ISO 27001 Glossary

What is an Internal Audit in ISO 27001?

Overview

An Internal Audit is a systematic, independent evaluation of your ISMS to verify it conforms to ISO 27001:2022 requirements and is effectively implemented. It's a mandatory requirement under Clause 9.2 and a critical tool for identifying gaps before your certification audit.

Internal audits provide objective evidence that your ISMS is working as intended and help drive continual improvement.

Internal Audit in Practice

ISO 27001:2022 requires you to conduct internal audits at planned intervals to assess whether your ISMS:

  • Conforms to your own ISMS requirements and to the requirements of ISO 27001:2022

  • Is effectively implemented and maintained

  • Achieves the intended outcomes defined in your information security objectives

You must establish an audit program that considers the importance of processes, changes affecting the organization, and results from previous audits.

Internal audits should be conducted by competent personnel who are independent of the area being audited to ensure objectivity.

Key Components of Internal Audits

Audit Planning

Your audit program must define:

  • Audit frequency (typically annually, but high-risk areas may need more frequent reviews)

  • Audit scope covering all ISMS clauses (4-10) and applicable Annex A controls

  • Audit criteria based on ISO 27001:2022 requirements and your documented procedures

  • Audit methods (document review, interviews, observation, sampling)

Conducting the Audit

During the audit, you should:

  • Review documented information (policies, procedures, records)

  • Interview process owners and staff

  • Observe implementation of controls

  • Sample evidence of control effectiveness

  • Document findings objectively with evidence

Audit Reporting

Clause 9.2 requires you to retain documented information as evidence of audit results. Your audit reports should include:

  • Conformities and nonconformities identified

  • Opportunities for improvement

  • Evidence supporting findings

  • Corrective action requirements for nonconformities

Nonconformities found during internal audits must be addressed through corrective action (Clause 10.2) before your certification audit.

Auditor Requirements

ISO 27001:2022 Clause 9.2 specifies that auditors must:

  • Be competent in auditing and information security

  • Be impartial and objective

  • Not audit their own work (independence requirement)

Example: An IT security manager can audit HR processes, but someone else must audit the IT security controls the manager is responsible for.

Audit Frequency and Timing

While ISO 27001:2022 doesn't mandate specific intervals, best practices include:

  • Complete ISMS audit at least annually

  • More frequent audits for critical or high-risk areas

  • Additional audits after significant changes

  • Timing that allows corrective action before external certification audits
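The planning inputs described above (importance of the process, changes since the last audit, results of previous audits, and the rule that nobody audits their own work) can be turned into a small scheduler. The following is an added example written for this glossary entry; it is not code from the page or from ISMS Copilot. The review intervals, the halving rule after findings, the 90-day window after a change, and all area names, owners and dates are constructed assumptions; ISO 27001:2022 itself fixes no interval.

```python
"""Internal audit programme planner (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class AuditArea:
    name: str                    # ISMS clause or control area
    owner: str                   # person responsible for the area (may not audit it)
    importance: str              # "high" | "medium" | "low" (assumed scale)
    last_audit: Optional[date]   # None if never audited
    last_findings: int = 0       # nonconformities raised at the previous audit
    changed_since: bool = False  # significant change since the last audit


# Assumed planned intervals by importance; the standard sets none.
INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 365}


def next_due(area: AuditArea) -> Optional[date]:
    """Next planned audit date. Shortened when the previous audit raised
    nonconformities or the area changed; None means never audited (due now)."""
    if area.last_audit is None:
        return None
    days = INTERVAL_DAYS[area.importance]
    if area.last_findings > 0:
        days //= 2                 # re-check sooner after findings (assumed rule)
    if area.changed_since:
        days = min(days, 90)       # audit within a quarter of a change (assumed rule)
    return area.last_audit + timedelta(days=days)


def independence_violations(areas, assignments) -> list:
    """Names of areas whose assigned auditor is also the area owner."""
    return [a.name for a in areas if assignments.get(a.name) == a.owner]


def plan_programme(areas, assignments, today: date) -> list:
    """Schedule rows ordered most urgent first: never-audited areas, then by
    days overdue. Each row also records whether the assignment is independent."""
    rows = []
    for a in areas:
        due = next_due(a)
        overdue = None if due is None else (today - due).days
        auditor = assignments.get(a.name)
        rows.append({
            "area": a.name,
            "due": due,
            "days_overdue": overdue,
            "auditor": auditor,
            "independent": auditor is not None and auditor != a.owner,
        })
    rows.sort(key=lambda r: (r["days_overdue"] is not None,
                             -(r["days_overdue"] or 0)))
    return rows


# Constructed sample programme. "bob" is the IT security manager from the
# page's example: he may audit HR processes but not his own IT controls.
SAMPLE_AREAS = [
    AuditArea("Clause 6 risk assessment", "alice", "high",
              date(2024, 1, 15), last_findings=2),
    AuditArea("IT security controls", "bob", "high",
              date(2024, 6, 1), changed_since=True),
    AuditArea("HR processes", "carol", "medium", date(2023, 9, 1)),
    AuditArea("Supplier onboarding", "dave", "low", None),
]
SAMPLE_ASSIGNMENTS = {
    "Clause 6 risk assessment": "bob",
    "IT security controls": "bob",      # violates the independence requirement
    "HR processes": "bob",
    "Supplier onboarding": "alice",
}
TODAY = date(2024, 9, 1)

if __name__ == "__main__":
    for row in plan_programme(SAMPLE_AREAS, SAMPLE_ASSIGNMENTS, TODAY):
        print(row)
    print("independence violations:",
          independence_violations(SAMPLE_AREAS, SAMPLE_ASSIGNMENTS))
```

Run as-is to see the ordered programme; the never-audited supplier area comes first, the risk assessment area (140 days overdue because its interval was halved after findings) second, and the IT controls row is flagged as not independent because its owner was assigned to audit it.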

Use ISMS Copilot to generate internal audit checklists tailored to specific Annex A controls or create audit questions for interviews with process owners.

Common Audit Areas

Your internal audit should cover:

  • Clause 4: Context, scope, and ISMS boundaries

  • Clause 5: Leadership commitment and policy

  • Clause 6: Risk assessment and treatment

  • Clause 7: Resources, competence, awareness, communication

  • Clause 8: Operational planning and control implementation

  • Clause 9: Monitoring, measurement, internal audit, management review

  • Clause 10: Nonconformity and corrective action, continual improvement

  • Annex A: Applicable controls from your SoA
