation, SOC 2, ISO 42001, ISO 27017, ISO 27018, SharePoint ISMS, audit evidence, and vCISO support.