How to Run an ISO 27001 Internal Audit (Clause 9.2)

Clause 9.2 of ISO/IEC 27001:2022 requires you to audit your own information security management system at planned intervals — before a certification body ever does. Here is what the clause actually requires, how to run the audit, and where the work is yours alone.

What clause 9.2 actually requires

Clause 9.2 of ISO/IEC 27001:2022 obliges your organization to conduct internal audits of its information security management system (ISMS) at planned intervals. In the 2022 edition the clause is split in two: 9.2.1 General sets out the purpose, and 9.2.2 Internal audit programme sets out the mechanics. The internal audit is not a nice-to-have or a maturity milestone you reach eventually — it is a mandatory part of the management system, and certification bodies will ask for evidence that the programme ran.

The purpose, from 9.2.1, has two prongs. The audit must provide information on (a) whether the ISMS conforms to your organization's own requirements for its ISMS and to the requirements of the standard itself, and (b) whether the ISMS is effectively implemented and maintained. Read those carefully, because they are doing different jobs. The first prong is about conformity — does the system match what it is supposed to be, both your own documented rules and the clauses of ISO 27001. The second is about effectiveness — is it actually working in practice, not just written down. A programme can be fully documented and still fail the second test if nobody operates it.

Note what the clause does not say. It requires audits at "planned intervals," not annually. There is no calendar figure in the standard. In practice most organizations run their internal audit programme so that the full scope of the ISMS is covered at least once across each certification cycle, and many adopt an at-least-annual cadence as their own internal standard — but that is common practice and a sensible planning decision, not a number the text mandates. What clause 9.2.2 does require is that you plan, establish, implement, and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements, and reporting.

Independence and objectivity: you cannot audit your own work

Clause 9.2.2 requires you to select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process. That is the literal requirement. The familiar shorthand — you cannot audit your own work — is the principle that follows from it, reinforced by the auditing guidance in ISO 19011. An auditor who reviews a control they designed, configured, or operate cannot be impartial about it, because they are effectively grading their own homework, and an external assessor will see the conflict immediately.

This is the requirement that trips up small teams hardest, because in a five- or fifteen-person company the person who wrote the access-control policy is often the same person who administers the systems it governs. ISO 27001 does not demand a dedicated audit department; it demands impartiality of the process. There are two practical ways to get there. The first is to have colleagues cross-audit each other's areas — the person who runs IT audits the HR and supplier-management controls, and someone from outside IT audits the technical controls. The second, common for very small teams or where in-house independence genuinely is not achievable, is to engage an external reviewer or consultant to perform the internal audit on your behalf. Either is acceptable, provided the result is that no one signs off on the very work they own.

Objectivity also has to be visible, not just claimed. Record who audited what, and make the assignments demonstrate the separation — an auditor's report on an area they personally manage is a finding waiting to happen, regardless of how honest that person is. The point of the requirement is that the audit's credibility does not rest on any individual's good faith; it rests on the structure of the programme.

Building the audit programme, plan, scope, and criteria

Four words get used loosely and mean different things, so it is worth separating them. The audit programme is the schedule over time — what gets audited, by whom, and how often, across the whole ISMS and across the certification cycle. The audit plan is the arrangement for a single audit: the dates, the areas in scope, the people to interview, and the evidence to request. The scope is the boundary of a given audit — which parts of the ISMS, which sites, which controls it covers. The criteria are the yardsticks you audit against.

The criteria deserve special attention because they mirror the two-prong purpose from 9.2.1. You are not auditing against the standard alone. The criteria are the requirements of ISO/IEC 27001:2022 (clauses 4 to 10 and the Annex A controls you have adopted), plus your own documented ISMS requirements — your policies, procedures, and your Statement of Applicability — plus any legal, regulatory, and contractual obligations you carry. An internal audit that checks only "do we match the standard" and ignores "do we match our own written rules" has audited half the clause.

A workable programme spreads the full ISMS across planned intervals so that everything is covered without trying to audit the entire system in a single sitting. It also weights attention toward areas of higher risk, recent change, or prior findings — the standard expects you to consider the importance of the processes concerned and the results of previous audits when planning. Each individual audit then gets its own plan and scope drawn from that programme, with criteria stated up front so the auditor and the area being audited both know what they are being measured against.

Conducting the audit: sampling evidence against the SoA, Annex A, and clauses 4–10

An internal audit is conducted by gathering evidence and testing it against the criteria — through interviews, document review, observation, and sampling of records. You are not trying to inspect every record; you are taking a representative sample and following it through to confirm the control or process operates as documented. The discipline is to move from a claim to proof: the policy says access is reviewed quarterly, so show me the last review, who performed it, and what changed as a result.

The Statement of Applicability (SoA) is the natural spine for the Annex A portion of the audit. The SoA lists every one of the 93 Annex A controls in the 2022 edition across the four themes — Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls) — and records which apply, why, and their status. Auditing against it means walking the applicable controls and asking for the evidence the SoA's status implies: a control marked implemented should have records behind it, and an exclusion should have a justification that survives a follow-up question. This is exactly how a certification body will work, which is why the internal audit doubles as a rehearsal.
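As an added example (not code from the article or from the ComplianceDocs toolkit), the Python below turns the SoA walk-through into a consistency check over a constructed SoA export: an applicable control marked implemented must carry an evidence reference, an exclusion must carry a justification, and each theme must list its full complement of controls. The column names and the sample rows are assumptions, not any toolkit's format.

```python
import csv
import io

# Annex A theme sizes in ISO/IEC 27001:2022 (93 controls in total).
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_SOA = """control_id,applicable,status,justification,evidence
A.5.1,yes,implemented,,ISMS-POL-01 approved 2024-03-12
A.5.2,yes,implemented,,
A.6.1,yes,partial,,Screening checklist HR-07
A.7.4,no,,No physical premises; fully remote workforce,
A.8.24,no,,,
A.9.1,yes,implemented,,Misc
"""


def audit_soa(csv_text):
    """Return (findings, coverage) for an SoA export.

    findings: list of (control_id_or_theme, finding text)
    coverage: theme -> number of distinct controls listed under it
    """
    findings, coverage, seen = [], {t: 0 for t in ANNEX_A_THEMES}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        theme = ".".join(cid.split(".")[:2])
        if theme not in ANNEX_A_THEMES:
            findings.append((cid, "control id is not in an Annex A theme A.5-A.8"))
            continue
        if cid in seen:
            findings.append((cid, "duplicate entry"))
            continue
        seen.add(cid)
        coverage[theme] += 1
        if row["applicable"].strip().lower() == "yes":
            # An implemented control needs records behind it.
            if row["status"].strip() == "implemented" and not row["evidence"].strip():
                findings.append((cid, "implemented but no evidence reference"))
        elif not row["justification"].strip():
            # An exclusion needs a justification that survives a follow-up question.
            findings.append((cid, "excluded without justification"))
    # The SoA must list every control, applicable or not, so short themes are findings.
    for theme, expected in ANNEX_A_THEMES.items():
        if coverage[theme] != expected:
            findings.append((theme, f"{coverage[theme]} of {expected} controls listed"))
    return findings, coverage


if __name__ == "__main__":
    for item, text in audit_soa(SAMPLE_SOA)[0]:
        print(f"{item}: {text}")
```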

The Annex A controls are only part of the job. The management system clauses — context (4), leadership (5), planning (6), support (7), operation (8), performance evaluation (9), and improvement (10) — are equally in scope and are where first-time auditees most often have gaps, because they are about how the ISMS governs itself rather than about technical controls. Sample these too: is there evidence of risk assessment under 6.1, of competence and awareness under 7.2 and 7.3, of monitoring and measurement under 9.1, and of management review under 9.3? An audit that tests only the technical controls and skips the governance clauses will leave the same gaps an external auditor is specifically trained to find.

Findings, corrective action, and feeding the management review

As you audit, you record findings. The significant ones are nonconformities — places where the ISMS does not meet a criterion, whether that is a clause of the standard, your own policy, or an obligation you carry. Each nonconformity should be specific, evidenced, and tied to the requirement it breaches, so that the person responsible can see exactly what is wrong and against what. Vague findings produce vague fixes. It is also worth distinguishing nonconformities from observations or opportunities for improvement, which note weaknesses or good ideas that are not actual breaches.

Nonconformities then flow into corrective action, which ISO/IEC 27001:2022 addresses in clause 10.2 (in the 2022 edition, 10.1 is Continual improvement and 10.2 is Nonconformity and corrective action — the order was reversed from the 2013 edition, so cite the 2022 numbering). Corrective action is not just fixing the immediate problem; the clause requires you to react to the nonconformity, evaluate the need to eliminate its cause so it does not recur, implement the action, review its effectiveness, and retain documented information of what you found and did. A corrective-action log that records root cause, action, owner, due date, and verified closure is the evidence that this happened.

The results then feed the management review under clause 9.3, where top management considers, among other inputs, the results of audits and the status of nonconformities and corrective actions. This is the loop that makes the management system self-governing: the internal audit surfaces what is not working, corrective action fixes it, and the management review confirms leadership has seen and acted on it. Crucially, both the internal audit and the management review must happen before a certification audit. A certification body conducting a Stage 2 audit will expect to see that the programme ran, that findings were raised, and that the organization governed itself — an ISMS that has never audited itself has no evidence it works, and first-time auditees who skip this step are noticed immediately.

Where a documentation toolkit fits — and where it does not

Running an internal audit from a blank page means first building the apparatus: an audit procedure that defines roles and independence, an audit plan template, a programme schedule, a findings and nonconformity register, and a corrective-action log — before you can ask a single audit question. That scaffolding is the same for almost every ISO 27001 program, which makes it exactly the kind of work a documentation toolkit is meant to remove so your time goes to the audit itself.

The ComplianceDocs ISO 27001 Complete Toolkit includes an editable ISMS Internal Audit Procedure that lays out how to plan the programme, preserve auditor objectivity and impartiality, conduct the audit, and record findings and corrective actions — alongside a Management Review Procedure for clause 9.3, an Audit Evidence Checklist, the 93-control Statement of Applicability workbook, and the risk register the audit samples against. Together those give you an editable starting point and a consistent paper trail: the procedure that structures how you run and record the audit, and the documents the audit checks against.

What the toolkit cannot do is the audit. The sampling, the interviews, the judgment about whether a control genuinely operates, the nonconformities you raise, and the corrective actions you verify all have to reflect your real ISMS, and only your organization can supply them — and auditor independence still has to be arranged in your specific team. Be unambiguous about the limit: no template, procedure, or document set makes an organization "ISO 27001 certified." Certification is issued only by an accredited certification body after it audits a working management system, and the internal audit is your rehearsal for that, not a substitute. A toolkit speeds and structures the documentation; running the audit, fixing what it finds, and earning the certificate remain yours. (Any cost or time references here are illustrative estimates, not quotes; actual figures vary by organization, scope, and certification body.)

Frequently asked questions

Is an internal audit required for ISO 27001 certification?
Yes. Clause 9.2 of ISO/IEC 27001:2022 requires the organization to conduct internal audits of its ISMS at planned intervals, and a certification body will ask for evidence the programme ran. The purpose is to confirm the ISMS conforms both to the standard and to your own documented requirements, and that it is effectively implemented and maintained. The internal audit, together with the management review under clause 9.3, must take place before a certification audit. An ISMS that has never audited itself has no evidence that it actually works, which an external assessor notices immediately.
How often does ISO 27001 require an internal audit?
The standard says "planned intervals" and does not set a fixed calendar figure, so it does not literally mandate an annual audit. In practice, most organizations run their audit programme so the full scope of the ISMS is covered at least once across each certification cycle, and many adopt an at-least-annual cadence as their own internal standard. Clause 9.2.2 requires you to plan the programme considering the importance of the processes concerned and the results of previous audits, which usually means weighting attention toward higher-risk and recently changed areas. Treat the cadence as a planning decision you can defend, not a number from the text.
Can someone audit their own work in an ISO 27001 internal audit?
No. Clause 9.2.2 requires you to ensure the objectivity and impartiality of the audit process, and the well-known principle that you cannot audit your own work follows directly from it, reinforced by the auditing guidance in ISO 19011. An auditor cannot be impartial about a control they designed, configured, or operate. In a small team this usually means colleagues cross-audit each other's areas, or you engage an external reviewer to perform the internal audit. The credibility of the audit should rest on how the assignments are structured, not on any individual's good faith, so record who audited what to show the separation.
What is the difference between an internal audit and the certification audit?
An internal audit is run by or for your organization to check its own ISMS against the standard, your own policies, and your obligations — it is preparation and evidence. The external certification audit is performed by an accredited certification body and is what actually leads to the certificate; a Stage 1 audit largely reviews your documentation and readiness, and a Stage 2 audit tests whether the system operates in practice. The internal audit is effectively a rehearsal for Stage 2 and must happen before it. Importantly, no internal audit, template, or toolkit confers certification — only the accredited body can issue it, after auditing a working management system.
What happens to the findings from an ISO 27001 internal audit?
Findings are recorded, and the significant ones — places where the ISMS does not meet a criterion — are raised as nonconformities, each tied to the specific requirement it breaches. Nonconformities flow into corrective action under clause 10.2 of the 2022 edition, which requires you to address the immediate problem, evaluate and eliminate its root cause so it does not recur, implement the action, review its effectiveness, and retain documented information. The results, including the status of nonconformities and corrective actions, then feed the management review under clause 9.3. That loop — audit, correct, review — is what makes the management system self-governing and is exactly the evidence a certification body looks for.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.