ISO 27001 Internal Audit: A Complete Guide

A guide to ISO 27001 audits, including tools for improving ISMS processes.

Getting ISO 27001 certification indicates that an organization has implemented an ISMS aligned with the requirements of the ISO/IEC 27001 standard. Nonetheless, simply making policies is not enough to keep the certification. Companies need to evaluate how well their ISMS is being implemented, maintained, and operating on a regular basis.

Internal audits are critical to this process. They allow the company to verify that the security controls are in place and functioning according to ISO 27001 and the company's own policies, and they identify any issues so the company can address them before certification or surveillance audits.

In this article, I am going to explain what ISO 27001 internal audits are, why the standard requires them, how they differ from external audits, and the methodologies companies use to conduct them.

What Is an ISO 27001 Internal Audit?

An ISO 27001 internal audit is a structured, independent evaluation of an organization’s Information Security Management System to determine whether it conforms to ISO 27001 requirements and the organization’s own security policies and whether the ISMS is effectively implemented and maintained.

Internal audits function as an internal assurance mechanism that allows companies to assess their ISMS before external certification audits. Rather than waiting for an external certification audit to identify issues, organizations proactively assess whether controls are operating as intended and whether documentation reflects actual security practices.

Internal audits serve three core purposes:

  • Evaluate ISMS performance by checking whether controls are implemented and maintained as intended

  • Identify gaps before certification audits, giving your team time to remediate issues without pressure

  • Support continuous improvement by creating a feedback loop between findings and corrective actions

ISO 27001 requires companies to conduct internal audits as part of maintaining an effective ISMS under Clause 9.2. These audits are expected to be planned and performed at defined intervals, and failure to conduct them may be identified as a nonconformity during certification or surveillance audits.

Why ISO 27001 Requires Internal Audits

Clause 9.2: The Requirement in Plain Terms

The ISO/IEC 27001:2022 standard defines internal audit requirements across two subsections:

Clause 9.2.1 (General) states that the company shall conduct internal audits at planned intervals to provide evidence of whether the ISMS:

  • Meets the company’s own requirements and those of the standard.

  • Is effectively implemented and maintained.

Clause 9.2.2 (Internal Audit Programme) requires the company to plan, establish, implement, and maintain an audit programme that defines the frequency, methods, responsibilities, planning requirements, and reporting processes. It also requires that:

  • The company establishes the criteria and scope of each audit.

  • Auditors are selected so as to ensure objectivity and impartiality.

  • Audit results are reported to the relevant management.

  • Documented information is retained as evidence of the audit programme and the audit results.

An audit program must be documented, with a defined scope and criteria, qualified auditors conducting impartial audits, and documentation of conclusions and recommendations for action as needed.

The Consequences of Skipping Internal Audits

Your ISMS operates in a constantly changing environment where people, processes, systems, and threats all evolve. Not conducting internal audits means that changes over time will likely create gaps that may go unnoticed. These gaps, whether from human mistakes, updates to a system, or intentional bypassing, are likely to be identified as a significant nonconformity during your certification or surveillance audits.

Some of these consequences may include:

  • Higher risk exposure from unaddressed weaknesses in access control, data processing, or incident response.

  • Failure to conduct internal audits may result in major nonconformities, which could affect certification status if not addressed within the required timeframe.

  • Contractual risk in situations where customers or partners require ISO 27001 certification as part of security assurance programs for vendors.

  • Reduced stakeholder confidence, particularly when customers or partners expect ISO 27001 certification as part of vendor security due diligence.

ISO 27001 Internal Audit vs. External Audit

These two audit types serve different purposes and should not be confused:

                  Internal Audit                                                  External Certification Audit
Who conducts it   Internal team or independent auditor                            Accredited certification body
Purpose           Identify gaps, verify effectiveness, prepare for certification  Formally assess conformity and grant/maintain certification
Flexibility       Risk-based, improvement-focused                                 Structured, compliance-focused
Outcome           Findings and corrective actions                                 Pass/fail certification decision
Timing            Ongoing, at planned intervals                                   Initial certification, then surveillance audits

Internal audits happen first. They give your team the chance to identify and resolve issues before an external body formally evaluates your ISMS.

