ISO 27001 Internal Audits: How to Run One That Actually Helps
Clause 9.2 of ISO 27001 requires you to audit your own ISMS at planned intervals. Most teams treat this as a chore. Done properly, it’s the opposite: a dress rehearsal that finds your nonconformities before the certification auditor does — when they cost a corrective action, not a delayed certificate.
What clause 9.2 actually requires
- An audit programme: planned intervals, methods, responsibilities and reporting — covering the whole ISMS over the cycle, not everything at once.
- Defined criteria and scope for each individual audit.
- Auditors who are objective and impartial — nobody audits their own work.
- Results reported to relevant management.
- Documented information kept as evidence of the programme and results.
- Nonconformities fed into clause 10.2: corrective action, root cause, and verification that the fix worked.
Who can audit? The independence problem, solved practically
Small companies stall here: the person who built the ISMS is the only one who understands it. Your options, in rough order of preference for a small team:
| Option | Trade-off |
|---|---|
| Outsource to a consultant | Most common for SMEs. Genuine independence and audit skill; costs money; brief them well on context. |
| Cross-functional internal auditor | Someone competent but outside the ISMS (e.g. engineering lead audits governance; ops lead audits engineering controls). Free, builds culture; needs training. |
| Peer swap | Two companies audit each other. Cheap and surprisingly effective; mind confidentiality. |
Whichever you choose, the certification body will check one thing hard: that the auditor did not audit work they own.
Running the audit: a lightweight method
- Plan: pick the scope slice (e.g. access control + supplier management + clauses 4–6), gather criteria (the standard, your policies, the SoA).
- Sample: request evidence before interviews — access-review records, incident tickets, change approvals. Evidence first keeps interviews honest.
- Interview: ask “show me”, not “do you”. “Show me the last leaver’s revocation” beats “do you revoke access promptly?” every time.
- Grade findings: nonconformity (requirement not met), observation (weakness worth noting), opportunity for improvement. Resist grade inflation in either direction.
- Report: findings tied to specific clause/control references, with evidence cited — write it the way you’d want to receive it.
- Close the loop: corrective actions with owners, root cause, deadlines — and verify effectiveness, not just completion.
Timing around certification
Before your Stage 1 certification audit you need at least one full internal audit and one management review completed, with the findings demonstrably actioned. Leave 6–8 weeks between internal audit and Stage 1 so corrective actions have time to land — an internal audit the week before certification helps nobody.
Common failure modes
- The zero-findings audit. Certification auditors treat a spotless internal audit as a red flag, not a green one — it usually means the audit wasn’t real.
- Auditing documents instead of operations — policies get reviewed, but nobody samples whether access reviews actually happened.
- Findings without closure: a nonconformity log where nothing ever reaches “verified effective” is itself a clause 10.2 finding.
- One mega-audit every year instead of a rolling programme — shallow coverage, burned-out team, stale results by audit day.
The bottom line
The internal audit is the ISMS checking its own pulse. Keep the programme rolling, the auditors genuinely independent, the questions evidence-first, and the findings driven to verified closure — and certification audits stop producing surprises.
Audit-ready evidence, all year round
Cyber Horizon keeps controls, owners, evidence and corrective actions in one place — so internal audits sample live records instead of chasing screenshots, and findings track to verified closure.
Book a Demo