ISO 27001 internal audit: Meaning, process, checklist

Getting ISO 27001 certified is a big win, but the real challenge is keeping it. ISO 27001 requires you to regularly check if your information security practices still hold up. That's where the internal audit comes in.
In this guide, we'll break down what an ISO 27001 internal audit involves, how often to run it, and what steps to follow, plus a checklist to help you stay on track.
Note: This blog focuses on ISO/IEC 27001:2022, which marks the end of its transition period on October 31, 2025, future-proofing your compliance efforts while remaining relevant to organizations still aligned with the 2013 version.
What is an ISO 27001 audit?
An ISO 27001 audit is a formal review of your organization's Information Security Management System (ISMS) to verify whether it meets the requirements of the ISO/IEC 27001 standard. In simple terms, it's a way to confirm that your security policies, controls, and processes are not just well-documented but actually working to protect sensitive data and manage risks effectively.
There are three types of ISMS audits:
- Internal audits are required at least once a year to identify gaps, assess effectiveness, and get ready for certification.
- External audits are carried out by accredited certification bodies to certify your ISMS or maintain that certification through annual surveillance and triennial recertification.
- Third-party audits are less common and usually performed by customers or partners to assess your security practices as part of vendor evaluations or contract obligations.
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is an in-house review of an organization's Information Security Management System (ISMS) to ensure compliance with ISO/IEC 27001:2022 and internal security objectives.
Conducted within the organization by trained staff or hired auditors, it identifies risks, gaps, non-conformities, and improvement areas in the ISMS before a certification or surveillance audit.
Required at least annually, these audits prepare you for external certification. It's a critical step to keep your security practices sharp and compliant.
Who is responsible for the ISO 27001 internal audit?
While top management is accountable for the overall effectiveness of the ISMS as outlined in Clause 5, Clause 9.2 of ISO/IEC 27001:2022 places the responsibility for planning and conducting internal audits on the organization.
Per ISO/IEC 27001:2022, Clause 9.2, the organization must ensure audits occur at planned intervals and are impartial, so that they genuinely verify compliance. This keeps the ISMS effective and ready for certification.
What are the ISO 27001 internal audit requirements?
Here's a comprehensive rundown of what you need to nail an ISO 27001 internal audit, per ISO/IEC 27001:2022:
- Audit methodology: Follow a documented process to ensure consistent, repeatable ISMS audits.
- Scope and objectives: Define the audit's focus, covering specific ISMS areas and goals.
- Audit team: Use qualified auditors (internal or third-party) with ISO 27001 expertise.
- Audit program: Plan audits with clear frequency, methods, and assigned responsibilities.
- Documentation: Record all audit processes, evidence, and findings for traceability.
- Reporting: Share results with management to drive corrective actions and improvements.
- Continual improvement: Use audit findings to enhance the ISMS over time.
- Objectivity and impartiality: Ensure auditors are independent and free from conflicts of interest.
- ISO 27001 knowledge: Auditors must be competent as per Clause 7.2, which includes appropriate education, training, and experience to understand and assess the standard's requirements effectively.
What is the ISO 27001 internal audit process?
ISO/IEC 27001:2022 lays out a clear process to ensure your ISMS is up to standard. Here's the five-step process to get it right:
1. Define audit scope and plan:
Create an audit plan detailing scope, objectives, and schedule, focusing on relevant ISMS assets, Clauses 4–10, and Annex A controls listed in your Statement of Applicability.
2. Collect evidence and review documents:
Examine key ISMS documents like the Scope Statement, Risk Assessment, and Information Security Policy to verify compliance and control effectiveness.
3. Conduct the audit:
Perform assessments through interviews, control observations, and document reviews to evaluate ISMS performance against ISO 27001 requirements and identify gaps.
4. Prepare audit report:
Summarize findings in a report, including scope, non-conformities, corrective actions, and recommendations, ensuring clarity for management review.
5. Management review and follow-up:
Present findings to management, address non-conformities per Clause 10.1, and plan improvements to ensure readiness for certification audits.
Who can conduct internal audits under ISO 27001?
