What is Internal Audit?
An internal audit is a planned, independent review an organization performs on itself to check whether its own controls, policies, and procedures are working and meet a chosen standard. In ISO/IEC 27001:2022 it is mandatory under Clause 9.2, must be conducted at planned intervals, and feeds management review and corrective action.
Internal audit matters because it is how you find problems before an external auditor, regulator, or attacker does. For ISO 27001 certification it is not optional: auditors will ask to see an internal audit programme, evidence that audits actually ran across the ISMS scope, the findings raised, and proof those findings were closed. A clean Stage 2 audit is far more likely when internal audit has already surfaced and fixed the gaps.
A concrete example: your access control policy requires quarterly access reviews. An internal audit samples the last two quarters, finds one review was skipped, and raises a nonconformity. That triggers a corrective action, and the fix is documented well before the certification body ever looks. Auditors must be objective and not audit their own work, so a small team typically has one person audit another's area, or brings in an outside reviewer.
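As an added illustration of the sampling check described above (not from this page or ComplianceDocs): a small Python script that takes the dated access-review records collected as audit evidence, works out which completed quarters fall in the sample window, and raises a nonconformity for any quarter without a review. The quarterly requirement, the two-quarter sample and the review dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    quarter: str    # e.g. "2024-Q3"
    severity: str   # "nonconformity" for a missed mandatory control
    detail: str


def quarter_of(d: date) -> str:
    """Label a date with its calendar quarter, e.g. 2024-07-14 -> '2024-Q3'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def previous_quarters(as_of: date, count: int) -> list[str]:
    """The `count` fully completed quarters before the one containing `as_of`, oldest first."""
    year, q = as_of.year, (as_of.month - 1) // 3 + 1
    out = []
    for _ in range(count):
        q -= 1
        if q == 0:          # wrap from Q1 back into Q4 of the prior year
            q, year = 4, year - 1
        out.append(f"{year}-Q{q}")
    return list(reversed(out))


def audit_access_reviews(review_dates: list[str], as_of: str, sample_quarters: int = 2) -> list[Finding]:
    """Sample the last `sample_quarters` quarters and raise a finding for each with no evidenced review.

    `review_dates` are ISO dates of completed access reviews; `as_of` is the audit date.
    """
    covered = {quarter_of(date.fromisoformat(d)) for d in review_dates}
    return [
        Finding(q, "nonconformity",
                f"No completed access review evidenced for {q}; policy requires a quarterly review.")
        for q in previous_quarters(date.fromisoformat(as_of), sample_quarters)
        if q not in covered
    ]


# Constructed evidence: reviews ran in Q2 and Q4 2024, so Q3 was skipped.
SAMPLE_REVIEWS = ["2024-04-15", "2024-10-02"]
AUDIT_DATE = "2024-11-05"   # audit in Q4 samples the completed quarters Q2 and Q3


def example_findings() -> list[str]:
    """Quarters flagged for the constructed sample; expected ['2024-Q3']."""
    return [f.quarter for f in audit_access_reviews(SAMPLE_REVIEWS, AUDIT_DATE)]
```

Each Finding is what would go into the findings log and drive the corrective action the text describes.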
A documented internal audit procedure and a reusable audit programme, checklist, and findings log make this dramatically faster to stand up. ComplianceDocs templates give you the procedure, schedule, and evidence forms so you are not inventing them under deadline pressure, but running the audits and closing the findings is work only your organization can do; the templates do not by themselves make you compliant or certified.
Related terms: Compliance Audit · Corrective Action · Continual Improvement · Audit Evidence
Frequently asked questions
- Is an internal audit required for ISO 27001 certification?
- Yes. Clause 9.2 of ISO/IEC 27001:2022 requires the organization to conduct internal audits at planned intervals to confirm the ISMS conforms to both the standard and its own requirements and is effectively implemented. Certification bodies will ask for evidence the programme ran.
- Can someone audit their own work in an internal audit?
- No. The standard requires objectivity and impartiality, so auditors must not audit their own work. In a small team this usually means colleagues audit each other's areas, or you engage an independent external reviewer to perform the internal audit.
- How is an internal audit different from the external certification audit?
- An internal audit is run by or for the organization to check its own readiness. The external (certification) audit is performed by an accredited certification body and is what actually leads to the certificate; internal audit is preparation and evidence for it.
Toolkits that cover Internal Audit
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
