What ISO 27001 Says About Internal Audit
Internal audit is not optional. ISO/IEC 27001:2022 Clause 9.2, under the Performance Evaluation section, requires organizations to plan, conduct, and document internal audits as part of maintaining their ISMS.
The 2022 revision split the original single Clause 9.2 into two sub-clauses:
- Clause 9.2.1 defines the objectives of each individual audit
- Clause 9.2.2 governs the audit programme as a whole, its planning, frequency, methods, responsibilities, and records
This split matters because it separates the what (individual audit requirements) from the how (programme management). Both apply to your certification and surveillance audits.
Source: Advisera 27001 Academy (advisera.com/27001academy/iso-27001-internal-audit)
What Each Audit Must Assess
Per Clause 9.2.1, every internal audit must determine whether your ISMS:
- Conforms to your own ISMS requirements (your policies and procedures)
- Conforms to the requirements of ISO/IEC 27001:2022 itself
- Is effectively implemented and maintained
The third point is the one most teams underestimate. Having documented policies is not enough, the audit must verify those policies are actually followed in practice.
How Often Do You Need to Audit?
ISO 27001 does not set a fixed interval. Frequency is determined by the organization based on:
- The importance of each process to the ISMS
- Any changes that have affected security (new systems, org restructuring, incidents)
- Results of previous audits
In practice, once per year is the minimum most certification bodies expect. Higher-risk areas, access control, incident management, physical security, are commonly audited more frequently when changes occur.
Source: Advisera 27001 Academy (advisera.com/27001academy/iso-27001-internal-audit)
Who Can Run the Internal Audit?
The standard has one explicit rule on this: auditors shall not audit their own work.
This is the objectivity and impartiality requirement. It means someone from the IT team cannot audit the IT team's own controls. Options that satisfy the requirement:
- An employee from a different department (HR auditing IT, or vice versa)
- An external consultant hired specifically for the internal audit role
- A team member from a subsidiary or affiliate office
No specific certification is required by the standard, but auditors must be "competent," meaning they understand both audit principles and the ISMS requirements. In practice, ISO 27001 Lead Auditor training (offered by BSI, Bureau Veritas, and others) provides a credible baseline.
The Four Documents You Must Produce
Clause 9.2.2 requires the following documented information to be retained:
1. Audit programme The planned schedule: which areas will be audited, with what methods, by whom, and when. This is maintained over the full audit cycle.
2. Audit criteria and scope for each audit Each individual audit must have a defined scope (which processes, systems, or departments) and criteria (which requirements it will test against).
3. Audit results / audit report Findings from each audit, conformances, nonconformities, observations, and any opportunities for improvement.
4. Evidence that the programme was implemented Records showing audits were actually conducted per the programme. Audit checklists, meeting notes, and signed attendance sheets serve this purpose.
How the Audit Feeds Into Corrective Action
Nonconformities found during internal audit feed directly into Clause 10.1 (Nonconformity and Corrective Action). When an audit finds a gap:
- The nonconformity is documented
- A root cause analysis is performed
- Corrective actions are defined and assigned
- Effectiveness of those actions is verified in a follow-up check
This loop, audit → nonconformity → corrective action → verification, is what certification bodies look for when assessing whether your ISMS is genuinely improving over time.
What Commonly Goes Wrong
Auditing the same people every cycle If the same team audits the same controls each year and finds zero nonconformities, certification auditors will look more closely. Real audits find something.
Treating the audit as a document review only ISO 27001 requires evidence that controls work in practice. Clause 9.2.1 says the audit must assess effective implementation, not just whether policies exist.
Leaving too little time before the certification audit Internal audit results must be available for management review (Clause 9.3). Management review must be completed before the external certification audit. Running the internal audit the week before the external audit leaves no time to close nonconformities.
Not keeping records Clause 9.2.2 explicitly requires documented information as evidence. A verbal debrief does not satisfy this. Written reports and checklists are required.
The Minimum Viable Audit Process
For a company running its first internal audit under ISO 27001:
- Define scope: which departments, systems, and processes are in scope for this audit cycle
- Build a checklist: map each Annex A control and Clause requirement to a testable question
- Assign an auditor: someone who did not implement the controls being audited
- Interview and test: review documents, observe processes, test controls (not just ask "do you do this?")
- Write the report: findings categorized as conformance, minor nonconformity, major nonconformity, or observation
- Feed findings into Clause 10.1: open corrective actions for each nonconformity
- Present to management review: Clause 9.3 requires management to review audit results
The whole process, for a 30–50 person company, typically takes two to three weeks from planning to report.
Internal Audit vs. Certification Audit
These are different things:
| Internal Audit | Certification Audit | |
|---|---|---|
| Conducted by | Internal staff or hired consultant | Accredited certification body (CB) |
| Purpose | Identify gaps before external scrutiny | Verify conformance for certificate issuance |
| Output | Internal audit report, corrective actions | Certificate (or nonconformity findings) |
| Frequency | At least annually, risk-based | Stage 1 + Stage 2 initially, then surveillance annually |
| Standard reference | Clause 9.2 | Clause 9.2 + all other clauses |
The internal audit is your self-check before the certification body checks you. The more thorough your internal audit programme, the fewer surprises during certification.
How Automation Changes the Process
The most time-consuming part of internal audit preparation is gathering evidence. Manual processes involve pulling screenshots, exporting logs, and chasing down access control lists from multiple systems.
Compliance platforms that maintain continuous evidence collection, pulling from AWS, GitHub, Okta, Jira, and similar tools daily, reduce audit preparation time because the evidence is already there. The auditor reviews what is already collected rather than requesting it from scratch.
This does not change the audit scope or the independence requirements. It changes how long it takes to prepare.
References:
- ISO/IEC 27001:2022, Information Security Management Systems (available at iso.org/standard/82875.html)
- Advisera 27001 Academy: ISO 27001 Internal Audit (advisera.com)
- ISMS.online: ISO 27001 Annex A Overview (isms.online/iso-27001/annex-a)