Per Clause 9.2.2, internal audits must be conducted by individuals who are both competent and impartial. Competency, as defined in Clause 7.2, includes appropriate education, training, or experience. While some organizations engage certified internal staff (e.g., those with Lead Auditor training) or independent third-party consultants, ISO 27001 does not mandate certifications. Software tools, such as compliance platforms, can assist with evidence collection and reporting, but they do not replace the need for qualified human auditors.
What is the importance of ISO 27001 internal audits?
Internal audits, mandated by Clause 9.2 of ISO/IEC 27001:2022, are critical for keeping your ISMS robust and compliant. They help identify weaknesses before external audits and drive continuous improvement. Here's why they matter:
- Ensure compliance: Internal audits verify that your ISMS aligns with ISO 27001 requirements and your organization's security policies, reducing the risk of certification failures.
- Identify risks and gaps: Audits uncover vulnerabilities and non-conformities, enabling proactive risk management before they become costly issues.
- Drive improvement: By addressing audit findings, organizations strengthen their ISMS, enhancing security and operational efficiency over time.
How do you avoid common ISO 27001 internal audit mistakes?
Internal audits require a methodical approach, but common pitfalls can undermine your efforts. Here's how to steer clear of three frequent mistakes:
- Lack of auditor independence: Using auditors involved in ISMS operations risks bias. Choose impartial auditors with no direct responsibility for audited processes.
- Poor planning: Vague scope or objectives can lead to incomplete audits. Define clear goals, covering relevant clauses and Annex A controls, in your audit plan.
- Ignoring follow-up: Failing to act on audit findings wastes the process. Ensure that management reviews and implements corrective actions promptly.

FAQs
Do all internal auditors need to undergo training?
Internal auditors must be competent as required by Clause 9.2.2 of ISO/IEC 27001:2022. Competency is defined in Clause 7.2 and may be achieved through a combination of education, training, or relevant experience.
While formal training, such as ISO 27001 internal auditor or lead auditor courses, can help build this competency, such certifications are not explicitly required by the standard. What matters is that auditors understand the standard and the audit methodology, and can assess the ISMS impartially and effectively.
What are some important audits for ISO 27001 certification?
Key audits include internal audits (Clause 9.2), which are conducted objectively and impartially to evaluate ISMS compliance; surveillance audits, typically held annually after certification, to monitor ongoing adherence; and recertification audits every three years to renew certification. Together, these audits ensure that your ISMS continues to meet ISO/IEC 27001:2022 requirements.
Can ISO 27001 auditors carry out internal audits as well?
External consultants with ISO 27001 expertise, who are not affiliated with your certification body, can be engaged to conduct internal audits, as long as they are independent of the areas being audited. Certification auditors, however, are not allowed to perform internal audits for the same client due to conflict-of-interest rules.
Are the internal audit requirements in ISO 27001:2022 the same as in the 2013 version?
Yes, the core internal audit requirements in ISO/IEC 27001:2022 are essentially the same as those in the 2013 version. Organizations are still required to conduct internal audits at planned intervals to evaluate ISMS conformity and effectiveness. The 2022 update includes minor wording improvements for clarity but does not change the intent or expectations under Clause 9.2.
What do you do with the findings of the ISO 27001 internal audit?
After the internal audit, organizations must document the findings, report them to relevant management, and take corrective actions where necessary. Non-conformities should be analyzed to determine root causes, followed by implementing and tracking appropriate measures.
These actions are not only essential for preparing for external audits but are also critical for maintaining and continually improving the ISMS, as required by Clause 10.1 of ISO/IEC 27001:2022.
What are some common non-conformities found in an internal audit?
Frequent issues include:
1. Incomplete risk assessments (Clause 6.1.2): missing risk criteria or outdated evaluations
2. Outdated documentation (Clause 7.5): policies not reviewed or aligned with current practices
3. Access control gaps (Annex A.9): shared credentials or lack of user access reviews
These usually stem from poor planning or lack of follow-up on past audit findings.
How often should an ISO 27001 internal audit be conducted?
Clause 9.2 requires internal audits at least annually, though frequency may increase based on risk assessments or significant ISMS changes. Regular audits ensure ongoing compliance and readiness for certification.