Internal Audit Procedure
Document ID: PROC-003
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (9.2) | SOC 2 (CC4.1, CC4.2)
1. Purpose
This procedure defines how internal audits of the ISMS are planned, executed, reported and followed up, in order to verify that information security controls are operating effectively, conform to ISO 27001:2022 and the SOC 2 Trust Services Criteria, and support organisational objectives.
2. Scope
Internal audits cover all aspects of the ISMS including:
- Policies and procedures
- Technical controls
- Operational processes
- Compliance with legal and regulatory requirements
- SOC 2 Trust Services Criteria
3. Audit Programme
3.1 Audit Frequency
| Audit Type | Frequency | Scope |
|---|---|---|
| Full ISMS audit | Annually | All controls, policies, and processes |
| Targeted audit | As needed | Specific areas based on risk or incidents |
| Follow-up audit | Within 3 months | Verify corrective actions from prior audits |
3.2 Annual Audit Schedule
See: Audit Schedule for the detailed calendar.
4. Audit Process
4.1 Planning
- The ISO (Information Security Officer) defines the audit scope and objectives
- Audit criteria identified (ISO 27001 clauses, SOC 2 TSC, internal policies)
- Audit schedule communicated to all relevant parties at least 2 weeks in advance
- Evidence requirements defined per the Evidence Index
4.2 Execution
| Step | Action | Output |
|---|---|---|
| 1 | Review documentation against requirements | Gap list |
| 2 | Interview process owners | Interview notes |
| 3 | Examine evidence (logs, configs, records) | Evidence checklist |
| 4 | Test controls for operational effectiveness | Test results |
| 5 | Identify nonconformities and observations | Finding log |
4.3 Findings Classification
| Classification | Definition | Action Required |
|---|---|---|
| Major nonconformity | Control is absent or fundamentally ineffective | Corrective action required within 30 days |
| Minor nonconformity | Control exists but partially ineffective or inconsistently applied | Corrective action required within 90 days |
| Observation | Opportunity for improvement; no breach of requirement | Noted for next review cycle |
| Conformity | Control meets requirements | No action required |
4.4 Reporting
- Audit report prepared within 5 business days of audit completion
- Report includes: scope, findings, evidence reviewed, recommendations
- Report distributed to ISO and relevant control owners
- Major nonconformities escalated to management review
4.5 Follow-Up
- Corrective actions raised via the Corrective Action Procedure
- Follow-up audit scheduled to verify that corrective actions are effective, not merely implemented
- All findings tracked to closure in the finding log (see section 6)
5. Auditor Independence
- Internal audits are conducted by personnel who are not directly responsible for the area being audited
- In a small organisation (1-10 employees) the ISO may audit areas that are not under their direct operational control; areas that are under the ISO's own operational control are audited by an external party
- External audit support may be engaged for independence or specialist expertise
6. Records
| Record | Retention | Location |
|---|---|---|
| Audit plan | 3 years | Google Drive > Security > Audits |
| Audit report | 3 years | Google Drive > Security > Audits |
| Finding log | 3 years | Google Drive > Security > Audits |
| Corrective action records | 3 years | Google Drive > Security > Corrective Actions |
7. Review
This procedure is reviewed annually or when changes to the audit programme are required.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH Date: March 2026