
ISO 27001: Using the Standard as an Audit Framework

Kamran Iqbal, CIA, CISA, CFE, CRMA. June 2026.
ISO/IEC 27001 is the international standard for information security management systems. It provides a structured framework for establishing, implementing, maintaining, and continually improving information security and, unlike most security frameworks, it is designed for accredited independent certification. For internal auditors approaching cybersecurity work, ISO 27001 provides a comprehensive set of audit criteria that can be applied effectively without deep technical expertise.

What ISO 27001 Covers

ISO 27001 consists of two parts: the main standard (Clauses 4 to 10), which describes the requirements for an Information Security Management System (ISMS), and Annex A, which in the 2022 edition contains ninety-three controls grouped into four themes: Organisational Controls (A.5), People Controls (A.6), Physical Controls (A.7), and Technological Controls (A.8).

The main standard requirements address governance and management system elements: context establishment, leadership and commitment, risk assessment methodology, statement of applicability, treatment plans, and the management review and internal audit requirements of the ISMS itself. These are the process and governance controls that determine whether the ISMS is being managed effectively as an ongoing programme rather than implemented once and left static.

Annex A controls are the operational security measures the organisation must consider when treating its risks. Not every Annex A control has to be implemented, but the standard does not leave the choice open-ended: the organisation must compare its risk-treatment controls against Annex A, record each control in the Statement of Applicability, and justify every exclusion. This tailoring mechanism makes the standard practical for organisations of different sizes and risk profiles while keeping the tailoring itself auditable.

Using ISO 27001 as Audit Criteria

For internal auditors, ISO 27001 provides several valuable functions as an audit framework. First, it defines a comprehensive set of security controls that can serve as criteria for assessing the completeness of the organisation's security programme — regardless of whether the organisation is pursuing certification. An information security audit structured around the Annex A control domains will systematically cover the major risk areas without requiring the auditor to construct criteria from scratch.

Second, the risk assessment methodology requirements of the main standard provide criteria for assessing whether the organisation's information security decisions are appropriately risk-based. A programme that implements controls based purely on regulatory requirements and vendor recommendations without a systematic risk assessment process will show gaps against these criteria — indicating a fundamental governance weakness in how security investments are prioritised.

Third, ISO 27001's explicit requirements for management commitment, internal audit of the ISMS, and management review create governance criteria that are directly testable. Is the information security function reporting to an appropriate level of seniority? Does senior leadership review ISMS performance regularly? Are internal audits of the ISMS conducted, and are findings acted upon? These are straightforward procedural tests with significant governance implications.

Key Annex A Domains for IT Auditors

Access control (A.5.15–A.5.18, with privileged access rights in A.8.2): Identity management, authentication information, and the provisioning, review, and removal of access rights, including privileged rights. These controls directly overlap with IT general control access management work, and ISO 27001 provides a risk-based framework for assessing their adequacy and completeness. The most productive tests are reconciliations: active accounts against the HR leaver list, privileged accounts against recent use, and every enabled account against a named owner.
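The reconciliation tests described above, written out as a small audit script. This is an added example, not part of the article: the account and HR records are constructed sample data, and the finding codes, the one-day de-provisioning SLA and the 90-day dormancy threshold are assumptions chosen for the illustration rather than values the standard prescribes.

```python
"""Automated access-rights review for ISO 27001:2022 A.5.18 / A.8.2.

Added example (not from the article). Three tests are run over an account
export and an HR extract: leavers whose accounts are still enabled,
enabled accounts with no HR owner, and privileged accounts that are
dormant. All data below is constructed; thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None: no HR owner (service or orphan account)
    enabled: bool
    privileged: bool
    last_login: Optional[date]   # None: never logged in


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                  # "active" or "leaver"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    username: str
    code: str                    # ORPHAN, LEAVER_ACTIVE or DORMANT_PRIV
    detail: str


def review_access(accounts: List[Account], hr_records: List[HrRecord],
                  review_date: date, deprov_sla_days: int = 1,
                  dormant_days: int = 90) -> List[Finding]:
    """Return one Finding per control failure; a clean account yields none."""
    hr_by_id = {r.employee_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts cannot be used; out of scope here
        owner = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings.append(Finding(acct.username, "ORPHAN",
                                    "enabled account with no HR owner"))
        elif owner.status == "leaver" and owner.termination_date is not None:
            overdue = (review_date - owner.termination_date).days - deprov_sla_days
            if overdue > 0:
                findings.append(Finding(acct.username, "LEAVER_ACTIVE",
                                        f"enabled {overdue} days past de-provisioning SLA"))
        if acct.privileged:
            if acct.last_login is None:
                findings.append(Finding(acct.username, "DORMANT_PRIV",
                                        "privileged account never used"))
            else:
                idle = (review_date - acct.last_login).days
                if idle > dormant_days:
                    findings.append(Finding(acct.username, "DORMANT_PRIV",
                                            f"privileged account unused for {idle} days"))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Collapse findings to {username: sorted finding codes} for reporting."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.username, []).append(f.code)
    return {u: sorted(codes) for u, codes in out.items()}


# Constructed sample extracts: an IdP account export and an HR feed.
SAMPLE_ACCOUNTS = [
    Account("alice", "E1", True, False, date(2026, 6, 10)),    # clean
    Account("bob", "E2", True, False, date(2026, 5, 2)),       # leaver, still enabled
    Account("carol", "E3", True, True, None),                  # privileged, never used
    Account("dave", "E4", False, True, date(2026, 1, 3)),      # leaver, correctly disabled
    Account("erin", "E5", True, False, date(2026, 6, 13)),     # left yesterday, within SLA
    Account("svc_backup", None, True, True, date(2025, 11, 1)),  # orphan and dormant
]
SAMPLE_HR = [
    HrRecord("E1", "active"),
    HrRecord("E2", "leaver", date(2026, 5, 1)),
    HrRecord("E3", "active"),
    HrRecord("E4", "leaver", date(2026, 1, 5)),
    HrRecord("E5", "leaver", date(2026, 6, 14)),
]
REVIEW_DATE = date(2026, 6, 15)


def run_sample() -> Dict[str, List[str]]:
    return findings_by_user(review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, REVIEW_DATE))


if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, REVIEW_DATE):
        print(f"{f.code:<13} {f.username:<11} {f.detail}")
```

The three reconciliations correspond to the three failure modes an auditor most often finds under A.5.18: de-provisioning that lags the HR event, accounts nobody owns, and standing privilege that is never exercised and therefore never reviewed. Each finding carries the evidence (the days overdue or idle) so that the workpaper can cite it directly.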

Asset management (A.5.9–A.5.14, with storage media in A.7.10): Inventory of information and associated assets, acceptable use and return of assets, classification and labelling of information, and information transfer. Without an accurate asset inventory, comprehensive security coverage is structurally impossible: you cannot protect assets whose existence you cannot see, so a useful first test is to reconcile the inventory against an independent source such as network discovery or cloud account listings.

Supplier relationships (A.5.19–A.5.22): Security requirements in supplier agreements, security in the ICT supply chain, and monitoring, review and change management of supplier services. This aligns directly with third-party risk management work and provides specific control criteria for that assessment area, including the software and hardware components an organisation depends on rather than only the services it contracts for.

Information security incident management (A.5.24–A.5.28): Planning and preparation, assessment of and decision on security events, response, learning from incidents, and collection of evidence. Detection itself depends on the logging and monitoring controls in A.8.15 and A.8.16, so those are usually tested alongside this domain. Evaluating whether the organisation has an effective, exercised incident management capability, not merely a documented one, is a critical component of any cybersecurity audit.

ISO 27001 certification means that an accredited certification body has assessed conformance with the standard's requirements at a point in time, on a three-year cycle with annual surveillance audits in between. It is a valuable governance signal, but controls can deteriorate between those visits, and surveillance audits sample rather than cover the whole ISMS. Internal audit's role is to provide the continuous assurance over the control environment that certification assessment alone cannot.

Certification vs. Alignment

Organisations that are not pursuing ISO 27001 certification can still benefit from using the standard as an audit framework. The controls and governance requirements are equally relevant whether or not an external certification audit is planned. For organisations considering certification, internal audit can add significant value by conducting pre-certification gap assessments that identify control weaknesses before the external auditors arrive — giving management the opportunity to remediate gaps and present a stronger control environment to the certification body.
