The important thing about an ISO 27001 internal audit is that its purpose is to ensure that the management system is effective. It is not specifically about checking security. The management system is supposed to ensure that security is effective, so as long as the management system is working, the organization should be appropriately secure. It's not that security is not looked at; after all, the state of security was “caused” by the management system and thus will reflect its health. But intensive security auditing, possibly appropriate for other reasons, is not the goal of ISO 27001.

Cavendish Scott has 25 years of experience auditing management systems. We are process experts, have wide-ranging experience, and understand the needs of information security. We provide objective evidence of problems, alerting management before the ISO auditor finds issues, but we also provide subjective suggestions for improvements, streamlining, or strengthening conformance, based on experience and supported by evidence. We save you the problem of finding internal resources, training them, and still worrying about how thorough and effective they are. We provide the assurance that your ISO certification is safe and that your organization is appropriately secure. Contact us to find out how you can get that assurance.


You've Got Security. How Are Your Processes?