Of all the requirements in ISO 27001, the internal audit is the one most likely to be done badly, or skipped entirely. Teams that have just finished implementing the ISMS often treat the internal audit as a tick-box exercise: send someone to look at the documents, write a one-page report, schedule the external audit. That approach almost guarantees painful surprises at Stage 2.
The internal audit done properly is a small certification audit run by your own people: same methodology, same sampling, same finding classification. Its purpose is to find what the external auditor would have found, while you still have time to fix it. This guide walks through the full method, from programme design to corrective action closure. If you have just completed the work in our implementation roadmap, this is the next stage.
1. Why Clause 9.2 Exists
Clause 9.2 of ISO 27001:2022 requires the organisation to conduct internal audits at planned intervals to determine whether the ISMS:
- Conforms to the organisation's own requirements for its ISMS, and to the requirements of ISO 27001.
- Is effectively implemented and maintained.
That second clause is the important one. Conformity is about whether the design exists; effectiveness is about whether the design works. The external auditor at Stage 2 will test both, and they will start by reading your internal audit reports to see whether you already found the gaps.
If your internal audits show "no findings" but the external auditor immediately finds three nonconformities, your audit programme itself is suspect. A clean internal audit followed by a clean Stage 2 is the goal; a clean internal audit followed by a messy Stage 2 raises questions about whether the internal audit was real.
2. Building the Audit Programme
The audit programme is the multi-year master plan. It is one of the 14 mandatory documents; see our mandatory documents guide. The programme covers what gets audited, when, by whom, and how often.
What to cover
The programme must cover the entire ISMS scope: every applicable management system clause and every Annex A control selected in your SoA. Nothing can be missed across a complete cycle.
Frequency
Higher-risk areas get audited more often. A reasonable starting model:
- Annual: Management system clauses (4 through 10). These underpin everything else, so they get the most scrutiny.
- Annual: Top-risk controls, typically access management, change management, incident response, supplier security, and cryptography.
- 18-24 months: Lower-risk operational controls: physical security where relevant, classification, awareness training mechanics.
- Triggered: Any control where a previous audit found a Major NC, or which is the subject of an incident in the audit period.
Programme document structure
A simple table works: rows for clauses and controls, columns for audit cycle year (Year 1, Year 2, Year 3). Mark each cell with the planned audit month. The certification audit, surveillance audits, and recertification audits are added to the same calendar.
3. Auditor Independence
The single most common Clause 9.2 finding is independence failure: auditors auditing their own work, or work they have a stake in. ISO 19011 (the audit guidance standard) is explicit: an auditor must not audit an activity for which they are operationally responsible.
In a small organisation this is the hardest constraint. If the security manager designed the controls, implemented them, and operates them, who audits them? The practical answers:
- Role rotation. Person A audits domain B; person B audits domain A. Works when you have at least two security-literate staff who can audit each other's areas.
- Internal auditor from a different function. A trained internal auditor from finance, IT operations, or quality can audit information security, provided they have the technical competence to understand the controls.
- External internal auditor. Hire an external auditor to perform the internal audit. This is common for the first certification cycle and for organisations under 50 people. The auditor reports to your management; their findings are your findings. This is fully acceptable under ISO 27001 and is the cleanest way to establish independence.
The consultant who implemented your ISMS cannot then run your internal audit. The same firm performing both implementation and internal audit is an independence failure that the certification auditor will challenge.
4. Planning Each Audit
Each audit in the programme needs its own audit plan, issued in advance. The plan defines:
| Field | Content |
|---|---|
| Scope | Which clauses, controls, departments, locations |
| Criteria | The standard (ISO 27001:2022) plus your own policies and procedures |
| Objectives | What the audit is intended to determine (conformity, effectiveness, or both) |
| Methods | Document review, interview, observation, sampling |
| Dates | Start, end, and key milestones |
| Auditors | Lead auditor and any team members, with independence statement |
| Auditees | Departments and roles to be interviewed |
Issue the plan at least one week ahead. Auditees should have time to prepare evidence, not be ambushed. Surprise is not a feature of internal audits.
5. Executing the Audit
Confirm scope and methodology
The lead auditor reviews the plan with the auditee, confirming scope, criteria, schedule, and communication protocols. They establish what evidence will be sampled and what level of access is needed, and set the closing meeting time.
Read the relevant policies and procedures
The auditor reads all documents in scope and notes any gaps between what the documents say and what the standard requires. Findings at this stage are usually conformity issues: the document is missing, incomplete, or contradicts the standard.
Talk to the people who actually do the work
The auditor interviews the control owners and operators, asking open questions: "Walk me through how you handle a security incident." They listen for whether the actual practice matches the documented procedure. A common finding emerges here: the procedure says one thing, but the team does something else, usually because the procedure is out of date.
