Internal Audit

➤  We use a list of 385 criteria to check if all ISO 27001:2022 requirements evidence is covered in Compleye Online.

➤  We draw up a concept report and plan an investigation meeting with the ISMS team to check the gaps before we make the final internal audit report.

➤  We organise a second meeting to discuss and deliver the final report with the findings and help come up with suggestions for improvements.


It’s preferable that internal audit is planned 1-2 months in advance of the external audit. 

That will give you time to address some of the improvements – to be added to the yearly management review.

Tip: Make sure that there are no overdue controls and that you’ve addressed all reviews of documentation and sections in Compleye Online to avoid unnecessary findings in the internal audit report.