ISO 27001 Internal Audit Requirements

To satisfy Clause 9.2, companies must meet several specific requirements:

  1. Establish an audit programme. The programme should take into account the importance of the processes concerned, any changes affecting the company, and the results of previous audits. It is a living document that is revised as risk, incidents, and the organization change.

  2. Define audit criteria and scope. Each individual audit should have a description of the boundaries, including what systems, what departments, or what controls are included, and what benchmark, standard, or policy the audit is assessing.

  3. Select auditors to ensure objectivity. Auditors should be neutral and objective: an individual should not audit an area for which they are directly accountable. Auditors can be internal staff, but they must have no stake in the area being audited. Smaller teams commonly achieve this through a cross-functional approach; for example, an HR team member can audit an IT process, and vice versa.

  4. Document findings and corrective actions. Nonconformance should be documented and have a corrective action. It is also common that companies go through a root cause analysis to ensure non-recurrence of the situation.

  5. Retain audit records. Documented evidence is one of the key items certification auditors will review during the external audit, so make sure it is retained.

  6. Ensure full ISMS coverage. Over the course of the certification cycle, the audit program generally spans the entirety of the ISMS scope, including clauses 4-10 and the company's relevant Annex A controls.

How ISO 27001 Internal Audits Work: Step-by-Step

Step 1: Define the Audit Scope

Start by considering the parts to be included in the audit. Identify the boundaries of your ISMS. Which systems, departments, processes, and controls will be included in scope? Include any cloud environments, third-party services, or outsourced processes that fall within the defined scope of the ISMS.

A clearly defined scope prevents “scope creep” by setting boundaries so that your team can concentrate on the most important areas.

Step 2: Develop the Audit Plan

The audit plan answers what will be audited, on what schedule, by whom, and using which methodology. Plans should be risk-based, so that higher-risk areas such as access management, incident response, and supplier security receive more scrutiny than lower-risk areas.

When building your plan, factor in:

  • Results of previous audits.

  • Changes to infrastructure, systems, or personnel.

  • Outstanding incidents or nonconformities.

  • Regulatory or contractual obligations.

Most companies plan their audit programme to include the entire ISMS scope before certification and at regular intervals after that.

Step 3: Prepare for the Audit

Before fieldwork starts, auditors must review the relevant ISMS documents: scope statement, Statement of Applicability, information security policies, risk assessments, treatment plans, and previous audit findings. This review ensures the auditors understand the controls in scope and know what evidence they should expect to see.

Step 4: Conduct the Audit

This is where the examination of documents and the practical verification meet. The auditors:

  • Interview employees to understand how policies are followed in practice.

  • Test controls by tracing end-to-end processes (for example, what happens when an employee leaves the company).

  • Review logs and configurations to verify technical controls such as multi-factor authentication and access control.

  • Collect objective evidence such as screenshots, log exports, meeting records, and access reviews.

The objective of the audit is to evaluate whether documented policies and procedures are consistently implemented in day-to-day operations.

Step 5: Document Audit Findings

Findings fall into several categories:

  • Major nonconformity (NC): A failure that affects the effectiveness of the ISMS or indicates that an essential process was not implemented, such as the absence of an access control process.

  • Minor nonconformity: An isolated gap, such as one employee missing required training.

  • Observation: A process that works but could be improved.

  • Opportunity for improvement: A suggestion, not a requirement.

Each finding should be documented with supporting evidence, the clause or control it relates to, and enough detail for someone to act on it.

Step 6: Implement Corrective Actions

Findings only add value if they lead to action. The company should:

  • Determine the root cause of the gap: the why, not just the what.

