Short answer: ISO 27001 clause 9.2 makes internal audit mandatory. It is your own structured check that the ISMS conforms to the standard and works in practice, run by someone objective, at planned intervals, covering the whole system across the cycle. You cannot certify without at least one completed internal audit, because the external auditor samples its records.
The internal audit is the one requirement that trips first time certifications, because it is easy to treat as a formality and hard to fake. Clause 9.2 asks you to audit your own management system before anyone certifies it, and the external auditor will read the results. This covers how to scope it, build the programme, run it and turn findings into action.
Why does ISO 27001 require an internal audit?
Clause 9.2 requires internal audits at planned intervals to confirm the ISMS conforms to both your own requirements and the standard, and that it is effectively implemented and maintained. It is the “check” in the plan do check act cycle the whole standard runs on.
The point is not to catch people out. It is to find the gaps yourself, before the certification body does, and to feed real findings into the management review so the system improves. An external auditor treats the internal audit as evidence the ISMS is self correcting. A first time certification with no completed internal audit is not ready for Stage 2, because there is no record the organisation has tested itself. The internal audit is also where you rehearse the discipline the surveillance and recertification audits will later expect. The ISO 27001 guide explains how the internal audit sits inside the full management system.
How do you scope an ISO 27001 internal audit?
Scope it to the whole ISMS across the cycle, not everything at once. The standard wants the full management system, clauses 4 to 10 and the applicable Annex A controls, covered over time, but a single audit rarely does all of it. You define an audit programme that spreads coverage across the three year cycle and prioritises by risk and by change.
A sensible programme weights attention toward high risk areas, controls that changed, and anything that produced a finding last time. Areas that are stable and low risk can be sampled less often, as long as everything is covered before the certificate cycle turns. Tie the scope to your ISMS scope and your risk assessment, so the audit follows the risk rather than marching through a control list alphabetically. Record what each planned audit will cover and why, because the external auditor will ask how you decided.
What is the difference between the ISO 27001 audit programme and audit plan?
Two documents, often confused. The audit programme is the standing schedule: what gets audited, when, across the cycle, and how coverage is spread. The audit plan is for a single audit: its objective, scope, criteria, the areas and people involved, and the dates.
| Document | Covers | Timeframe |
|---|---|---|
| Audit programme | The full schedule of internal audits and how the ISMS is covered | The three year cycle |
| Audit plan | One specific audit: objective, scope, criteria, participants | A single audit |
| Audit report | Findings, nonconformities, observations from one audit | Output of one audit |
Clause 9.2 asks for both the programme and, for each audit, defined criteria and scope. Keeping them separate is what lets an auditor see you plan coverage deliberately rather than auditing whatever is convenient. Findings from each report feed the management review and the corrective action process.
Who can run an ISO 27001 internal audit and stay independent?
Whoever runs it must be objective and must not audit their own work. That is the one hard rule. In a large organisation an independent internal audit function handles it. In a small team, where the same handful of people own most of the ISMS, independence is harder, so many bring in an external party or have people audit areas they do not run.
The external certification auditor will check independence. An internal audit where the person who wrote the risk assessment also audited it carries no weight, and an auditor will discount it. Competence matters too: the internal auditor needs to understand the standard and how to gather evidence, not just tick a checklist. Using an external specialist for the internal audit is common and legitimate; it is not the same as the certification audit, which only an accredited body can perform. Cybernion runs independent ISO 27001 internal audits and readiness where in house independence is hard to reach. The ISO 27001 statement of applicability and the ISO 27001 annex A controls are the two documents the internal auditor most commonly works from.
How do you handle ISO 27001 internal audit findings?
Record them, classify them and act on them, then close the loop. Findings usually fall into nonconformities, where a requirement is not met, and observations or opportunities for improvement, which are not failures but are worth acting on. Each nonconformity needs a root cause and a corrective action under clause 10, with an owner and a date, and evidence the fix worked.
The mistake is treating the internal audit as a paperwork exercise that finds nothing. An internal audit that reports a clean sweep every time tells an external auditor nobody looked hard. Real findings, tracked to closure, are the signal a management system is alive. Feed them into the next management review and carry unresolved items forward. How you manage nonconformities and corrective actions is covered in nonconformities and corrective actions.
Frequently asked questions
Is an internal audit mandatory for ISO 27001?
Yes. Clause 9.2 requires internal audits at planned intervals covering the whole ISMS. You cannot certify without at least one completed internal audit before Stage 2, because it is one of the records the external auditor samples.
Can you run your own ISO 27001 internal audit?
You can, provided the auditor is objective and does not audit their own work. Many organisations use an independent internal team or an external party to preserve independence, especially in smaller teams where everyone owns part of the ISMS.
How often do you need an ISO 27001 internal audit?
At planned intervals across the three year cycle so the whole ISMS is covered. Most organisations run at least one full internal audit a year, sometimes split into a programme of smaller audits, ahead of each external surveillance or recertification audit.
What is the difference between an ISO 27001 internal and external audit?
The internal audit is your own check that the ISMS conforms and works, run under clause 9.2. The external audit is conducted by an accredited certification body and results in the certificate. The internal audit prepares for and feeds the external one.
What do you produce from an ISO 27001 internal audit?
An audit programme, an audit plan, findings recorded as nonconformities or observations, and an audit report. Those records feed the management review and are evidence the external auditor asks for.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, clause 9.2 (Internal audit), iso.org, 2022
- ISO/IEC 27001:2022, clause 10 (Improvement), iso.org, 2022
Last updated: 3 July, 2026