Test against the criteria
For each control, sample records over the audit period. Examples: "Show me 5 user-access reviews from the last 6 months." "Show me the last 3 change requests for production systems." "Show me 2 internal audit reports from the previous cycle." Sample sizes are small, typically 3-5 instances per control, but are selected to be representative.
Share findings as they emerge
End each audit day with a brief catch-up so the auditee has visibility. No surprises at the closing meeting. If a Major NC is emerging, the auditee should know mid-week, not in the final report.
Present findings and agree timeline
The lead auditor presents draft findings, each with reference to the criterion, the evidence, and the gap. The auditee can challenge findings on factual grounds (the auditor misunderstood the process or missed evidence). The final report follows within 5 working days, and corrective action timelines are agreed.
6. Classifying Findings
Every observation falls into one of four categories. The classification is not arbitrary: it determines what corrective action is needed and how the external auditor will react when they read your audit report.
Major Nonconformity
Systemic failure, missing requirement, or finding that materially undermines the ISMS. Examples: no risk assessment performed, mandatory document missing, control absent from SoA but operating. Blocks certification.
Minor Nonconformity
Single instance of nonconformity in an otherwise functioning control. Examples: one training record missing from a sample of twenty, one access review delayed by two weeks. Does not block certification but must be closed.
Opportunity for Improvement
Not a nonconformity. A practice could be improved or strengthened, but it currently meets the requirement. Examples: risk register could include more impact dimensions, training could be more frequent. Does not require corrective action but informs continual improvement.
Conformity
Control meets the requirement, with evidence. The vast majority of findings in a well-prepared audit. Worth recording explicitly; it is positive evidence the auditor can refer to at Stage 2.
If the gap means the requirement is not being met at all, it is Major. If the gap is a single instance within a functioning process, it is Minor. The test is "does the control work?" not "how serious does this feel?"
7. The Corrective Action Loop
A finding without a corrective action plan is half a finding. Clause 10.1 requires the organisation to react to nonconformities and take action to control them, deal with the consequences, and prevent recurrence.
For every NC, four artefacts
- Root cause analysis. Why did this happen? Five-Whys is the most common technique. Stop when you reach a cause you can act on. "Training records were missing." Why? "The HR system did not record completion." Why? "The integration to the LMS broke in February and was not noticed." Why? "There was no alert on integration failure." That is the root cause; the integration alert is the corrective action.
- Corrective action plan. What will be done, by whom, by when. Specific, dated, owned. "Implement integration health check by 30 June 2026", not "improve training processes."
- Implementation. The action is taken. Evidence captured.
- Effectiveness verification. 30-60 days after implementation, verify the action worked and the NC is not recurring. Only then is the NC closed.
Timing relative to Stage 2
All Major NCs from the internal audit must be closed before Stage 2. Minor NCs should ideally be closed too, but can sometimes be carried into Stage 2 with documented corrective action plans, depending on the certification body. OFIs do not need closure but are useful inputs to the continual improvement programme.
A corrective action plan that says "we will retrain staff" with no date, owner, or evidence requirement is not a corrective action. Auditors at Stage 2 will read your internal audit findings, look at your corrective actions, and ask to see the evidence. If the evidence is not there, the original Minor NC becomes a Stage 2 Major.
Need an independent internal audit before Stage 2?
SecComply runs ISO 27001 internal audits as external internal auditors: fully Clause 9.2 compliant, independent, and run to the same standard as the certification audit. Findings come with corrective action recommendations and we track them to closure before your Stage 2.
FAQ
Anyone competent who is independent of the activity being audited. The auditor must not have designed, implemented, or operationally owned the control they are auditing. For small organisations where this is hard to achieve internally, external auditors are commonly used for at least the first cycle.
ISO 27001 Clause 9.2 requires audits at planned intervals; it does not prescribe a frequency. Common practice is to audit the full ISMS scope across a 1-2 year programme, with higher-risk areas audited more frequently. The full scope must be covered before the certification audit and re-covered before each surveillance and recertification.
A Major NC is a systemic failure, a missing requirement, or a finding that materially undermines the ISMS, for example, no risk assessment was conducted, or a mandatory document is missing. A Minor NC is a single instance of nonconformity within an otherwise-functioning control, for example, one training record is missing from a sample of twenty. Major NCs typically block certification; Minor NCs may be carried over with a corrective action plan.
No. A gap assessment is forward-looking (what needs to be built) and uses different methodology than an audit (what is operating effectively). The internal audit is required by Clause 9.2 and tests the same things the certification auditor will test. Skipping it almost guarantees Stage 2 surprises.
For a small-to-medium organisation, a full ISMS internal audit typically takes 5-10 auditor-days spread across 2-4 weeks. This includes planning, fieldwork, reporting, and follow-up on findings. Larger organisations may need 15-25 auditor-days. The audit itself is days; the corrective action cycle that follows can take weeks.