ISO Internal Audits
Effective: March 17, 2026 · DCF-165
1. Purpose
This document establishes the internal audit program for the H33.ai Information Security Management System (ISMS) as required by ISO 27001:2022 Clause 9.2. The internal audit program ensures that the ISMS conforms to H33.ai's own requirements and to the requirements of ISO 27001:2022, and that it is effectively implemented and maintained.
Internal audits provide independent, objective assessment of ISMS controls and processes, identify nonconformities and improvement opportunities, and provide evidence of ISMS effectiveness to management and external auditors.
2. Audit Program Overview
| Item | Detail |
|---|---|
| Program Owner | Eric Beans, CEO/CISO |
| Audit Cycle | Annual cycle; all ISMS controls and clauses audited at least once per 3-year cycle |
| Audit Frequency | Minimum 2 internal audits per year |
| Audit Standard | ISO 19011:2018 (Guidelines for auditing management systems) |
| Coverage | All ISO 27001:2022 clauses (4-10) and applicable Annex A controls |
| Record Retention | Minimum 3 years (maintained in Drata evidence library) |
| Current Status | Program established; initial audit scheduled Q2 2026 |
3. Auditor Independence and Competence
ISO 27001 Clause 9.2 requires that auditors are objective and impartial, and do not audit their own work. Given H33.ai's current organizational structure (single-person organization), the following approach ensures audit quality:
- Primary approach: Engage an external consultant or qualified third party to conduct internal audits, ensuring complete independence from ISMS implementation and operation.
- Interim approach (until external auditor engaged): CEO/CISO conducts self-assessment using structured audit checklists based on ISO 27001:2022 requirements, with compensating controls:
  - Drata automated continuous monitoring provides independent control validation
  - Structured audit checklists ensure completeness and objectivity
  - All findings documented with evidence, regardless of outcome
  - External SOC 2 Type II auditor provides independent assurance on overlapping controls
- Auditor competence: Auditors must have knowledge of ISO 27001:2022 requirements, ISO 19011:2018 audit methodology, information security management principles, and H33.ai's specific technology stack and risk profile.
4. 2026 Internal Audit Plan
| Audit # | Audit Area | Controls / Clauses | Scheduled | Auditor | Status |
|---|---|---|---|---|---|
| IA-2026-01 | ISMS Core & Governance | Clauses 4 (Context), 5 (Leadership), 6 (Planning), 7 (Support); A.5.1-A.5.4 (Policies & Roles) | June 2026 | External Consultant (TBD) | Scheduled |
| IA-2026-02 | Access Control & Authentication | A.5.15-A.5.18 (Access Control), A.8.2-A.8.5 (Privileged Access, Source Code, Authentication) | June 2026 | External Consultant (TBD) | Scheduled |
| IA-2026-03 | Cryptography & Data Protection | A.8.24 (Cryptography), A.8.11 (Data Masking), A.8.12 (DLP), A.5.14 (Information Transfer), A.5.34 (Privacy/PII) | September 2026 | External Consultant (TBD) | Planned |
| IA-2026-04 | Operations & Monitoring | Clause 8 (Operation), A.8.15-A.8.17 (Logging, Monitoring, Clock Sync), A.8.6 (Capacity), A.8.9 (Configuration) | September 2026 | External Consultant (TBD) | Planned |
| IA-2026-05 | Incident Management & BCP | A.5.24-A.5.28 (Incident Mgmt), A.5.29-A.5.30 (Business Continuity), A.8.13-A.8.14 (Backup, Redundancy) | December 2026 | External Consultant (TBD) | Planned |
| IA-2026-06 | Secure Development & Change Mgmt | A.8.25-A.8.29 (Secure SDLC), A.8.31-A.8.33 (Environment Separation, Change Mgmt, Test Data) | December 2026 | External Consultant (TBD) | Planned |
3-Year Audit Cycle Coverage
| Year | Focus Areas | Coverage Target |
|---|---|---|
| 2026 (Year 1) | Full ISMS establishment audit: all clauses (4-10) + high-risk Annex A controls (cryptography, access, authentication, incident response) | All clauses + 60% of Annex A controls |
| 2027 (Year 2) | Operational effectiveness: supplier management, people controls, physical controls, remaining Annex A controls | All clauses + remaining 40% Annex A controls |
| 2028 (Year 3) | Continual improvement: risk-based selection of controls with highest change frequency or previous findings | All clauses + risk-prioritized Annex A subset |
