In many SMEs, information security is built piece by piece: access rights are managed one way or another, backups mostly work, and instructions exist here and there. The problem surfaces when a customer asks for evidence, management wants an overview, or preparations for certification begin. Then a systematic way is needed to verify what is actually done and whether those activities meet the requirements of the ISO 27001 standard.
In this article, we walk you through how to practically audit your information security according to ISO 27001. You’ll get a clear step-by-step model, an audit checklist, a sample schedule, and the most common pitfalls to ensure your audit delivers more than just a pile of observations.
Prerequisites
- Defined scope: which business areas, locations, systems, and services the audit covers
- Assigned responsible person for coordinating the audit, such as IT manager, quality manager, or information security officer
- Access to key documents: risk assessment, information security policy, access control guidelines, incident handling, and supplier list
- At least 1–2 working days for preparation and 0.5–1 working days for the audit itself in a small organization
- Decision on how findings will be handled and corrective actions closed, for example in monthly management or information security reviews
What Does ISO 27001 Auditing Mean in Practice?
An audit is a systematic review that evaluates whether an organization’s information security management system (ISMS) meets the requirements of the standard and of the organization's own policies, and whether those policies match what is done in practice. It’s not just about reading documents. The audit compares three things:
- what you have decided to do
- what ISO 27001 requires
- what actually happens on a daily basis
A good audit answers at least the following questions:
- Have risks been identified and addressed?
- Are controls, i.e. protective practices, in place?
- Are agreed procedures consistently followed?
- Is there evidence of activities, such as logs, approvals, training records, or tickets?
- Are incidents responded to and processes improved?
From ISO 27001’s perspective, auditing is not a one-off project but part of continuous improvement. The standard requires internal audits at planned intervals rather than on a fixed calendar; in practice, this means internal audits should be conducted at least once a year, while high-risk areas like access rights or supplier management can be checked quarterly.
Note
ISO 27001 does not require that every control in the standard’s annex is implemented identically in all companies. Controls are selected based on your risk treatment and recorded, together with the justification for including or excluding each one, in the Statement of Applicability. The audit primarily assesses whether those choices are justified considering your own risk environment and whether the chosen controls work in practice.
What Should You Audit First?
If you try to check everything at once, the audit easily becomes overwhelming, and the most important things get lost. In an SME, it’s best to start with the areas where the risk is greatest or where customers most frequently request evidence.
A typical first audit round usually covers these 3–5 key areas:
| Area | What to Check | Example Evidence | Recommended Frequency |
|---|---|---|---|
| Access Rights Management | Granting, changes, removals | HR exit notifications, AD groups, tickets | Quarterly |
| Risk Management | Identified risks, treatment decisions, monitoring | Risk register, action list | Twice a year |
| Incident Management | Identification and handling of information security incidents | Incident tickets, root cause analysis | Quarterly |
| Supplier Management | Contracts, requirements, evaluations | DPAs, supplier assessments | Once a year |
| Backups and Recovery | Backups, test restores | Backup reports, recovery tests | 2–4 times a year |
Start by asking yourself: where would an error show quickest to the customer, business, or authorities? For example, if an employee's credentials remain active after employment ends, the former employee, or anyone who obtains those credentials, still has access to company systems. The audit should then verify that accounts are actually disabled or removed within 24 hours of departure, by comparing HR leaver dates against the directory's disable timestamps rather than relying on the process description alone.
What Kind of Evidence Does the Auditor Need?
One common misconception is that auditing is just document inspection. Documents are only the starting point: an ISO 27001 audit needs evidence that the agreed practices are actually carried out.
Collect evidence for the audit from at least these sources:
- policies and guidelines
- system logs and reports
- ticket or service management system entries
- training and onboarding records
- contracts and approvals
- interviews with responsible persons
- spot checks, such as reviewing 5–10 user accounts
For example, in access rights management, a policy saying “supervisor approves accounts” is not enough. The auditor checks a few actual cases: who requested, who approved, when the account was created and when it was removed. This quickly shows if the process is truly under control.
Tip
Select a small sample from each audit area, for example 3 incidents, 5 users, or 2 suppliers. A small but verifiable sample usually reveals much more than general discussions.
Define the Audit Scope and Objective
First, specify what you are auditing and why. In a small organization, a scope might be “access rights management and removal process” or “information security incident handling in the last 12 months.” Also record the audit criteria: ISO 27001 requirements, your own guidelines, and any customer demands.
Prepare a Checklist Based on the Standard and Your Operations
Create a practical checklist where each question leads to verifiable evidence. For example, has the risk assessment been updated within the last 12 months? Is there an assigned approver for access rights, and are removals made within agreed timeframes? Keep the list concise: 10–20 questions per audit area suffice for most SMEs.
Interview Responsible Persons and Verify Evidence
Conduct the audit with those who actually perform the work. Interview IT, HR, service owners, and management if needed. At the same time, verify documents, logs, and spot checks to avoid relying only on descriptions.
Document Findings Clearly and Classify Them
Divide findings into at least three categories: nonconformity, improvement opportunity, and strength. A good record states what was found, which requirement applies, the associated risk, and what should be done. For example: "In two out of five reviewed cases, user accounts were removed more than 72 hours after employment ended, while the target is 24 hours."
Agree on Corrective Actions, Owners, and Deadlines
An audit delivers value only when findings lead to changes. Assign a responsible person, action, and deadline to each nonconformity, e.g., 30 days for small fixes and 60–90 days for broader changes. Verify closure later with evidence, not just notifications.
Sample Audit Schedule for an SME
Breaking the audit into clear phases keeps the workload manageable. The model below works well for companies with 20–250 employees and a defined ISO 27001 scope.
| Week | Task | Responsibility | Goal |
|---|---|---|---|
| 1 | Define scope and schedule | Audit Lead | Scope and participants decided |
| 1 | Prepare checklist | Audit Lead | 10–20 audit questions |
| 2 | Collect documents | Area owners | Required evidence gathered |
| 2 | Interviews and spot checks | Auditor | Findings recorded |
| 3 | Reporting and classification | Auditor | Nonconformities and improvements identified |
| 4 | Agree on corrective actions | Management + owners | Responsibilities and deadlines set |
| 8–12 | Follow-up check | Audit Lead | Corrections closed or escalated |
If resources are limited, do 4 smaller audits per year rather than one large one. This allows time for findings to be addressed before the next round.
Common Mistakes in Auditing
Many audits fail for the same reasons. Do any of these sound familiar?
- Audit done only for certification, not as a management tool.
- Only documents are reviewed, practical implementation is not checked.
- Findings are written too vaguely without deadlines or owners.
- Auditor reviews only their own area without independent perspective.
- Trying to cover the entire standard at once, leaving important risks unaddressed.
A particularly common mistake is copying the checklist directly from a template. Then the audit fails to consider your own environment, such as cloud services, subcontractors, or remote work. ISO 27001 works best when the audit is linked to your risk assessment and business reality.
Warning
A common pitfall is noting observations vaguely as “process should be improved.” Such entries do not lead to action. Always document what is missing, where it was seen, how many cases were affected, and by when the correction will be made.
Should You Conduct the Audit Yourself or Use an External Party?
Internal audits can be conducted by your own team as long as sufficient independence is ensured. In practice, this means for example an IT manager should preferably not audit their own access control process alone but have another person involved, such as a quality manager, information security officer, or external expert.
The simple comparison below helps choose the right approach:
| Option | Suitable For | Benefits | Limitations |
|---|---|---|---|
| Internal Audit | When basic process exists | Cost-effective, fast, teaches organization | Blind spots, challenges in independence |
| External Audit | First round or preparing for certification | Objective perspective, benchmarking experience | Higher cost |
| Hybrid Model | SME wanting continuity | Internal team learns, expert coaches | Requires coordination |
For many SMEs, the most effective solution is the hybrid model: internal reviews are done regularly, and an external expert reviews the overall picture, for example, once a year. This keeps the audit light while ensuring quality is not left to internal opinions alone.
In a solution like Tietoturvapankki, the advantage is that the materials, responsibilities, and actions an audit requires stay in one place. This reduces the time otherwise spent searching for documents across folders, emails, and ticketing systems.
How to Make Auditing a Continuous Practice?
The best audit is not an annual panic exercise but part of normal management. When the rhythm is clear, auditing doesn’t feel like a separate project.
In practice, this can be done as follows:
- create an annual calendar with 4–6 checkpoints per year
- monitor at least 3 metrics, such as open incidents, delayed access removals, and completed trainings
- present findings in management reviews at least 1–2 times a year
- ensure corrective actions are closed with evidence, not assumptions
A small but effective set of metrics might look like this:
| Metric | Target | Monitoring Frequency |
|---|---|---|
| Access removals within deadline | 95% within 24 hours | Monthly |
| High-risk incident handling | 100% within 7 days | Monthly |
| Mandatory security training completion | 98% within 30 days | Quarterly |
| Open audit nonconformities | 0 critical, others on schedule | Monthly |
When metrics are visible, auditing changes from a retrospective check to proactive governance. This is precisely where ISO 27001 begins to deliver business value.
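As an added example (not code from the original article), the following Python script performs the access-removal spot check described in the findings example earlier ("two out of five reviewed cases ... more than 72 hours after employment ended") and computes the "access removals within deadline" metric from the table above. It goes slightly beyond the text by also handling two cases an auditor meets in practice: a leaver whose account is still enabled at audit time, and a leaver who appears in HR data but not in the directory export at all (no evidence, so no credit). The HR leaver list, the directory export, the 17:00 UTC departure time, and the audit date are constructed assumptions; in a real audit the two lists are exports from your HR system and your directory or identity provider.

```python
"""Access-removal spot check for an ISO 27001 internal audit.

Added example, not code from the original article. It reconciles an HR
leaver list with a directory export, measures how long each leaver's
account stayed enabled after departure, classifies each case, and
computes the "access removals within deadline" metric.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TARGET = timedelta(hours=24)   # deadline agreed in the access control policy
END_OF_BUSINESS = 17           # assumption: departure = 17:00 UTC on the last working day

# Constructed sample data, not real records. In practice the first list is an
# HR export and the second a directory/IdP export (AD, Entra ID, Okta, ...).
HR_LEAVERS = [
    # (username, last working day)
    ("alice", "2024-03-01"),
    ("bob",   "2024-03-08"),
    ("carol", "2024-03-15"),
    ("dave",  "2024-03-22"),
    ("erin",  "2024-03-29"),
    ("frank", "2024-04-05"),   # in HR data, but missing from the directory export
]
DIRECTORY_EXPORT = [
    # (username, enabled, disabled_at as ISO 8601 UTC timestamp or None)
    ("alice", False, "2024-03-01T17:30:00Z"),
    ("bob",   False, "2024-03-12T09:00:00Z"),
    ("carol", False, "2024-03-16T08:00:00Z"),
    ("dave",  True,  None),                     # never disabled
    ("erin",  False, "2024-03-30T08:00:00Z"),
]


@dataclass
class Finding:
    user: str
    status: str                   # "ok", "late", "open" or "unverified"
    delay_hours: Optional[float]  # hours from departure to disable (or to audit date)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def departure_time(last_working_day: str) -> datetime:
    """Assumed moment of departure: end of business on the last working day."""
    day = datetime.fromisoformat(last_working_day)
    return day.replace(hour=END_OF_BUSINESS, tzinfo=timezone.utc)


def hours(delta: timedelta) -> float:
    return round(delta.total_seconds() / 3600, 1)


def review_leavers(leavers, directory, as_of: datetime) -> list:
    """Classify every leaver. 'open' = still enabled at audit time;
    'unverified' = no directory record or no disable timestamp, so the
    timing cannot be evidenced from this export."""
    accounts = {user: (enabled, ts) for user, enabled, ts in directory}
    findings = []
    for user, last_day in leavers:
        departed = departure_time(last_day)
        if user not in accounts:
            findings.append(Finding(user, "unverified", None))
            continue
        enabled, disabled_at = accounts[user]
        if enabled:
            findings.append(Finding(user, "open", hours(as_of - departed)))
        elif disabled_at is None:
            findings.append(Finding(user, "unverified", None))
        else:
            delay = parse_ts(disabled_at) - departed
            findings.append(Finding(user, "ok" if delay <= TARGET else "late", hours(delay)))
    return findings


def removal_metric(findings) -> float:
    """Percentage of leavers evidenced as disabled within TARGET.
    Open and unverified cases count against the metric: no evidence, no credit."""
    if not findings:
        return 100.0
    ok = sum(1 for f in findings if f.status == "ok")
    return round(100.0 * ok / len(findings), 1)


def nonconformities(findings) -> list:
    """Everything that is not evidenced as on time goes into the audit report."""
    return [f for f in findings if f.status != "ok"]


def run_audit(as_of_iso: str) -> list:
    """Run the spot check on the constructed sample data as of a given date."""
    return review_leavers(HR_LEAVERS, DIRECTORY_EXPORT, parse_ts(as_of_iso))


if __name__ == "__main__":
    results = run_audit("2024-04-15T09:00:00Z")
    for f in results:
        print(f"{f.user:6} {f.status:10} delay_hours={f.delay_hours}")
    print(f"Removals within {TARGET}: {removal_metric(results)}% (target 95%)")
    print("Nonconformities:", [f.user for f in nonconformities(results)])
```

Each line of output is already in the shape a finding needs: which user, how late, and whether the account is still open. Counting unverified cases as failures is deliberate; an auditor cannot accept "the account is gone" without a timestamp or ticket showing when it went.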
Summary
- ISO 27001 audits compare requirements, your own practices, and day-to-day activities.
- Start with the 3–5 most critical risk areas such as access control, incidents, and backups.
- Always collect verifiable evidence: beyond documents, include logs, tickets, interviews, and spot checks.
- Document findings precisely and assign each corrective action an owner and deadline, e.g., 30–90 days.
- Make auditing a continuous practice with an annual calendar and clear metrics, not just for certification.
Need help with information security management?
Our experts are here to assist you.