  • Create a remediation plan for each finding, with an action step, an assigned owner, and a realistic due date.

  • Fix the issue and verify the fix through a review or retest.

Addressing only the visible issue without identifying the underlying cause can allow the same gap to reappear in future audit cycles.

Step 7: Report the Audit Results

The results of the audit must be communicated to the appropriate management. A good audit report includes the following common elements:

  • Scope and objectives.

  • Audit methodology.

  • Summary of findings, organized by severity.

  • Corrective action status, owners, and timelines.

Management review meetings (required by Clause 9.3) are the natural forum for communicating these results and making sure management is aware of the status of the ISMS.

Best Practices for Effective ISO 27001 Internal Audits

Following the process is necessary. Doing it well takes a bit more intentionality. These practices consistently distinguish effective audit programmes from compliance theater:

  • Ensure auditor objectivity and impartiality. Rotate auditors across functions and maintain their independence. Document their training, certifications, and assignments.

  • Prioritize high-risk areas. Focus the audit on areas that are high risk and have significant impact. In particular, access management, data control, supplier management, and responses to incidents should be in scope.

  • Maintain consistent documentation. Use a standard template across audits for audit plans, audit reports, and corrective-action tracking. Consistent documentation of prior audits also makes it easier to substantiate your audit programme during the external audit.

  • Use evidence-based evaluation. Each finding should be backed by objective, dated evidence. Unsupported assertions damage an audit's credibility.

  • Track corrective actions systematically. Do not let findings sit in a report that nobody acts on. Each finding should have an assigned owner and a deadline for its closure.

  • Audit at planned intervals, not just before certification. Companies that only audit shortly before the external assessment lose the opportunity to detect and address issues before they grow and become more complex.

When to Conduct ISO 27001 Internal Audits

ISO 27001 requires internal audits at "planned intervals" but leaves it to the company to judge what that means in practice. Most companies benefit from auditing their ISMS at least annually. Internal audits should also be triggered by:

  • Major changes to infrastructure, systems, or business processes.

  • Major security incidents or data breaches.

  • Organizational restructuring or key personnel changes.

  • New regulatory obligations or contractual requirements.

  • Cloud migrations or significant third-party integrations.

Companies that integrate internal audits into broader risk management and compliance processes often maintain more mature and defensible ISMS programs.

How Roz Simplifies ISO 27001 Audit Readiness

Preparing for an ISO 27001 internal audit requires careful documentation, coordinated evidence collection, and structured control evaluation. For CPA firms and advisory teams managing these engagements, the administrative workload can be significant.

Roz is an AI-native audit delivery platform designed to streamline this process. Rather than replacing auditors, our tool automates the first-pass work that typically consumes the most time during audit preparation.

We help teams:

  • Centralize documentation and evidence in structured client workspaces.

  • Generate draft workpapers from firm templates with full audit trails and source links.

  • Extract and map documented controls to ISO 27001 requirements.

  • Identify documentation gaps to support readiness assessments and remediation planning.

By organizing evidence, documentation, and control evaluation in one structured environment, our tool helps audit teams reduce manual effort and maintain consistent, defensible audit documentation.

Conclusion

ISO 27001 internal audits play a key role in maintaining an effective ISMS. Instead of treating them as a one-off exercise before certification, companies should use internal audits to assess whether their security controls have been put in place, are documented, and are working as expected.

Companies that manage this process well make audits part of their ongoing security and compliance processes. They assign auditors in a way that ensures objectivity and impartiality, document findings meticulously, and maintain a system for tracking the actions taken to close findings, so that the ISMS continually improves.

A well-structured internal audit program is an important component for organizations seeking ISO 27001 certification or strengthening their existing ISMS. Tools like Roz simplify the process of documenting the audit, gathering evidence, and organizing workpapers for internal audits.

AI built for Auditors

© 2026 Roz. All rights reserved.