5. Audit Methodology
Phase 1: Planning
- Define audit scope, objectives, and criteria for each audit engagement
- Review previous audit results, risk assessment outputs, and management review decisions
- Prepare audit checklist based on ISO 27001:2022 requirements and H33.ai policies
- Identify evidence requirements and sampling approach
- Confirm audit schedule with relevant personnel
- Prepare audit notification (minimum 2 weeks advance notice)
Phase 2: Execution
- Conduct opening meeting to confirm scope, schedule, and methodology
- Gather and examine evidence: documentation review, system configuration review, log analysis, personnel interviews
- Evaluate conformity against audit criteria (ISO 27001 requirements, H33.ai policies)
- Document findings: conformities, nonconformities, observations, and opportunities for improvement
- Classify nonconformities: Major (significant failure of control or process) or Minor (isolated or partial failure)
- Conduct closing meeting to present preliminary findings
Phase 3: Reporting
- Prepare formal audit report within 5 business days of audit completion
- Report includes: executive summary, scope, methodology, detailed findings, evidence references, nonconformity classifications, recommendations
- Distribute report to CEO/CISO as input to the management review
- Upload report to Drata evidence library
Phase 4: Follow-Up
- Corrective Action Requests (CARs) issued for all nonconformities (see DCF-566)
- Root cause analysis required for major nonconformities
- Corrective action implementation tracked in Drata
- Verification audit conducted to confirm effective corrective action
- Closure of nonconformities documented with evidence of resolution
- Results fed into next management review (DCF-164)
6. Audit Report Template Outline
- Cover Page: Audit ID, title, date, auditor, classification
- Executive Summary: Overall ISMS conformity assessment, key findings summary, number of nonconformities (major/minor), number of observations
- Scope and Objectives: Controls and clauses audited, objectives, exclusions
- Methodology: Evidence gathering methods, sampling approach, tools used
- Detailed Findings: For each control/clause audited:
  - Control reference and title
  - Audit criteria (requirement)
  - Evidence examined
  - Finding (conformity / minor nonconformity / major nonconformity / observation)
  - Details and explanation
- Nonconformity Summary: List of all nonconformities with classification, CAR reference, and due date
- Opportunities for Improvement: Observations and recommendations
- Conclusion and Recommendation: Overall assessment of ISMS effectiveness
- Distribution List and Approval
7. Corrective Action Tracking
All nonconformities identified during internal audits are tracked through the nonconformity management process defined in DCF-566. The following timelines apply:
| Finding Type | Timeline |
|---|---|
| Major Nonconformity | Root cause analysis within 5 business days. Corrective action plan within 10 business days. Implementation within 30 calendar days. Verification within 45 calendar days. |
| Minor Nonconformity | Corrective action plan within 10 business days. Implementation within 60 calendar days. Verification at next scheduled audit. |
| Observation | Recommendation tracked. Action at management discretion. Reviewed at next management review. |
Current Status: No internal audits completed to date. No open nonconformities. Initial audits (IA-2026-01 and IA-2026-02) are scheduled for June 2026.
8. Program Review
| Item | Detail |
|---|---|
| Review Frequency | Annual (as part of management review per DCF-164) |
| Review Criteria | Audit program coverage, auditor effectiveness, finding trends, corrective action closure rates, resource adequacy |
| Program Adjustments | Based on risk assessment changes, organizational changes, previous audit results, and management review decisions |
9. Approval
| Item | Detail |
|---|---|
| Prepared By | Eric Beans, CEO/CISO |
| Approved By | Eric Beans, CEO/CISO |
| Approval Date | March 17, 2026 |
| Next Review | March 17, 2027 |
| Signature | /s/ Eric Beans |
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945