What ISO 27001 Says About Internal Audit

Internal audit is not optional. ISO/IEC 27001:2022 Clause 9.2, under the Performance Evaluation section, requires organizations to plan, conduct, and document internal audits as part of maintaining their ISMS.

The 2022 revision split the original single Clause 9.2 into two sub-clauses:

  • Clause 9.2.1 defines the objectives of each individual audit
  • Clause 9.2.2 governs the audit programme as a whole, its planning, frequency, methods, responsibilities, and records

This split matters because it separates the what (individual audit requirements) from the how (programme management). Both apply to your certification and surveillance audits.

Source: Advisera 27001 Academy (advisera.com/27001academy/iso-27001-internal-audit)

What Each Audit Must Assess

Per Clause 9.2.1, every internal audit must determine whether your ISMS:

  1. Conforms to your own ISMS requirements (your policies and procedures)
  2. Conforms to the requirements of ISO/IEC 27001:2022 itself
  3. Is effectively implemented and maintained

The third point is the one most teams underestimate. Having documented policies is not enough, the audit must verify those policies are actually followed in practice.

How Often Do You Need to Audit?

ISO 27001 does not set a fixed interval. Frequency is determined by the organization based on:

  • The importance of each process to the ISMS
  • Any changes that have affected security (new systems, org restructuring, incidents)
  • Results of previous audits

In practice, once per year is the minimum most certification bodies expect. Higher-risk areas, access control, incident management, physical security, are commonly audited more frequently when changes occur.

Source: Advisera 27001 Academy (advisera.com/27001academy/iso-27001-internal-audit)

Who Can Run the Internal Audit?

The standard has one explicit rule on this: auditors shall not audit their own work.

This is the objectivity and impartiality requirement. It means someone from the IT team cannot audit the IT team's own controls. Options that satisfy the requirement:

  • An employee from a different department (HR auditing IT, or vice versa)
  • An external consultant hired specifically for the internal audit role
  • A team member from a subsidiary or affiliate office

No specific certification is required by the standard, but auditors must be "competent," meaning they understand both audit principles and the ISMS requirements. In practice, ISO 27001 Lead Auditor training (offered by BSI, Bureau Veritas, and others) provides a credible baseline.

The Four Documents You Must Produce

Clause 9.2.2 requires the following documented information to be retained:

1. Audit programme The planned schedule: which areas will be audited, with what methods, by whom, and when. This is maintained over the full audit cycle.

2. Audit criteria and scope for each audit Each individual audit must have a defined scope (which processes, systems, or departments) and criteria (which requirements it will test against).

3. Audit results / audit report Findings from each audit, conformances, nonconformities, observations, and any opportunities for improvement.

4. Evidence that the programme was implemented Records showing audits were actually conducted per the programme. Audit checklists, meeting notes, and signed attendance sheets serve this purpose.

How the Audit Feeds Into Corrective Action

Nonconformities found during internal audit feed directly into Clause 10.1 (Nonconformity and Corrective Action). When an audit finds a gap:

  1. The nonconformity is documented
  2. A root cause analysis is performed
  3. Corrective actions are defined and assigned
  4. Effectiveness of those actions is verified in a follow-up check

This loop, audit → nonconformity → corrective action → verification, is what certification bodies look for when assessing whether your ISMS is genuinely improving over time.

What Commonly Goes Wrong

Auditing the same people every cycle If the same team audits the same controls each year and finds zero nonconformities, certification auditors will look more closely. Real audits find something.

Treating the audit as a document review only ISO 27001 requires evidence that controls work in practice. Clause 9.2.1 says the audit must assess effective implementation, not just whether policies exist.

Leaving too little time before the certification audit Internal audit results must be available for management review (Clause 9.3). Management review must be completed before the external certification audit. Running the internal audit the week before the external audit leaves no time to close nonconformities.

Not keeping records Clause 9.2.2 explicitly requires documented information as evidence. A verbal debrief does not satisfy this. Written reports and checklists are required.

The Minimum Viable Audit Process

For a company running its first internal audit under ISO 27001:

  1. Define scope: which departments, systems, and processes are in scope for this audit cycle
  2. Build a checklist: map each Annex A control and Clause requirement to a testable question
  3. Assign an auditor: someone who did not implement the controls being audited
  4. Interview and test: review documents, observe processes, test controls (not just ask "do you do this?")
  5. Write the report: findings categorized as conformance, minor nonconformity, major nonconformity, or observation
  6. Feed findings into Clause 10.1: open corrective actions for each nonconformity
  7. Present to management review: Clause 9.3 requires management to review audit results

The whole process, for a 30–50 person company, typically takes two to three weeks from planning to report.

Internal Audit vs. Certification Audit

These are different things:

Internal AuditCertification Audit
Conducted byInternal staff or hired consultantAccredited certification body (CB)
PurposeIdentify gaps before external scrutinyVerify conformance for certificate issuance
OutputInternal audit report, corrective actionsCertificate (or nonconformity findings)
FrequencyAt least annually, risk-basedStage 1 + Stage 2 initially, then surveillance annually
Standard referenceClause 9.2Clause 9.2 + all other clauses

The internal audit is your self-check before the certification body checks you. The more thorough your internal audit programme, the fewer surprises during certification.

How Automation Changes the Process

The most time-consuming part of internal audit preparation is gathering evidence. Manual processes involve pulling screenshots, exporting logs, and chasing down access control lists from multiple systems.

Compliance platforms that maintain continuous evidence collection, pulling from AWS, GitHub, Okta, Jira, and similar tools daily, reduce audit preparation time because the evidence is already there. The auditor reviews what is already collected rather than requesting it from scratch.

This does not change the audit scope or the independence requirements. It changes how long it takes to prepare.


References:

Tags:
ISO 27001Internal AuditISMSClause 9.2