Internal audits under ISO 27001: what SMEs should test

Latest Comments

No comments to show.
Professionals reviewing internal audit evidence for an ISO 27001 ISMS in a clean office setting

Internal audits under ISO 27001: what SMEs should test

For many small businesses, an internal audit can feel like another compliance task competing with day-to-day work. In practice, it is one of the most useful checks you can do. A good internal audit helps you find weak spots before they become costly problems, such as avoidable downtime, lost customer trust, or repeated security mistakes.

For UK SMEs, the aim is not to create a perfect paper trail. It is to check whether your information security management system, often called an ISMS, is actually being followed in the real world. If the answer is yes, you are in a much stronger position to manage risk and improve steadily. If the answer is no, the audit gives you a clear list of fixes.

What an internal audit is meant to do

Why internal audits help you spot gaps before they become business problems

An internal audit is a structured review of how your security arrangements work in practice. It should tell you whether your policies, processes, and controls are being used as intended, and whether they are still suitable for the way your business operates.

That matters because small organisations often grow faster than their controls. A process that worked when you had ten staff may not work when you have thirty, more suppliers, more cloud services, and more customer data. Internal audits help you catch that drift early.

They also help you avoid surprises. If you discover during an audit that staff are sharing accounts, supplier reviews are not being completed, or incident records are incomplete, you can fix those issues before a customer, insurer, or external assessor finds them first.

How an internal audit differs from a certification audit

An internal audit is for your own benefit. It is a management tool. A certification audit, by contrast, is carried out by an external body and is focused on whether you meet the requirements of the standard at that point in time.

That difference matters. Your internal audit should be more practical and more honest. It should ask: are we doing what we said we would do, and is it working well enough for our business?

Set a sensible audit scope for a small organisation

Choosing the systems, teams, and processes to include

For SMEs, the audit scope should be realistic. You do not need to test every system in one go. Start with the areas that matter most to your business and your information security risks.

A sensible scope usually includes:

  • Your main business systems and cloud services
  • How staff join, move roles, and leave the business
  • How access is approved and removed
  • How incidents are reported and handled
  • How suppliers are checked and monitored
  • How backups, updates, and changes are managed
  • How policies are approved, communicated, and reviewed

If you process customer data, hold financial information, or rely heavily on a small number of systems, those areas deserve particular attention.

Keeping the scope realistic for limited time and staff

Many SMEs make the mistake of trying to audit everything at once. That usually leads to a rushed exercise and weak findings. A better approach is to spread the work across the year.

For example, you might audit:

This keeps the workload manageable and gives you a better chance of finding useful issues rather than just ticking boxes.

What SMEs should test in the ISMS

Policies, responsibilities, and records that show the system is working

Start with the basics. Ask whether the business has clear, current policies for the areas that matter, and whether people know what they are meant to do.

Test the following:

  • Are security policies approved and reviewed on a sensible schedule?
  • Do staff know where to find them?
  • Are responsibilities clear, or does everyone assume someone else owns the task?
  • Are records kept for key activities such as training, approvals, incidents, and reviews?

In a small business, unclear ownership is a common weakness. If no one is clearly responsible for a control, it often stops happening.

Risk treatment actions, access control, supplier checks, and incident handling

These are some of the most important areas to test because they affect both security and business continuity.

Risk treatment actions: Check whether the actions you agreed to reduce risk have actually been completed. If a risk was marked as needing stronger access controls, better backups, or supplier review, there should be evidence that the work happened.

Access control: Test whether staff only have the access they need for their role. Look at a sample of users and check whether access was approved, whether leavers were removed promptly, and whether privileged access is limited and reviewed.

Supplier checks: If suppliers handle your data or support key services, check whether they were assessed before use and reviewed afterwards. You are looking for evidence that supplier risk is being managed, not just acknowledged.

Incident handling: Review recent incidents, even minor ones. Did staff know how to report them? Were they logged? Was there a clear response? Were lessons learned captured and acted on?

How to test whether controls are actually working

Looking for evidence, not just written statements

A strong internal audit is based on evidence. A policy saying something should happen is not the same as proof that it does happen.

Useful evidence includes:

  • Approval records
  • Training logs
  • Access review results
  • Supplier assessments
  • Incident tickets or email records
  • Backup test results
  • Change records
  • Meeting notes showing review and follow-up

If the only evidence is a document that says, “we do this”, the control may exist in theory but not in practice.

Using interviews, samples, and document checks in plain English

You do not need a complicated method. A simple approach works well for SMEs:

  • Ask people how they actually carry out the process
  • Check samples of records from the last few months
  • Compare practice to policy and note any differences

For example, if your process says leavers are removed the same day, pick a few recent leavers and check when their access was removed. If your process says backups are tested monthly, ask for the last test result. If your process says incidents are reviewed, look for evidence of that review.

