Audit, advice & preparation

ISO 27001 audit for organisations that want to be demonstrably compliant

An ISO 27001 audit assesses whether your information security management system (ISMS) demonstrably works in practice — not just on paper. An independent auditor reviews the organisation's context, risk analysis, Statement of Applicability, controls, internal audit, management review and improvement actions. You receive a clear findings report with evidence, risks and concrete points for improvement. This takes you from loose documents to a demonstrably working ISMS that is ready for the certification audit.

What is an ISO 27001 audit?

In an ISO 27001 audit, an auditor assesses whether your ISMS meets ISO/IEC 27001:2022 and whether it works. This is done through document review, interviews and sampling of evidence. The auditor follows the principles of ISO 19011: independence, an evidence-based approach and fair reporting.

Who is this for?

For organisations that want to achieve ISO 27001, retain their certificate, or need an independent internal audit carried out. Also for companies whose clients or tender requirements ask them to demonstrate that they manage information security.

Which problems do we solve?

  • Policy and risk analysis that do not match practice.
  • A Statement of Applicability that is not substantiated.
  • Internal audit and management review that are missing or merely formal.
  • Uncertainty about whether you will pass the certification audit.

Our approach in 5 steps

  1. Define the scope — the boundaries, objectives and context of the ISMS.
  2. Document review — policy, risk analysis and SoA against the standard.
  3. Interviews & sampling — is the policy demonstrably working?
  4. Findings report — evidence, risks and priorities.
  5. Improvement plan & follow-up — concrete actions towards certification.

[Figure: the audit process in 5 steps: define the scope, document review, interviews and sampling, findings report, improvement plan and follow-up.]

Evidence: what the auditor wants to see

An auditor looks for evidence that policy is applied: completed risk registers, internal audits that have been carried out, management review minutes, logging, access reviews and improvement actions that have been followed up. We help you make this evidence demonstrable and easy to find.

What you receive (deliverables)

  • Findings report with non-conformities and observations.
  • Prioritisation by risk and impact.
  • A practical improvement plan with a schedule.
  • Advice on the route towards a combined audit or certification.

Reference: ISO/IEC 27001 official standard page (ISO).

Frequently asked questions

Short, direct answers — written for people and for AI search functions alike.

What is an ISO 27001 audit?

An ISO 27001 audit is an independent assessment of your information security management system (ISMS). The auditor checks whether you meet the requirements of ISO/IEC 27001 and, more importantly, whether the system demonstrably works. Among other things, the auditor reviews the context, risk analysis, Statement of Applicability, controls, internal audit and management review. The result is a report with findings, risks and points for improvement.

What does the auditor check?

The auditor checks whether policy not only exists, but is also applied. In concrete terms, the auditor looks at the scope and context, the risk assessment and treatment, the Statement of Applicability, the operation of technical and organisational controls, staff awareness, internal audits, the management review and the follow-up of improvement actions. Evidence is gathered through documents, interviews and sampling in practice.

What does an ISO 27001 audit cost?

The cost depends on the scope, the number of locations, the number of employees and the maturity of your ISMS. A gap analysis or internal audit is generally more limited than a full certification process. The certificate costs themselves are set by the certification body, not by us. Schedule a no-obligation audit scan for a suitable estimate tailored to your situation.

How do I prepare for an ISO 27001 audit?

Start with a gap analysis to see where you stand. Make sure the scope is clear, the risk analysis is up to date and linked to the Statement of Applicability, and that policies and procedures are genuinely used. Carry out at least one internal audit and one management review and record improvement actions. A pre-audit simulates the real audit and removes surprises in advance.

What is the difference between an internal audit and a certification audit?

An internal audit is part of your own ISMS and may be carried out by an independent hired auditor, as long as they do not assess their own work. The certification audit is carried out by an accredited certification body and leads to the official ISO 27001 certificate. A good internal audit and pre-audit make that certification audit considerably smoother.

What is the Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document that indicates, for each control in Annex A (93 controls in ISO 27001:2022), whether it applies, with justification and implementation status. The SoA links your risks to concrete controls and is the heart of every ISO 27001 audit. An incomplete or unsubstantiated SoA is a common cause of findings.

How long does an ISO 27001 process take?

An implementation and certification process usually takes 3 to 9 months, depending on the size of the organisation and how many controls are already in place. A standalone gap analysis or internal audit is usually completed within one to two weeks, including reporting. A gap analysis beforehand gives you a realistic timeline.

How often should an internal audit be carried out?

At least annually, and all parts of the ISMS must be covered within the three-year certification cycle. Many organisations work with an audit programme in which topics are scheduled throughout the year based on risk and earlier findings. We draw up a suitable audit programme together with you.

Schedule an independent ISO 27001 audit scan

Within a single conversation you will know whether your ISMS is audit-ready and what the very next step is.

Request an audit scan
