Internal Audits for ISO 27001 and ISO 45001: Why Australian Organisations Must Stop Auditing in Silos

Internal audits are now a routine function in corporations, government and high-risk industries across Australia. Despite that, they are still not conducted effectively. Take companies certified to both ISO 27001 (information security) and ISO 45001 (occupational health and safety): they tend to treat each audit cycle as a separate, repetitive exercise. Two standards, two audit schedules, and two completely disconnected sets of findings.

That style of auditing makes less and less sense.

Regulators, insurers and other stakeholders in Australia increasingly expect an integrated understanding of risk. The intersection of cyber threats, workplace safety incidents, intricate and multilayered regulation, and ESG (Environmental, Social, Governance) responsibilities means internal audit has to change. Auditing ISO 27001 and ISO 45001 as separate systems simply forfeits an opportunity for risk visibility, control effectiveness and operational efficiency.

Internal audits are treated as a compliance gear; they should be a source of risk intelligence for the whole system.

Why Silos Won’t Work in Today’s Environment

Reliance on digital infrastructure is growing, hybrid work models are spreading, and psychosocial obligations under WHS law are expanding. Together, these factors blur the line between digital and physical risk.

A ransomware attack can do a lot more than encrypt or steal data. It can cause real operational and logistical disruption and take down the communication channels that are crucial to the safety of your people. Conversely, a workplace safety incident can cause communication and surveillance systems to fail, interrupt the operation of security systems, or open a physical gap in perimeter controls, all of which fall within the scope of ISO 27001.

When the WHS and cyber security teams do not collaborate, nobody bridges the gaps between their siloed perspectives, and the organisation remains exposed. Notably, this is not because it fails to meet compliance requirements; it is because no one is responsible for insight that spans both disciplines.

Compliance vs Accountability for Weakness

Within and between ISO 27001 and ISO 45001 management systems there is a considerable disconnect between being compliant and being secure or safe. Auditors and organisations alike focus on conformance auditing and reporting rather than on monitoring whether controls actually operate and are effective.

For example, an ISO 27001 internal audit could confirm that a password policy exists but never examine the risk created when several people share one login to a lone-worker safety application. An ISO 45001 audit could check training records against a control and confirm they are adequate, yet never ask whether the critical safety procedure those records cover is hosted on an insecure cloud service that could be altered without anyone noticing.

Auditors need to look beyond the checklist. Systems should be evaluated for how they interact, whether their controls are actually followed, and how incidents are responded to across both domains.

Data-Driven Audits: Using One Set of Findings to Strengthen Both Systems

Many organisations in Australia use integrated platforms such as Lahebo, Skytrust or Vault to manage risks, incidents and actions across departments. Even so, internal audit results are still processed as standalone results per standard or per department, which is a missed opportunity.

When reviewing ISO 27001 internal audit results, it pays to ask which findings also carry risk under the other standard. For example, poor version control of emergency procedures is an information-handling finding, but under ISO 45001 it means workers may be following an outdated procedure in an emergency. In the other direction, lapses in contractor onboarding found in a WHS audit can expose gaps in ISO 27001 controls such as third-party access management or supplier security assessment.

When organisations treat internal audit as a shared process, system health, culture and risk maturity can be assessed together, giving a broader view.

From “Audit Season” to Continuous Assurance

Australian businesses are beginning to adopt a different approach to internal assurance: rolling assurance programs are replacing periodic, standalone audits.

Instead of running two isolated audits months apart, progressive organisations:

– Map common processes across ISO 27001 and ISO 45001 (e.g. incident response, corrective actions, leadership commitment).

– Assign cross-functional audit teams.

– Track evidence of control operation and effectiveness digitally, over time, not just on audit day.

This approach reduces duplicated work, shortens response times and fosters a culture of continuous improvement. It also lets organisations prepare for external audits with confidence, backed by real-time evidence.

The Internal Cultural Opportunity: Strategic Conversations

Internal audits should not just be about compliance. They can be a springboard for strategic conversations.

Are safety and security a shared responsibility? Are executive stakeholders briefed on cyber risks and WHS liabilities in the same context? Is there a joined-up approach to resilience planning?

Strategic audits across the ISO 27001 and ISO 45001 frameworks can strengthen the cross-functional alignment and executive engagement that resilience requires.

In Closing

In 2025, and for the foreseeable future, Australian organisations will no longer be able to afford the luxury of separating information security from workplace safety. Internal audits of ISO 27001 and ISO 45001 will need to be fused, intelligent and insight-driven.

When designed as one, these audits will enhance the value of your certifications and sustain the safety of your people, your data and your operations.

Smarter audits. Unified audits. Purposeful audits.