This is usually enough to show whether the control is working, without turning the audit into a burden.

Common weaknesses found in SME internal audits

Out-of-date documents, unclear ownership, and missing evidence

Some issues appear again and again in small businesses:

  • Policies exist but have not been reviewed for years
  • People do not know who owns a control
  • Evidence is scattered across email inboxes and shared folders
  • Risk actions are recorded but never closed
  • Supplier checks are done once and then forgotten

These are not unusual. They are usually signs of a business that has grown faster than its processes. The good news is that they are often straightforward to fix once they are visible.

Controls that exist on paper but are not used consistently

Another common issue is inconsistency. A process may work well when one person is involved, but fall apart when they are away. Or staff may follow the process for important systems but ignore it for smaller ones.

Examples include:

  • Access reviews completed for some systems but not others
  • Incident reporting used by IT but not by the wider business
  • Supplier checks done for new contracts but not renewals
  • Backups configured but not tested

Internal audits are useful because they expose this gap between intention and reality.

Turning findings into practical improvements

Ranking issues by business impact and effort to fix

Not every finding needs the same level of attention. A small business should rank issues based on two simple questions:

  • How much business risk does this create?
  • How hard is it to fix?

A missing backup test for a critical system is usually more urgent than a formatting issue in a policy document. A leaver account still active after several weeks is more serious than a minor wording change in a procedure.

This helps you focus limited time and budget where they matter most.

Tracking actions so they are closed properly

Every finding should lead to a clear action, an owner, and a deadline. Without that, the same issues tend to reappear in the next audit.

A simple action log should include:

  • The issue found
  • The business impact
  • The person responsible
  • The target date
  • The evidence needed to show it is fixed

It is also worth checking that actions are really closed, not just marked complete. If the fix depends on a process change, training, or supplier follow-up, ask for proof.

A simple internal audit checklist for SMEs

Questions to ask before, during, and after the audit

Before the audit, ask:

  • What are we trying to learn?
  • Which systems and processes matter most?
  • Who needs to be involved?
  • What evidence should we expect to see?

During the audit, ask:

  • Is the process actually being followed?
  • Can we see evidence from recent activity?
  • Are there any gaps between policy and practice?
  • Do staff understand their responsibilities?

After the audit, ask:

  • What are the highest-risk findings?
  • What can be fixed quickly?
  • What needs management attention?
  • How will we check that actions are complete?

What good follow-up looks like for small teams

Good follow-up is simple, visible, and owned by the right people. It does not need a large governance process. It needs discipline.

For most SMEs, that means:

  • Recording findings in one place
  • Assigning each action to a named person
  • Reviewing progress at management meetings
  • Keeping evidence of completion
  • Using the next audit to check whether the fix stuck

That last point is important. An internal audit is not only about finding problems. It is about proving that improvements are real and lasting.

Final thoughts

Internal audits under ISO 27001 should help you understand whether your security arrangements are working in practice, not just whether the paperwork looks complete. For SMEs, the most useful audits are focused, evidence-based, and tied to real business risk.

If you test the right areas, keep the scope realistic, and follow through on the findings, the audit becomes more than a compliance exercise. It becomes a practical way to reduce disruption, improve accountability, and strengthen trust with customers and suppliers.

If you would like support planning an internal audit programme or reviewing the findings from one, speak to a consultant.

Frequently asked questions

What should an SME test in an ISO 27001 internal audit?

Focus on the controls that affect how the business actually operates. The article suggests checking policies, responsibilities, access control, supplier checks, incident handling, backups, updates, and risk treatment actions. It is also worth looking for evidence that these controls are being used, not just written down.

How do I choose the scope of an internal audit for a small business?

Keep the scope realistic and based on your main risks. A sensible starting point is your core systems, staff joiner-mover-leaver processes, access approvals, incident reporting, supplier management, and backup and change management. If you process customer or financial data, those areas should usually be included as well.

What evidence should I look for during an ISO 27001 internal audit?

Look for records that show the control has been carried out in practice. The article mentions approval records, training logs, access review results, supplier assessments, incident tickets, backup test results, change records, and meeting notes. A policy alone is not enough if there is no supporting evidence.

How often should an SME carry out internal audits under ISO 27001?

The article does not set a fixed frequency, but it does suggest spreading the work across the year rather than trying to audit everything at once. A phased approach can make the workload manageable and help you review different parts of the ISMS in a more useful way. The right schedule will depend on your size, risk profile, and how quickly your business changes.

What is the difference between an internal audit and a certification audit?

An internal audit is for your own management use and should help you check whether your policies and controls are working in practice. A certification audit is carried out by an external body and looks at whether you meet the standard at that point in time. Internal audits are usually more practical and more honest about what needs fixing.

Tags:

Comments are closed