ISO 27001 Internal Audit: Clause 9.2 Requirements, Checklist, and Process
TL;DR
- Clause 9.2 of ISO/IEC 27001:2022 makes internal audits mandatory. The standard uses the phrase "planned intervals" rather than specifying a fixed frequency, but certification bodies expect at least one full ISMS audit per year.
- Auditors must be objective and impartial. They cannot audit their own work. Independence can come from internal staff on a different team, a dedicated audit function, or an external consultant.
- The audit program must define frequency, methods, responsibilities, scope, and reporting requirements, taking into account process importance and the results of previous audits.
- Findings fall into three categories: major nonconformity, minor nonconformity, and opportunity for improvement. Major nonconformities must be closed before an initial certification can be granted.
- The internal audit feeds the management review (Clause 9.3). The two are separate processes: one is a technical examination of controls; the other is a strategic evaluation by top management.
Who This Is For
This guide is for compliance managers, IT security leads, and operations staff preparing for their first ISO 27001 certification or maintaining an existing one. It covers what Clause 9.2 actually requires, how to run a defensible six-phase audit, what a complete internal audit report must contain, and the findings that most commonly cause problems before the external audit.
What Clause 9.2 Actually Says

ISO/IEC 27001:2022 Clause 9.2 splits into two sub-clauses.
Clause 9.2.1 requires that the organization conduct internal audits at planned intervals to determine whether the ISMS conforms to both the organization's own requirements and the requirements of the standard, and whether the ISMS is effectively implemented and maintained.
Clause 9.2.2 requires that the organization plan, establish, implement, and maintain an audit program. That program must cover the frequency, methods, responsibilities, planning requirements, and reporting for each audit. When planning individual audits, the organization must define the audit criteria and scope for each audit, select auditors who ensure objectivity and impartiality, and ensure that audit results are reported to relevant management.
The standard also requires that documented information be retained as evidence of the audit program and audit results. Under ISO/IEC 27001:2022, the documented information requirements are set in Clause 7.5.
Two points practitioners frequently misread: First, the standard says "planned intervals," not "annual." In practice, certification bodies assess whether the frequency is appropriate given the organization's risk profile, complexity, and the results of previous audits. A high-risk environment with significant changes warrants more frequent audits. Second, the requirement to ensure objectivity and impartiality is the organization's responsibility. The standard does not mandate external auditors; it mandates that whoever conducts the audit is free from conflicts of interest.
What Is an ISO 27001 Internal Audit?
An ISO 27001 internal audit is a systematic, independent examination of your Information Security Management System. It confirms that the ISMS meets the requirements of ISO/IEC 27001:2022 and your own documented policies and procedures.
The scope covers both the management system clauses (Clauses 4 through 10) and the applicable controls from Annex A of the standard. ISO/IEC 27001:2022 reorganized the previous 114 controls into 93 controls across four themes: Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34).
Internal audits serve three purposes. They surface nonconformities before the certification body sees them. They supply the management review with evidence of how controls are performing. They demonstrate to the certification body that the ISMS has a functioning self-correction loop, which is a core expectation of any ISO management system standard.
A single audit session does not have to cover everything at once. Most organizations split the work across several focused audits throughout the year, governed by a documented audit program.
Internal Audit vs. Management Review
These two requirements sit side by side in Clause 9 and are frequently confused.
The internal audit (Clause 9.2) is a structured, evidence-based examination conducted by trained auditors. It tests whether specific controls and management system processes conform to requirements. The output is an audit report with findings, evidence references, and corrective action requests.
The management review (Clause 9.3) is a periodic meeting of top management. It takes the audit results as an input, alongside information about security incidents, risk treatment status, performance metrics, and resource needs, and produces decisions about the future direction of the ISMS.
One feeds the other. Running them as a single meeting is a common shortcut that certification bodies flag.
Internal Audit vs. External Certification Audit

The differences matter when scoping your internal program.
| Dimension | Internal Audit | External Certification Audit |
|---|---|---|
| Conducted by | Organization staff or consultant | Accredited certification body |
| Scope flexibility | Defined by the organization | Must cover the full certified scope |
| Finding consequence | Feeds corrective action process | Open major nonconformities can block certification |
| Frequency | Determined by audit program | Stage 2 (initial), then annual surveillance, then re-certification at year 3 |
| Standard | ISO/IEC 27001:2022 Clause 9.2 | ISO/IEC 17021-1 (requirements for certification bodies) |
The certification body will read your internal audit report during the external audit. A thin, vague report signals a thin, vague ISMS.
Who Can Conduct the Audit
Clause 9.2.2 places the responsibility for ensuring objectivity and impartiality on the organization. In practice, this means three options:
Internal staff from a different team. An IT manager can audit HR controls; they cannot audit the IT controls they own or manage. The key test is whether the auditor has any responsibility for the area being audited.
A dedicated internal audit function. Larger organizations maintain internal auditors who sit outside operational teams and audit across the business. This structure satisfies the independence requirement cleanly.
An external consultant. Small organizations frequently hire a third-party consultant to run the internal audit because they lack the staff depth to maintain credible independence. The consultant works on behalf of the organization; the internal audit is still classified as an internal audit for certification purposes.
Auditor competence is a separate requirement from auditor independence. The standard does not mandate that internal auditors hold a specific credential, but ISO 19011:2018, Guidelines for auditing management systems, provides the reference framework for auditor competence. ISO 19011 covers audit program management, audit conduct, auditor evaluation, and competence requirements. Most organizations map their internal auditor qualification criteria to ISO 19011's competence framework.
Widely recognized training programs for ISO 27001 internal auditors include courses accredited by IRCA (International Register of Certificated Auditors), PECB, and BSI.
When Internal Audits Are Required
The three-year ISO 27001 certification cycle creates a practical schedule:
- Before Stage 1 and Stage 2 (initial certification): At least one full internal audit, completed and with evidence of corrective action on major findings, must be available before the certification body arrives.
- Before each annual surveillance visit (years 1 and 2): A completed internal audit covering the ISMS since the previous surveillance.
- Before re-certification (year 3): A completed internal audit.
- High-risk domains: Areas such as cloud infrastructure, access management, or incident response may warrant focused audits more often than the main annual cycle, based on the risk assessment results.
The audit program must document how these timing decisions were made and account for changes to the ISMS, significant security incidents, or results from previous audits that indicate elevated risk.
ISO 27001 Internal Audit Process: Six Phases

A defensible audit follows a repeatable six-phase process. Each phase produces documented outputs that become evidence during the external audit.
Phase 1: Audit Planning
Define the audit scope, objectives, criteria, methods, and timeline. The audit plan identifies which clauses and controls are in scope for this specific audit, which departments and sites are covered, the audit team members, and the reporting schedule. Each audit session should have a written plan, even a single-page one.
Factors that should affect scope selection: results of the most recent risk assessment, findings from the previous internal audit, any significant changes to people, processes, or technology since the last audit, and the importance of the processes being audited.
Phase 2: Document Review
Before any interviews, the auditor reviews the ISMS documentation. This includes the Statement of Applicability, the risk treatment plan, policies, procedures, and records of previous audits, management reviews, and corrective actions. Missing, outdated, or contradictory documents are logged as potential findings at this stage.
The Statement of Applicability is always the first document to review. If it has not been updated to reflect the ISO/IEC 27001:2022 Annex A structure (93 controls, four themes), that is almost certainly a major nonconformity.
Phase 3: Fieldwork
The auditor interviews control owners, observes processes where relevant, and samples records. Each control selected for the audit requires at least one piece of sampled evidence. The sampling approach should be documented in the audit plan.
For access control (A.5.15), a typical sample covers five to ten user access reviews from the review cycle. For supplier management (A.5.19 through A.5.22), a typical sample covers three or more supplier risk assessments from new or renewed contracts.
Phase 4: Analysis
The auditor compares observations against the ISO 27001 requirements and the organization's own documented policies. Gaps are classified as:
- Major nonconformity: Absence or complete breakdown of a system to meet a requirement. The system either does not exist or has failed to the point where conformity with a requirement cannot be assured.
- Minor nonconformity: A single observed lapse or partial failure that does not constitute a system breakdown but indicates the requirement is not being consistently met.
- Opportunity for improvement: An observation that does not constitute a nonconformity but where performance could be enhanced.
These definitions align with ISO/IEC 17021-1:2015, Conformity assessment: Requirements for bodies providing audit and certification of management systems, which governs how certification bodies themselves classify findings.
Phase 5: Reporting
The audit report documents the scope, audit plan reference, methodology, findings with evidence citations, the nonconformities log, opportunities for improvement, and corrective action requests with owners and due dates. Each finding cites the specific clause or control, the evidence reviewed, and the observed gap.
Phase 6: Follow-up
The audit is not closed until every major nonconformity has a documented root cause analysis, a corrective action, and evidence that the action was effective. Minor nonconformities require corrective action; root cause analysis is good practice but not always mandatory for minor issues.
ISO 27001 Internal Audit Checklist: 40 Items
Use this checklist as a starting point. Adapt it to your Statement of Applicability. Items are organized by clause and Annex A domain.
Clauses 4-10 (Management System)
- Is the ISMS scope documented, current, and consistent with the certified scope?
- Does the ISMS scope match what appears in the Statement of Applicability?
- Are interested parties and their security requirements documented?
- Is the information security policy approved by top management and communicated to all relevant parties?
- Are information security objectives documented, measurable, and tracked against targets?
- Is the risk assessment methodology documented and applied consistently?
- Is the risk treatment plan complete, with named owners and due dates?
- Is the Statement of Applicability current and aligned with the ISO/IEC 27001:2022 Annex A structure (93 controls, four themes)?
- Are resources for the ISMS documented and assessed as adequate?
- Are competence records (training completions, certifications) maintained for all ISMS roles?
- Is the security communication plan documented and followed?
- Are documented information controls (version control, approval, distribution) followed?
- Are operational planning records available for security processes?
- Is evidence of risk assessments and risk treatment decisions current?
- Is a monitoring and measurement plan in place and generating records?
- Are internal audits conducted in accordance with the audit program?
- Is top management conducting documented management reviews?
- Are nonconformities and corrective actions tracked to verified closure?
- Is there documented evidence of continual improvement activities?
Annex A Controls (Samples)
- A.5.1 Policies: Are all required policies approved, dated, and reviewed at defined intervals?
- A.5.2 Roles and responsibilities: Is a security responsibility matrix maintained and current?
- A.5.9 Inventory of assets: Is the asset register current, with named owners for each asset?
- A.5.15 Access control: Are user access reviews conducted at defined intervals and results documented?
- A.5.23 Cloud services: Are cloud service risk assessments documented before provisioning?
- A.5.30 ICT readiness: Are business continuity and disaster recovery tests performed and documented?
- A.5.34 Privacy: Is a privacy impact assessment process in place and followed for new projects?
- A.6.3 Awareness training: Is security awareness training delivered, tracked, and completed by all staff?
- A.6.7 Remote working: Is a remote working policy documented, approved, and enforced?
- A.7.4 Physical security monitoring: Are visitor logs, access badge records, and surveillance retention logs maintained?
- A.8.1 User endpoint devices: Is an endpoint security baseline documented and monitoring evidence available?
- A.8.5 Secure authentication: Is MFA enforced on all privileged accounts, with evidence?
- A.8.7 Protection against malware: Are endpoint protection logs retained and reviewed at defined intervals?
- A.8.8 Technical vulnerability management: Are vulnerability scans run on schedule, with remediation tracked against SLAs?
- A.8.12 Data leakage prevention: Are DLP controls documented for sensitive data flows?
- A.8.16 Monitoring: Are SIEM or equivalent logs retained for the documented retention period?
- A.8.24 Cryptography: Is cryptographic key management documented and key lifecycle tracked?
- A.8.28 Secure coding: Are secure coding standards documented and applied in development?
- A.8.32 Change management: Are all changes authorized, tested, and logged before deployment?
- A.8.33 Test information: Is production data masked or anonymized in non-production environments?
- Supplier management: Has the top-tier supplier list been reviewed for current security obligations and contract coverage?
Common ISO 27001 Internal Audit Findings
The same findings appear across initial and surveillance audits. Addressing them before the external audit avoids corrective action requests that delay certification.
| Finding | Frequency | Typical Root Cause |
|---|---|---|
| Statement of Applicability not updated to ISO/IEC 27001:2022 Annex A structure | Very high | Transition from 2013 version not completed |
| Access review evidence missing for one or more periods | Very high | No calendared review cycle with an owner |
| Supplier risk assessments not completed for new vendors | High | No security checkpoint in vendor onboarding |
| Security awareness training completion below 100 percent | High | New hires missed in rollout; no automated tracking |
| Risk treatment plan with overdue items and no documented escalation | High | Tracking in a static document rather than a live system |
| Vulnerability remediation SLAs exceeded without documented exception | Medium | Patch backlog; no escalation trigger |
| Management review minutes absent or too brief to demonstrate meaningful review | Medium | Review conducted informally without a scribe |
| Incident log not reviewed at the documented interval | Medium | No defined cadence owner |
| Backup restoration never tested against documented RTO/RPO | Medium | Backup assumed operational; no test schedule |
How Long Does an ISO 27001 Internal Audit Take?
ISO 27001 does not specify audit durations. The factors that determine effort are: ISMS scope (number of sites, departments, systems), number of applicable Annex A controls, complexity of the environment, whether documentation is well-maintained, and whether the auditor is familiar with the environment from a previous cycle.
General planning ranges, based on auditor days of effort (not calendar days):
Small organizations (under 50 people, single site):
- Planning: 1 to 2 days
- Document review: 2 to 3 days
- Fieldwork: 3 to 5 days
- Reporting: 2 to 3 days
- Total: roughly 8 to 13 auditor days
Mid-size organizations (50 to 500 people): Typically 15 to 25 auditor days per full audit cycle.
Enterprise programs: Multiple focused audits throughout the year, with total annual auditor effort varying by scope.
These are directional estimates. Organizations with well-maintained documentation and a familiar auditor will track toward the lower end. First-year audits in organizations where documentation is being built during the engagement will track higher.
ISO 27001 Internal Audit Report: Required Sections
The standard requires that documented information be retained as evidence of the audit program and audit results (Clause 9.2.2). There is no mandated report format, but a complete report that satisfies certification body scrutiny covers:
- Executive summary: Audit objective, scope, and headline findings — typically half a page.
- Audit plan reference: Dates, auditor names, scope approved by management.
- Scope and exclusions: What was covered; what was deliberately out of scope and why.
- Methodology: Sampling approach, evidence types, interview schedule.
- Clause-by-clause findings: Each clause examined, evidence reviewed, gaps noted.
- Annex A control findings: Organized by theme or domain.
- Nonconformities log: Each finding classified as major or minor, with the specific clause or control cited.
- Opportunities for improvement: Not nonconformities, but documented recommendations.
- Corrective action requests: Named owners, due dates, and verification method.
- Appendices: Interview schedule, documents reviewed list, sampling evidence.
A thin report without specific clause references or evidence citations is a finding in itself. Certification auditors treat internal audit report quality as a signal of ISMS maturity.
Integrating Internal Audit with Other Compliance Work
Organizations holding multiple certifications or working toward multiple frameworks can reduce overall audit effort by mapping controls before scoping individual audits.
Many ISO 27001 Annex A controls map to SOC 2 Trust Services Criteria. Auditing access control evidence once, with both frameworks' criteria in mind, avoids running two separate evidence collection exercises for the same population of records.
The same approach works across HIPAA Security Rule technical safeguards, PCI DSS requirement clusters, and NIST CSF categories. The prerequisite is a written control mapping that shows which ISO 27001 Annex A controls satisfy which requirements in each other framework. Build that mapping once; update it when controls or frameworks change. The NIST CSF and ISO 27001 comparison covers the specific overlap for organizations running both.
Frequently Asked Questions
Is an ISO 27001 internal audit required every year?
In practice, yes. The standard says "planned intervals," and the frequency must reflect the risk profile and previous audit results. Certification bodies assess the audit program during external audits. An organization that runs an internal audit only once in the three-year cycle, or only before the initial certification, will receive findings about the adequacy of its audit program.
Can I use internal audit software instead of spreadsheets?
Yes. Compliance automation platforms that include internal audit modules (such as Vanta, Drata, Secureframe, and Sprinto) can manage sampling, evidence collection, and finding tracking. For a small ISMS with fewer than 40 applicable controls, a structured spreadsheet works. The choice of tool does not affect compliance; the completeness of the outputs does.
What happens if the internal audit finds a major nonconformity?
Major nonconformities must be addressed before the external audit can close. For an initial certification, an open major nonconformity means the certification body cannot issue the certificate until the finding is resolved and verified. Fix it, document the root cause analysis, implement the corrective action, and verify effectiveness with a follow-up check or targeted audit.
Can the CISO conduct the internal audit?
The CISO can audit areas they do not control or own, such as HR processes, physical security managed by facilities, or finance-related controls. They cannot audit the security controls for which they are responsible. Most organizations either hire an external consultant or rotate audit responsibilities so that no one audits their own work.
How many samples should the auditor pull for each control?
The standard does not specify a sample size formula. A common approach from audit practice is to take the square root of the population size, plus one, capped at a practical maximum for large populations. For a population of 100 user access reviews, sample roughly 11. For 10,000 change tickets, sample 25. Document the sampling rationale in the audit plan. The certification body will assess whether the sampling was risk-informed and consistent.
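The rule of thumb above, expressed as a small Python script so the sampling rationale can be reproduced and pasted into the audit plan. This is an added example, not code from the article or from any standard: it computes the sample size as floor(sqrt(N)) + 1, caps it at an assumed practical maximum of 25 (the cap is an assumption chosen to reproduce the 10,000-ticket figure above), draws the sample with a recorded random seed so a certification auditor can re-run the same selection, and returns the fields an audit plan should document. The record identifiers are constructed for the demonstration.

```python
import math
import random

# Assumed practical maximum sample size. Not an ISO requirement; chosen so that
# a population of 10,000 change tickets yields the article's figure of 25.
DEFAULT_CAP = 25


def sample_size(population_size: int, cap: int = DEFAULT_CAP) -> int:
    """Sample size per the rule of thumb: floor(sqrt(N)) + 1, capped.

    Never returns more than the population itself, and 0 for an empty population.
    """
    if population_size <= 0:
        return 0
    n = math.isqrt(population_size) + 1  # round the square root down before adding one
    return min(n, population_size, cap)


def select_sample(record_ids, seed: int, cap: int = DEFAULT_CAP) -> list:
    """Draw a reproducible sample from a population of record identifiers.

    The population is de-duplicated and sorted first, so the selection depends only
    on the set of records and the seed, not on the order the records were exported in.
    """
    population = sorted(set(record_ids))
    k = sample_size(len(population), cap)
    rng = random.Random(seed)  # seeded so the draw can be repeated during the external audit
    return sorted(rng.sample(population, k))


def sampling_plan(control: str, population_name: str, record_ids, seed: int,
                  cap: int = DEFAULT_CAP) -> dict:
    """Return the sampling rationale fields to record in the audit plan."""
    chosen = select_sample(record_ids, seed, cap)
    return {
        "control": control,
        "population": population_name,
        "population_size": len(set(record_ids)),
        "sample_size": len(chosen),
        "method": f"floor(sqrt(N)) + 1, capped at {cap}; seeded random draw (seed={seed})",
        "sampled_records": chosen,
    }


# Constructed populations for the demonstration (hypothetical identifiers).
ACCESS_REVIEWS = [f"AR-2025-{i:03d}" for i in range(1, 101)]      # 100 access reviews
CHANGE_TICKETS = [f"CHG-{i:05d}" for i in range(1, 10001)]        # 10,000 change tickets


if __name__ == "__main__":
    for plan in (
        sampling_plan("A.5.15", "User access reviews, 2025 cycle", ACCESS_REVIEWS, seed=2025),
        sampling_plan("A.8.32", "Change tickets, 2025", CHANGE_TICKETS, seed=2025),
    ):
        print(f"{plan['control']}: N={plan['population_size']}, "
              f"sample={plan['sample_size']} ({plan['method']})")
        print("  records:", ", ".join(plan["sampled_records"]))
```

Record the seed and the population export (file name, date, row count) alongside the sample list; without them the selection cannot be reproduced and the "risk-informed and consistent" test in the answer above becomes a matter of assertion rather than evidence.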
Do I need to audit controls marked "not applicable" in the Statement of Applicability?
No. Controls excluded from the Statement of Applicability are outside the audit scope. The exclusion decision itself is in scope. The auditor should confirm that the justification for each excluded control in the SoA is still accurate and documented, particularly after significant changes to the business.
How soon after the internal audit should the external audit happen?
Certification bodies generally expect the internal audit to have occurred within the preceding twelve months. If the gap is more than twelve months, questions will arise about whether the evidence is still representative of current operations. If the gap is shorter than four to six weeks, there may not be enough time to close findings and implement corrective actions before the external audit.
What is the difference between a major and a minor nonconformity?
Per ISO/IEC 17021-1:2015, which governs accredited certification bodies, a major nonconformity is the absence of or complete failure of a management system to meet a requirement, or a situation that would raise significant doubt about the ability of the management system to achieve its intended outcomes. A minor nonconformity is a single observed lapse that does not indicate a system failure but shows the requirement is not being consistently met.
Related reading:
- ISO 27001 Annex A Controls: Full List Explained
- ISO 27001 Certification Cost: Breakdown by Company Size
- ISO 27001 Audit Process: Stage 1 and Stage 2 Explained
- NIST CSF vs ISO 27001: Detailed Comparison
Sources used:
- ISO/IEC 27001:2022, "Information security, cybersecurity and privacy protection — Information security management systems — Requirements." International Organization for Standardization. https://www.iso.org/standard/27001 (accessed 2026-05-12).
- ISO 19011:2018, "Guidelines for auditing management systems." International Organization for Standardization. https://www.iso.org/standard/70017.html (accessed 2026-05-12).
- ISO/IEC 17021-1:2015, "Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements." International Organization for Standardization. https://www.iso.org/standard/61651.html (accessed 2026-05-12).
- IRCA (International Register of Certificated Auditors), auditor certification and training (accessed 2026-05-12).
- PECB, ISO/IEC 27001 auditor training (accessed 2026-05-12).
- BSI, ISO/IEC 27001 auditor training (accessed 2026-05-12).
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
