Internal Audit

Readiness you can audit against.

Vigil delivers ISO readiness and internal audit support for small teams and companies pursuing 27001, 27701, or 42001. We prepare the organization so the external certification body finds a ready ISMS, not an open project.

STANDARDS WE COVER

Three ISO internal audit engagements

INFORMATION SECURITY

ISO 27001

Global standard for an information security management system. Risk assessment, Annex A control design, a documented Statement of Applicability, internal audit, and management review.

2022 revision · 93 Annex A controls

PRIVACY

ISO 27701

Standalone privacy management standard, aligned with GDPR and other privacy regimes. Defines obligations for PII controllers and processors through a Privacy Information Management System. As of the 2025 revision, it no longer requires ISO 27001 first, so you can pursue it independently or alongside SOC 2.

2025 revision · standalone PIMS

AI MANAGEMENT

ISO 42001

Newest standard, specific to organizations that develop or use AI systems. Establishes an AI management system covering risk, impact assessment, and lifecycle controls across AI development.

AIMS · AI lifecycle controls

Internal audit is not certification

Vigil performs readiness assessment, gap remediation, evidence collection, control testing, and the internal audit documentation required by ISO clause 9.2. Certification itself is issued by an accredited external certification body that performs its own audit of your management system. Most clients engage Vigil for readiness and internal audit, then engage an external body separately for the certification audit. We can refer you to trusted certification bodies when you are ready.

PRICING

Single framework

$5,000 to $10,000

Multi-framework bundle

$10,000 to $18,000

Disclaimer: Published prices reflect standard tier scope. Final pricing is confirmed during the scoping call based on actual scope, framework set, and tooling environment.

Onboarding timeline

Phase 1: Scoping (week 1)

60-minute scoping call. We confirm which standard or standards are in scope (27001, 27701, 42001) and map the boundary of your management system. Written scope and fixed-fee proposal back within five business days.

Phase 2: Gap assessment and SoA (weeks 2 to 4)

We assess your current state against the standard and document where the gaps are. You decide which Annex A controls apply to your business, build your Statement of Applicability, and own your control design. We guide the structure and flag what's missing. These decisions stay with you, which is what keeps our internal audit objective.

Phase 3: Remediation and evidence (weeks 4 to 8)

You remediate the gaps and implement your controls. We advise on approach and review what you put in place. You assemble the evidence; we tell you whether it will hold up under the certification audit. For multi-framework bundles, evidence is mapped across standards so you collect once.

Phase 4: Internal audit and handoff (weeks 8 to 10)

We conduct the internal audit required by ISO clause 9.2, test your controls, document findings, and prepare the audit package and management review materials. You hand a ready ISMS to your external certification body, not an open project.

Disclaimer: Typical timeline for a single framework. Multi-framework bundles run longer and are scoped on the call. We commit to a specific timeline in the engagement letter once scoping is complete.

Why Vigil for internal audit

Cross-mapped to SOC 2

When you hold or plan to hold SOC 2, we map controls across frameworks so you operate one control set, not two.

Clause-level rigor

Our internal audit deliverables follow ISO clause structure, so the external certification body finds what they need where they expect it.

Multi-framework efficiency

Doing ISO 27001 and 27701 together, or adding 42001 to an existing ISMS, is meaningfully cheaper and faster than stacking them one at a time.

100% US-based team

Engagement leadership, fieldwork, and deliverables are all produced in North America.

Working Together

A 30-minute scoping call is the right place to start.

If we're a good fit, we'll send a proposal within 48 hours. If we're not, we'll tell you who is.

Contact Us

Get in touch now

Tell us what your customers are asking for and where you are now. We will tell you what you actually need, and what you don't.