ISO 27001 Internal Audit
ISO 27001 internal audit, run alongside your team as you implement.
Atoro gives software companies an independent internal auditor who works with you while you build on Drata or Vanta, so gaps surface and get fixed early, not in front of your certification auditor.
Your platform shows you’re compliant. We confirm an auditor will agree. You get expert eyes on your controls, your evidence, and your Statement of Applicability before the audit that counts.
Built for in-house teams on Drata and Vanta
ISO 27001 internal audit
Independent of your build
Engineer-led
Continuous or one-off
Internal audit, done right
- Independent reviewer: An auditor who didn’t build your ISMS, which is the point of an internal audit.
- Audit as you implement: Continuous review across the build, not a scramble at the end.
- Evidence tested early: We sample what your certification auditor will, before they do.
- Clause 9.2 satisfied: The mandatory internal audit, done properly and documented.
- Platform-native: We work inside Drata or Vanta, on the evidence you’re already collecting.
What usually triggers the call
- The platform shows green, but nobody independent has checked the judgement calls.
- You’ve scoped your Statement of Applicability and aren’t certain it’s defensible.
- Your certification audit is booked and you don’t want surprises in the room.
- You need the mandatory internal audit, and it can’t be done by the people who built the ISMS.
- You’d rather find the gaps now, with time to fix them, than at Stage 2.
02 Recognition
Your dashboard says you’re compliant. An auditor hasn’t said so yet.
Most in-house teams come to us when they’ve done the hard work on Drata or Vanta themselves, and want to know it will actually hold up.
A platform automates evidence. It doesn’t tell you whether an auditor will accept it, whether your controls are right, or whether your scope holds. That judgement is what an internal audit is for, and it has to come from someone independent of the build.
Atoro gives you that independent reviewer, based on more than 200 compliance and security projects delivered for software and digital product companies.
03 Proof
Engineering-led internal audit
Atoro combines compliance consultants, auditors, engineers, and security specialists with computer science backgrounds.
We understand how ISO 27001 works inside software companies: cloud infrastructure, CI/CD, the SDLC, access control, supplier risk, vulnerability management, incident response, and the evidence behind each control, so our audit tests how you actually build and ship, not a generic checklist.
We hold ISO 27001 ourselves and run internal audits across our own clients’ certifications, with a 100% certification success rate behind the engagements we take to audit.
Certified. Independent. Proven.
- ISO 27001 certified: We run the discipline we audit you against.
- ISO 42001 certified: First consultancy in Europe; AI management systems audited too.
- 200+ projects delivered: Across compliance, security, audit, and testing.
- Independent by design: Auditors separate from any implementation team.
04 System
What an internal audit actually checks
An internal audit is not a dashboard review. It is an independent test of whether your management system meets the standard and whether the evidence would survive a certification auditor.
Atoro reviews:
- Scope and Statement of Applicability: Is your scope defensible and every Annex A control decision justified?
- Controls in operation: Are the controls actually working, not just documented?
- Evidence quality: Will the evidence your platform holds satisfy what an auditor samples?
- Risk assessment and treatment: Does your risk work hold up, with owners and decisions recorded?
- Mandatory clauses: Management review, corrective actions, and the Clause 9.2 internal audit itself.
- Findings and remediation: A clear, prioritised list of what to fix, with time to fix it.
You get an auditor’s verdict before the audit that counts, not a folder of policies.
05 Plan
Two ways to run it
Most teams choose to run the internal audit continuously, alongside the build. Some just need the mandatory audit done once. We do both.
Continuous
Audit as you implement
We review your work across the implementation, so each area is tested as you complete it and problems surface with time to fix them. By the time your certification audit arrives, nothing in the room is a surprise. Best for teams building on Drata or Vanta who want expert assurance throughout.
One-off
Standalone internal audit
Already built your ISMS and just need the mandatory independent internal audit? We scope it, run it, and document it to satisfy Clause 9.2, by an auditor independent of whoever built the system. Best for teams that are audit-ready and need the box ticked properly.
Either way you get a dedicated lead, a clear schedule, action tracking, and Slack support, so the audit moves without your team having to chase it.
What we need from your team
- One accountable internal lead.
- Access to your platform and the evidence systems.
- Time with the control owners we need to interview.
- Timely decisions on the findings we raise.
Your team stays involved where it matters. Atoro runs the audit.
