ISO 27001 Internal Audit: What to Check, Who Should Do It, and How to Document It

October 7, 2025

ISO 27001 Clause 9.2 requires organisations to conduct internal audits at planned intervals to determine whether the ISMS conforms to the requirements of the standard and to the organisation's own requirements, and whether it is effectively implemented and maintained. The standard leaves the specifics of how, when, and who largely to the organisation. That flexibility is useful, but it also means internal audit programmes vary significantly in quality, and external auditors can tell.

An internal audit that consists of a brief document review conducted by the same person who built the ISMS, with a one-page summary that finds no significant issues, provides little assurance. An internal audit that tests controls operationally, interviews process owners, and produces findings with corrective actions provides genuine value. The purpose of the internal audit is to find issues before the certification body does. Organisations that use it as a formality rather than an assurance tool are leaving value on the table and creating risk for their certification audits.

What to Check

The scope of an internal audit should cover, over the course of the year, all of the clauses of ISO 27001 and a representative sample of Annex A controls. It does not need to cover everything in a single audit cycle. A practical approach is to prioritise areas that were not covered in the previous external audit, areas where nonconformities or observations were previously raised, and areas where the business has changed significantly since the last review. High-risk control areas, such as access management, change management, and incident response, warrant more frequent attention.

The internal audit should include evidence review (checking that controls are producing the outputs they are supposed to produce), process walkthroughs (confirming with the people who operate the controls that they understand and follow the documented procedures), and document review (checking that policies, procedures, and records are current and approved). Findings should be categorised as nonconformities (where a requirement of the standard or an organisational requirement is not being met) or observations (where improvement is advisable but not required). Each finding should be linked to a corrective action with an assigned owner and a target date.

Who Can Conduct the Internal Audit

ISO 27001 requires that internal auditors are selected to ensure objectivity and impartiality. This means the person being audited cannot audit themselves. Beyond that, the standard does not require auditors to be external parties or to hold specific qualifications, although competence in auditing is a requirement that the organisation must demonstrate.

In practice, organisations handle this in three ways. Some train an internal staff member in ISO 27001 auditing who audits areas they are not personally responsible for. Others use a separate team within the organisation (for example, an internal audit function if one exists) to conduct the ISMS audit. Others engage an external party to conduct the internal audit on their behalf. The external option is the most commonly selected by SMEs and growth-stage companies because it provides genuine independence, access to auditing expertise, and a defensible record that impartiality was maintained. We conduct internal audits for several ISO 27001-certified clients as part of their ongoing maintenance programmes.

How to Document the Internal Audit

ISO 27001 requires the organisation to retain documented information as evidence of the audit programme and the audit results. The minimum documentation expected by certification auditors includes an audit programme (the plan for internal audit activities across the year, including scope, criteria, frequency, and method), individual audit plans for each audit conducted, audit reports that document findings, and a corrective action register or equivalent record that tracks the resolution of findings.

Good internal audit documentation tells a story. It shows that the scope was defined, the audit was planned and executed against that scope, findings were documented with specificity (naming the control, the evidence reviewed, and the gap identified), and corrective actions were assigned, tracked, and closed. An internal audit report that says "controls reviewed, no significant issues found" without specifying which controls were reviewed, what evidence was examined, or who was interviewed does not provide that story. Certification auditors reviewing the internal audit programme will look for the level of detail that would allow them to assess whether the audit was genuinely conducted, not just documented.

Timing and Frequency

The standard requires internal audits to be conducted at planned intervals, without specifying a minimum frequency. The expectation is that the full ISMS is audited within the three-year certification cycle, with surveillance auditors expecting to see internal audit activity in the period since the last external audit. Annual internal audit coverage of the full ISMS is a reasonable baseline. High-risk areas may warrant more frequent attention.

Timing matters relative to the certification cycle. Conducting the internal audit shortly before a surveillance or recertification audit means the findings and corrective actions are fresh and can be presented as current evidence of the ISMS's functioning. Conducting it immediately after an external audit and then not repeating it for 11 months leaves a long gap that surveillance auditors will note. A programme that distributes internal audit activity across the year, with evidence of ongoing attention rather than a single annual event, is more credible.

To discuss internal audit services for your ISO 27001 programme, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Guides
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?