ISO 27001 Internal Audit

ISO 27001 internal audit, run alongside your team as you implement.

Atoro gives software companies an independent internal auditor who works with you while you build on Drata or Vanta, so gaps surface and get fixed early, not in front of your certification auditor.

Your platform shows you’re compliant. We confirm an auditor will agree. You get expert eyes on your controls, your evidence, and your Statement of Applicability before the audit that counts.

Built for in-house teams on Drata and Vanta

  • ISO 27001 internal audit
  • Independent of your build
  • Engineer-led
  • Continuous or one-off

Internal audit, done right


Independent reviewer

An auditor who didn’t build your ISMS, which is the point of an internal audit.

Audit as you implement

Continuous review across the build, not a scramble at the end.

Evidence tested early

We sample what your certification auditor will, before they do.

Clause 9.2 satisfied

The mandatory internal audit, done properly and documented.

Platform-native

We work inside Drata or Vanta, on the evidence you’re already collecting.

What usually triggers the call

  • The platform shows green, but nobody independent has checked the judgement calls.
  • You’ve scoped your Statement of Applicability and aren’t certain it’s defensible.
  • Your certification audit is booked and you don’t want surprises in the room.
  • You need the mandatory internal audit, and it can’t be done by the people who built the ISMS.
  • You’d rather find the gaps now, with time to fix them, than at Stage 2.

02 Recognition

Your dashboard says you’re compliant. An auditor hasn’t said so yet.

Most in-house teams come to us when they’ve done the hard work on Drata or Vanta themselves, and want to know it will actually hold up.

A platform automates evidence. It doesn’t tell you whether an auditor will accept it, whether your controls are right, or whether your scope holds. That judgement is what an internal audit is for, and it has to come from someone independent of the build.

Atoro gives you that independent reviewer, based on more than 200 compliance and security projects delivered for software and digital product companies.

03 Proof

Engineering-led internal audit

Atoro combines compliance consultants, auditors, engineers, and security specialists with computer science backgrounds.

We understand how ISO 27001 works inside software companies: cloud infrastructure, CI/CD, the SDLC, access control, supplier risk, vulnerability management, incident response, and the evidence behind each control, so our audit tests how you actually build and ship, not a generic checklist.

We hold ISO 27001 ourselves and run internal audits across our own clients’ certifications, with a 100% certification success rate behind the engagements we take to audit.

Certified. Independent. Proven.

ISO 27001 certified

We run the discipline we audit you against.

ISO 42001 certified

First consultancy in Europe; AI management systems audited too.

200+ projects delivered

Across compliance, security, audit, and testing.

Independent by design

Auditors separate from any implementation team.

04 System

What an internal audit actually checks

An internal audit is not a dashboard review. It is an independent test of whether your management system meets the standard and whether the evidence would survive a certification auditor.

Atoro reviews:

Scope and Statement of Applicability

Is your scope defensible and every Annex A control decision justified?

Controls in operation

Are the controls actually working, not just documented?

Evidence quality

Will the evidence your platform holds satisfy what an auditor samples?

Risk assessment and treatment

Does your risk work hold up, with owners and decisions recorded?

Mandatory clauses

Management review, corrective actions, and the Clause 9.2 internal audit itself.

Findings and remediation

A clear, prioritised list of what to fix, with time to fix it.

You get an auditor’s verdict before the audit that counts, not a folder of policies.

05 Plan

Two ways to run it

Most teams choose to run the internal audit continuously, alongside the build. Some just need the mandatory audit done once. We do both.

Continuous

Audit as you implement

We review your work across the implementation, so each area is tested as you complete it and problems surface with time to fix them. By the time your certification audit arrives, nothing in the room is a surprise. Best for teams building on Drata or Vanta who want expert assurance throughout.

One-off

Standalone internal audit

Already built your ISMS and just need the mandatory independent internal audit? We scope it, run it, and document it to satisfy Clause 9.2, by an auditor independent of whoever built the system. Best for teams that are audit-ready and need the box ticked properly.

Either way you get a dedicated lead, a clear schedule, action tracking, and Slack support, so the audit moves without your team having to chase it.

What we need from your team

  • One accountable internal lead.
  • Access to your platform and the evidence systems.
  • Time with the control owners we need to interview.
  • Timely decisions on the findings we raise.

Your team stays involved where it matters. Atoro runs the audit.

