
Internal Audit ISO 27001

Find weaknesses before the auditor does.

Our certified Lead Auditors review your ISMS with the same methodology as the external certification body - so you have no surprises in the real audit.

ISO/IEC 27001:2022 · Certified Lead Auditors · ISO 19011 compliant
AUDIT REPORT - SAMPLE
MAJOR - A.8.2 ACCESS RIGHTS

No regular recertification of access rights. Former employees still had active accounts after 6 months.

MINOR - A.8.13 BACKUP

Backup restore tests not documented. Last verified restoration more than 12 months ago.

OBSERVATION - A.6.3 TRAINING

Awareness training takes place but effectiveness is not systematically measured.

STRENGTH - A.16.1 INCIDENT MANAGEMENT

Exemplary incident response procedure with clear escalation paths and regular exercises.

Certification readiness: 78% · 3 measures prioritised

Trusted by over 200 organisations

Internal audits conducted: 100+
Pass the certification audit first time: 93%
Years of audit experience: 10+
Time to individual quote: 24h

Why do organisations fail the certification audit?

The most common causes of Major nonconformities are avoidable - if you look carefully beforehand.

Organisational blind spots

Teams that built their own ISMS systematically overlook their own gaps. An external perspective uncovers what is taken for granted internally - but is not compliant with the standard.

Documentation vs. reality

The ISMS is perfect on paper - but in day-to-day operations processes are bypassed, exceptions go undocumented, and controls are not practised. That is exactly what the external auditor checks.

Time pressure before the audit

Many organisations only start audit preparation shortly before the certification date. Major nonconformities discovered at that stage can cost months and thousands of euros.

Our audit process

The 5-phase audit process

From scoping through document review and on-site audit to the verified remediation of all nonconformities.

  1. Scoping & audit planning: Joint definition of the audit scope, the areas and controls to be examined. Creation of a detailed audit plan with timeline and points of contact.
  2. Document review: Advance analysis of your ISMS documentation: policy, risk assessment, SoA, guidelines, and procedures. Identification of gaps and inconsistencies.
  3. On-site audit: Interviews with process owners, sample checks, technical verification, and walkthroughs. We examine whether your ISMS is not only documented but genuinely practised.
  4. Audit report & action plan: Structured report with findings (Major/Minor/Observation/Strength), prioritised action plan, and concrete recommendations for remediation.
  5. Follow-up & verification: Support in implementing corrective actions. Verification of the remediation of nonconformities before the external certification audit.

Why AWARE7 for your internal audit

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting corporations are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - tailored to SMEs, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing e-mails, and are published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are directly employed (subject to social insurance) and uniformly bound by the same legal obligations. VS-NfD compliant on request.

Fixed price in 24h - predictable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional charges, no surprises. Thanks to a well-established team and standardised processes, you receive a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the re-test. You book appointments directly with your contact - no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

SMEs with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to make a convincing case internally - and need a report written in board-level language to do so, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contribution to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German version).

Your Lead Auditors

IRCA-certified ISO 27001 Lead Auditors with 10+ years of audit experience - for internal audits that genuinely prepare you for certification.

Frequently asked questions about internal audits

Questions about the process, findings, costs, or technical testing? Find answers here.

ISO 27001 (Clause 9.2) requires regular internal audits as part of the continual improvement process (PDCA cycle - Plan-Do-Check-Act). Internal audits are the best preparation for the external certification audit - they uncover weaknesses before the external auditor finds them. Without evidence of internal audits, certification is not possible.

In principle yes, but ISO 27001 requires objectivity and impartiality from the auditor. Whoever implemented a process may not audit it themselves. In SMEs in particular, resources and the necessary distance are often lacking. An external internal auditor brings a fresh perspective, industry experience, and benchmarking knowledge - and saves you from having to build internal audit competence.

ISO 27001 requires at least annual internal audits covering the entire ISMS scope. In practice many organisations distribute audits across the year: different areas are reviewed at different times (rolling audit schedule). We recommend auditing critical controls more frequently.

A Major nonconformity is a serious failure: a key control element is missing, does not function, or was never implemented. A Minor nonconformity is a lesser deficiency that does not endanger the overall effectiveness of the ISMS. Both must be remedied before certification, but Major nonconformities require immediate corrective action with root cause analysis.

An internal audit is conducted by or on behalf of the organisation itself and serves as a self-assessment. The external certification audit is conducted by an accredited certification body (e.g. TÜV, DEKRA) and leads to ISO 27001 certification on successful completion. Our internal audit simulates the external audit in methodology and depth - so that you have no surprises in the real audit.

Our audit report contains: an executive summary for management, detailed findings with evidence and standard reference, classification of each finding (Major/Minor/Observation/Strength), a prioritised action plan with responsibilities and deadlines, and an overall assessment of your certification readiness. The report is structured so that it can serve directly as evidence for the external auditor.

Costs depend on scope size, number of sites, and the complexity of your ISMS. For an SME with 50-200 employees and a single site, the investment is typically EUR 3,000-8,000 for a complete internal audit including document review, on-site audit, and report. We provide an individual quote within 24 hours.

An internal audit for an SME typically takes 3-5 audit days on-site, plus 2-3 days for document review and report preparation. For larger organisations or multiple sites we plan correspondingly more time. From engagement to completed report: typically 2-4 weeks.

Yes. In addition to the organisational review (policies, processes, responsibilities), we also verify technical controls: access controls, network segmentation, patch management, backup procedures, logging, and monitoring. Where appropriate, we can combine the internal audit with a technical vulnerability scan.

Ready for your internal audit?

93% of organisations audited by AWARE7 pass their certification audit on the first attempt. Your individual quote is ready within 24 hours.

Free · 30 minutes · No obligation