Audit lab

Learn internal audit, external audit, evidence review, and finding classification

The Audit Lab combines two modes. Internal audit mode focuses on planning, sampling, interviewing, and improvement. External audit mode focuses on certification logic, scope verification, evidence validation, and proportional classification of nonconformities.
Internal audit mode
Purpose, planning, sampling, interviews, evidence collection, gap identification, and improvement orientation before certification pressure arrives.
External audit mode
Scope verification, document review, evidence review, control implementation validation, management review, and proportional classification of findings.
Evidence-centered drills
Ask what evidence comes next, whether the sample is sufficient, what makes the weakness systemic, and what follow-up question the auditor would ask.
Purpose of internal audit
Plan sampling, challenge the operating reality, interview process owners, and surface improvement opportunities before certification pressure does it for you.
What to focus on
Process consistency, root causes, weak ownership, and whether the evidence trail is usable for management improvement.

Audit exercises

Evidence, clause impact, and finding classification

Case 1 (mode: internal)
No incident process in scoped operations
During audit interviews, three teams describe different incident escalation paths. No single documented process or training record exists.
What evidence would you ask for?
  • Conflicting interview answers
  • No documented incident workflow
  • No awareness evidence
Which clause is affected?
Is this major, minor, or an observation?
Case 2 (mode: internal)
One late access review
The access review process is documented and operating, but one sampled business unit missed its quarterly review window.
What evidence would you ask for?
  • Process exists and is approved
  • Three teams have current evidence
  • One team is missing the latest record
Which clause is affected?
Is this major, minor, or an observation?
Case 3 (mode: internal)
Management review trend analysis could improve
Management reviews happen on schedule and cover required topics, but the report could show recurring trends more clearly.
What evidence would you ask for?
  • Meeting cadence is respected
  • Required inputs are present
  • Opportunity to improve data storytelling
Which clause is affected?
Is this major, minor, or an observation?

Severity guide

What auditors typically mean

Major nonconformity
Example major nonconformity: the organization states that internal audits are performed annually, but there is no audit programme, no reports, and no evidence of any internal audits in the certification cycle.
Minor nonconformity
Example minor nonconformity: the access review process exists, is documented, and is mostly followed, but one sampled team has no evidence for its latest periodic review.
Observation
Example observation: the incident dashboard works, but trend analysis could be clearer to help management review identify recurring issues earlier.
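The severity guide above and the three exercise cases describe one decision rule: a control that is absent or not operating anywhere in the sample is systemic (major); a documented, operating control with an isolated lapse in the sample is minor; a control that works but could be better is an observation. The Python below is an added worked example, not part of the lab's own material, that encodes that rule and the "what evidence comes next" drill. The `Finding` model, the field names, the sampling threshold in `sample_sufficient` and the three case records are constructed for illustration; the clause mapping is deliberately left to the auditor, as the exercises ask.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """Evidence attributes an auditor records for one sampled control (constructed model)."""
    control: str
    documented: bool              # an approved process or procedure exists
    units_sampled: int            # teams / business units in the audit sample
    units_with_evidence: int      # units that produced current, usable records
    awareness_evidence: bool      # training or awareness records for process owners exist
    improvement_opportunity: str = ""  # note when the control works but could be clearer


def classify(f: Finding) -> str:
    """Proportional classification following the severity guide.

    major       - control absent, or documented but not operating in any sampled unit
    minor       - documented and operating, but at least one sampled unit lacks evidence
    observation - fully evidenced, with an improvement opportunity only
    conforming  - fully evidenced, nothing to report
    """
    if f.units_sampled <= 0 or f.units_with_evidence > f.units_sampled:
        raise ValueError("sample counts are inconsistent")
    if not f.documented or f.units_with_evidence == 0:
        return "major"            # systemic: nothing to show the control is designed or running
    if f.units_with_evidence < f.units_sampled:
        return "minor"            # isolated lapse inside an otherwise operating process
    if f.improvement_opportunity:
        return "observation"
    return "conforming"


def next_evidence(f: Finding) -> list[str]:
    """The follow-up evidence requests an auditor would raise, most fundamental first."""
    asks = []
    if not f.documented:
        asks.append(f"approved procedure or policy for {f.control}")
    missing = f.units_sampled - f.units_with_evidence
    if missing:
        asks.append(f"latest {f.control} record from each of the {missing} unit(s) without current evidence")
    if not f.awareness_evidence:
        asks.append(f"training or awareness records for {f.control} process owners")
    if f.improvement_opportunity:
        asks.append(f"data behind the {f.improvement_opportunity}, to judge whether trends are already visible")
    return asks


def sample_sufficient(units_sampled: int, population: int, min_units: int = 3, min_fraction: float = 0.25) -> bool:
    """Constructed sufficiency rule (an assumption, not an ISO requirement): sample at least
    min_units, or the whole population if it is smaller, and at least min_fraction of it."""
    if population <= 0:
        raise ValueError("population must be positive")
    needed = min(min_units, population)
    return units_sampled >= needed and units_sampled / population >= min_fraction


# The lab's three cases, transcribed into the constructed model.
CASES = {
    "Case 1": Finding("incident management", documented=False, units_sampled=3,
                      units_with_evidence=0, awareness_evidence=False),
    "Case 2": Finding("access review", documented=True, units_sampled=4,
                      units_with_evidence=3, awareness_evidence=True),
    "Case 3": Finding("management review", documented=True, units_sampled=1,
                      units_with_evidence=1, awareness_evidence=True,
                      improvement_opportunity="trend analysis in the report"),
}

if __name__ == "__main__":
    for name, finding in CASES.items():
        print(f"{name}: {classify(finding)}")
        for ask in next_evidence(finding):
            print(f"  ask for: {ask}")
```

Running the block prints major, minor and observation for Cases 1 to 3, matching the severity guide. The useful check is the order of `classify`: a documented process with zero evidenced units still returns major, which is what stops a well-written procedure from masking a control that nobody operates.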