ISO 27001 Internal Audit: Requirements & Process
Quick Answer
ISO 27001 Clause 9.2 requires organizations to conduct internal audits at planned intervals to verify the ISMS conforms to requirements and is effectively implemented. Internal audits must be independent (auditors can't audit their own work), follow a documented audit program, and produce formal findings.
Internal Audit Requirements
Internal auditing is a mandatory requirement of ISO 27001 (Clause 9.2). It serves as your organization's self-check mechanism — verifying that your ISMS works as designed before the external certification body assesses it.
Key Takeaways
- Mandatory under Clause 9.2 — must be conducted at planned intervals
- Auditors must be independent — you cannot audit your own work
- Must cover both ISMS requirements (Clauses 4-10) and Annex A controls
- Findings must be documented and nonconformities must have corrective actions
- Internal audit must be completed before the external certification audit
Internal Audit Process
Conducting an ISO 27001 Internal Audit
Plan the audit program
Create an annual audit plan covering all ISMS clauses and applicable Annex A controls. Not everything needs auditing every cycle — prioritize based on risk, previous findings, and changes. Document the schedule and scope of each audit.
Select auditors
Auditors must be independent of the area being audited. Options: trained internal staff (from a different department), external consultant, or internal audit team. ISO 27001 lead auditor training is recommended but not mandatory for internal auditors.
Prepare the audit
Review the ISMS documentation, previous audit findings, risk assessment, SoA, and any changes since the last audit. Create an audit checklist covering the areas in scope. Notify auditees.
Conduct the audit
Gather evidence through: document review, staff interviews, system observations, and control testing. Compare actual practices against documented procedures and ISO 27001 requirements. Note any gaps or deviations.
Report findings
Document findings categorized as: conformity (working as intended), minor nonconformity (gap that doesn't undermine the ISMS), major nonconformity (significant failure in the ISMS), or opportunity for improvement.
Track corrective actions
For each nonconformity, assign an owner, define corrective action, set a deadline, and verify completion. Corrective actions must address root causes, not just symptoms. Track through to closure.
What to Audit
| Area | Key Questions | Evidence to Review |
|---|---|---|
| ISMS Clauses 4-10 | Is the ISMS established, implemented, maintained, and improved as per requirements? | Policies, risk assessment, management review minutes, improvement records |
| Risk Management | Is the risk assessment current? Are treatment plans implemented? | Risk register, risk treatment plan, SoA, control evidence |
| Annex A Controls | Are selected controls implemented and effective? | Control evidence, access logs, encryption configs, incident records |
| Documentation | Is documented information current, approved, and accessible? | Policy versions, approval records, document control logs |
| Awareness & Training | Are personnel aware of security policies and their responsibilities? | Training records, awareness session logs, staff interviews |
| Incident Management | Are incidents detected, reported, and responded to properly? | Incident logs, response records, post-incident reviews |
⚠️ Independence Is Critical
The most common internal audit deficiency flagged by certification auditors is lack of independence. The person who designed or manages a control cannot audit it. In small organizations, this often means using an external consultant for internal audit, or having departments cross-audit each other.
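The planning, corrective-action and independence requirements described above can be checked mechanically before a certification body ever sees the audit program. The following is an added example, not code from the original page or from any vendor platform: a small Python checker that takes a cycle's audit plan and findings and reports coverage gaps, independence conflicts (an auditor assigned to an area they own) and nonconformities that lack an owner, action or deadline or that are major and still open at Stage 2. The scope, area owners, control identifiers, engagements and findings are all constructed sample data, and the Annex A labels are illustrative rather than taken from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample scope. A real program lists Clauses 4-10 plus every
# Annex A control marked applicable in the SoA; the control labels here are
# illustrative placeholders, not an extract from the standard.
ISMS_SCOPE: Set[str] = {
    "Clause 4", "Clause 5", "Clause 6", "Clause 7", "Clause 8", "Clause 9", "Clause 10",
    "A.5.15 Access control",
    "A.5.24 Incident management planning",
    "A.8.8 Vulnerability management",
}

# Constructed: who designed or operates each area. That person may not audit it.
AREA_OWNERS: Dict[str, str] = {
    "Clause 6": "ciso",
    "Clause 8": "ciso",
    "A.5.15 Access control": "it-ops",
    "A.8.8 Vulnerability management": "it-ops",
    "A.5.24 Incident management planning": "soc-lead",
}


@dataclass(frozen=True)
class Engagement:
    """One scheduled audit of one area by one auditor."""
    area: str
    auditor: str
    scheduled: date


@dataclass
class Finding:
    """An audit finding; only minor/major nonconformities need corrective action."""
    area: str
    severity: str                    # "conformity" | "minor" | "major" | "ofi"
    owner: Optional[str] = None      # person accountable for the fix
    action: Optional[str] = None     # corrective action addressing the root cause
    due: Optional[date] = None       # agreed deadline
    closed_on: Optional[date] = None # date effectiveness was verified


def coverage_gaps(plan: List[Engagement], scope: Set[str] = ISMS_SCOPE) -> List[str]:
    """Areas in scope that no engagement in this cycle covers."""
    return sorted(scope - {e.area for e in plan})


def independence_violations(plan: List[Engagement],
                            owners: Dict[str, str] = AREA_OWNERS) -> List[Tuple[str, str]]:
    """Engagements where the assigned auditor owns the area being audited."""
    return [(e.area, e.auditor) for e in plan if owners.get(e.area) == e.auditor]


def corrective_action_issues(findings: List[Finding], stage2: date) -> List[str]:
    """Tracking problems with nonconformities, one message per issue."""
    issues = []
    for f in findings:
        if f.severity not in ("minor", "major"):
            continue  # conformities and opportunities for improvement need no action
        if not (f.owner and f.action and f.due):
            issues.append(f"{f.area}: {f.severity} nonconformity lacks owner/action/deadline")
        if f.severity == "major" and not (f.closed_on and f.closed_on <= stage2):
            issues.append(f"{f.area}: major nonconformity not closed before Stage 2")
    return issues


def audit_program_report(plan: List[Engagement], findings: List[Finding],
                         stage2: date) -> Dict[str, list]:
    """Run all three checks over one audit cycle."""
    return {
        "coverage_gaps": coverage_gaps(plan),
        "independence_violations": independence_violations(plan),
        "corrective_action_issues": corrective_action_issues(findings, stage2),
    }


# Constructed sample cycle: one area is never audited, and it-ops is scheduled
# to audit the access-control area that it-ops itself operates.
SAMPLE_PLAN = [
    Engagement("Clause 4", "internal-auditor", date(2024, 2, 5)),
    Engagement("Clause 5", "internal-auditor", date(2024, 2, 5)),
    Engagement("Clause 6", "internal-auditor", date(2024, 3, 4)),
    Engagement("Clause 7", "internal-auditor", date(2024, 3, 4)),
    Engagement("Clause 8", "internal-auditor", date(2024, 4, 8)),
    Engagement("Clause 9", "internal-auditor", date(2024, 4, 8)),
    Engagement("Clause 10", "internal-auditor", date(2024, 4, 8)),
    Engagement("A.5.15 Access control", "it-ops", date(2024, 5, 6)),
    Engagement("A.5.24 Incident management planning", "internal-auditor", date(2024, 6, 3)),
]

SAMPLE_FINDINGS = [
    Finding("Clause 6", "minor", "ciso", "Refresh risk assessment after cloud migration",
            date(2024, 6, 30)),
    Finding("A.5.15 Access control", "major", "it-ops", "Introduce quarterly access reviews",
            date(2024, 7, 31), closed_on=date(2024, 7, 20)),
    Finding("A.5.24 Incident management planning", "major"),  # untracked and still open
    Finding("Clause 7", "ofi"),
]
STAGE2_DATE = date(2024, 9, 15)

if __name__ == "__main__":
    for check, result in audit_program_report(SAMPLE_PLAN, SAMPLE_FINDINGS, STAGE2_DATE).items():
        print(f"{check}: {result}")
```

Run as a script it prints the three result lists for the sample cycle; in practice the plan and findings would be loaded from the audit program register, and a non-empty result on any of the three checks is a reason to fix the program before the Stage 2 visit rather than something to explain to the certification auditor.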
Internal Audit Cycle
The continuous internal audit improvement cycle:
- Plan: define the audit program, schedule and scope, and assign auditors
- Execute: conduct audits, gather evidence, interview staff
- Report: document findings, classify nonconformities
- Correct: implement corrective actions, verify effectiveness
Key facts at a glance:
- Clause 9.2 (ISO 27001 requirement): mandates an internal audit program
- Annual (minimum frequency): full ISMS coverage per audit cycle
- 1-5 days (typical duration): depending on organization size
- Before Stage 2 (must complete): internal audit needed before certification
Can we do the internal audit ourselves?
Yes, but auditors must be independent of the areas they audit. In small organizations, this is challenging. Common solutions: have departments cross-audit each other, hire an external consultant for the internal audit, or train a staff member from a different department as an internal auditor.
How often do we need to audit?
ISO 27001 requires audits at 'planned intervals.' Most organizations conduct a full internal audit annually. You can audit different parts throughout the year as long as the entire ISMS is covered within your audit cycle. High-risk areas should be audited more frequently.
What if we find major issues in the internal audit?
That's actually a good sign — it means your internal audit is working. Document the findings, conduct root cause analysis, implement corrective actions, and verify effectiveness. Address major nonconformities before the external audit. Certification bodies expect to see a mature internal audit with real findings — a clean audit raises suspicion.
Can a compliance platform replace internal audit?
Not entirely. Continuous monitoring from compliance platforms provides ongoing control evidence, but the formal internal audit process (planning, independent assessment, findings, corrective actions) is a separate requirement. Platforms can streamline evidence gathering and finding tracking, but an independent assessment is still required.