June 2026. Internal audit is mandatory under ISO 27001 — and in surveillance years often the first source external auditors examine. Thin internal audits (document review only) or samples without risk link cause findings and extra work.
What must internal audit cover at minimum?
- ISMS scope and SoA — including recent changes (cloud, SaaS, merger);
- risk treatment and CAP follow-up since last audit;
- operation samples: access reviews, logging, changes, backup-restore;
- management review input: metrics, incidents, vendors, complaints.
Choosing samples
Base samples on risk, not convenience. Pick at least one critical SaaS, one privileged access change, one change with security impact and one incident/CAP from the audit period. Document why you chose these samples — auditors ask for rationale.
Independence and competence
Internal auditor must not only check their own work. In small organisations: outsourced or colleague from another department with training. Keep audit plan, checklist, findings, CAP and verification — version and date.
More: internal audit, audit preparation and evidence.
Schedule internal audit at least six weeks before external surveillance. Findings need CAP with owner before the external auditor arrives — open majors without plan are red flags.
Link internal audit to NIS2 and GDPR themes where relevant: notification, vendors, logging. One audit programme with tags avoids three parallel calendars.
Align audit programme to risk
Spread internal audit across the year — not everything in the week before external audit. Plan high-risk areas (identity, logging, vendors) more often than low-risk documentation. Record the multi-year audit programme and have management review approve it.
Train internal auditors in sampling technique: what to ask, which evidence to accept, when to escalate to major finding. A checklist without judgement is insufficient — findings must trigger CAP with owner and deadline.
Link internal audit findings to metrics in management review. Repeating minor findings without trend break often become major at surveillance.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
Continual improvement
Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.
Knowledge base and readiness
For deeper guidance see our knowledge base on ISMS, ISO 27001, NIS2 and GDPR. Use the readiness overview to compare priorities with your current maturity. This article is educational; engage specialists for legal or audit decisions.
