The Internal Audits module supports the requirements of ISO 27001 Clause 9.2, which mandates that organisations conduct internal audits at planned intervals to determine whether the ISMS conforms to the organisation's own requirements and the requirements of ISO 27001, and is effectively implemented and maintained.
Creating an Audit Record
To create a new audit, click "Add Audit" and complete the following form:
Enter the audit title, select the audit type, and assign the lead auditor and audit team members.
Enter the scheduled date. When fieldwork begins, record the start date; set the completion date when the audit concludes and the report is finalised.
Describe the audit scope in the textarea and select the specific ISMS clauses and Annex A categories that will be covered during the audit.
Set the initial status to "Planned". Update to "In Progress" when the audit begins, and "Completed" when the final report is issued.
As the audit progresses, add findings with classifications, descriptions, clause references, evidence, and corrective action details.
Once complete, use the audit report generation feature to produce a formatted audit report.
Audit Form Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Audit Title | Text input | Required | A descriptive title for the audit. Example: "Q1 2026 Internal ISMS Audit", "Annex A.8 Technological Controls Audit" |
| Audit Type | Select dropdown | Optional | The type of audit being conducted. Options: Internal (conducted by or on behalf of the organisation), External (conducted by a third party or certification body), Surveillance (periodic audit by the certification body between certification cycles) |
| Lead Auditor | Text input | Optional | Name of the person or organisation leading the audit. Auditors must not audit their own work: Clause 9.2 requires the audit process to be objective and impartial, so the lead auditor should be independent of the areas being audited. Example: "Jane Smith, Internal Auditor" or "ABC Consulting Ltd" |
| Audit Team | Text input | Optional | Names of additional audit team members. Comma-separated or free-text format. |
| Scheduled Date | Date picker | Optional | The planned date for the audit. Used for the audit schedule on the dashboard. |
| Start Date | Date picker | Optional | The actual date the audit fieldwork began |
| Completion Date | Date picker | Optional | The date the audit was completed and the report was finalised |
| Scope | Textarea | Optional | Detailed description of what the audit covers, including specific processes, departments, systems, or locations in scope |
| Clauses Covered | Multi-select | Optional | Select the ISMS clauses and Annex A categories covered by this audit. Options: Clause 4 (Context), Clause 5 (Leadership), Clause 6 (Planning), Clause 7 (Support), Clause 8 (Operation), Clause 9 (Performance Evaluation), Clause 10 (Improvement), A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological |
| Status | Select dropdown | Optional | Current status of the audit. Options: Planned, In Progress, Completed, Cancelled |
Finding Classifications
Audit findings are classified according to their severity and nature. Each classification has specific implications for corrective action requirements:
| Classification | Definition | Action Required |
|---|---|---|
| Major Nonconformity | A significant failure to fulfil one or more requirements of ISO 27001, or a situation that raises significant doubt about the ability of the ISMS to achieve its intended outcomes. Examples: entire clause not addressed, information security policy does not exist, no risk assessment performed, management reviews never conducted. | Mandatory corrective action required before certification can be granted or maintained. Root cause analysis and evidence of effective correction must be provided. A follow-up audit may be required to verify implementation. |
| Minor Nonconformity | A single observed lapse in fulfilling a requirement of ISO 27001 that does not affect the overall capability of the ISMS. Examples: a single document missing a review date, one access review overdue, a policy exists but is not the latest version. | Corrective action required, typically within a defined timeframe (e.g., 90 days). Must be addressed before the next surveillance audit. Root cause analysis recommended. |
| Observation | An area where the auditor notes a potential concern that could develop into a nonconformity if not addressed, but does not currently constitute a failure to meet a requirement. Also known as "area of concern". | No mandatory corrective action, but the organisation should monitor the area and consider preventive action. Should be reviewed at the next audit. |
| Opportunity for Improvement (OFI) | A suggestion from the auditor for improving the ISMS beyond the minimum requirements of the standard. These are positive recommendations, not failures. | No action required. Considered at management discretion as part of continual improvement (Clause 10.1). Implementing OFIs demonstrates maturity. |
Recording Individual Findings
For each finding identified during the audit, record the following details:
| Field | Type | Description |
|---|---|---|
| Finding Description | Textarea | A clear, factual description of what was observed during the audit. State the objective evidence that supports the finding. Avoid subjective language. |
| Classification | Select dropdown | Major Nonconformity, Minor Nonconformity, Observation, or Opportunity for Improvement |
| Clause Reference | Text input | The specific ISO 27001 clause or Annex A control reference that the finding relates to. Example: "Clause 7.5.3" or "A.8.8" |
| Evidence | Textarea | The objective evidence collected during the audit that supports the finding. Include document references, interview notes, system screenshots, or observation records. |
| Corrective Action | Textarea | The proposed or agreed corrective action to address the finding. Should address both the immediate issue and the underlying root cause. |
| Due Date | Date picker | The target date for completing the corrective action |
| Status | Select dropdown | Status of the finding: Open, Corrective Action in Progress, Corrective Action Complete, Verified Closed |
Audit Report Generation
Once all findings are recorded, use the "Generate Report" feature to produce a formatted audit report. The report includes:
- Audit details (title, type, team, dates, scope)
- Executive summary with finding counts by classification
- Detailed findings with descriptions, evidence, clause references, and corrective actions
- Conclusion and overall assessment
- Appendices with supporting evidence references
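The following is an added example, not code from the Internal Audits module or its vendor. It models the audit and finding fields described above and runs the checks a practitioner would want before pressing "Generate Report": that the audit has reached "Completed" with a completion date, that each finding carries objective evidence and a clause reference in the "Clause x.y" or "A.x.y" form used in this page's examples, and that Major and Minor Nonconformities have a corrective action and a due date. The lifecycle tables enforce the status orderings given in the Status fields. The 90-day window for minor nonconformities, the function names, and the sample audit data are assumptions for illustration (the page only says "e.g., 90 days").

```python
"""Pre-report checks for an ISMS internal audit record (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Status lifecycles from the Audit Status and Finding Status fields.
AUDIT_TRANSITIONS = {
    "Planned": {"In Progress", "Cancelled"},
    "In Progress": {"Completed", "Cancelled"},
    "Completed": set(),
    "Cancelled": set(),
}
FINDING_TRANSITIONS = {
    "Open": {"Corrective Action in Progress"},
    "Corrective Action in Progress": {"Corrective Action Complete"},
    "Corrective Action Complete": {"Verified Closed"},
    "Verified Closed": set(),
}
CLASSIFICATIONS = {"Major Nonconformity", "Minor Nonconformity",
                   "Observation", "Opportunity for Improvement"}
# Classifications for which corrective action is mandatory (Finding Classifications table).
CORRECTIVE_ACTION_REQUIRED = {"Major Nonconformity", "Minor Nonconformity"}
MINOR_NC_WINDOW = timedelta(days=90)  # assumed; the page gives 90 days only as an example
# "Clause 7.5.3" / "A.8.8" style references, inferred from the page's examples.
CLAUSE_REF = re.compile(r"^(Clause (?:[4-9]|10)(?:\.\d+)*|A\.[5-8](?:\.\d+)*)$")


@dataclass
class Finding:
    description: str
    classification: str
    clause_reference: str
    evidence: str = ""
    corrective_action: str = ""
    due_date: Optional[date] = None
    status: str = "Open"


@dataclass
class Audit:
    title: str
    lead_auditor: str
    status: str = "Planned"
    completion_date: Optional[date] = None
    findings: list = field(default_factory=list)


def is_allowed(current: str, new: str, transitions: dict) -> bool:
    """True if the lifecycle permits moving from `current` to `new`."""
    return new in transitions.get(current, set())


def summary_counts(audit: Audit) -> dict:
    """Finding counts by classification, as in the report's executive summary."""
    return dict(Counter(f.classification for f in audit.findings))


def validate_for_report(audit: Audit) -> list:
    """Return problems that should block report generation (empty list = ready)."""
    problems = []
    if audit.status != "Completed":
        problems.append(f"audit status is {audit.status!r}; generate the report once the audit is Completed")
    elif audit.completion_date is None:
        problems.append("completion date is missing for a Completed audit")
    for n, f in enumerate(audit.findings, start=1):
        if f.classification not in CLASSIFICATIONS:
            problems.append(f"finding {n}: unknown classification {f.classification!r}")
        if not f.evidence.strip():
            problems.append(f"finding {n}: no objective evidence recorded")
        if not CLAUSE_REF.match(f.clause_reference):
            problems.append(f"finding {n}: clause reference {f.clause_reference!r} is not 'Clause x.y' or 'A.x.y'")
        if f.classification in CORRECTIVE_ACTION_REQUIRED:
            if not f.corrective_action.strip():
                problems.append(f"finding {n}: {f.classification} requires a corrective action")
            if f.due_date is None:
                problems.append(f"finding {n}: {f.classification} requires a due date")
            elif (f.classification == "Minor Nonconformity" and audit.completion_date is not None
                  and f.due_date > audit.completion_date + MINOR_NC_WINDOW):
                problems.append(f"finding {n}: minor nonconformity due date is beyond the {MINOR_NC_WINDOW.days}-day window")
    return problems


def sample_audit() -> Audit:
    """Constructed sample record for the demonstration; not a real audit."""
    done = date(2026, 3, 27)
    return Audit(
        title="Q1 2026 Internal ISMS Audit", lead_auditor="Jane Smith, Internal Auditor",
        status="Completed", completion_date=done,
        findings=[
            Finding("January vulnerability scan results were never reviewed", "Major Nonconformity", "A.8.8",
                    evidence="Scan reports dated 2026-01-12 and 2026-01-26 with no sign-off",
                    corrective_action="Assign a reviewer and add scan review to the monthly security meeting",
                    due_date=done + timedelta(days=30), status="Corrective Action in Progress"),
            Finding("Access control policy v2.1 in use although v2.3 was approved", "Minor Nonconformity",
                    "Clause 7.5.3", evidence="Intranet shows v2.1; document register shows v2.3 approved 2026-02-10",
                    corrective_action="Publish v2.3 and withdraw the superseded copy"),  # due date missing
            Finding("Supplier review checklist is informal", "Observation", "A.5.19",
                    evidence="Interview with procurement lead"),
            Finding("Consider automating the access review schedule", "Opportunity for Improvement", "A.5.18",
                    evidence="Manual reminder process described by the IT manager"),
        ],
    )


if __name__ == "__main__":
    audit = sample_audit()
    print(summary_counts(audit))
    for problem in validate_for_report(audit):
        print("BLOCKED:", problem)
```

Run stand-alone, the sample audit is blocked by a single problem: the minor nonconformity has a corrective action but no due date. The Observation and OFI pass without corrective actions, matching the classification table, and the lifecycle tables reject shortcuts such as moving an audit straight from "Planned" to "Completed".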