Internal Audit for ISO 27001 Information Security
ISO 27001 Clause 9.2
This sub-clause requires planned internal audits to confirm the ISMS conforms to the standard and the organisation's own requirements and is effectively implemented and maintained.
ISO 27001 Clause 9.2 - Internal Audit
Internal audit is the management system's self-check. It is the process by which the organisation independently looks at its own ISMS and identifies what is working, what is not, and what needs to be fixed before an external auditor finds it. Clause 9.2 sets out the requirements for the audit programme and how individual audits are run.
What ISO 27001 Clause 9.2 Requires
The clause splits into two parts. Clause 9.2.1 General requires internal audits at planned intervals to provide information on whether the ISMS conforms to the organisation's own requirements and to the requirements of the standard, and is effectively implemented and maintained.
Clause 9.2.2 Internal Audit Programme requires the organisation to plan, establish, implement and maintain an audit programme including frequency, methods, responsibilities, planning requirements and reporting. The programme must take account of the importance of the processes and the results of previous audits. Audit criteria and scope must be defined for each audit. Auditors must be selected so that objectivity and impartiality are maintained. Audit results must be reported to relevant management. Documented information must be retained as evidence of the audit programme and the audit results.
Planning the Internal Audit Programme
The audit programme typically covers a one-year or three-year cycle. Within that cycle, every clause of the standard and every relevant Annex A control area should be audited at least once. Higher-risk areas - or areas where previous audits have raised findings - get audited more frequently. The programme is documented, owned and updated as circumstances change.
For most organisations the programme breaks the standard down into manageable themes - one audit covers Clauses 4-7, another covers Clause 8 and the operational Annex A controls, another covers Clauses 9-10 and so on. The split is for the organisation to decide.
Auditor Independence
Auditors must be independent of the activity being audited. In a small organisation this often means engaging an external consultant to act as the internal auditor, or splitting the audit programme so that colleagues audit each other's areas. The information security manager cannot audit the controls they own, and an internal auditor cannot audit a previous review they themselves carried out.
The auditor needs competence as well as independence. Most internal auditors have completed an internal auditor training course or an ISO 27001 lead auditor course. The auditor's competence is recorded against the role in the training matrix.
Conducting Audits and Following Up
Each individual audit follows a planned process: define scope and criteria, gather evidence, identify findings, report findings to relevant management, and follow up on corrective actions. Findings are categorised - non-conformity, observation, opportunity for improvement - and tracked through to closure in the issues and actions register.
The output of the audit programme - findings, trends, audit completion status - is one of the inputs to the management review under Clause 9.3.
The most useful internal audits are the ones that find things. An audit programme that always concludes 'all good' is either auditing the wrong things, auditing too lightly, or both. The point of internal audit is to find the gaps before the external auditor does, so the organisation can fix them on its own terms.
I look at the internal audit programme early. I check that it covers the whole standard over a defined cycle, that the auditors are independent and competent, and that findings from previous audits have been closed out. A well-run internal audit programme makes the rest of the certification audit much shorter.
Practical Compliance Guidance
The audit schedule and the audit checklist together provide the framework for an internal audit programme that meets Clause 9.2. The findings and actions are tracked through the issues register.
The documents below support the planning, conducting and follow-up of internal audits for an ISO 27001 management system.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the audit schedule, audit checklist and supporting registers. |
| ER11 Audit Schedule | Audit schedule that records each planned audit, the scope, the auditor and the dates, used to demonstrate the planned audit programme required by Clause 9.2. |
| A-C ISO 9001 - 27001 Management System Audit Checklist | Audit checklist covering the management system clauses, used to structure individual internal audits and demonstrate criteria-based audit conduct. |
| ER1 Issues and Actions Register | Tracks audit findings and corrective actions through to closure, including effectiveness reviews. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
No UK legislation directly governs internal audit of an information security management system. The audit programme often references regulatory requirements as part of the audit criteria, particularly UK GDPR for personal data handling.
