ISO 27001 Internal Audit (Clause 9.2)

How to plan, conduct, and document ISO 27001 Clause 9.2 internal audits including scheduling, auditor independence, evidence collection, and reporting.
If there is a single activity that separates an ISO 27001 programme that will pass audit from one that will not, it is the internal audit. Clause 9.2 of ISO 27001 requires that you audit your own ISMS at planned intervals to confirm it conforms to the standard, to your own requirements, and that it is effectively implemented and maintained. This is not a bureaucratic formality. A well-run internal audit programme is the single best signal of whether your organization is actually operating an ISMS or merely documenting one.

This guide walks through how to plan, staff, execute, evidence, and close out ISO 27001 internal audits so that both Stage 2 and surveillance auditors find a mature, self-correcting programme.

What Clause 9.2 actually requires

Clause 9.2 of ISO 27001 has two subclauses. Clause 9.2.1 requires that the organization conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization's own requirements and the requirements of ISO 27001, and whether it is effectively implemented and maintained. Clause 9.2.2 requires that you plan, establish, implement, and maintain an audit programme that includes frequency, methods, responsibilities, planning requirements, and reporting.

In practice, this translates into four expectations that certification auditors will look for:

  • A documented audit programme that covers the full scope of the ISMS over a defined cycle, typically one to three years.
  • Objective and competent auditors who do not audit their own work.
  • Evidence-based audit results with findings categorized and documented.
  • A closure process where findings are tracked through to corrective action.

Teams often treat the audit programme itself as a compliance artifact rather than a plan. Auditors can tell the difference. A real programme shows evidence of actually being followed, including signed schedules, rescheduled audits, and audit reports with real findings.

Designing the audit programme

The audit programme is the multi-year plan for how your entire ISMS gets audited. For a small to mid-sized organization, a one-year cycle covering every ISO 27001 clause and every applicable Annex A control is typical. Larger organizations often operate a three-year cycle, covering different sections each year so that the full ISMS is audited by the end of the cycle.

A good audit programme defines:

  • Scope of each audit. Which clauses, which controls, which business units, which systems.
  • Frequency. When each scope is audited. Higher-risk areas such as change management and access control often get more frequent coverage.
  • Methods. Document review, interviews, observation, sampling of records, technical testing.
  • Auditor assignments. Who will audit what, and confirmation that they are independent of the area being audited.
  • Reporting requirements. Format of audit reports, required sign-offs, distribution list.

Build the programme from your risk assessment output rather than auditing everything equally. An access control failure is a higher-impact risk than a minor documentation gap, so access control deserves deeper sampling.

Auditor independence and competence

Clause 9.2 requires that auditors be objective and impartial. In plain language: the person who built a control cannot audit that control.

Organizations achieve independence in several ways. Some rotate auditors between teams so that an engineer from the platform team audits the people and HR controls while the HR team audits platform controls. Others use a dedicated internal audit function. Many small companies contract with external consultants to audit areas where no internal independence is possible, such as the single ISMS owner auditing their own programme.

Auditor competence matters as well. Auditors should understand ISO 27001 requirements and auditing practice. ISO 19011 provides guidance on management system auditing and is a good training reference. Certification bodies do not require that internal auditors hold a specific credential, but they will ask how you determined the auditor was competent.

Running the audit — a practical flow

The actual audit follows a predictable pattern.

1. Opening meeting

The auditor and the auditees meet to confirm scope, timing, and expectations. For large audits this is formal. For a small scope it can be a short conversation.

2. Document review

The auditor reviews the relevant policies, procedures, and records before or during the audit. This sets up interview questions and evidence requests.

3. Interviews

Auditors interview the people who actually operate the controls. The goal is to confirm that documented processes match real practice. Interviews often reveal process drift that documentation alone cannot.

4. Evidence sampling

Auditors request samples of records to verify that controls operate as described. Typical samples include access reviews, change tickets, incident records, and backup test logs. Sample sizes and selection methods should be documented so that the sampling approach is reproducible.

5. Observation and technical verification

Where relevant, auditors observe processes happening in real time or verify technical configurations. Watching an on-call engineer handle a test alert is often more valuable than reading the incident response policy.

6. Closing meeting and draft findings

The auditor debriefs the audited team, outlines preliminary findings, and gives the team a chance to provide additional context before the report is finalized.

Documenting findings

Every internal audit must produce a documented report. The report typically includes:

  • The audit scope and objectives.
  • The criteria used, which are usually ISO 27001 and your internal policies.
  • The audit team and their independence.
  • Methods used and samples reviewed.
  • Findings, each categorized as a nonconformity, observation, or opportunity for improvement.
  • Agreed timelines for corrective actions.

Findings should quote the specific requirement that was not met, describe the evidence of the gap, and state who owns the correction. A finding that says "access reviews are not always completed" is weaker than one that says "Clause 9.2 of your Access Control Policy requires quarterly access reviews. Four of ten sampled systems had no documented review in Q1 2026. Owner: IT Operations."

Findings then flow into the nonconformity and corrective action process, where root causes are identified and fixes are tracked to closure.

How this fits into your ISMS

Internal audits are one of three major inputs to the management review required by Clause 9.3. Management review uses internal audit results along with risk changes, incidents, and performance metrics to make decisions about the direction of the ISMS.

Internal audits also interact directly with continual improvement under Clause 10.3. Patterns in audit findings over time often reveal systemic weaknesses that individual corrective actions cannot resolve. A mature ISMS uses internal audit trends to justify broader process changes, tooling investments, or staffing adjustments.

For first-time certifiers, at least one full internal audit must be complete before the Stage 2 audit in the certification process. Certification auditors will ask to see the internal audit programme, the reports, and evidence that findings were tracked and closed.

Common pitfalls

  • Writing findings but not closing them. An open finding that sits for a year is worse than no finding at all. It proves the organization does not act on its own audits.
  • Sampling only happy paths. Pulling the three best-documented change tickets does not prove the change management process works. Randomized or risk-weighted sampling produces credible evidence.
  • Auditing documentation instead of practice. A control that is beautifully documented but never operated will fail certification. Interviews and observation matter more than document review alone.
  • Single-person audit team for every audit. If the same person audits every area, independence is fragile. Rotate auditors or introduce external support.
  • Skipping the opening and closing meetings. These bookend activities create accountability and reduce the risk of disputed findings after the fact.
  • No audit trail of evidence. Auditors should record what they reviewed, when, and where it came from. Without this, findings are hard to defend.

How episki helps

episki ships with an ISO 27001 internal audit workflow that generates the audit programme from your control graph, assigns independent auditors based on ownership history, captures evidence directly against the control being audited, and tracks findings through to verified closure. Audit reports export in an auditor-ready format that satisfies Clause 9.2 expectations without pulling days of manual effort from your ISMS owner.

See the full ISO 27001 framework for how internal audits connect to the broader certification cycle.