ISO 27001 Internal Audit
In this article I lay bare ISO 27001 Clause 9.2 Internal Audit. A beginners guide, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.
We show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is ISO 27001 Annex A 9.2
Table of contents
- ISO 27001 Internal Audit
- What is ISO 27001 Clause 9.2 Internal Audit?
- What are the ISO 27001:2022 Changes to Clause 9.2?
- ISO 27001:2013 Clause 9.2 Internal Audit Defined
- How to conduct an ISO 27001 internal audit
- How to comply with ISO 27001 Clause 9.2
- ISO 27001 Clause 9.2 Implementation Guide
- How do you demonstrate compliance to ISO 27001 clause 9.2?
- ISO 27001 Clause 9.2 Templates
- ISO 27001 Clause 9.2 FAQ
- Reference
What is ISO 27001 Clause 9.2 Internal Audit?
ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure it is operating effectively. The ISO 27001 standard for ISO 27001 certification wants you to test and check that the management system and the associated annex a information security controls are in place and operating as expected and required. It is one of the ISO 27001 controls.
The ISO 27001 standard requires an organisation to effectively check itself. It is part of the process of continual improvement and one of the checks and balances. ISO 27001 is not a one and done. It is expected that it is in place and operating before the certification audit and after.
What are the ISO 27001:2022 Changes to Clause 9.2?
There is nothing significant that has changed to the ISO 27001 Clause 9.2 Internal Audit in the 2022 update. The change is wording and clarification change with a change to the layout of how the requirements are presented. Rather than one clause they have split out elements into 2 sub clauses for enhanced clarity.
ISO 27001:2022 Clause 9.2 Internal Audit
This clause has now had the wording removed and wording shifted to two new separate sub clauses.
ISO 27001:2022 Clause 9.2.1 General – New clause
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization’s own requirements for its information security management system;
2) the requirements of this document;
b) is effectively implemented and maintained.
ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause
The organization shall plan, establish, implement and maintain an audit programme(s), including the
frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.
The organization shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management;
Documented information shall be available as evidence of the implementation of the audit programme and the audit results.
ISO 27001:2013 Clause 9.2 Internal Audit Defined
For reference the 2013 version of the clause is provided here/
The ISO 27001:2013 standard defines ISO 27001 Clause 9.2 Internal Audit as:
The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
ISO 27001 Clause 9.2 Internal Audit
1) the organisation’s own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained. The organisation shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f ) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.
How to conduct an ISO 27001 internal audit
We have provide a detailed guide on How to Conduct an ISO 27001 Internal Audit
How to comply with ISO 27001 Clause 9.2
Plan your ISO 27001 internal audit programme
Plan your internal audit programme for ISO 27001 based on the needs and availability of the business as well as based on risk. Ensure you plan your external certification audits. Everything should be audited at least once annually before an external audit.
Establish your ISO 27001 internal audit programme
Establish your ISO 27001 internal audit programme by having an audit plan and document the internal audit process. Allocate roles and responsibilities.
Implement your ISO 27001 internal audit programme
Implement the plan into your organisation ensuring that this reporting to the management review team as part of the structured, required agenda. Management Review Team meetings should happen monthly or at least quarterly to be effective.
Maintain your ISO 27001 internal audit programme
Continue to run and adapt your ISO 27001 internal audit programme following your continual improvement processes.
Conduct internal audits
Conduct your internal audits by following the detailed steps in the How to Conduct an ISO 27001 Internal Audit Guide.
ISO 27001 Clause 9.2 Implementation Guide
There are many ways to conduct internal audits.
ISO 27001 internal audits must be done by someone who is independent.
That doesn’t mean that you have to bring in outside third party resource to it, although it can help.
Specialist resource can add incredible value in terms of the insights and the improvements as well as they will be truly impartial.
It is better to have independence at this stage, prior to your external audits.
Who ever does it they should record evidence of the audits, maintain working papers, create management reports and report out to the management review team.
How do you demonstrate compliance to ISO 27001 clause 9.2?
You demonstrate compliance to ISO 27001 clause 9.2 internal audit by having an audit plan in place that covers the audits conducted and future audits you have planned. In addition you will show evidence of the internal audits conducted.
Perform at least one internal audit of everything before you go for your certification audit and make sure your audit plan represents future audits and post certification audits.
Remember internal audit are continual process.
ISO 27001 Clause 9.2 Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 9.2
The Most Ruthlessly Effective and Aggressively Priced ISO 27001 Toolkit in the World.
Join over 1,500+ Empowered Consultants & Business Owners
ISO 27001 Clause 9.2 FAQ
ISO 27001 Clause 9.2 requires an organisation to conduct internal audits to check that the information security management system and information security controls are operating as intended.
ISO 27001 clause 9.2 compliance is evidenced by having and audit plan, a documented audit process and evidence that internal audits were conducted across ISO 27001 and Annex A at least once before the certification audit.
You can download ISO 27001 Clause 9,2 templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 9.2 can be found in the ISO 27001 Toolkit.
You perform ISO 27001 internal audits at least once annually and based on risk.
ISO 27001 internal audits are preformed by someone independent. It can be someone external to the organisation but it doesn’t have to be.
The results of the ISO 27001 internal audits are reported the management review team as part of the structured agenda and reporting.
If an ISO 27001 internal audit identifies a non conformity, ie something that is not working as expected, then you follow the documented continual improvement process.