Why shouldn't our certification body auditor do our internal audit?

Most certification bodies will not perform your internal audit because of independence rules. Where it is offered, it is typically charged at consultancy day rates of £900–£1,500+ per day, which is many times the cost of a dedicated internal audit service.

Can a member of our own staff perform the internal audit?

ISO 27001:2022 requires that internal auditors do not audit their own work. In small companies, almost everyone is involved in the ISMS in some form, which creates a conflict of interest. An external internal auditor solves this cleanly.

How fast is the turnaround?

Once onboarding is complete and we have access to your evidence (via Vanta, Drata, or a zip file), a written draft report is delivered to your email within 24 to 72 hours.

ISO 27001:2022 Internal Audits for Small Businesses — £299 Fixed Fee

02 · The choice in front of you

Three ways to get an internal audit. Only one makes sense for an SME.

ISO 27001:2022 requires internal audits to be performed by people who are independent of the work being audited. Here's how the realistic options compare on cost, independence, and speed.

Criteria

Hire an external auditor / consultant

Use a member of your own staff

InternalCheck.Me

Typical costFor one full internal audit cycle

✕ EXPENSIVE£900–£1,500 per day, often 2–4 days. £2,000–£6,000+ all-in.

✕ HIDDEN COST"Free" but pulls a senior staff member off revenue work for days.

✓ FIXED£299. One revisit included. £150 per further revisit.

IndependenceThe core ISO 27001:2022 requirement

✓ INDEPENDENTTruly independent — but priced for enterprises.

✕ CONFLICT OF INTERESTIn a small business, almost every employee is involved in the ISMS. Auditing your own work fails the standard.

✓ INDEPENDENTFully external, conflict-free, evidence-based.

Speed to draft report

✕ SLOW2–6 weeks of scheduling, fieldwork, then writeup.

✕ DRIFTSInternal audits get deprioritised behind real work. Often slips.

✓ FASTDraft delivered to your inbox in 24–72 hours after onboarding.

Suitability for SMEsTeams of 5–100

✕ POOR FITDesigned for large enterprises with dedicated GRC budgets.

✕ POOR FITMost SMEs don't have a trained, independent auditor on staff.

✓ BUILT FOR SMESDesigned specifically for small teams using a compliance platform or submit evidence manually.

Format your certification body expects

✓ YESIf you can afford it.

✕ RISKYAuditors flag self-audits where independence isn't demonstrable.

✓ STANDARDDocumented independence, evidence trail, written report — used successfully by SMEs in real audits.

03 · How it works

Automated where it should be. Human where it matters.

We've stripped out the discovery calls, the proposals, and the back-and-forth. You pay, you onboard, we audit. Your draft report is in your inbox within three working days.

Checkout

Fixed price, no quotes, no sales calls. Pay £299 securely online and you're booked in.

~ 2 minutes

ii.

Onboarding

Fill out a short form. Grant us read-only access to your Vanta or Drata portal, or any other compliance platform you use or send a zip of your evidence.

~ 15 minutes

iii.

Audit & review

We work through Clauses 4–10 and the Annex A controls in your scope. Every finding goes through a two-stage quality review.

24–72 hours

iv.

Draft report

A written draft lands in your email. One free revisit is included to recheck any closed findings.

Then certification

04 · Pricing

One price. No surprises.

The same fixed fee whether you're a 5-person startup or a 50-person scale-up. Add-on revisits are flat-priced too.

ISO 27001:2022 · Internal Audit

Full internal audit

£ 299 fixed · all-inclusive

Audit of Clauses 4–10 and applicable Annex A controls
Vanta and Drata portal integrations supported
Written draft report delivered in 24–72 hours
One free revisit to verify closed findings
Two-stage quality review on every report
Full evidence trail in the format certification bodies expect

Book audit — £299

Additional revisits

£150 each

If you need to demonstrate further remediation after your free revisit, each subsequent revisit is a flat £150 — no day rates, no surprises.

Compare

~ £2,000–£6,000

What a typical consultancy charges for the same scope of work, billed at £900–£1,500 per day across multiple days.

Why it's affordable

Process, not price-cutting

Automation handles scheduling, evidence intake, and routine checks. Our auditors spend their time on findings — not admin.

05 · What's included

Built for the way SMEs actually run ISO 27001.

If your ISMS lives in Vanta or Drata, we're already plugged in. If it doesn't, a zip file works just as well.

Vanta & Drata native

Read-only portal access lets us pull evidence directly. No exports, no spreadsheets, no chasing.

Full written report

A proper audit report — scope, methodology, findings, opportunities for improvement, and a management summary.

Independence by design

We never sell your certification audit, your consultancy, or your training. Our only job is the internal audit.

24–72 hour drafts

Once we have your evidence, your draft is in your inbox within three working days. No timeline drift.

Two-stage QA

Every report goes through a structured quality review before delivery — methodology, findings, and language all checked against a defined standard.

Evidence zip alternative

Not on Vanta or Drata? Send a zip of your policies, records, and evidence and we'll work from that.

06 · Frequently asked

Things SMEs ask before booking.

Will my certification body accept this as our internal audit?

Our reports follow the structure expected under ISO 27001:2022 — a documented audit plan, sampling methodology, evidence trail, written findings, and a final report — and have been used successfully by SMEs going through stage 1, stage 2, and surveillance audits with their certification bodies. That said, every certification body is different and we cannot guarantee acceptance in every case. We are not responsible if a certification body rejects or requests changes to the report; final acceptance always rests with your auditor.

Why can't a member of our own staff just do the internal audit?

In principle they can — but ISO 27001:2022 explicitly requires that auditors do not audit their own work. In a small company, the person who manages access controls, the person who wrote your incident response policy, and the person who runs HR onboarding are often the same one or two people. That makes a genuinely independent internal audit nearly impossible without an external auditor. Booking us removes the conflict of interest cleanly.

Why don't we just use our certification body for the internal audit?

Most certification bodies don't offer it because of independence rules between certification and consultancy work. Where it is offered as a separate consultancy service, it's typically billed at £900–£1,500 per day across multiple days, which is many times the cost of a dedicated, fixed-fee internal audit service like ours.

How is quality controlled?

Every report goes through a structured two-stage quality review before it reaches your inbox: a first pass against the audit methodology and evidence, and a second pass for findings classification, language, and consistency. Automation handles the parts that should be automated — scheduling, evidence intake, and mapping controls to clauses — so the audit work itself gets the attention it deserves.

What does "one free revisit" actually mean?

After we send your draft report, you have time to address any findings. When you're ready, we'll re-check the closed findings against fresh evidence and update the report — included in the £299. Any further revisits beyond that first one are charged at a flat £150 each.

What if our ISMS isn't in Vanta or Drata?

No problem. You can send your evidence as a zip file during onboarding — policies, records, screenshots, asset registers, the lot. We work the same way from a zip as we do from a portal.

How quickly can we actually get started?

As soon as you've checked out and completed onboarding, we begin work. The 24–72 hour clock for your draft report starts when we have access to your evidence — not when you book.

Independent ISO 27001 internal audits, without the consultancy bill.

ISO/IEC 27001:2022