ISO Internal Audit. By Practitioners, Not Paper Reviewers.
Independent internal audit for ISO 27001, ISO 42001, and ISO 27701. Clause-by-clause assessment, control testing, and actionable findings that strengthen your program before the certification body arrives.
100% Canadian-Based Team with Government Security Clearances
Why Our Internal Audit Is Different
Our auditors are practitioners who build and operate management systems, not consultants who review documentation and check boxes.
The Internal DIY Approach
- Checkbox Audits: Most internal audits are treated as a checkbox: review documentation, confirm policies exist, produce a report that says "generally conforming." That wastes your one chance to find problems before the certification body does.
- Independence Gap: ISO management system standards require auditors to be objective and impartial (Clause 9.2), which in practice means nobody can audit their own work. Without a dedicated audit function, you either pull in someone who doesn't understand the standard or outsource to someone who has never built a program.
- Generic Findings: Auditors who haven't implemented a management system produce generic observations. "Consider improving documentation" doesn't help you fix the problem before Stage 2.
The Truvo Approach
- Practitioner-Led Audit: Our auditors have built and operated management systems across dozens of organizations. We find what the certification auditor would find, with recommendations from people who know how to fix it.
- Multi-Standard Coverage: One engagement covering ISO 27001 (ISMS), ISO 42001 (AIMS), and ISO 27701 (PIMS) where applicable. Combined audits for integrated management systems.
- Certification-Focused Findings: Every finding is classified (major nonconformity, minor nonconformity, observation) with specific clause references and remediation guidance prioritized by certification audit risk.
Our Internal Audit Process
A structured, risk-based audit methodology that mirrors how certification bodies assess management systems.
Audit Planning
What We Do
We review your ISMS, AIMS, or PIMS scope, risk treatment plan, Statement of Applicability, and prior audit findings. We build an audit plan weighted by risk and certification focus areas, and schedule interviews with control owners.
What You Get
- Audit Plan: A formal audit plan scoped to your management system, weighted by risk areas and aligned with certification body expectations.
- Audit Schedule: A detailed timeline with dates, interview slots, and document request lists so your team can prepare without disruption.
- Interview Roster: A list of control owners and process stakeholders to be interviewed, with topics and evidence expectations for each session.
Documentation Review
What We Do
We review policies, procedures, risk assessments, management review minutes, and previous audit reports for completeness and currency. We verify that documentation reflects the current state of operations, not a snapshot from initial certification.
What You Get
- Document Review Findings: A detailed assessment of every reviewed document, noting gaps in coverage, outdated references, missing approvals, and areas where documentation doesn't match practice.
- Gap Identification: A prioritized list of documentation gaps and deficiencies that require attention before the certification audit.
Control Testing
What We Do
We test the design and operating effectiveness of every applicable control: the 93 Annex A controls of ISO 27001 (2022 edition), the AI-specific controls of ISO 42001, and the privacy extension controls of ISO 27701. We sample evidence, verify configurations, and confirm that controls produce the expected outcomes.
What You Get
- Control Testing Workpapers: Detailed testing documentation for every applicable control, including the test performed, evidence reviewed, and conclusion reached.
Interviews & Process Verification
What We Do
We interview control owners to confirm they understand their responsibilities and can demonstrate them. We test whether documented processes reflect actual practice, and identify areas where institutional knowledge hasn't been captured in procedures.
What You Get
- Interview Notes: Structured notes from every interview, documenting what was asked, what was demonstrated, and any discrepancies between documentation and practice.
- Process Verification Results: A summary of where actual operations align with documented procedures and where gaps exist that a certification auditor would flag.
Internal Audit Report
What We Do
We produce a formal internal audit report with nonconformities (major and minor), observations, evidence gaps, and remediation recommendations prioritized by certification risk. The report satisfies the Clause 9.2 requirement for documented evidence of the audit programme and audit results.
What You Get
- Formal Internal Audit Report: A complete audit report that satisfies Clause 9.2 requirements, with every finding classified, referenced to specific clauses, and supported by evidence.
- Nonconformity Register: A structured register of all major and minor nonconformities with clause references, evidence citations, and recommended corrective actions.
Debrief & Remediation Support
What We Do
We walk through every finding with your team, help prioritize fixes by certification risk, and provide input for management review (Clause 9.3), where audit results are a required input. We offer optional follow-up to verify that corrective actions have been implemented and are effective.
What You Get
- Remediation Roadmap: A prioritized plan for addressing every finding, ordered by certification risk and effort, with clear ownership and target dates.
- Management Review Input: Audit results formatted for Clause 9.3 management review, including trends, risk implications, and recommended actions for leadership.
- Corrective Action Verification: Optional follow-up assessment confirming that corrective actions have been implemented, are effective, and will withstand certification body scrutiny.
Don't Just Take Our Word For It
"Truvo is an instrumental and integrated part of our team...
They don’t just provide recommendations; they ensure we meet our stringent ISO 27001 and SWIFT compliance goals. We trust them with projects of national importance, and they deliver."
Matt Charette
CISO, Payments Canada
Strengthen Your Management System Before the Certification Body Arrives
Book a strategy call to discuss your internal audit needs. We assess your management system scope, identify the right audit approach, and give you a clear picture of the timeline and investment.
Book Your Free Strategy Session
Frequently Asked Questions
How often should we run an internal audit?
ISO requires internal audits "at planned intervals" (Clause 9.2). Most organizations audit annually, but the cadence should be risk-based. Significant changes to your ISMS, AIMS, or PIMS may warrant more frequent audits.
What is the difference between a gap assessment and an internal audit?
A gap assessment is performed before building the management system. An internal audit evaluates an operating system. A gap assessment says "build this." An internal audit says "here's what's working and what isn't."
Which standards do you audit?
ISO 27001 (information security), ISO 42001 (AI governance), and ISO 27701 (privacy). We also perform combined audits for organizations running integrated management systems.
Where is your team located?
Our entire team is in North America (Canada and United States). No data is sent offshore.
Find Issues Before the Auditor Does.
Independent internal audit by practitioners who build and operate management systems.