Three-day course preparing internal auditors for ISO 27001:2022 ISMS audits. Covers Annex A control structure (organizational, people, physical, technological), risk-based audit planning, evidence collection, nonconformity classification, and audit reporting. Aligns to ISO 19011 audit principles.
This three-day intensive gives compliance practitioners a structured, hands-on path to conducting credible ISO 27001:2022 internal audits. Instruction is led by Carl B. Johnson, President and CISO of Cleared Systems, drawing on direct experience implementing and auditing Information Security Management Systems (ISMS) inside defense and federal contractor environments. Every module is grounded in the real artifacts, conversations, and judgment calls auditors face on the floor.
The course opens with a working tour of the ISMS and the updated Annex A control structure introduced in the 2022 revision. Participants examine all four control categories — organizational, people, physical, and technological — understanding how each category maps to an organization's risk treatment decisions and where auditors most often find evidence gaps. The 2022 structural changes are contrasted with the prior version so auditors can speak confidently with auditees who are mid-transition.
Participants build audit plans from a risk-based perspective, learning how to scope an audit engagement, set audit objectives, and prioritize control areas based on documented risk registers and statements of applicability. The module covers how to translate an organization's risk treatment plan into a logical audit sampling strategy — a skill that separates procedural auditors from ones who add real assurance value.
Effective auditing depends on knowing what constitutes sufficient, appropriate evidence. This module walks through interview techniques, document review, observation, and records sampling as they apply to ISMS audits. Participants practice evaluating policy documents, control implementation records, log reviews, and management review outputs against ISO 27001:2022 requirements.
A significant portion of day three addresses the judgment work of auditing: classifying findings as major nonconformities, minor nonconformities, or observations, writing defensible finding statements, and structuring a formal audit report. Participants draft finding language and practice linking each finding back to a specific clause or Annex A control, which is the standard external certification bodies will apply when reviewing internal audit outputs.
All instruction aligns to the ISO 19011 guidelines for auditing management systems. Participants apply ISO 19011 principles — integrity, fair presentation, due professional care, confidentiality, independence, and evidence-based approach — to scenario-based exercises drawn from contractor and federal agency contexts.
This course is designed for the compliance professionals inside your organization who own, support, or feed into the internal audit function. The right attendees include:
If your team is responsible for producing internal audit evidence that will be reviewed by a certification body or a government customer, this is the training that prepares them to do that work at a professional standard.
Internal auditing is one discipline within a mature information security compliance posture. Organizations looking to extend that posture — from risk assessments through ongoing advisory support — can explore the full range of capabilities available through IT compliance services at Cleared Systems, or regulatory vCISO services for organizations that need sustained expert guidance between audit cycles.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.