ISO 27001 Internal Audit Training – Beyond the Checklist | Consalta

ZIRA team during ISO 27001 internal audit training workshop with Consalta

Intro

What makes a great ISO 27001 internal audit? It’s not just about clause checklists or perfect documentation. It’s about thinking like an investigator, seeing patterns, asking the right questions, and above all connecting the standard to the real-life processes in your organization.

Earlier this month, we spent two intensive days with the team at ZIRA d.o.o., helping them build exactly those skills. Not through dry theory, but by diving into practical work: reviewing how ISO 27001 clauses play out in real settings, drafting an audit plan that relates directly to their organization, creating audit test scenarios through collaborative exercises, and practicing interviewing skills through realistic role-plays.

However, this blog is not about the training itself. It’s about what any organization can learn from it.

Clause-by-Clause Doesn’t Work—But You Still Need to Know Them

Together we went clause by clause through the whole ISO 27001 standard — but not to memorize the clauses. Instead, we used ZIRA’s own organizational context to analyze and interpret what these clauses actually require in practice.

When you understand what a clause wants rather than just what it says, you can ask better questions, spot smarter evidence, and avoid false positives.

The first part of our training focused on laying a strong foundation in information security principles through the lens of ISO 27001. We challenged participants to look past the wording of clauses and instead focus on the intent behind them.

Good Audits Start Before the Audit

Once the team had a strong grasp of the standard’s underlying logic, we moved into practical application and explored how to apply that knowledge in audit planning. Here is the thing: before you ever step into a department or ask your first question, preparation is 80% of the job. But preparation isn’t just about documents—it’s about mindset.

We then focused on how to translate that understanding into audit preparation—from risk-based planning to building targeted checklists and audit test scenarios. The goal was to give the team tools to follow risks across departments and identify meaningful evidence—not just fill out forms.

Planning Like a Pro

One of the most common mistakes we see in internal audits is treating the Audit Plan like a set of calendar invites. We flipped the script.

Together with the ZIRA team, we built an audit plan around themes: data access, supplier management, incident response. Then we mapped the real stakeholders, questions, and possible evidence across those themes.

Your audit plan should never look like a meeting schedule. Plan around risks, not just departments.

Role-Playing: Where the Real Learning Happens

It’s easy to talk about auditing. It’s much harder to interview a colleague and uncover something they didn’t even know was an issue.

We simulated actual interviews, encouraged follow-up probing, and worked through body language, hesitation, and inconsistent responses. Many participants said this was their biggest takeaway.

Interviews reveal the gap between documentation and practice—if you know how to listen beyond the answers.

From Simulation to Reality

In a few weeks, we’ll return to ZIRA to do a real two-day internal audit. Their team will run it. We’ll observe and coach.

This is where training meets transformation—because applying these skills in a real environment is what turns auditors into catalysts for improvement.

Conclusion

The true goal of an internal audit isn’t to check boxes. It’s to uncover truths, build trust, and drive better decisions.

Whether you’re just starting your ISO 27001 journey or looking to deepen your internal audit capability, we hope these insights help spark your own “Aha” moment.

Want to explore a training or audit coaching session with us? Let’s talk.
