Internal Audit

For ISO 27001 and ISO 42001, yes — formally required, no exceptions. Without one, you can't proceed at Stage 2. For SOC 2 and BSI C5, it's not mandated — but mature programmes run one anyway, because auditors and customers increasingly expect evidence of independent internal testing.

Scoping, structured interviews and evidence reviews, a closing meeting, and a severity-rated findings report within five business days. Remediation guidance through closure is included.

Internal audit is your own test of whether the ISMS works — on your timeline, findings yours to fix. External audit is a certification body or regulator deciding whether you meet the standard — on their timeline, findings in the report that decides your certificate.

Yes, if the auditor is independent of the function being audited. Across frameworks that require it, auditors must be objective and impartial — they can't have designed, implemented, or operated the controls they're testing. Larger organisations with separate compliance or audit functions can do this in-house. Smaller ones rarely can — and when the same team builds and audits the programme, the result is friendly findings, familiar blind spots, and confirmation bias.

No. Platforms like Vanta, Drata, or Scytale are great at collecting evidence and monitoring controls, but an audit is an independent test by a qualified auditor — not a dashboard check.

No tool is strictly required. Internal audits can be run with anything from a compliance platform to a spreadsheet and a document repository. What matters is that evidence is organised, traceable, and reviewable by an independent auditor — not the software behind it.

Yes, and it's often the efficient choice. Common controls — access management, incident response, change control, vendor management — overlap significantly across ISO 27001, SOC 2, BSI C5, and ISO 42001.

Findings are classified by severity: observations (improvement points), minor nonconformities (a control partly meeting the standard), and major nonconformities (a control missing, broken, or systemically failing). Minor findings typically close within 30–90 days. Majors need to be resolved before an external audit or regulatory review — but "serious" doesn't mean "terminal." Handled properly, even majors become evidence the programme is working.

It depends on the framework. For ISO 27001 and ISO 42001, yes — the audit is part of what the external auditor reviews. For SOC 2 and BSI C5 external auditors only see it if you reference it in your programme or share it. Either way: findings aren't red flags. What auditors don't want to see is a programme that never finds anything, or finds things and doesn't close them.

A severity-rated findings report, an executive summary written for leadership, and a closing meeting that aligns the team on next steps. Every finding is sourced to evidence. For ISO 27001 and ISO 42001, the report and your closure record become the evidence your certification body or regulator will review. For SOC 2 and BSI C5, they're internal artefacts that drive your improvement cycle — and increasingly, evidence customers and auditors want to see anyway.

Most organisations time them 6–10 weeks before the external audit or regulatory review, with ad-hoc audits triggered by significant changes or incidents.

Depends on the framework. ISO 27001 and ISO 42001 require internal audits at planned intervals — typically annually, with full coverage across a three-year certification cycle. SOC 2 and BSI C5 don't mandate a frequency, but mature programmes run one annually.

A few ways. We're auditor-led — our team actively audits for UKAS and DAkkS accredited certification bodies. We're built for tech teams — tool-agnostic and fluent in the technology underneath your controls. And we're structured differently — fixed scope, fixed price, no separate engagement for remediation.