Getting an ISO 27001 certification largely depends on how effective your internal audits are. An ISO 27001 internal audit tells you if your ISMS is actually working as intended, whether your controls are in place, and if there are any gaps you need to fix before you meet the external auditor.
And here’s the part many teams overlook: internal audits are not optional. ISO 27001 Clause 9.2 clearly requires you to plan, conduct, and maintain internal audits at defined intervals. Skipping internal audits or treating them as a formality creates conditions that auditors may flag as major non-conformities.
This blog serves as a playbook to ensure internal audits are right the first time. We’ll cover what ISO 27001’s Clause 9.2 mandates, how to define your internal audit scope, and the components of a risk-based plan. We’ll also uncover tips on assigning internal audit roles and how to run the audit from document review to fieldwork and control testing. By the end, you’ll know how to run an internal audit that actually strengthens your ISMS before certification.
- Internal audits are required under Clause 9.2. They help you check whether your ISMS meets ISO 27001 requirements and highlight problems before the certification audit.
- Your audit plan should be based on risk. This means you decide what to audit, how often, and how deep based on your most critical processes, recent changes, and areas with higher risk.
- Auditors must stay independent. They should be trained in ISO 27001 and must not audit their own work.
- Internal audits should lead to real action. You need to record findings, understand why issues happened, and fix them so your ISMS keeps getting better.
What is an ISO 27001 internal audit?
An ISO 27001 internal audit is a systematic, independent review of your Information Security Management System (ISMS) to ensure it meets the requirements of the ISO 27001 standard and that your controls are effective in practice.
It’s a mandatory requirement under Clause 9.2, and it must be conducted before your certification audit. The goal is to identify gaps, test control performance, and ensure your ISMS operates as documented so you’re fully prepared when the external auditor arrives.
Internal audits can be carried out by a trained person within the organization (as long as they aren’t auditing their own work), or by an independent third party.
This article is based on ISO/IEC 27001:2022, but the same internal audit principles also apply if you’re transitioning from the 2013 version.
Purpose of the internal audit
Think of the internal audit as a health check for your ISMS. It allows you to:
- Check your ISMS maturity and readiness before the external audit.
- Confirm that what’s written in your policies is actually practiced day-to-day.
- Spot control gaps early, when fixes are easier and internal.
- Check if leadership regularly reviews risks, KPIs, and audit results.
Mandatory nature of internal audits under clause 9.2
Running regular ISO 27001 internal audits is not just good security hygiene; clause 9.2 of ISO 27001 mandates them as a condition of certification. It requires you to:
- Run audits at planned intervals based on risk, changes, and what matters most to your ISMS.
- Check whether your ISMS meets ISO 27001 and your own internal requirements, as well as whether it’s effectively implemented and maintained in daily operations.
- Keep audit reports and related records as documented evidence.
- Maintain an audit program that is properly planned, implemented, and updated over time.
- Define the audit criteria and scope clearly for every audit.
- Choose auditors who are objective and not auditing their own work.
- Ensure audit findings are reported to the right management stakeholders so actions can be taken.
Read more about the ISO 27001 controls and clauses.
Who can perform an ISO 27001 internal audit?
Internal audits must be done by an internal team, an ISO 27001 consulting firm, or an independent third-party auditor. Whichever option you choose, auditors must be objective, impartial, and free from conflicts of interest; they should not audit areas they manage or controls they operate.
Ideally, auditors should have relevant certifications (like ISO 27001 Lead Auditor) or equivalent experience to ensure a thorough and credible audit.
Bringing in an external auditor can be valuable, especially if you want an experienced perspective. Depending on the auditor’s experience or firm (e.g., a Big 4 firm or an independent specialist), this can cost roughly $10,000 to $20,000.
Internal audits vs external certification audits
Before we delve deeper, here’s a quick comparison to highlight the differences between internal and external audits:
| Aspect | Internal audit | External certification audit |
| --- | --- | --- |
| Purpose | Diagnose readiness, find gaps, and improve the ISMS | Formally assess conformity and grant certification |
| Approach | Flexible, preparatory, improvement-focused | Formal, structured, compliance-focused |
| Who performs it | Internal team or hired independent auditor | Accredited third-party certification body |
| Evidence level | Moderate; enough to check implementation | High; detailed proof required for each control |
| Outcomes | Findings used for corrective actions and preparation | Pass/fail decision for ISO 27001 certification |
ISO 27001 internal audit requirements
The ISO 27001 internal audit requirements are laid down in clause 9.2 of the standard and are detailed and stringent. Clause 9.2(a) requires organizations to conduct internal audits at planned intervals, and 9.2(b) requires those audits to determine whether the ISMS conforms to ISO 27001 requirements.
Here are five clauses you should be looking at as per ISO internal audit requirements:
Audit program (Clause 9.2)
Requirement: Organizations must plan, establish, implement, maintain, and continuously improve an audit program. The program must include audit frequency, methodology, roles and responsibilities, reporting procedures, and corrective action implementation.
How to comply: To meet the requirement, organizations must:
- Create an internal audit schedule defining whether the internal audit will be conducted annually, biannually or quarterly and the areas to be audited.
- Define audit methodology, whether risk-based, asset-based or procedure-based audits will be conducted.
- Appoint qualified and unbiased internal auditors.
- Establish a reporting mechanism to report any non-conformities.
- Implement an improvement program to incorporate corrective actions and track changes in ISMS.
Audit criteria and scope (Clause 9.2)
Requirement: Organizations must define the audit criteria and scope of each audit, including the processes, areas, systems etc., to be included in each audit.
How to comply: To meet the requirement, organizations must:
- Start specifying the relevant components such as IT systems, financial operations, and other areas that will be audited in each internal audit window.
- Create a plan for the methods to be used for evaluating the specifics, such as interviews, observation, and tests.
- Assess and prioritize audit areas, focusing on high-risk areas first and taking into account the resources available for audits.
Auditor selection and independence (Clause 9.2)
Requirement: Organizations must select independent internal auditors to ensure impartiality in the assessment.
How to comply: To meet the requirement, organizations must:
- Appoint internal auditors who are not directly involved in designing or running the ISMS activities to prevent a biased opinion.
- Verify that the auditor is competent in terms of training, skills, and understanding of information security management.
- Create a formal document specifying which individuals are eligible or ineligible to perform internal audit processes, along with the reasons for their eligibility.
Reporting on audit results (Clause 9.2)
Requirement: The internal auditor must report the audit results to the management. All non-conformities and other findings must be reported along with recommendations for improvement.
How to comply: To meet the requirement, organizations must:
- Establish an audit result reporting process
- Present audit findings to the executives during management review meetings conducted annually or more frequently
- Include details on audit scope and findings while highlighting major non-conformities and recommendations for corrective action
- Document management response and track progress on remediation measures
Audit records and retention (Clause 9.2)
Requirement: Organizations must retain the documents and evidence of the ISO 27001 internal audit plan implementation, as well as the audit results.
How to comply: To meet the requirement, organizations must:
- Maintain audit records such as copies of the internal audit plan, evidence of audit execution, and final audit report
- Establish and document record retention policies that clearly state how long the records should be retained, along with the format
- Establish roles and responsibilities for managing these records
- Ensure that the records are readily available when required while preserving their integrity.
What “audit independence” means in practice
In ISO 27001 internal audits, independence isn’t about who does the audit; it’s about ensuring the auditor has no bias and no conflict of interest. Internal auditors don’t have to be external consultants, but they cannot audit their own work or anything for which they were directly responsible. If the audit isn’t objective, the results won’t be trusted.
What this means for planning internal audits:
- No self-auditing: Auditors shouldn’t review controls or processes they built, manage, or recently worked on.
- Separate reporting: Internal audit should report to an independent function, not to the teams being audited.
- Avoid real or perceived bias: Even if someone feels objective, they must avoid situations where it looks like they’re not.
- Rotate auditors: Move auditors across areas to avoid over-familiarity.
- Provide complete access: Auditors must be able to access all records, systems, and people they need.
- Keep documentation: Record how each auditor is independent from the area they’re auditing. External auditors often check this.
The inputs and outputs of an internal audit
A good internal audit should start with the right background information and end with precise, actionable results. Here’s a breakdown of what feeds the audit and what comes out of it:
| Required inputs | Required outputs |
| --- | --- |
| Findings from previous internal audits | Audit findings with clear classification (Major NC, Minor NC, Observation) |
| Your latest risk assessment and risk treatment plan | Evidence of what was tested (screenshots, logs, interviews, access reviews) |
| Logs or reports from control monitoring tools | Corrective action requests with owners and due dates |
| Records of incidents, issues, or past non-conformities (NC) | A final internal audit report kept as documented ISMS evidence |
ISO 27001 internal audit scope & planning
Before you start an internal audit, you need clarity on what you’re auditing and how you’ll approach it. A well-defined scope and a risk-based plan ensure you’re focusing on the areas that matter most. Start with:
1. Determining audit scope
Your internal audit should cover all the processes in your ISMS and the Annex A controls you’ve included in your Statement of Applicability (SoA). While defining the scope, remember to include:
- Cloud systems and SaaS tools
- Third-party services you rely on
- Outsourced processes that handle or impact your data
If it affects your ISMS, it needs to be in scope.
2. Building a risk-based audit plan
Not all processes carry the same risk, so they shouldn’t be audited on the same schedule. High-risk areas, such as access management or incident response, require more frequent attention.
As your ISMS matures, your audit plan should adapt to real-world triggers such as:
- Recent incidents
- Major changes in tools or processes
- New vulnerabilities
- Sudden increases in risk
For example, if you’ve had a recent vendor incident or a new cloud deployment, those areas move up the priority list, regardless of when they were last audited.
3. Sampling strategy
You don’t need to check every record or piece of evidence. Sampling allows you to review a small, representative set, saving time without compromising audit quality.
But the sample must be meaningful. Make sure you include variation across:
- Time periods (e.g., different months)
- Teams and functions
- Types of controls
This helps you get an accurate view without having to audit everything.
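The sampling approach described above, as an added example that is not part of the original article: a small Python routine that draws a reproducible evidence sample guaranteed to include every month, team and control type present in the population, then tops up to the requested size at random. The evidence population, the stratum names and the seed are all constructed for the example.

```python
"""Stratified evidence sampling for an ISO 27001 internal audit.

Added example, not from the original article. The sample is guaranteed
to contain at least one record from every month, team and control type
in the population, and the random top-up is seeded so the same sample
can be regenerated and shown to an external auditor.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EvidenceRecord:
    record_id: str
    month: str          # e.g. "2024-03"
    team: str           # e.g. "it-ops"
    control_type: str   # e.g. "access", "logging", "hr"


# The dimensions the sample must vary across (assumed for this example).
STRATA = ("month", "team", "control_type")


def stratified_sample(population, sample_size, seed=27001):
    """Return `sample_size` records covering every value of every stratum.

    Raises ValueError if `sample_size` exceeds the population or is too
    small to cover all strata.
    """
    if sample_size > len(population):
        raise ValueError("sample larger than population")
    rng = random.Random(seed)
    shuffled = list(population)
    rng.shuffle(shuffled)

    chosen, chosen_ids = [], set()
    # Pass 1: for each dimension, make sure every value is represented.
    for dim in STRATA:
        for value in sorted({getattr(r, dim) for r in population}):
            if any(getattr(r, dim) == value for r in chosen):
                continue
            for r in shuffled:
                if getattr(r, dim) == value and r.record_id not in chosen_ids:
                    chosen.append(r)
                    chosen_ids.add(r.record_id)
                    break
    if len(chosen) > sample_size:
        raise ValueError(f"need at least {len(chosen)} records to cover all strata")
    # Pass 2: top up with random records until the requested size.
    for r in shuffled:
        if len(chosen) == sample_size:
            break
        if r.record_id not in chosen_ids:
            chosen.append(r)
            chosen_ids.add(r.record_id)
    return chosen


def coverage(sample):
    """Summarise which stratum values a sample covers, for the audit report."""
    return {dim: sorted({getattr(r, dim) for r in sample}) for dim in STRATA}


# Constructed population: 12 months x 3 teams x 3 control types = 108 records.
POPULATION = [
    EvidenceRecord(f"EV-{i:03d}", f"2024-{m:02d}", team, ctype)
    for i, (m, team, ctype) in enumerate(
        (m, t, c)
        for m in range(1, 13)
        for t in ("engineering", "it-ops", "people")
        for c in ("access", "logging", "hr")
    )
]

if __name__ == "__main__":
    sample = stratified_sample(POPULATION, 20)
    print(len(sample), coverage(sample))
```

Keeping the seed in the audit working papers is what makes the sample defensible: anyone can regenerate it and confirm the auditor did not hand-pick the easy records.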
Sample audit schedule by risk level
Once you classify your processes by risk, you can map them to a realistic audit frequency. Here’s a sample breakdown you can use as a reference.
| Process | Risk level | Recommended audit frequency |
| --- | --- | --- |
| Access management | High | Quarterly |
| Incident response | Medium | Every 6 months |
| HR security | Medium | Annually |
| Vendor security | High | Quarterly |
| Physical security | Low | Annual or bi-annual |
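The risk-based plan described in sections 2 and 3 above, as an added example that is not from the original article: a scheduler that maps each process to an interval by risk level, works out when it is next due from its last audit date, and moves any process with a real-world trigger (incident, major change, new vulnerability) to the top of the plan regardless of the regular interval. The interval values follow the sample schedule table; the process list, dates and trigger strings are constructed for the example.

```python
"""Risk-based internal audit scheduler (added example, not from the article).

Each ISMS process gets an audit interval from its risk level, a next-due
date from its last audit, and is pulled forward to "due now" whenever a
trigger has occurred since the last audit.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Interval per risk level, following the sample schedule above
# (quarterly for high, 6 months for medium, annual for low).
INTERVAL_DAYS = {"high": 91, "medium": 182, "low": 365}


@dataclass
class Process:
    name: str
    risk_level: str
    last_audited: date
    triggers: list = field(default_factory=list)   # e.g. ["vendor incident"]


@dataclass
class PlanEntry:
    name: str
    due: date
    due_now: bool
    reason: str


def next_due(proc, today):
    """Regular due date from the last audit, or `today` if a trigger fired."""
    if proc.triggers:
        return today
    return proc.last_audited + timedelta(days=INTERVAL_DAYS[proc.risk_level])


def build_plan(processes, today):
    """Return plan entries ordered: due-now items first, then by due date."""
    entries = []
    for p in processes:
        if p.risk_level not in INTERVAL_DAYS:
            raise ValueError(f"unknown risk level for {p.name}: {p.risk_level}")
        due = next_due(p, today)
        if p.triggers:
            reason = "triggered: " + ", ".join(p.triggers)
        else:
            reason = f"{p.risk_level} risk, every {INTERVAL_DAYS[p.risk_level]} days"
        entries.append(PlanEntry(p.name, due, due <= today, reason))
    return sorted(entries, key=lambda e: (not e.due_now, e.due, e.name))


# Constructed process register and planning date.
TODAY = date(2024, 6, 1)
PROCESSES = [
    Process("Access management", "high", date(2024, 1, 15)),
    Process("Incident response", "medium", date(2024, 2, 1)),
    Process("HR security", "medium", date(2024, 5, 1)),
    Process("Vendor security", "high", date(2024, 5, 20), ["vendor incident"]),
    Process("Physical security", "low", date(2023, 12, 1)),
]

if __name__ == "__main__":
    for entry in build_plan(PROCESSES, TODAY):
        flag = "DUE NOW" if entry.due_now else "scheduled"
        print(f"{entry.name:20} {entry.due} {flag:9} {entry.reason}")
```

Vendor security was audited only twelve days before the planning date, but the incident trigger still puts it at the top of the plan, which is the behaviour the text describes; clearing a trigger after the targeted audit is a deliberate manual step, so it is recorded rather than silently dropped.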
Roles & responsibilities in ISO 27001 internal audits
ISO 27001 internal audit is a cross-functional operation; it works best when each role knows its job, owns its deliverables, and respects the boundaries of independence. Here are the major stakeholders involved:
Lead auditor
The lead auditor runs the entire audit from start to finish. A lead auditor:
- Plans the audit: define the scope, timeline, and areas to be reviewed
- Assigns auditors: make sure no one audits their own work
- Coordinates the audit: keep departments aligned and things moving
- Reviews findings: look for patterns or repeated issues
Who can play this role from the internal team? A compliance manager, security lead, or operations lead trained in ISO requirements. In small teams, this can even be a senior engineer or a founding team member with good process awareness.
Internal auditors
Internal auditors do the actual fieldwork. They:
- Conduct control tests: check if controls are being followed in practice
- Review evidence: collect logs, screenshots, access records, and any data that supports compliance
- Interview people: ask questions to understand how processes are actually run
- Report what they find: clearly document what works, what doesn’t, and how severe any issues are
Control owners
Control owners are the source of truth for specific security or operational controls. They:
- Submit evidence: present logs, screenshots, or documentation proving their control is in place and working
- Explain the process: walk auditors through how the control works in real life
- Fix what’s broken: they’re also responsible for remediating any gaps found during the audit
ISMS manager
The ISMS Manager (or Compliance Lead) coordinates the audit across the organization. An ISMS Manager:
- Keeps the ISMS aligned: ensures all departments are ready and aware of audit expectations
- Tracks progress: follows up on audit tasks, evidence collection, and remediation
- Acts as the central contact: serves as the bridge between auditors, control owners, and leadership
Top Management
Top management sponsors the audit and ensures accountability. Their role includes:
- Reviewing audit results: discuss findings and monitor follow-up actions
- Approving corrective actions: allocate resources for implementing fixes
- Modeling accountability: show the organization that compliance and audit readiness are strategic priorities
Who can play this role internally? Usually, the CTO, CISO, Head of Engineering, or other senior executives.
ISO 27001 internal audit process (Step-by-step)
An ISO 27001 internal audit process requires defining the audit scope and extent, as well as selecting an internal auditor for documentation review, field investigation, and evidence analysis. Thereafter, the auditor compiles the report and recommends corrective action.
Here’s the 5-step ISO 27001 internal audit process:
Define the scope of the internal audit
The internal auditor must begin by outlining the audit’s boundaries and defining the systems that fall within its scope. It must include all functions, people, systems, etc., that will be examined under the audit to meet the compliance objectives.
Conduct a documentation review
The internal auditor will first review all your documented information – ISO 27001 scope statement, statement of applicability, information security policies, ISO risk assessments and risk treatment plan, among others – to ensure the audit scope is appropriately defined and covers the ISMS adequately.
Here’s what these documents include:
- ISMS scope statement: The document specifies the boundaries to which ISMS applies
- ISMS statement of applicability: The statement specifies the controls that have been selected and implemented, and justifies the ones that aren’t applicable.
- Information security policy: The policy outlines the security goals of the organization and the SOPs in place to achieve them
- ISO 27001 risk assessment and risk treatment plans: The documents present the approach to identifying risks, the criteria for scoring them and the action plan for treatment
- Definition of responsibilities: The document outlines the roles and responsibilities of individuals in the control implementation.
- Asset inventory and acceptable use: These documents consist of asset inventory and guidelines on fair use.
ISO 27001 lists numerous mandatory documents and records, as well as some non-mandatory documents that are good to keep handy. It is good practice to identify and list the people who built, operated, or monitored the controls of your ISMS and assign them responsibilities for specific documents.
Conduct fieldwork and control testing
After reviewing documentation, the auditor moves into fieldwork, where they actively assess how well your ISMS is functioning. This involves running audit tests, validating technical and procedural controls, interviewing staff, and collecting concrete evidence to verify whether controls are working as intended.
Key activities during this phase:
- Staff interviews: Understand whether employees actually follow ISMS policies in practice.
- Control walkthroughs: Trace the execution of a control end-to-end. For example, what happens when someone leaves the company? Is offboarding consistent with your access policy?
- Log and config reviews: Check audit trails, system configurations (e.g., MFA enforcement, encryption settings), and access logs to validate control coverage.
- Evidence collection: Capture proof like screenshots, log exports, meeting records, or tickets. Every control must be backed by objective, timestamped evidence.
Sprinto advantage: You can implement Sprinto to review the effectiveness of policies, processes and technical controls against ISO 27001. Sprinto enables you to run granular-level automated checks in real time, spot the gaps and initiate proactive responses.
Find out how Risr completed ISO 27001 implementation in 10 sessions with Sprinto.
Identify non-conformities, if any
Once you’ve completed fieldwork and gathered evidence, the next step is to identify where your ISMS isn’t meeting expectations. These gaps, referred to as non-conformities (NC), can range from missing documentation to controls that exist on paper but don’t function in practice.
Your job here is to compare what you found against ISO 27001 requirements and your own policies, and then classify the issues:
- Major NC: A big, system-level failure (e.g., no access control process).
- Minor NC: A one-off miss (e.g., one employee didn’t complete training).
- Observation: Something that works, but could be better.
- Opportunity: Helpful suggestions, not mandatory.
It’s important to take note of why non-conformities occurred. Was the policy unclear? Was training overlooked? Was ownership assigned? The goal is not just to flag problems but to identify patterns and root causes that could lead to wider failure if left unchecked.
Write the audit report
The audit report is where everything comes together. It’s the official record of what was audited, what was found, and what needs to happen next. But more than just a summary, a good audit report builds confidence. It proves to management (and later, external auditors) that your ISMS is not only being monitored, but also continuously improved.
At a minimum, your report should include:
- The audit scope and objectives
- The areas and controls reviewed
- The evidence evaluated (logs, records, interviews, screenshots)
- A clear list of findings, grouped by severity
- Corrective actions, owners, and deadlines
ISO 27001 reporting, non-conformities & corrective action
An ISO 27001 internal audit is only successful when it leads to action. Once findings are documented, ensure you are:
1. Writing a high-quality audit report
Your audit report needs to do three things well:
- Present findings clearly and concisely
- Connect each issue to evidence and control expectations
- Make corrective actions traceable, with deadlines and owners
Avoid vague language like “needs improvement.” Instead, call out exactly what’s missing, which control or clause it violates, and what must be done.
2. Doing a root cause analysis
Fixing an audit finding is not enough; you also need to understand why it happened. If you only patch the surface issue, the same problem will resurface in the next audit.
Root cause analysis is about digging one level deeper:
- A missed access review might not be carelessness. It could mean no one was assigned ownership, the process wasn’t on a calendar, or reviewers didn’t know what to check.
- Inconsistent logging may indicate that the logging tool wasn’t configured properly or that teams are using different standards.
- Missing training records may indicate a broken onboarding process or unclear responsibility for storing evidence.
3. Building corrective action plans
After identifying a non-conformity, you need a clear plan to rectify it and ensure it doesn’t recur. A corrective action plan should clearly outline what needs to change and assign responsibility for implementation.
A strong plan includes:
- An explicit action: The exact fix you’ll implement
- An assigned owner: One person responsible for completing the action
- A due date: A realistic deadline so the issue doesn’t stay open indefinitely
- A follow-up check: Someone must verify the fix worked, either through a retest or a quick review.
Common challenges in ISO 27001 internal audits
Internal audits often go off track or hit roadblocks. Here are some of the most common issues that come up, and how to avoid them:
- Too much focus on documents: Some teams believe that having policies and procedures is sufficient. But just having documents doesn’t mean you’re compliant. What matters is whether people are actually following them.
- What’s on paper doesn’t match reality: This is one of the biggest reasons audits fail. You might have an excellent policy for offboarding employees, but if IT isn’t removing access consistently, it’s a serious gap.
- Sampling the wrong evidence: Some audits spend too much time on low-risk areas and skip over parts of the business that are changing rapidly, such as cloud systems or third-party vendors.
- Insufficient preparedness: Sometimes, the people being audited (control owners) don’t know what they’re supposed to show or how to explain their process. This leads to confusion and delays.
- No follow-up after the audit: Many audits conclude with a report, but it often goes unaddressed. The same problems keep resurfacing because no one has been assigned to address them.
Streamline ISO 27001 internal audits with Sprinto
Manual internal audits are slow, error-prone, and hard to scale. Between chasing down evidence, translating policies into controls, and trying to align teams, most businesses spend weeks prepping for something they could automate in hours. Sprinto changes that.
Sprinto is a compliance automation platform purpose-built for fast-moving teams and designed to make ISO 27001 internal audits not just easier, but more effective.
Here’s how Sprinto transforms the audit process:
- Always-on control monitoring: Sprinto connects to your systems and continuously checks if your controls are working, no more spreadsheet guesswork.
- Evidence on autopilot: Logs, screenshots, configs; Sprinto collects and maps audit-ready evidence automatically.
- Built-in AI advisor: Sprinto AI flags gaps before they become audit failures, suggests fixes, and even helps you respond to auditor questions.
- Real-time audit dashboard: Track what’s working, what’s not, and what’s overdue; all in one place.
FAQs
1. Who is qualified to perform an ISO 27001 internal audit?
Anyone with a strong understanding of ISO 27001, your ISMS, and audit best practices can perform the audit as long as they’re independent of the area being audited. That means they can’t audit their own work or department.
2. How much evidence is “enough” for an internal audit?
You need to show that controls exist and are working. Screenshots, logs, interview notes, or policy records are all valid forms of evidence. The key is objective proof that matches what the policy says should happen.
3. Do internal audits require a formal checklist?
Not strictly, but they’re highly recommended. A checklist ensures you cover everything relevant (especially your SoA controls), and it helps you stay consistent from one audit cycle to the next.
4. What tools are commonly used for ISO 27001 internal audits?
Many teams use a mix of spreadsheets, shared folders, and manual trackers, but these become hard to manage quickly. Tools like Sprinto help by automating control checks, collecting audit-ready evidence, and giving you a dashboard to track audit progress in real time.
5. What happens if we find a major non-conformity?
You need to document it, perform a root cause analysis, and implement a corrective action plan with clear ownership and timelines. Major issues won’t block certification if they’re handled well and closed out before the external audit.
6. Do we need to re-audit after a major change?
Yes, if the change impacts your ISMS (e.g., new product launch, cloud migration, org restructuring), a targeted internal audit helps you verify that controls still hold up in the new environment.
Radhika Sarraf
Radhika Sarraf is a content marketer at Sprinto, where she explores the world of cybersecurity and compliance through storytelling and strategy. With a background in B2B SaaS, she thrives on turning intricate concepts into content that educates, engages, and inspires. When she’s not decoding the nuances of GRC, you’ll likely find her experimenting in the kitchen, planning her next travel adventure, or discovering hidden gems in a new city.