Internal Audit is a mandatory, systematic evaluation of an Information Security Management System required under Clause 9.2. The appointment of independent, competent auditors is the primary implementation requirement, delivering the business benefit of objective compliance verification and proactive risk mitigation before external certification assessments.
What is Internal Audit?
An internal audit is a planned and documented process conducted by an organisation to evaluate its own Information Security Management System (ISMS). Its purpose is to verify if the ISMS conforms to the requirements of the ISO 27001 standard and the organisation’s own security policies. The audit is performed by competent personnel, either from within the organisation or an external consultant, who are independent of the activities being audited.
Key Characteristics
- Mandatory: ISO 27001 Clause 9.2 (Internal Audit) requires organisations to conduct internal audits at planned intervals.
- Objective: It provides management with an objective assessment of the ISMS’s performance and effectiveness.
- Continual Improvement: The findings from an internal audit are used to identify nonconformities and opportunities for improvement, which feed directly into the Plan-Do-Check-Act (PDCA) cycle.
Example
- A company’s internal audit team reviews the Access Control logs for the past three months to ensure that all failed login attempts are being logged and investigated as required by their ISMS policy.
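As an added illustration of the log-review check described above (this is example code, not part of the original page), the script below parses a handful of constructed authentication log lines, groups the failed login attempts into auditable cases, and checks each case against a constructed investigation register. Any case without a linked ticket is reported as a candidate nonconformity against the "failed logins are investigated" policy requirement. The syslog-like line format, the `SEC-` ticket identifiers and the register layout are assumptions made for the example.

```python
"""Audit check: are failed login attempts being logged AND investigated?

Added example, not from the original page. The log format, ticket ids and
register layout below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed syslog/sshd-like format.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z auth sshd[2113]: Failed password for alice from 10.0.0.15 port 51022
2024-03-04T08:12:05Z auth sshd[2113]: Failed password for alice from 10.0.0.15 port 51023
2024-03-04T08:12:09Z auth sshd[2113]: Failed password for alice from 10.0.0.15 port 51024
2024-03-04T08:12:14Z auth sshd[2113]: Accepted password for alice from 10.0.0.15 port 51025
2024-03-05T22:41:30Z auth sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40011
2024-03-05T22:41:31Z auth sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 40012
2024-03-06T09:03:44Z auth sshd[2301]: Failed password for bob from 10.0.0.22 port 50010
"""

# Constructed investigation register: (user, source_ip, date) -> ticket id.
# Only the alice burst has been investigated; the others have no record.
INVESTIGATION_REGISTER = {
    ("alice", "10.0.0.15", "2024-03-04"): "SEC-1042",
}

# Matches only failed-password lines; "invalid user" is optional so that
# attempts against non-existent accounts are captured too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_failed_logins(log_text):
    """Return one dict per failed login line (timestamp, user, source ip)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                "user": m.group("user"),
                "ip": m.group("ip"),
            })
    return events


def group_by_source(events):
    """Group attempts by (user, ip, date) so one burst is one auditable case."""
    cases = defaultdict(list)
    for e in events:
        key = (e["user"], e["ip"], e["ts"].strftime("%Y-%m-%d"))
        cases[key].append(e)
    return dict(cases)


def audit_failed_logins(log_text, register, threshold=1):
    """Produce audit findings: every case at or above `threshold` attempts,
    with the ticket that records its investigation (None if there is none)."""
    findings = []
    cases = group_by_source(parse_failed_logins(log_text))
    for key, attempts in sorted(cases.items()):
        if len(attempts) < threshold:
            continue
        ticket = register.get(key)
        findings.append({
            "user": key[0],
            "ip": key[1],
            "date": key[2],
            "attempts": len(attempts),
            "ticket": ticket,
            "status": "investigated" if ticket else "not investigated",
        })
    return findings


def count_unaddressed(findings):
    """Number of cases with no investigation record (candidate nonconformities)."""
    return sum(1 for f in findings if f["ticket"] is None)


if __name__ == "__main__":
    results = audit_failed_logins(SAMPLE_LOG, INVESTIGATION_REGISTER)
    for f in results:
        print(f"{f['date']} {f['user']}@{f['ip']}: {f['attempts']} failed, "
              f"{f['status']} ({f['ticket'] or 'no ticket'})")
    print(f"Unaddressed cases: {count_unaddressed(results)}")
```

The `threshold` parameter lets the auditor apply whatever trigger the policy actually defines (for example, only bursts of three or more attempts must be investigated); the check is only meaningful when it mirrors the written requirement, otherwise the auditor is testing a rule the organisation never adopted. Note that a log-only check can show which logged attempts went uninvestigated, but it cannot prove that every attempt was logged; confirming that the logging pipeline itself has no gaps needs a separate test, such as generating a known failed login and confirming it appears in the log.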
ISO 27001 Context
The internal audit is a crucial “Check” activity in the PDCA cycle, allowing an organisation to proactively find and fix issues before a third-party certification audit.
How to implement Internal Audit
1. Establish the Internal Audit Programme
Establish a multi-year audit schedule that ensures every part of the ISMS, including all mandatory clauses and Annex A controls, is audited at planned intervals. This programme must be risk-based, with more frequent reviews of the high-risk areas identified in your Risk Register. Key requirements include:
- Documenting the audit frequency for each department or control set.
- Aligning the programme with the 3-year certification cycle.
- Obtaining senior management approval for the audit roadmap.
2. Appoint Competent and Independent Auditors
Formalise the selection of auditors who possess the necessary technical knowledge of ISO 27001 and are independent of the function being audited. Objectivity is critical: you cannot audit your own work. Auditor criteria involve:
- Verifying Lead Auditor or Internal Auditor certifications.
- Ensuring auditors understand technical controls such as IAM roles and MFA.
- Documenting the independence of the audit team to prevent conflicts of interest.
3. Define the Audit Scope and Criteria
Define the specific boundaries for each individual audit to prevent “scope creep” and ensure thoroughness. The criteria must include the ISO 27001 standard, internal policies, and regulatory requirements. Technical actions include:
- Mapping the audit scope to the current Asset Register.
- Referencing the Statement of Applicability (SoA) to confirm which controls are in scope.
- Defining the Rules of Engagement (ROE) for technical testing.
4. Develop Technical Audit Checklists
Develop structured audit checklists that guide the auditor through specific verification points, ensuring a consistent and technical assessment. These checklists should lead to objective evidence rather than subjective opinions. Requirements include:
- Creating specific questions for technical controls like encryption and logging.
- Including placeholders for recording specific document version numbers.
- Ensuring checklists cover both Clause requirements and Annex A controls.
5. Provision Access to ISMS Documentation
Audit the documented information before the site visit to identify obvious gaps in policy or procedure. This “desktop review” saves time during interviews and provides context for technical testing. Necessary steps involve:
- Reviewing the Information Security Policy and relevant sub-policies.
- Checking that the Risk Treatment Plan is up to date.
- Verifying that previous audit findings have been addressed.
6. Execute Fieldwork and Technical Testing
Execute the audit by interviewing process owners and observing technical controls in operation. Auditors must seek “objective evidence” to prove that what is written in the policy is happening in practice. Verification methods include:
- Observing the onboarding and offboarding process within the IAM system.
- Checking for the presence of MFA on remote access points.
- Reviewing physical security controls and clean desk policy compliance.
7. Formalise Findings and Non-conformities
Formalise all findings as either “Non-conformities” (where a requirement is not met) or “Opportunities for Improvement” (OFIs). Every finding must be linked to a specific clause or control for traceability. Requirements involve:
- Writing clear descriptions of the evidence found for each non-conformity.
- Categorising findings into Major or Minor non-conformities.
- Discussing findings with the auditee at a closing meeting to ensure accuracy.
8. Generate the Internal Audit Report
Generate a technical report that summarises the audit activities and provides management with a clear view of the ISMS health. This report is a critical input for the Management Review meeting. Essential components include:
- Using a “Bottom Line Up Front” (BLUF) executive summary.
- Listing all identified non-conformities and their priority levels.
- Highlighting areas of strength as well as security weaknesses.
9. Trigger Corrective Action Plans
Reduce security risk by ensuring that an owner is assigned to every non-conformity and that corrective actions are planned. The goal is to fix the root cause, not just the symptom. Implementation steps are:
- Conducting a Root Cause Analysis (RCA) for all major findings.
- Setting specific deadlines for the completion of remediations.
- Updating the Risk Treatment Plan if the audit reveals new vulnerabilities.
10. Verify Remediation and Close the Audit
Audit the evidence provided for remediations to verify that the non-conformities have been effectively resolved. An audit is not “closed” until the corrective actions are proven to work. Necessary actions include:
- Re-testing technical controls to ensure fixes are implemented.
- Updating the Internal Audit Programme to reflect the closed status.
- Providing the final verified status to the ISMS Management Forum.
Internal Audit FAQ
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is a mandatory, systematic assessment of an organisation’s Information Security Management System (ISMS) required by Clause 9.2. It verifies that 100% of the implemented security controls meet the standard’s requirements, function as intended, and effectively mitigate identified risks before external certification assessments.
How often should ISO 27001 internal audits be performed?
Organisations must conduct internal audits at planned intervals, typically annually, ensuring the entire scope of the ISMS is reviewed within a 3-year certification cycle. Regular auditing ensures that 100% of mandatory clauses and Annex A controls are sampled to maintain continuous compliance and operational security performance.
Who is qualified to conduct an ISO 27001 internal audit?
The audit must be performed by competent, impartial auditors who are independent of the specific processes being audited to ensure 100% objectivity. While internal staff can conduct these reviews, many organisations utilise external Lead Auditors to identify 30% more potential gaps than non-specialist internal teams.
What are the benefits of a thorough internal audit?
A thorough internal audit reduces the risk of major non-conformities during external UKAS assessments by 95% and provides management with citable evidence of security maturity. Key benefits include:
- Validation that 100% of risk treatment plans are correctly implemented.
- Identification of operational efficiencies and continuous improvement opportunities.
- Enhanced stakeholder confidence through verified data protection practices.
- Early detection of security weaknesses before they lead to data breaches.
Related ISO 27001 Controls
| Related ISO 27001 Control / Clause | Relationship Description |
|---|---|
| ISO 27001 Clause 9.2: Internal Audit | Mandatory Requirement: The primary clause that requires organizations to conduct internal audits at planned intervals to ensure the ISMS conforms to the standard and is effectively implemented. |
| ISO 27001 Clause 10.1: Continual Improvement | Lifecycle Link: Internal audit findings identify nonconformities and areas for improvement, serving as a primary driver for the “Act” phase of the PDCA cycle. |
| ISO 27001 Clause 9.3: Management Review | Reporting Requirement: Results and findings from internal audits must be reported to top management as part of the formal management review process. |
| ISO 27001 Clause 7.2: Competence | Personnel Quality: Requires that the internal audit be performed by “competent personnel” who have the necessary skills and training to evaluate the ISMS objectively. |
| ISO 27001 Annex A 5.35: Independent Review | Operational Control: An Annex A control that mirrors the requirement for independent and objective evaluations of the organization’s approach to managing information security. |
| Glossary: Nonconformity | Audit Output: Internal audits are specifically designed to detect nonconformities—instances where the ISMS fails to meet a requirement of the standard. |
| Glossary: ISMS | Subject Matter: The entire Information Security Management System is the “scope” of the internal audit, which evaluates its overall health and compliance. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where Internal Audit is categorized as a vital performance evaluation and governance term. |