Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Back to Knowledge & Insights

Your Internal Audit Checklist

Your ISO/IEC 27001:2022 Internal Audits plays a significant role in ensuring the effectiveness of your ISMS:

  • Compliance Verification: Ensures that your ISMS aligns with the standards requirements.
  • Identification of Non-Conformities: Identifies non-conformities from your information security policies, procedures, or controls.
  • Continuous Improvement: Matures your ISMS to strengthen your overall information security posture.
  • Risk Management: Evaluates the effectiveness of your risk assessment and management processes.
  • Validation of Controls: Assesses the effectiveness of your applicable controls.
  • Management Review Support: Offer insights into the performance of your ISMS.
  • Demonstration of Commitment: Proactive approach to maintaining and improving your ISMS.
  • Preparation for External Audits: Assessing and addressing issues internally, you are better equipped to pass external audits with fewer non-conformities.
  • Employee Awareness and Training: Engaging employees in the process helps raise awareness and encourages a culture of security.

An internal audit should accurately assess your business’s operations, controls and risks, with a view to achieving compliance and taking steps towards better information security.

Your internal audit can be quickly and methodically carried out by a member of your organisation using the Hicomply Audit tool, saving you around £4,000.

As well as identifying what needs to be done before you can claim certification, an internal audit also highlights what’s needed to improve your business activities overall. It also has the added benefit of encouraging optimisation, long-term cost savings, and even improving the customer experience.

So what should your internal audit include? Let us explain.


Completing the scope of an internal audit means defining its boundaries and focus, ensuring it aligns with your business objectives and cybersecurity goals. A well-defined scope encompasses all critical areas of your operations, including IT infrastructure, data management, and employee protocols.

Data Asset Register

A Data Asset Register is a catalogue of all the data assets within your organisation, outlining where they are stored, how they are used, and who has access to them. A thorough and up-to-date register will give you a much better grasp of the value and sensitivity of your data, as well as helping you to identify potential vulnerabilities and implement effective safeguards.

Risk assessment and treatment plan

Risk assessment involves identifying potential threats and evaluating the likelihood and impact of them, as well as developing strategies to mitigate them. Regular updates and reviews are also necessary in helping you adapt to evolving cyber threats.

Policies and procedures

Maintaining a secure environment relies heavily on your ability to develop and enforce clear policies and procedures. These documents should outline standards and practices for your employees to follow in order to protect sensitive information and systems, covering areas like password management, data encryption, and incident response. As with treatment plans, regularly reviewing and updating your policies ensures they remain effective and compliant.

Statement of Applicability

The Statement of Applicability covers which controls are applicable to your organisation and the reasons for their selection or exclusion. A solid statement will be tailored to your specific business context, risks, and regulatory requirements. Completing a Statement of Applicability provides you with a roadmap for implementing and maintaining effective cybersecurity controls, ensuring that your efforts are focused and aligned with your business objectives.

Supplier review

Supplier review encourages you to look at the bigger picture, exploring risks posed by third-party vendors and supply chain links. By assessing their security policies, practices, and compliance with industry standards, you can ensure that your suppliers are handling data securely and not posing any additional risks.

Access review

Access reviews scrutinise who has access to data points within your business. The goal of this exercise is to make sure that employees can only access necessary resources. Access reviews help in detecting and preventing inappropriate access, reducing the risk and scale of internal threats.

Top management review

Top management reviews require senior leadership to evaluate the effectiveness of cybersecurity across the breadth of the business. It involves assessing performance against cybersecurity objectives, resource allocation, and considering any changes in external and internal contexts that might affect cybersecurity.

Addressing previous non-conformances

When it comes to information security, it’s important to learn from past mistakes and oversights. Addressing previous non-conformances means analysing previous audit findings and implementing corrective actions, strengthening both your security and your commitment to data protection.

Annual InfoSec training

Annual Information Security (InfoSec) training keeps your team updated on the latest cybersecurity threats and best practices, covering a range of topics from threat awareness and safe data handling to response and security incidents. Regular training ensures that your employees are equipped to recognise and respond to cybersecurity challenges.

Not currently using Hicomply? Ready to find out more about what the platform can do for you? Book a demo.

More Insights

How to solve a problem like third-party vendors
Spread your ISMS audit over three years
Understanding e-commerce requirements for PCI DSS