06 Price

Clear scope before you commit

An internal audit should not be open-ended.

Before we quote, we scope the work properly: company size, certification scope, whether you want continuous or one-off, your platform, your audit timeline, and the maturity of what you’ve built so far.

Your proposal sets out exactly what is reviewed, who runs it, what your team provides, and how findings are delivered.

Included in every engagement

  • Independent lead auditor, separate from any implementation work.
  • Technical review across infrastructure, access, evidence, and controls.
  • Scope and SoA review, checked for defensibility before your certification body sees it.
  • Findings report with prioritised, practical remediation.

Continuous engagements only

  • Re-check of fixes before your certification audit.

No vague day-rate dependency. No conflict of interest. No surprises in the audit room.

07 People

The team that runs your audit

An internal audit needs more than a checklist. It needs independent judgement, technical understanding, and the discipline to test evidence the way a certification auditor will.


Ayna Boada McNamara

Head of Service Delivery

Ayna keeps the audit on track: clear schedule, useful sessions, and a team that always knows what is needed next.

Role in your project: keeping the audit organised, visible, and moving.


Daniyah Imran

Security Programs Manager

Daniyah leads the technical review, testing your controls and evidence the way a certification auditor will, across infrastructure, access, and operations.

Role in your project: independent judgement on whether your ISMS will hold up.

Backed by Atoro’s wider team of compliance consultants, auditors, engineers, and security specialists.

08 FAQ

ISO 27001 internal audit FAQs

What is an ISO 27001 internal audit?

A mandatory requirement of the standard (Clause 9.2): an independent check that your ISMS meets ISO 27001 and operates as documented, carried out before your certification or surveillance audit. It must be done by someone independent of the area being audited.

Can we do our own internal audit?

Only if the auditor is independent of the work being audited, which is hard for a small in-house team that built everything itself. Using an external internal auditor satisfies the independence requirement cleanly and gives you a genuine outside check.

Do we still need this if we use Drata or Vanta?

Yes. A platform automates evidence collection and shows control status; it does not perform the internal audit, judge whether your scope is defensible, or confirm an auditor will accept your evidence. We work inside your platform and provide the independent audit it can’t.

What’s “audit as you implement”?

We run the internal audit continuously alongside your implementation, so each area is tested as you finish it and gaps surface with time to fix them, instead of all at once before Stage 2. It’s the difference between finding problems early and finding them in the audit room.

We’ve already built our ISMS, can you just do the audit?

Yes. The standalone internal audit is scoped, run and documented to satisfy Clause 9.2, by an auditor independent of whoever built the system.

Who can perform it, and are you independent?

Our auditors are independent of any implementation team, including our own. If Atoro built your ISMS, a separate Atoro auditor runs the internal audit, which is exactly the separation a certification body checks for.

Does this cover ISO 42001 internal audits too?

Yes. We run internal audits for ISO 42001 AI management systems on the same basis, independent and evidence-tested.

What do we get at the end?

A findings report: what passed, what didn’t, and a prioritised, practical list of what to fix, in time to fix it before your certification audit.

What happens after the internal audit?

You move into your certification or surveillance audit knowing what an independent auditor already found. Atoro can also support the wider cycle through implementation, TrustOps, and managed compliance services.

Case studies

Internal audits, delivered

Heartpace

A full ISO 27001:2022 internal audit in four weeks, with zero disruption to operations.

Heidi Health

Healthcare SaaS, ISO 27001:2022 internal audit in four weeks, certification-ready with zero team disruption.

Firemelon

A first-time internal audit taken from nerves to full confidence.

TILROY

Internal audit simplified with expert support.

SitePlan

Improved processes and a confident audit, with expert support throughout.

Vendorvue

Clear, fast audit results that met their certification goals.

Binarii Labs

Audit readiness strengthened, certification-ready in four weeks.

All case studies

See how scaling tech companies certify with Atoro.

09 Push

Request internal audit pricing

Get a scoped view of what an ISO 27001 internal audit would look like for your company. Complete a short scope questionnaire, book a call, or both.

Then we’ll give you a practical path and a clear commercial model.

No generic sales deck. No vague “starting from” proposal. No conflict of interest.

We’ll review

  • Whether you want continuous or one-off
  • Your certification scope and timeline
  • Your platform setup
  • The maturity of what you’ve built so far
  • Your internal team capacity
  • Whether ISO 42001 is also in scope