Manage your ISMS audit program in the same system where your controls actually run.
ISO 27001 Clause 9.2 requires organisations to conduct internal audits at planned intervals. SOC 2 requires periodic control reviews. NIS2 requires documented assurance. Kordon makes the program operational — not a once-a-year documentation project that happens the month before your certification auditor arrives.
Start with the controls in your ISMS. Decide which ones need formal audit tasks, how frequently, and who performs them. High-risk controls can run quarterly audit tasks; lower-risk ones annually. You set the cadence that matches your audit plan — Kordon maintains it from there.
Audit tasks sit alongside maintenance and review tasks on the same controls. When an audit task comes due, the assignee reviews the relevant evidence, records a verdict — OK or Not OK — and attaches their findings. The control status updates immediately. The audit record stays in the system, attached to the control it tested.
When an audit identifies a gap, create a nonconformity (NCR) or opportunity for improvement (OFI) directly in Kordon. The finding connects to the failed control, the risk it evidences, and the requirement it maps to. Convert it into a remediation task with a named owner and a deadline — tracked to closure in the same system.
Because evidence builds throughout the year as tasks are completed — not in a three-week scramble before the auditor arrives — audit preparation becomes evidence review, not evidence hunting. Give your certification auditor read-only access and walk into your certification audit knowing the trail is there.
Every audit management tool in this market is built for enterprise internal audit departments running SOX and operational audits. Kordon is built for the security manager who manages, executes, and evidences their own information security audit program — without a separate audit tool, a dedicated audit department, or a platform that costs more than your entire security budget.
Schedule recurring internal audit tasks directly on the controls they test. Choose the type — Audit, Review, or Maintenance — and set the frequency that fits your ISO 27001 or SOC 2 audit cycle. Audit tasks run on a schedule that never drifts, assigned to the person actually responsible for the control. <a href="/control-management/">How control management works in Kordon →</a>
When an audit task returns a "Not OK" verdict, the connected control immediately moves to Failing status. The risks that control was mitigating reflect the change at once — no manual update, no reconciliation between what your audit found and what your risk register shows. Real accountability, not a status field you remember to update.
Give your ISO 27001 certification auditor, external reviewer, or internal audit function direct read-only access to see controls, tasks, completed evidence, and risk context at exactly the level of detail they need — without a full Kordon user account. No document pack to compile. No email chain of attachments. They see the program as it actually is.
Evidence is captured as tasks are completed throughout the year — attached to the task that generated it, traceable to the control it maintains and the requirement it satisfies. When your auditor arrives, the evidence is already there. Kordon customers report reducing audit preparation time by up to 80%. <a href="/case-studies/case-study-migrating-from-vanta-with-qminder/">See how Qminder cut audit prep time →</a>
Nonconformities and opportunities for improvement raised during an internal audit connect directly to the control that failed, the risk it evidences, and the framework requirement it violates. Remediation tasks flow from the finding with an assigned owner and deadline — not into a separate issue tracker that loses context the moment it's detached from the audit. <a href="/findings-management/">How findings management works in Kordon →</a>
A control tested for ISO 27001 simultaneously satisfies the equivalent requirement in SOC 2, NIS2, or DORA. Maintain one internal audit program, one evidence trail, and one set of control statuses — across every framework your organisation needs to demonstrate compliance with. <a href="/frameworks/">Multi-framework management in Kordon →</a>