ISO 27001 Audit 2026 – Zero Nonconformities, Without Consultancy

By Alex Fernandez

Magnifying glass over an audit chart symbolizing detailed ISMS internal review

🛡️ Second consecutive year passing the ISO 27001 audit with zero nonconformities — and the first cycle entirely without external consultancy.

A few days ago we received the final report from DNV for our 2026 ISO 27001 external audit. The result: zero nonconformities. It is the second consecutive year we keep that figure, but this cycle has a detail that makes it, for me, especially relevant: it was the first time the company faced the process without external consultancy, and the first time I personally executed the prior internal audit.

I am writing this post because I think the case illustrates well a strategic decision many ISMS leaders are weighing right now: when does it stop making sense to outsource, and when does it make sense to internalize the audit function? I am not selling a universal recipe. I will share what we did, why we did it, and what I read into it.

Why zero nonconformities in ISO 27001 is not a formality

ISO/IEC 27001 is the international reference standard for Information Security Management Systems (ISMS). Certification against it does not declare a company “secure” in absolute terms — that does not exist — but it attests that there is a documented, living, auditable system to identify information risks, treat them, and continuously improve.

An external certification or surveillance audit reviews, among other things, the system’s scope, the risk assessment, the statement of applicability (SoA), the effective implementation of the Annex A controls selected in it, the continuous improvement cycle, and evidence that management reviews and steers the system. Any of those blocks can generate major or minor nonconformities, and it is common — even in mature organizations — to close the cycle with at least a minor NC or some observations.

That is why a clean report is not a given. And keeping it clean two years in a row, less so.

The decision: internalizing the cycle when you have a Lead Auditor on staff

For years, the reasonable approach for us was to lean on external consultancy to prepare audits. That decision changed when I obtained the ISO 27001 Lead Auditor credential from AENOR in 2025. From that point, the question stopped being “who helps us prepare?” and became “does it still make sense to pay for a layer we already cover internally?”

My answer — after discussing it with management — was no. Three reasons:

1. Context knowledge. Nobody understands the processes, critical assets, and culture of Process Control Tech better than the internal team. A consultancy always needs warm-up time; we do not.

2. System ownership and traceability. When the internal audit is run by a third party, there is a silent risk: the ISMS gets lived as “what the consultancy asks for” instead of “what we need”. Internalizing reinforces real ownership of the system.

3. Economic efficiency. I will not put concrete figures here because the saving depends on each contract, but eliminating a recurring consultancy line frees budget that can be reinvested in controls, training, or tooling. The ROI of certifying the internal lead materializes precisely when the intermediate layer is removed.

Adding to this, this year I obtained the ISO 42001 Lead Auditor credential (AI Management System, April 2026), which prepares us to integrate AI governance into the same management framework when the time comes. But that is another conversation.

How we prepared the internal audit

I personally executed the prior internal audit, applying the same approach an external auditor would: functional independence from the audited areas, a formal program, defined audit criteria, documented evidence, and a report with classified findings.

The Security and ISO Committee was the throughline of the entire cycle. It is the body where system decisions are channeled, risks are reviewed, treatment plans approved, and corrective actions followed up. Without a committee that actually works — not one that exists only on the org chart — a serious internal audit is not viable.

Methodologically, the approach was:

  • Document review of the system (policy, scope, SoA, risk analysis, procedures).
  • Implementation verification of Annex A controls in the involved areas.
  • Interviews with process owners to validate that what is documented matches what is actually done.
  • Closing of findings before the external audit, with action plans and evidence.

It is not magic. It is discipline and method.

The external audit with DNV

With the internal audit closed and findings resolved, we faced the external audit with DNV. DNV evaluated, at a high level, the same blocks any ISO 27001 surveillance audit covers: organizational context, leadership and management commitment, risk-based planning, support (resources, competence, communication), operation, performance evaluation and continuous improvement, plus the implementation of applicable controls.

The difference compared to previous years is that this time there was no external consultant acting as intermediary. The interaction was direct: internal team, committee, management, and auditor. And honestly, that simplifies the conversation a lot.

Strategic reading of the result

Zero nonconformities for the second consecutive year, in the first cycle without external consultancy. That is the headline. But the reading I take is not one of victory — it is one of model validation:

  • The ISMS works because it is embedded in the business, not because an external provider is propping it up.
  • The investment in certifying the internal lead as Lead Auditor paid off in a single cycle.
  • The committee, as the system’s governing body, is what sustains continuous improvement between audits.

Recommendations for other ISMS leaders

If you are considering taking the step to internalize, here is what I would do:

  1. Certify the internal lead before cutting the consultancy. Not the other way around. The Lead Auditor credential (ISO 27001, and ISO 42001 if it applies) is the precondition, not a consequence.
  2. Make sure you have an operating security committee. It is not enough that it is constituted on paper; it has to meet, decide, and leave traceability.
  3. Keep the independence of the internal audit. Even if it is run by someone in-house, that person must not audit areas in which they have direct operational responsibility. In practice this means the ISMS lead’s own activities (the risk assessment, the SoA, the operation of the management system itself) need to be audited by someone else, since clause 9.2 requires the audit to be objective and impartial.
  4. Do not internalize to save money; internalize to gain control. The savings come, but as a consequence, not as the main goal.
  5. Document as if you were going to be audited tomorrow. Because, in fact, that is how it works.

Closing

Closing an ISO 27001 cycle with DNV with zero nonconformities, without external consultancy, and with the internal audit run in-house is, above all, a sign that the management model is mature. It is not an arrival point; it is the foundation for the next step — in our case, the gradual integration of AI governance under ISO 42001.


Considering internalizing your ISO 27001 cycle, or integrating ISO 42001 into your management system?

If you would like to exchange experiences or discuss the case in more detail, you can reach me at:
