

Written by
Rob Veen
Doing the ISO 27001 internal audit yourself may seem cheaper, but because of internal hours and hidden risks it often costs significantly more (€4,000+) than outsourcing (€1,600–€2,500). In addition, certification bodies require strict objectivity: you may not check your own work. Outsourcing helps avoid blind spots in your own company and increases the chance of success during the external audit.

You have spent months working on your information security and the ISMS (Information Security Management System). The policy has been written, the risk assessment is complete, and the team has been briefed. You are almost ready for certification. But then you come to section 9.2 of the ISO 27001 standard: the internal audit. Before the external auditor (for example from TÜV or DigiTrust) arrives, you are required to review your own organization. This leaves many business owners with a dilemma: "Should we have one of our own employees do this to save costs, or should we hire an expert?" In this article, we give an honest comparison for 2025, supported by examples and scenarios.
The forgotten obligation: Why the internal audit is often the stumbling block
The problem in many organizations is that the internal audit is seen as an administrative checkbox. "Just quickly check whether we have everything." But the ISO standard sets strict requirements for this audit: it must be objective and impartial.
The objectivity dilemma
In a company with 25 to 50 employees, roles are often intertwined. The IT manager wrote the policy and set up the systems. When you ask this person to carry out the internal audit, you are essentially asking: "Would you please check your own homework and judge it strictly?"
The standard is clear about this: auditors may not audit their own work.
This means you need to find someone else in the organization who meets three conditions:
Knowledge: Understands the ISO 27001 standard.
Impartiality: Has not been involved in the implementation.
Capacity: Has time to go through all processes.
In 90% of SMEs, this person simply is not available.
Expert Tip: A weak internal audit is the number one cause of findings during the external audit. Do not see it as an obligation, but as the dress rehearsal.
Cost comparison: Do it yourself vs. Outsource
Let us set aside the emotion and look at the hard numbers. We compare the situation for an average SME (IT/Services, 50 employees) in 2025.
Scenario A: Do it yourself (Internal)
You assign an operational manager (not IT, because they implemented it) to carry out the audit.
Training/reading ISO 27001: 8 hours (minimum).
Preparing audit questions: 4 hours.
Conducting interviews & checks: 12 hours.
Writing the report: 6 hours.
Total: 30 hours.
At an internal cost rate (gross salary + employer costs + overhead + opportunity cost) of €85 per hour, this project costs you €2,550 in internal time.
The hidden risk: the chance that an untrained colleague misses errors is high. If the external auditor then finds these errors, a re-audit follows. Cost: approx. €1,500 extra.
Total estimated impact: €4,050 (plus the necessary stress).
Scenario B: Outsource (External via AuditDirect)
You hire a specialist who does this every day.
Familiarization: Done efficiently in advance.
Execution: Audit on site or remote in 1 day. The expert spots the weak points immediately.
Reporting: Immediately usable as evidence for the external auditor.
Costs: Fixed price, on average between €1,600 - €2,500 (depending on scope).
The balance: Internal vs. External
| Component | Internal Audit (Do it yourself) | Internal Audit (Outsource) |
| --- | --- | --- |
| Direct Costs | €2,550 (time investment) | €1,600 - €2,500 (invoice) |
| Quality | Low to medium (company blindness) | High (specialist perspective) |
| Objectivity | Risk of conflict of interest | 100% Independent |
| Re-audit Risk | High | Minimal |
| Impact on Team | Burden on core tasks (30+ hours) | Minimal (only interviews) |
The 'WC-eend' effect and false security
The consequence of "we will just do it ourselves" is often the so-called WC-eend effect, named after the Dutch advertising slogan "We of WC-eend recommend WC-eend": a judgement that carries no weight because it comes from the party being judged.
When colleagues audit each other, people often do not dare to dig deeply. "Colleague X has been busy, I can see this document is not finished, but I know he is working on it. I approve it." This is human, but risky for your certification. You create a false sense of security and leave blind spots that an external auditor from NEN or a certification body will spot immediately.
An external party such as AuditDirect looks with the same lens as the certification auditor:
Is a procedure missing? We see it.
Is the evidence incomplete? We report it.
Do your employees not know what to answer? We coach them.
Glossary for ISO 27001 Audits
To properly understand the internal audit, it is important to use the correct terminology. This also helps you interpret the audit report.
Non-Conformity (Deviation): Failing to meet a requirement of the standard.
Major: A serious shortcoming that makes certification impossible.
Minor: A smaller shortcoming that must be resolved within a certain time.
Objectivity: The requirement that the auditor must be impartial and have no interest in the outcome of the audit.
ISMS (Information Security Management System): The entire set of policies, procedures and processes being assessed.
External Audit: The official assessment by an accredited party to obtain the certificate.
Conclusion: Do not buy an audit, buy certainty
At the end of the day, outsourcing is often cheaper than doing it yourself, especially if you include the 'opportunity cost' of your own staff. But the real gain is not in the euros, it is in the quality.
With an audit by AuditDirect, the internal audit changes from a mandatory exercise into a valuable dress rehearsal. You eliminate the stress for the external audit because you know the gaps have already been closed.
Ready for the next step?
Do you want to be sure you will pass your ISO 27001 certification without burdening your own staff with tasks they are not trained for?
Click here now to schedule your Internal Audit as soon as possible!
Are you just getting started on the path to ISO 27001 certification? View our Gap Analysis here. Together with you, we take a thorough look at your current situation and build a pragmatic action plan so your certification process starts without errors!
Stress-free guidance so your entire certification journey runs smoothly? Book a free, no-obligation consultation with us here to see how we can help you from the start through to certification.
AuditDirect: A fresh perspective for a fixed price. We do not deliver a list of mistakes, but a list of solutions.
Can I carry out the ISO 27001 internal audit myself?
Yes, you may carry out the internal audit yourself, provided you meet the strict requirement of objectivity. This means that the auditor may not review their own work or implementation. In addition, the internal auditor must have sufficient knowledge of the ISO 27001 standard. Because this combination is often difficult to find internally, many companies choose to outsource it.
What does an ISO 27001 internal audit cost?
Outsourcing an internal audit costs an average of between €1,600 and €2,500. Although doing it yourself may seem free, internal time (reading up, carrying out the audit, reporting) and the opportunity cost often make it cost more than €2,500. If you also include the risk of a re-audit due to missed findings, the total cost of doing it yourself can rise to over €4,000.
Why is independence required for the internal audit?
Section 9.2 of the ISO 27001 standard requires the audit to be objective and impartial. If you check your own work (the "self-check" effect), blind spots can develop and create a false sense of security. An independent auditor ensures that mistakes are reported honestly, which is crucial for achieving certification.
What is the difference between an internal audit and an external audit?
The internal audit is a mandatory 'dress rehearsal' that you organize yourself to check whether your ISMS complies with the standard. The external audit is carried out by an accredited body (such as TÜV or DigiTrust). A strong internal audit significantly increases the chances of passing the official external audit.
What happens if the internal audit is not carried out properly?
If the internal audit is weak or misses errors due to company blind spots, the external auditor will identify these deviations (non-conformities). This often leads to a required re-audit, which adds extra costs (around €1,500) and delays the certification process.
AuditDirect guides you from start to finish toward your ISO 27001 certification
ISO Reality Check
A brief, honest conversation to determine whether ISO 27001 is truly necessary.
FREE*
In 45 minutes, we will discuss:
Why the ISO requirement is there (from your client or internally)
Whether a certification is actually necessary, or if an alternative is sufficient
What your organization is already doing well
And what options you have to handle it smarter and simpler
And we are pragmatic enough that we are also willing to have this conversation with you and your client.
*A limited number of spots available.
Schedule your ISO Reality Check
ISO Baseline Assessment
In one day, we assess together how far your organization has already progressed toward ISO 27001.
€1,250
Within 24 hours you will receive:
A complete baseline assessment of your current situation
An action plan with concrete next steps
Insight into your strongest points and areas for improvement
Support within the organization, as our consultants will conduct interviews with the involved employees
Guidance only starts after the baseline assessment. This way, we know exactly what is and what is not needed, without wasting your company's time.
Schedule your ISO Baseline Assessment
ISO Internal Audit
A practical Internal Audit that tells you exactly whether you are ready for the external audit.
$1,600*
Within 72 hours you will receive:
A complete independent internal audit that meets the ISO 27001 standard 9.2.
Clear and applicable findings and recommendations
Concrete overview of areas for improvement before the external audit
Clear explanation for management and teams involved
*price is based on a small organization
Schedule your ISO internal audit