Of all the requirements in ISO 27001, Clause 9.2 is the one that creates the most confusion between what companies think it requires and what certification bodies actually check for during a Stage 2 audit.

Companies typically read the requirement, note that they need to conduct internal audits at planned intervals, run something that looks like an audit, and file the results. Then the certification body arrives for Stage 2, reviews the internal audit program, and raises a nonconformity. Not because the company skipped the audit, but because the audit they ran did not meet the standard's actual requirements.

This post explains what Clause 9.2 requires, what a properly conducted internal audit looks like, and what certification bodies are most commonly citing when they find internal audit programs deficient.

What Clause 9.2 Actually Says

The full text of ISO 27001:2022 Clause 9.2 reads: the organization shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the organization's own requirements for its information security management system, and to the requirements of this document; and is effectively implemented and maintained.

The organization shall also plan, establish, implement, and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting, taking into consideration the importance of the processes concerned and the results of previous audits. It shall define the audit criteria and scope for each audit, select auditors to ensure objectivity and impartiality of the audit process, ensure that the results of the audits are reported to relevant management, and retain documented information as evidence of the audit program and the audit results.

Two things in that text are doing a lot of work. First, the audit must assess both conformance and effective implementation. A documentation review that confirms your policies exist is not an internal audit. An internal audit must test whether the ISMS is actually working. Second, auditors must be selected to ensure objectivity and impartiality. That phrase has specific implications for who can and cannot conduct the audit.

The Objectivity Requirement

Clause 9.2 does not say internal auditors must be external. It says the process must ensure objectivity and impartiality. In practice, this means the auditor must be independent of the area being audited. The person who manages your access control process cannot audit their own access control process. The CISO cannot audit the ISMS they designed and maintain, at least not the parts where their own judgment is being assessed.

There are several ways organizations satisfy this requirement. They can use employees from a different function, such as finance or legal, who have been trained in the ISMS audit process. They can rotate auditors so no one audits the area they operate in. They can use an external firm to conduct part or all of the internal audit function. Or they can have senior leadership audit operational areas while operational staff audit governance areas.

The critical point is that objectivity must be demonstrable. If a certification body reviews your internal audit records and finds that the same person who owns every significant control also conducted the internal audit, they will raise a nonconformity. The documentation must show that auditor assignments were made with objectivity and impartiality in mind.

The Audit Program vs. Individual Audits

Clause 9.2 requires both an audit program and individual audits. Many organizations conflate these. The audit program is the overarching plan that defines the scope, frequency, methods, responsibilities, and reporting structure for all internal audit activity. Individual audits are the specific engagements conducted under that program.

A compliant audit program document should include the scope of the ISMS being audited, the planned frequency of audits (at minimum annually, with higher frequency for higher-risk areas), the methods that will be used (interviews, document review, observation, technical testing), the criteria against which conformance will be assessed (the ISO 27001 requirements and your own ISMS policies), the roles and responsibilities for planning, conducting, and reporting on audits, and how the results of previous audits will be considered when planning subsequent ones.

That last element, consideration of previous audit results, is frequently missing. ISO 27001 anticipates a continuous improvement cycle. Clauses 9.2, 9.3 (management review), and 10.2 (corrective action) are designed to work together. The internal audit identifies gaps, management reviews those findings and resources the corrective actions, and the next audit cycle verifies that the corrective actions were effective. If your audit program does not include a mechanism for feeding results forward into planning, it is incomplete.

How to Conduct an ISO 27001 Internal Audit

1. Define the scope and objectives

Decide what will be covered in this audit cycle. For smaller organizations, this is often the full ISMS scope in a single cycle. For larger organizations, the scope may be divided across multiple audits during the year, covering different functional areas or control domains. Document the scope in the audit plan, including what is explicitly excluded and why.

2. Select and assign auditors

Assign auditors to areas where they have no operational responsibility. Document the assignment rationale, including a brief explanation of why each auditor is independent of the area they are auditing. If you are using external auditors for some or all of the program, document that selection and the rationale for choosing that firm.

3. Prepare the audit checklist and criteria

Develop a checklist that maps each audit question to a specific ISO 27001 requirement or ISMS policy. The checklist should ask not only whether a control exists but whether it is operating effectively. For each control area, identify the evidence you will request and the interviews you will conduct. The criteria must be defined before the audit begins, not during it.

4. Conduct the audit activities

Internal audit fieldwork typically includes a combination of document review, interviews with control owners, and observation of processes. For technical controls, it should include some level of technical testing or configuration review. The auditor should take working notes during fieldwork that are retained as part of the audit documentation. These working papers, not just the final report, are what certification bodies may ask to see.

5. Document findings and nonconformities

Each finding must reference the specific ISO 27001 clause or ISMS policy requirement it relates to. Findings should distinguish between major nonconformities (failures that put the ISMS's ability to achieve its intended outcomes at risk), minor nonconformities (isolated failures or omissions), and observations or opportunities for improvement. The finding documentation must be specific enough to support a corrective action plan.

6. Report to management and close the loop

Clause 9.2 requires that results be reported to relevant management. This means the internal audit findings must be formally presented to management, not just filed in a folder. The management review meeting under Clause 9.3 is the typical vehicle for this. The audit report should become an input to the management review, and the management review should produce decisions about corrective actions, resources, and priorities that feed back into the next audit cycle.

What Certification Bodies Check For

During a Stage 2 audit, the certification body will review your internal audit program and individual audit records. The most common findings relate to four issues.

First, auditor independence. The certification body will look at who conducted each audit and confirm they were not auditing areas where they have operational responsibility. If the documentation does not clearly establish independence, this is typically a minor nonconformity.

Second, coverage. The internal audit must cover the full ISMS scope over the audit program period. If your program is planned to run annually and you have only audited three of the twelve Annex A control domains in your most recent cycle, the coverage is incomplete. Certification bodies are looking for evidence that every significant area of the ISMS is examined at appropriate intervals.

Third, depth of testing. A document review that asks whether policies exist is not sufficient. The certification body wants to see evidence that the auditor tested whether controls are operating effectively, through interviews, records review, and technical testing where appropriate. An internal audit that passes every control with no findings in an organization with known complexity is a red flag, not a clean record.

Fourth, the follow-through loop. The certification body will trace your internal audit findings forward to corrective action plans and then look for evidence that those corrective actions were implemented and verified. If findings from your last internal audit have no documented corrective actions, or corrective actions were documented but never implemented, that is a significant gap.

The question certification bodies ask first is: "Show me the documentation for your most recent internal audit, including the audit plan, the working notes from fieldwork, the findings, and the corrective actions taken in response." If you cannot produce all four components within minutes, you have a documentation gap that a Stage 2 audit will surface.

When to Use an External Firm for Internal Audit

ISO 27001 permits outsourcing the internal audit function to an external firm, provided that firm is independent of the organization and has the competence to conduct ISO 27001 internal audits. Organizations typically choose this route for one of three reasons: they lack the internal competence to audit their own ISMS objectively, the organization is too small to have enough independent personnel to conduct a meaningful internal audit, or management wants the credibility and depth that comes from a specialized external auditor.

Using an external firm does not eliminate your responsibility. You still need an audit program, you still need to define scope and criteria, and you still need to ensure that management reviews and acts on the findings. What the external firm provides is the fieldwork, the working papers, and the findings report. What you provide is the organizational context, the evidence, and the commitment to treat findings seriously.

One important caveat: the firm conducting your internal audit cannot be the same firm conducting your Stage 2 audit or your surveillance audits. Independence is required between the internal audit function and the external certification body, just as it is required within the internal audit process itself.