
Internal audit readiness checklist for SaaS teams

A credible internal audit finds real problems before your external auditor does. Here is how to run one that satisfies the standard and actually helps.

By Kellwick Team · March 25, 2026 · 3 min read

The internal audit is one of the most misunderstood parts of ISO 27001. Too many teams treat it as a formality: a rushed afternoon by the same person who built the ISMS, ticking boxes to satisfy Clause 9.2. That approach fails the standard and wastes the one chance you have to catch problems before the certification body does.

Why independence is non-negotiable

Clause 9.2 requires that the audit process be objective and impartial, which in practice means auditors do not audit their own work. If the person who wrote your access control policy also audits it, they cannot see it objectively. They know what it was supposed to say, not what it actually does.

You have a few practical options:

  • A colleague from a different function audits the area you own, and you audit theirs.
  • A second-line role (someone outside the ISMS build) runs the audit.
  • An external party performs the internal audit for you.

Independence does not mean adversarial. It means the auditor has no stake in the result looking good.

Plan before you audit

A credible internal audit is planned, not improvised. Before anyone reviews evidence, you should have an audit programme that covers the whole ISMS across a defined period, usually the certification cycle.

Your plan should state:

  • Scope: which clauses, controls and parts of the business are in this audit.
  • Criteria: the standard, your policies, and legal or contractual requirements.
  • Schedule: dates, auditors and the areas each will cover.
  • Method: interviews, document review, sampling of records and system checks.

Risk should drive frequency. Areas that changed recently, failed before, or carry the most risk deserve deeper and more frequent attention.

Test the controls that carry the most risk

Do not audit every control equally. Spend your time where failure would hurt: access management, change control, backups, supplier oversight, and incident response.

For each, ask for evidence rather than opinions:

  • Pull a sample of leavers and confirm access was revoked on time.
  • Take a recent production change and trace it through review and approval.
  • Ask for the last restore test and its result, not just the backup policy.
  • Check that a real incident was logged, triaged and closed with actions.

If someone describes a process but cannot show a record, treat that as a finding. Verbal assurance is not evidence.
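The first bullet above, a leaver sample reconciled against the identity provider, is the kind of check that is quicker and more convincing as a script than as a conversation. The following is an added example, not code from the original article or from Kellwick. It assumes two exports that many teams can produce: an HR leaver list with each person's last working day, and an identity-provider user export with account status and disablement timestamp. Both are constructed inline here, as is the one-day revocation SLA; substitute your own policy deadline. It flags every case an auditor would record as a finding: revoked late, still active, disabled with no timestamp (timing cannot be evidenced), or absent from the export altogether (no record at all).

```python
"""Leaver access-revocation check for an internal audit sample.

Added example, not from the original article. Inputs are constructed
CSV exports: an HR leaver list and an identity-provider (IdP) user
export. The SLA is an assumed policy value.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Constructed sample: HR leaver extract for the audit period.
HR_LEAVERS_CSV = """\
email,last_working_day
a.ross@example.com,2026-02-03
b.lee@example.com,2026-02-10
c.diaz@example.com,2026-02-17
d.kim@example.com,2026-02-24
"""

# Constructed sample: IdP user export. disabled_at is empty when the
# account has never been disabled. d.kim is deliberately missing.
IDP_USERS_CSV = """\
email,status,disabled_at
a.ross@example.com,disabled,2026-02-03T18:02:00
b.lee@example.com,disabled,2026-02-19T09:15:00
c.diaz@example.com,active,
"""

# Assumed policy: access revoked by the end of the day after the last working day.
SLA = timedelta(days=1)


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str


def _parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def check_leavers(hr_csv: str, idp_csv: str, sla: timedelta = SLA) -> list[Finding]:
    """Return one Finding per leaver whose revocation cannot be evidenced on time.

    A missing record is treated as a finding, not as 'probably fine':
    verbal assurance is not evidence.
    """
    idp = {row["email"].strip().lower(): row for row in _parse_csv(idp_csv)}
    findings: list[Finding] = []

    for leaver in _parse_csv(hr_csv):
        email = leaver["email"].strip().lower()
        last_day = date.fromisoformat(leaver["last_working_day"])
        # Deadline is the end of the last working day plus the SLA window.
        deadline = datetime.combine(last_day, time.max) + sla

        record = idp.get(email)
        if record is None:
            findings.append(Finding(email, "no account record in IdP export"))
            continue
        if record["status"].strip().lower() != "disabled":
            findings.append(Finding(email, f"account still {record['status']}"))
            continue
        if not record["disabled_at"].strip():
            findings.append(Finding(email, "disabled but undated: timing cannot be evidenced"))
            continue

        disabled_at = datetime.fromisoformat(record["disabled_at"].strip())
        if disabled_at > deadline:
            late = disabled_at - deadline
            findings.append(
                Finding(email, f"revoked {late.days} day(s) after the {sla.days}-day deadline")
            )
    return findings


if __name__ == "__main__":
    results = check_leavers(HR_LEAVERS_CSV, IDP_USERS_CSV)
    if not results:
        print("All sampled leavers revoked within SLA.")
    for finding in results:
        print(f"FINDING {finding.email}: {finding.reason}")
```

Run it over the real exports for your sample and attach the output, the sample list and the SLA you applied to the finding; that is the objective evidence Clause 9.2 expects, and the same script reused next period shows whether the corrective action held.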

Record findings honestly

An internal audit that finds nothing is a warning sign, not a success. External auditors are wary of a clean internal audit that precedes a messy Stage 2.

Document what you find with enough detail to act on:

  • The finding and the clause or control it relates to.
  • Objective evidence, including what you sampled.
  • A classification: nonconformity, observation or opportunity for improvement.
  • An owner and a target date for correction.

Then feed nonconformities into your corrective action process. Root cause matters more than a quick patch. If leaver access was missed, ask why the offboarding trigger failed rather than just closing the one ticket.

Close the loop before the auditor arrives

Findings only count if they lead somewhere. Track each to closure, verify the fix held, and bring the results into your management review. That gives leadership a real picture of ISMS health and shows the auditor a system that learns.

Give yourself enough runway. Running the internal audit a week before Stage 2 leaves no time to fix what you find. Two to three months is more realistic.

Bottom line

A strong internal audit is independent, planned, evidenced and honest. Done well, it turns the external audit into a confirmation rather than a discovery. If you are unsure whether your internal audit would hold up, a short readiness review can show you where the gaps are while you still have time to close them.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands, and what to fix first, while there is still time to act on it.