06 Price
Clear scope before you commit
An internal audit should not be open-ended.
Before we quote, we scope the work properly: company size, certification scope, whether you want continuous or one-off, your platform, your audit timeline, and the maturity of what you’ve built so far.
Your proposal sets out exactly what is reviewed, who runs it, what your team provides, and how findings are delivered.
- Included: Independent lead auditor. Separate from any implementation work.
- Included: Technical review. Across infrastructure, access, evidence, and controls.
- Included: Scope and SoA review. Checked for defensibility before your certification body sees it.
- Included: Findings report. With prioritised, practical remediation.
- Continuous engagements only: Re-check of fixes. Before your certification audit, on continuous engagements.
No vague day-rate dependency. No conflict of interest. No surprises in the audit room.
07 People
The team that runs your audit
An internal audit needs more than a checklist. It needs independent judgement, technical understanding, and the discipline to test evidence the way a certification auditor will.
Ayna Boada McNamara
Head of Service Delivery
Ayna keeps the audit on track: clear schedule, useful sessions, and a team that always knows what is needed next.
Role in your project: keeping the audit organised, visible, and moving.
Daniyah Imran
Security Programs Manager
Daniyah leads the technical review, testing your controls and evidence the way a certification auditor will, across infrastructure, access, and operations.
Role in your project: independent judgement on whether your ISMS will hold up.
Backed by Atoro’s wider team of compliance consultants, auditors, engineers, and security specialists.
08 FAQ
ISO 27001 internal audit FAQs
What is an ISO 27001 internal audit?
A mandatory requirement of the standard (Clause 9.2): an independent check that your ISMS meets ISO 27001 and operates as documented, carried out before your certification or surveillance audit. It must be done by someone independent of the area being audited.
Can we do our own internal audit?
Only if the auditor is independent of the work being audited, which is hard for a small in-house team that built everything itself. Using an external internal auditor satisfies the independence requirement cleanly and gives you a genuine outside check.
Do we still need this if we use Drata or Vanta?
Yes. A platform automates evidence collection and shows control status; it does not perform the internal audit, judge whether your scope is defensible, or confirm an auditor will accept your evidence. We work inside your platform and provide the independent audit it can’t.
What’s “audit as you implement”?
We run the internal audit continuously alongside your implementation, so each area is tested as you finish it and gaps surface with time to fix them, instead of all at once before Stage 2. It’s the difference between finding problems early and finding them in the audit room.
We’ve already built our ISMS. Can you just do the audit?
Yes. The standalone internal audit is scoped, run and documented to satisfy Clause 9.2, by an auditor independent of whoever built the system.
Who can perform it, and are you independent?
Our auditors are independent of any implementation team, including our own. If Atoro built your ISMS, a separate Atoro auditor runs the internal audit, which is exactly the separation a certification body checks for.
Does this cover ISO 42001 internal audits too?
Yes. We run internal audits for ISO 42001 AI management systems on the same basis, independent and evidence-tested.
What do we get at the end?
A findings report: what passed, what didn’t, and a prioritised, practical list of what to fix, in time to fix it before your certification audit.
What happens after the internal audit?
You move into your certification or surveillance audit knowing what an independent auditor already found. Atoro can also support the wider cycle through implementation, TrustOps, and managed compliance services.
Case studies
Internal audits, delivered
Heartpace
A full ISO 27001:2022 internal audit in four weeks, with zero disruption to operations.
Heidi Health
Healthcare SaaS, ISO 27001:2022 internal audit in four weeks, certification-ready with zero team disruption.
Firemelon
A first-time internal audit taken from nerves to full confidence.
TILROY
Internal audit simplified with expert support.
SitePlan
Improved processes and a confident audit, with expert support throughout.
Vendorvue
Clear, fast audit results that met their certification goals.
Binarii Labs
Audit readiness strengthened, certification-ready in four weeks.
All case studies
See how scaling tech companies certify with Atoro.
09 Push
Request internal audit pricing
Get a scoped view of what an ISO 27001 internal audit would look like for your company. Complete a short scope questionnaire, book a call, or both.
Then we’ll give you a practical path and a clear commercial model.
No generic sales deck. No vague “starting from” proposal. No conflict of interest.
We’ll review:
- Whether you want continuous or one-off
- Your certification scope and timeline
- Your platform setup
- The maturity of what you’ve built so far
- Your internal team capacity
- Whether ISO 42001 is also in scope