Booking audits — 24–72hr draft turnaround
Fixed Fee · £299 UK · ISO 27001:2022
SMP · Sample deliverable

What you actually receive.

Below is a redacted, representative sample of the internal audit report we deliver. Company names, system identifiers, and personnel details have been replaced with placeholders. The structure, methodology, and depth of analysis are real.

Format
PDF · approximately 18–28 pages
Sections
Executive summary, scope, methodology, findings, coverage matrix, sign-off
Delivery
Email, 24–72 hours after onboarding
Revisits
One free, then £150 each
Note

This is a fictional sample produced for illustration only. The "Demo Company Ltd" details, findings, and reference numbers do not relate to any real organisation. Reports we deliver in production follow this structure but are tailored entirely to your ISMS, scope, and evidence.

SAMPLE · NOT FOR ISSUE
Internal Audit Report · № IC-2026-0418

ISO/IEC 27001:2022 Internal Audit Report

Demo Company Ltd — Information Security Management System

Auditee
Demo Company Ltd
Audit period
14–16 April 2026
Standard
ISO/IEC 27001:2022
Report date
18 April 2026
Auditor
InternalCheck (external)
Document version
1.0 — Draft
Quality Assured
01.

Executive summary

This report documents the findings of the internal audit conducted at Demo Company Ltd against the requirements of ISO/IEC 27001:2022. The audit was performed by InternalCheck, an external party with no operational involvement in Acme's information security management system (ISMS), satisfying the impartiality requirement of clause 9.2.2(c).

The audit covered all clauses of ISO/IEC 27001:2022 (clauses 4 through 10) and the 93 controls of Annex A as referenced in the auditee's Statement of Applicability (SoA), version 2.4 dated 02 March 2026. Evidence was reviewed via read-only access to Acme's Vanta tenant, supplemented by sampled interviews and document inspection.

Overall conclusion. The ISMS is broadly conformant with ISO/IEC 27001:2022. The audit identified one major nonconformity, three minor nonconformities, and five opportunities for improvement. The major nonconformity relates to incomplete documented evidence of management review outputs (clause 9.3.3). The minor findings relate to access review cadence, supplier risk assessment timeliness, and incident classification consistency.

None of the findings indicate a fundamental breakdown of the ISMS. The major nonconformity is procedural and is addressable within the standard 30-day window typically afforded by certification bodies for stage 2 or surveillance audits.

1 Major NC · 3 Minor NC · 5 OFI · 84 Conformant
02.

Scope, criteria & objectives

Audit scope

The scope of this internal audit is aligned with the documented ISMS scope of Demo Company Ltd as defined in its scope statement (DOC-ISMS-001, v1.3):

ISMS scope statement (verbatim)

"The design, development, hosting, and support of Acme's cloud-based [SaaS product line], including all corporate functions supporting these activities, conducted from the company's UK head office and remote employees within the United Kingdom and the European Union."

Audit criteria

  • ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements
  • Demo Company Ltd — Statement of Applicability (SoA), v2.4, dated 02/03/2026
  • Acme's documented ISMS policies, procedures, and records
  • Acme's information security objectives for the 2026 calendar year

Audit objectives

  • Determine the extent to which Acme's ISMS conforms to the requirements of ISO/IEC 27001:2022
  • Determine whether the ISMS has been effectively implemented and is being maintained
  • Identify nonconformities, opportunities for improvement, and areas of good practice
  • Provide management with information to support continual improvement of the ISMS

Out of scope

The following were explicitly excluded from this internal audit, in line with the documented ISMS scope: physical security of customer-managed environments, cloud infrastructure operated and audited by AWS under shared-responsibility, and any non-UK/EU subsidiary operations.

03.

Audit methodology

The audit was conducted using a risk-based, evidence-led approach. Sampling was applied where populations of records (e.g. starters/leavers, change requests, supplier reviews) made full inspection impractical.

Audit activities

  • Document review. 47 ISMS documents inspected, including policies, procedures, registers, and records, retrieved from the Vanta documentation library and supporting Google Drive folders.
  • Evidence sampling. Risk-based samples drawn from 12 control populations, including access reviews (sample of 8 from a population of 41), starter/leaver records (sample of 6 from 14), and change requests (sample of 10 from 87).
  • Interviews. Four sampled interviews conducted via video call: Information Security Manager, Head of Engineering, People Operations Lead, and a randomly sampled engineer.
  • System inspection. Read-only walkthrough of Vanta dashboards, AWS IAM (via screen-share), and the corporate SSO admin console.

Finding classification

  • Major nonconformity. A failure to fulfil a requirement of ISO/IEC 27001:2022 that compromises the ability of the ISMS to achieve its intended outcomes, or the absence/total failure of an entire process.
  • Minor nonconformity. A single observed lapse in conforming to a requirement which does not, in isolation, undermine the effectiveness of the ISMS.
  • Opportunity for improvement (OFI). An observation that does not constitute a nonconformity but where, in the auditor's judgement, the ISMS could be strengthened.

Quality assurance

This report was subject to a structured two-stage quality review prior to issue: a methodology and evidence pass, and a separate findings classification and language consistency pass. Both reviews are recorded internally against report reference IC-2026-0418.

04.

Findings at a glance

The table below lists every finding raised during this audit. Detailed entries follow in section 05.

ID · Clause / Control · Type · Summary
F-01 · 9.3.3 · Major NC · Management review outputs not consistently documented across the last three reviews.
F-02 · A.5.18 · Minor NC · Quarterly access reviews overdue for two of eight sampled production systems.
F-03 · A.5.19 · Minor NC · Annual supplier risk reassessment not performed for three of nine critical suppliers.
F-04 · A.5.24 · Minor NC · Inconsistent severity classification across two recent security incidents.
F-05 · 7.3 · OFI · Security awareness content has not been refreshed since onboarding rollout.
F-06 · A.8.16 · OFI · Monitoring alert thresholds for the staging environment are looser than production without documented rationale.
F-07 · A.5.30 · OFI · Business continuity testing has been conducted but lessons-learned not recorded in the ISMS.
F-08 · 6.1.3 · OFI · Risk treatment plan would benefit from explicit residual risk owners.
F-09 · A.6.3 · OFI · Onboarding training completion records would benefit from automated reminders.
05.

Detailed findings

Finding F-01
Clause 9.3.3 · Management review results
Major NC

Management review outputs not consistently documented

Requirement
ISO/IEC 27001:2022 clause 9.3.3 requires that the results of the management review include decisions related to continual improvement opportunities and any need for changes to the ISMS, and that documented information is retained as evidence of the results.
Evidence reviewed
Management review minutes for the three reviews held on 12/06/2025, 09/10/2025, and 22/01/2026.
Observation
Of the three reviews inspected, only the January 2026 review contained explicit, traceable decisions and assigned owners. The June and October 2025 records consist of attendance lists, agendas, and discussion notes, but do not document decisions, actions, or owners arising from the review.
Impact
The ISMS cannot demonstrate, on documented evidence, that top management has driven continual improvement decisions across the audit period. This is a structural gap in the management review process.
Recommendation
Adopt a standard management review template that mandates capture of decisions, actions, owners, and target dates. Apply retrospectively to the two affected reviews where reasonable reconstruction is possible from attendees.
Finding F-02
Annex A.5.18 · Access rights
Minor NC

Quarterly access reviews overdue on production systems

Requirement
A.5.18 requires that access rights be reviewed regularly. Acme's documented procedure (POL-AC-002) commits to quarterly reviews for production systems.
Evidence reviewed
Sample of eight production-tier systems drawn from the 41-system production register. Last-review dates retrieved from Vanta access review records.
Observation
Two of the eight sampled systems ([SYSTEM-A] and [SYSTEM-C]) had not been reviewed within the prior 90-day window at the time of audit, with elapsed periods of 118 and 134 days respectively.
Recommendation
Configure Vanta to issue review reminders 14 days ahead of the quarterly cadence and escalate to the Information Security Manager at 90 days. Conduct the overdue reviews and document outcomes.
Finding F-03
Annex A.5.19 · Information security in supplier relationships
Minor NC

Annual supplier risk reassessment overdue for critical suppliers

Requirement
A.5.19 requires processes to manage information security risks associated with supplier products and services. Acme's documented procedure (POL-SUP-001) commits to annual reassessment of suppliers classified as critical.
Evidence reviewed
Supplier register listing 9 critical suppliers; reassessment records and SOC 2 / ISO 27001 evidence retrieved from the supplier evidence folder.
Observation
Three of the nine critical suppliers had not been reassessed within the documented 12-month cadence, with the most recent assessment dated 14–16 months prior to the audit.
Recommendation
Bring the three overdue assessments up to date and adopt a calendar-driven review cycle with named owners.
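Findings F-02 and F-03 are both cadence checks: a committed review interval (90 days for production access reviews, 12 months for critical suppliers) compared against the date of the last recorded review. The script below, an added illustration and not part of the sample report or of any Vanta feature, shows how such a check can be run over a register before an audit so that overdue items surface ahead of time. The register entries, dates and the "ReviewRecord" type are constructed for this example; the 118- and 134-day gaps mirror the figures in F-02, and the supplier entry mirrors the 14-16 month gap in F-03.

```python
from dataclasses import dataclass
from datetime import date


# Hypothetical register entry: one system or supplier, the date of its last
# recorded review, and the cadence (in days) committed to in the procedure.
@dataclass(frozen=True)
class ReviewRecord:
    name: str
    last_review: date
    cadence_days: int


# Date the check is run against (the last day of the sample audit period).
AUDIT_DATE = date(2026, 4, 16)

# Constructed sample register. SYSTEM-A and SYSTEM-C reproduce the 118- and
# 134-day gaps from F-02; SUPPLIER-X is roughly 16 months past its last
# reassessment, as in F-03. The other entries are within cadence.
SAMPLE_REGISTER = [
    ReviewRecord("SYSTEM-A", date(2025, 12, 19), 90),
    ReviewRecord("SYSTEM-B", date(2026, 1, 20), 90),
    ReviewRecord("SYSTEM-C", date(2025, 12, 3), 90),
    ReviewRecord("SYSTEM-D", date(2026, 3, 1), 90),
    ReviewRecord("SUPPLIER-X", date(2024, 12, 10), 365),
]


def review_status(record, as_of, reminder_lead_days=14):
    """Return (status, elapsed_days) for one record.

    'overdue'  - elapsed days exceed the cadence (a lapse against the procedure)
    'reminder' - within reminder_lead_days of the cadence (reminder is due,
                 matching the 14-day lead recommended in F-02)
    'current'  - nothing to do yet
    """
    elapsed = (as_of - record.last_review).days
    if elapsed > record.cadence_days:
        return "overdue", elapsed
    if elapsed >= record.cadence_days - reminder_lead_days:
        return "reminder", elapsed
    return "current", elapsed


def overdue_items(register, as_of):
    """(name, elapsed_days) for every record past its cadence, in register order."""
    result = []
    for record in register:
        status, elapsed = review_status(record, as_of)
        if status == "overdue":
            result.append((record.name, elapsed))
    return result


def report(register, as_of):
    """Plain-text status table suitable for pasting into audit working notes."""
    lines = []
    for record in register:
        status, elapsed = review_status(record, as_of)
        lines.append(
            f"{record.name:<12} last reviewed {record.last_review.isoformat()}  "
            f"elapsed {elapsed:>4}d  cadence {record.cadence_days:>3}d  {status.upper()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REGISTER, AUDIT_DATE))
    print("Overdue:", overdue_items(SAMPLE_REGISTER, AUDIT_DATE))
```

Run against the constructed register on 16 April 2026 this flags SYSTEM-A (118 days), SYSTEM-C (134 days) and SUPPLIER-X (492 days) as overdue and SYSTEM-B as due a reminder. Treating the cadence as data on each record is what lets one check cover both the quarterly access reviews of F-02 and the annual supplier reassessments of F-03.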
Finding F-04
Annex A.5.24 · Information security incident management planning and preparation
Minor NC

Inconsistent severity classification across recent incidents

Requirement
A.5.24 requires planned and prepared incident management. Acme's incident response procedure (POL-IR-001) defines a four-tier severity scale with explicit criteria.
Evidence reviewed
Two security incidents logged in the last 90 days (INC-2026-007 and INC-2026-011), retrieved from the incident register.
Observation
INC-2026-007 was classified as "Sev 2" despite meeting the documented criteria for "Sev 3" (no customer data exposure, contained within 4 hours). INC-2026-011 was classified as "Sev 3" despite arguably meeting "Sev 2" criteria. The classifications appear to reflect informal judgement rather than documented criteria.
Recommendation
Add a brief classification rationale field to the incident template and require it to reference the specific severity criteria met.
Finding F-05
Clause 7.3 · Awareness
OFI

Security awareness content not refreshed since rollout

Observation
The security awareness training content delivered to all staff has not been updated since the initial ISMS rollout in Q3 2024. Training completion is being tracked correctly and conformance with clause 7.3 is met, but the content does not reflect the threat landscape evolution since 2024 (notably, recent prompt-injection and supply-chain attack patterns relevant to Acme's product).
Recommendation
Schedule an annual content refresh tied to the management review cycle.
Finding F-06
Annex A.8.16 · Monitoring activities
OFI

Alert thresholds differ between staging and production without documented rationale

Observation
Monitoring alert thresholds for the staging environment are demonstrably looser than for production. This is a defensible design choice — staging is non-customer-facing — but the rationale is not documented, which makes the asymmetry difficult to defend if challenged.
Recommendation
Add a brief written rationale to the monitoring policy explaining the staging-versus-production threshold model.
Finding F-07
Annex A.5.30 · ICT readiness for business continuity
OFI

Business continuity testing conducted but lessons not formally recorded

Observation
A tabletop exercise was conducted on 27/02/2026. Outcomes were discussed informally and a Slack thread captures key takeaways, but no formal lessons-learned record exists in the ISMS document set. Conformance is met but evidence is fragile.
Recommendation
Adopt a standard tabletop output template capturing scenario, observed gaps, actions, and owners.
Finding F-08
Clause 6.1.3 · Information security risk treatment
OFI

Residual risks would benefit from explicit owners

Observation
The risk treatment plan correctly identifies treatments and target dates. Residual risk owners are implied by the source risk owner but not explicitly named, which can become ambiguous after personnel changes.
Recommendation
Add an explicit "residual risk owner" column to the risk register.
Finding F-09
Annex A.6.3 · Information security awareness, education and training
OFI

Onboarding training completion would benefit from automated reminders

Observation
Onboarding training is being completed on time in the sampled records, but the process relies on manual follow-up by the People Operations Lead. This is workable at current headcount but unlikely to scale.
Recommendation
Configure Vanta or the HRIS to issue automated reminders at +7, +14, and +21 days for incomplete onboarding modules.
06.

Clause & control coverage matrix

The matrix below summarises the audit's coverage of ISO/IEC 27001:2022 clauses. A complete control-by-control matrix for all 93 Annex A controls is provided in Appendix A of the full report (omitted from this sample for brevity).

Clause · Title · Status · Findings
4 · Context of the organisation · Conformant · none
5 · Leadership · Conformant · none
6.1.2 · Risk assessment · Conformant · none
6.1.3 · Risk treatment · OFI · F-08
6.2 · Information security objectives · Conformant · none
7.2 · Competence · Conformant · none
7.3 · Awareness · OFI · F-05
7.5 · Documented information · Conformant · none
8.1 · Operational planning and control · Conformant · none
8.2 · Risk assessment (operational) · Conformant · none
8.3 · Risk treatment (operational) · Conformant · none
9.1 · Monitoring, measurement, analysis & evaluation · Conformant · none
9.2 · Internal audit · Conformant · none
9.3 · Management review · Major NC · F-01
10.1 · Continual improvement · Conformant · none
10.2 · Nonconformity & corrective action · Conformant · none
07.

Conclusion & sign-off

Demo Company Ltd's ISMS is broadly conformant with the requirements of ISO/IEC 27001:2022. The findings raised in this report are addressable and do not indicate fundamental weaknesses in the ISMS. The major nonconformity (F-01, management review outputs) is procedural and can be remediated through adoption of a structured review template and a backfill exercise.

It is recommended that:

  • Corrective actions for F-01 through F-04 be planned and tracked in the corrective action register, with target completion no later than 30 days from the date of issue of this report.
  • The five opportunities for improvement be considered at the next management review and addressed where they support the 2026 information security objectives.
  • A revisit be scheduled following remediation of the major and minor findings to verify closure.
Audit conducted by
— InternalCheck
External Internal Audit Provider
18 April 2026
Report version
v1.0 — Draft
For management review and acceptance
Reference: IC-2026-0418

Get a report like this for your ISMS.

Fixed £299. Draft in 24–72 hours after onboarding. One free revisit included.

Book your audit