Business Key Consult

Practical resources for ISO standards, internal audits, and GAP assessments

Action-oriented content for ISO/IEC 27001, ISO 9001, 27701, 27017, 27018 and ISO 19011 audit practices — focused on real-world implementation.

Resources — ISO audit guides
ISO/IEC 27001

How to prepare for an internal audit under ISO/IEC 27001:2022

A practical guide for organisations

An internal audit under ISO/IEC 27001:2022 is a key element in maintaining and improving an Information Security Management System (ISMS). It enables an organisation to assess not only formal conformity with the standard, but also the real effectiveness of the security measures in place.

In this article we cover practical preparation steps, what auditors typically expect, and the most common gaps.

What is an ISO 27001 internal audit?

An internal audit is an independent and objective assessment performed to confirm whether the ISMS:

  • conforms to the requirements of ISO/IEC 27001:2022
  • is effectively implemented and maintained
  • is applied consistently within the defined scope

When should an internal audit be performed?

An internal audit is typically performed:

  • before a certification audit
  • periodically (commonly at least once per year)
  • after significant changes in the organisation, processes, or risk landscape

Internal auditing is a mandatory requirement of ISO/IEC 27001.

Key preparation steps

1. Clearly defined scope

Ensure the ISMS scope is documented, understood by key roles, and aligned with real operational activities. An unclear or overly broad scope is a common reason for findings.

2. Up-to-date risk assessment

Verify that the risk assessment is current, the methodology is documented, and risks are treated with appropriate measures. Auditors frequently identify nonconformities in risk management.

3. Policies and procedures — not only “on paper”

Having documents is not enough. You should be able to demonstrate that policies are communicated, procedures are applied in practice, and employees understand their responsibilities.

4. Annex A applicability

Annex A controls should be assessed against risk, clearly justified in the Statement of Applicability (SoA), and either implemented in practice or excluded with solid rationale.

5. Internal records and evidence

Prepare evidence such as training records, logs and reports, minutes from reviews and meetings, and records from previous audits and corrective actions.

Common gaps

The most common problems found during internal audits include:

  • a formally implemented ISMS without real operational application
  • lack of traceability between risk and controls
  • outdated policies and procedures
  • lack of follow-up actions after the audit

What does a well-performed internal audit deliver?

A high-quality internal audit:

  • identifies real weaknesses
  • supports management decision-making
  • prepares the organisation for certification audits
  • improves the overall level of information security

Conclusion

Preparation for an ISO/IEC 27001:2022 internal audit should not be treated as a formality, but as an improvement opportunity.

With the right approach and a clear methodology, internal auditing becomes a practical tool for risk management and increased trust.

Climate Change Amendment

Climate Change Amendment (2024) to ISO management system standards

What it requires and how it applies to ISO 27001 and ISO 9001

In 2024, ISO introduced the Climate Change Amendment as an official addition to management system standards, including ISO/IEC 27001:2022 and ISO 9001:2015.

The amendment does not introduce a new standard — it clarifies existing requirements related to organisational context and interested parties.

What is the Climate Change Amendment?

It requires an organisation to consider climate change as a potential external factor that may affect the management system.

The amendment applies to:

  • Clause 4.1 — Understanding the organisation and its context
  • Clause 4.2 — Understanding the needs and expectations of interested parties

Which standards does it apply to?

It applies to management system standards, including (but not limited to):

  • ISO/IEC 27001:2022
  • ISO 9001:2015

What exactly does it require?

The organisation should:

  • determine whether climate change is a relevant external issue
  • document that consideration within the context analysis
  • where applicable, reflect impacts on risks, resources, and interested parties

What the amendment does NOT require

It is important to underline that the amendment:

  • does not introduce new controls
  • does not require an environmental or ESG strategy
  • does not require ISO 14001 certification
  • does not require quantitative climate metrics

How it is applied in practice

In practice, organisations usually add climate change as an item in their external issues analysis, document a conclusion on relevance, and — if relevant — reflect it in risk management.

It is acceptable to conclude that climate change has no direct impact, provided that the conclusion is reasoned and documented.

How it is checked during internal and certification audits

Auditors typically check whether:

  • climate change was considered as an external issue
  • there is a clear documented decision
  • there is a logical link between context analysis and risk management

Common nonconformities

The most common findings related to the amendment include:

  • no consideration of climate change at all
  • a formal text addition without a real assessment
  • lack of a documented decision
  • confusion between ISO 14001 requirements and ISO 27001 / ISO 9001

Conclusion

The Climate Change Amendment (2024) does not change the core of ISO/IEC 27001 and ISO 9001 — it clarifies the context and interested parties requirements.

The key requirement is to consider climate change and document the decision, regardless of whether it is deemed relevant or not.

Need help for a specific scope?

If you’re preparing an internal audit, GAP assessment, or certification — share the standard(s), scope, locations and timeline, and we’ll return a plan.