The ISO 27001 internal audit (Clause 9.2) is one of the most misunderstood requirements in the standard. Many organisations treat it as a box-ticking exercise — a quick review before the external certification audit. Done properly, it's the process that keeps your ISMS honest, surfaces real gaps before auditors do, and demonstrates to your certification body that you have a functioning, self-correcting security management system.
This guide explains exactly what Clause 9.2 requires, how to structure an internal audit programme, what to look for during the audit, and the most common nonconformities that surface during ISO 27001 certification.
What Clause 9.2 actually requires
Clause 9.2 of ISO 27001:2022 states that the organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organisation's own requirements for its ISMS and the requirements of ISO 27001:2022, and is effectively implemented and maintained.
The standard requires that the organisation:
- Plan, establish, implement, and maintain an audit programme (not just individual audits — a programme with frequency, methods, responsibilities, and reporting)
- Define audit criteria and scope for each audit
- Select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process (in practice: nobody audits their own work)
- Ensure results are reported to relevant management
- Retain documented information as evidence of the audit programme and results
There is no requirement for a specific frequency. "Planned intervals" means you define the frequency based on your organisation's risk and context. For most SaaS companies targeting initial certification, a single full-scope internal audit conducted towards the end of the 3–6 month operating period before Stage 1 is standard (see Timing below). Post-certification, annual internal audits are the industry norm, with the programme covering the whole ISMS over the three-year certification cycle.
The internal audit programme vs individual audits
This distinction trips up many organisations. Clause 9.2 requires both an audit programme and individual audit instances.
The audit programme is a document or schedule that defines:
- The overall audit objectives (e.g., verify ISMS conformance with ISO 27001:2022; verify effective implementation)
- The audit scope (full ISMS scope or specific controls/clauses for each audit instance)
- Audit frequency (e.g., full ISMS audit annually; targeted control audits quarterly)
- Audit methodology (document review, interviews, technical testing, observation)
- Responsibilities (who plans audits, who conducts them, who receives results)
- How results are reported and how corrective actions are tracked
Individual audit instances produce an audit report with findings, nonconformities, and observations. Both must be retained as documented information.
Auditor independence: the critical requirement
Clause 9.2.2 of ISO 27001:2022 (9.2(f) in the 2013 edition) requires that auditors are selected and audits conducted so as to ensure the objectivity and impartiality of the audit process. In practice this means auditors do not audit their own work, which creates a real challenge for small organisations.
In practice, "independence" means:
- The CISO cannot audit CISO-owned controls (e.g., access control policy they wrote)
- The developer cannot audit the change management process they operate
- An engineer can audit HR security policies they don't control, and vice versa
For very small organisations (under 10 people), complete independence is difficult. Options include: using an external consultant or ISO 27001 practitioner for the internal audit; rotating audit responsibility between functional owners (cross-audit); or engaging a trusted peer organisation for a mutual audit exchange.
Certification bodies are pragmatic about small organisations — but there must be some demonstrated separation between audit and auditee for the areas audited.
What the internal audit should cover
A full-scope internal audit covers two things: the mandatory ISMS clauses (4–10) and the Annex A controls declared applicable in the SoA. Not every Annex A control needs the same depth in a single audit; controls are sampled based on risk, with all applicable controls covered over the programme's cycle. All mandatory clauses must be audited every time.
| Clause | What to check | Common nonconformities |
|---|---|---|
| Clause 4: Context | Context document updated; interested parties register current; ISMS scope statement clear and complete | ISMS scope statement too vague; context not reviewed since initial setup |
| Clause 5: Leadership | Policy approved and signed by management; ISMS roles assigned; management demonstrates commitment | Policy not signed or undated; ISMS owner role unclear; no management communication about ISMS |
| Clause 6: Planning | Risk assessment documented and current; RTP with Annex A links; SoA complete with all 93 controls; objectives SMART and tracked | Risk assessment outdated; SoA not linked to RTP; exclusion justifications vague; objectives not measurable |
| Clause 7: Support | Training records; competence evidence; document control; mandatory documents present | No training records; missing mandatory documents; version control absent |
| Clause 8: Operation | Risk assessment performed in period; treatment plan implemented or in progress; outsourced processes controlled | Risk assessment not updated after significant changes; no evidence of control implementation |
| Clause 9: Performance | Security metrics tracked; management review conducted; internal audit programme documented | No metrics or KPIs; management review not held or poorly documented; audit programme not written |
| Clause 10: Improvement | Nonconformity register; corrective actions with root cause; evidence of completion and verification | No corrective action register; root cause not analysed; recurring issues not addressed |
Major vs minor nonconformities
Audit findings are typically classified as major nonconformities, minor nonconformities, or observations (opportunities for improvement).
A major nonconformity is a significant failure to satisfy a requirement of ISO 27001. Examples:
- No risk assessment has been conducted (Clause 6.1.2 not met)
- No Statement of Applicability exists (Clause 6.1.3(d) not met)
- ISMS scope is not documented (Clause 4.3 not met)
- No management review has taken place (Clause 9.3 not met)
- No internal audit programme exists (Clause 9.2 not met)
A minor nonconformity is a specific failure where the requirement exists but is partially met or contains gaps:
- Risk assessment conducted but not reviewed after a major system change
- SoA exists but 3 controls have no exclusion justification
- Management review held but minutes don't address required inputs
- Training records exist but not for all personnel with ISMS responsibilities
For initial certification, major nonconformities must be closed (with the closure verified by the certification body) before the certificate is issued. Minor nonconformities typically require an accepted corrective action plan, often with a 90-day window, and their closure is verified at the next surveillance audit.
The 8 most common ISO 27001 internal audit findings
| Finding | Clause/Control | How to fix it |
|---|---|---|
| Risk assessment not updated after significant changes (new system, acquisition, major incident) | Clause 8.2 | Define "significant change" triggers in your ISMS procedures; add risk assessment review to change management process |
| SoA controls not traceable to risk register entries | Clause 6.1.3 | Cross-reference RTP control selections to SoA during production; use ComplyKit's linked generators |
| Privileged access not reviewed on schedule | A.8.2 | Implement quarterly access review in Identity Provider (Okta, Azure AD); document evidence of each review |
| Security awareness training not completed by all staff | A.6.3 / Clause 7.2 | Enforce completion via LMS; track % completion; include in new-hire onboarding |
| Vulnerability scans not run or CVEs not tracked | A.8.8 | Implement scheduled scanning (Trivy, Snyk, AWS Inspector); maintain CVE remediation register |
| Backup restoration not tested | A.8.13 | Document restoration test results at least annually; retain evidence |
| Supplier security assessments not conducted | A.5.19-21 | Create a critical supplier list; request SOC 2 / ISO 27001 certs; complete vendor risk questionnaire |
| IRP not tested | A.5.26 | Conduct tabletop exercise; document scenario, participants, findings, and follow-up actions |
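Two of the findings above (SoA controls not traceable to the RTP, and scheduled activities such as access reviews, scans and restore tests not happening on time) are mechanical enough to check with a script before the auditor arrives. The following is an added example written for this article, not code from ComplyKit or any other product; the record layout (SoA entries, RTP entries and evidence tuples) is a hypothetical one chosen for the example, and all the sample records are constructed. Findings are tagged major or minor using the rule of thumb from the previous section (a missing mandatory artefact is major, a gap in an existing one is minor); the final classification remains the auditor's judgement.

```python
"""
Pre-audit consistency checks over ISMS records (added example; hypothetical
data layout, constructed sample data).

  SoA entry : {"id": "A.8.2", "applicable": True, "justification": "..."}
  RTP entry : {"risk_id": "R-001", "controls": ["A.8.2", "A.8.8"]}
  Evidence  : (control_id, date) of one completed scheduled activity
"""
from datetime import date

# A finding is (severity, clause-or-control reference, message).
Finding = tuple[str, str, str]


def check_soa_traceability(soa: list[dict], rtp: list[dict]) -> list[Finding]:
    """Cross-reference the Statement of Applicability with the Risk Treatment Plan.

    Flags applicable controls that no RTP entry selects and that carry no
    other justification (e.g. legal or contractual), exclusions with no
    justification, and RTP references to controls that are missing from the
    SoA or marked not applicable.
    """
    findings: list[Finding] = []
    if not soa:  # no SoA at all: Clause 6.1.3(d) not met, a major finding
        findings.append(("major", "6.1.3(d)", "No Statement of Applicability exists"))
        return findings
    by_id = {c["id"]: c for c in soa}
    referenced = {cid for entry in rtp for cid in entry["controls"]}
    for ctrl in soa:
        cid, just = ctrl["id"], ctrl.get("justification", "").strip()
        if ctrl["applicable"] and cid not in referenced and not just:
            findings.append(("minor", "6.1.3", f"{cid} is applicable but not traceable "
                             "to any RTP entry or other stated justification"))
        elif not ctrl["applicable"] and not just:
            findings.append(("minor", "6.1.3(d)", f"{cid} is excluded without a justification"))
    for entry in rtp:
        for cid in entry["controls"]:
            if cid not in by_id:
                findings.append(("minor", "6.1.3", f"{entry['risk_id']} references {cid}, "
                                 "which is missing from the SoA"))
            elif not by_id[cid]["applicable"]:
                findings.append(("minor", "6.1.3", f"{entry['risk_id']} references {cid}, "
                                 "which the SoA marks not applicable"))
    return findings


def check_cadence(evidence, requirements, period) -> list[Finding]:
    """Check that each scheduled activity recurred within its maximum interval.

    `requirements` maps control id -> (activity name, max gap in days).
    The run-in from the start of the audit period to the first record and
    from the last record to the end of the period are measured too, so an
    activity that was simply abandoned is caught, not only one that slipped
    between two records.
    """
    start, end = period
    findings: list[Finding] = []
    for cid, (activity, max_days) in requirements.items():
        dates = sorted(d for c, d in evidence if c == cid and start <= d <= end)
        if not dates:
            findings.append(("minor", cid, f"no evidence of {activity} in the audit period"))
            continue
        points = [start, *dates, end]
        longest = max((b - a).days for a, b in zip(points, points[1:]))
        if longest > max_days:
            findings.append(("minor", cid, f"{activity} not on schedule: longest gap "
                             f"{longest} days exceeds {max_days}"))
    return findings


# Constructed sample records for a 2024 audit period (not real data).
SOA = [
    {"id": "A.5.19", "applicable": True,  "justification": "Supplier risk R-002"},
    {"id": "A.5.26", "applicable": True,  "justification": ""},
    {"id": "A.6.7",  "applicable": False, "justification": ""},
    {"id": "A.7.10", "applicable": False, "justification": "No removable media in scope"},
    {"id": "A.8.2",  "applicable": True,  "justification": ""},
    {"id": "A.8.8",  "applicable": True,  "justification": ""},
]
RTP = [
    {"risk_id": "R-001", "controls": ["A.8.2", "A.8.8"]},
    {"risk_id": "R-002", "controls": ["A.5.19"]},
    {"risk_id": "R-003", "controls": ["A.8.13"]},  # A.8.13 never made it into the SoA
]
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
REQUIREMENTS = {
    "A.8.2":  ("privileged access review", 92),   # quarterly
    "A.8.8":  ("vulnerability scan", 31),         # monthly
    "A.8.13": ("backup restoration test", 366),   # at least annually
}
EVIDENCE = (
    [("A.8.2", d) for d in (date(2024, 3, 28), date(2024, 6, 27), date(2024, 9, 26))]
    + [("A.8.8", date(2024, m, 1)) for m in range(1, 13)]
)  # no Q4 access review and no restore test were recorded

if __name__ == "__main__":
    for sev, ref, msg in check_soa_traceability(SOA, RTP) + check_cadence(EVIDENCE, REQUIREMENTS, PERIOD):
        print(f"[{sev}] {ref}: {msg}")
```

Run against the sample data this reports three traceability findings (A.5.26 applicable but unjustified and unselected, A.6.7 excluded without justification, R-003 pointing at a control absent from the SoA) and two cadence findings (the Q4 privileged access review was skipped, so the gap to the period end is 96 days against a 92-day requirement; no restore test at all). Feed it your real SoA export and your IdP, scanner and backup evidence dates and you have the raw material for the corrective action register before the auditor asks.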
How the internal audit connects to the certification audit
The external certification body (Stage 1 and Stage 2) will ask to see your internal audit records. What they're checking:
- That an internal audit programme exists (Clause 9.2 requires a programme, not just ad hoc audits)
- That the internal audit was conducted — audit report, findings, corrective actions
- That nonconformities from the internal audit were addressed — corrective action register with status
- That the internal auditor was independent of the activities audited
- That management received the audit results (management review input)
A well-documented internal audit with honest nonconformities and completed corrective actions actually builds certification body confidence. It demonstrates that your ISMS is self-correcting. An internal audit that finds zero nonconformities in a first-year ISMS is a red flag — it suggests the audit was superficial.
Timing: when to conduct the internal audit before certification
For initial ISO 27001 certification, the recommended sequence is:
- ISMS implemented and operating for 3–6 months (evidence accumulation period)
- Internal audit conducted — typically 4–8 weeks before Stage 1
- Corrective actions for major nonconformities completed before Stage 1
- Management review conducted, with the internal audit results and corrective action status as inputs (Clause 9.3)
- Stage 1 audit (document review)
- Any Stage 1 gaps addressed
- Stage 2 audit (evidence review) — typically 4–8 weeks after Stage 1
Conducting the internal audit too close to Stage 1 (less than 2 weeks) doesn't leave time to fix major nonconformities. Too far out (more than 3 months) risks the audit report being stale by Stage 1.
Use the ISO 27001 Internal Audit Checklist Generator to build a pre-populated Clause 9.2 audit checklist covering all mandatory clauses and key Annex A control areas. Pair it with the ISO 27001 Risk Assessment Generator, Risk Treatment Plan Generator, and Statement of Applicability Generator for a complete audit-ready Clause 6 and Clause 9 package.