ISO 27001 Internal Audit Guide
This guide explains how to run ISO 27001 internal audits effectively. It covers requirements under Clause 9.2, Annex A controls, practical audit steps, checklists, and FAQs, helping organisations stay compliant, reduce risk, and prepare confidently for ISO 27001 certification.
Key takeaways
ISO 27001 internal audits are mandatory under Clause 9.2 and help organisations identify gaps early, maintain compliance, and stay confident ahead of certification and surveillance audits.
A structured, risk-based internal audit framework covering all clauses and Annex A controls reduces effort, avoids last-minute stress, and keeps the ISMS effective and audit-ready.
Using checklists, continuous evidence collection, and regular management review turns internal audits into a practical business tool that strengthens security, supports improvement, and protects ISO 27001 certification.
What is an ISO 27001 Internal Audit?
An ISO 27001 internal audit is your organisation’s own check of its Information Security Management System (ISMS). It makes sure your ISMS meets the requirements of ISO/IEC 27001:2022 and your internal policies, so your information security works as intended.
First things first - What is ISO 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It provides a framework that helps organisations protect information, manage risk, and build resilience against threats.
ISO 27001 is increasingly needed by organisations (primarily tech companies) of all sizes, as rising cyber risks and supplier security demands have become critical. Complying with the standard shows you’ve put a structured, risk-based approach in place for information security.
Clause 9.2 of ISO 27001 requires regular internal audits to check whether your ISMS:
Conforms to the requirements of ISO/IEC 27001:2022 and your own ISMS policies.
Is effectively implemented and maintained.
Provides information on performance and improvement opportunities.
How does an internal audit compare to an external audit?
Internal audits are carried out by your team or an impartial consultant. They are flexible and designed to help you find issues early.
In contrast, external audits are delivered by accredited certification bodies and decide whether you become or remain certified.
What does an ISO 27001 internal audit require?
ISO 27001:2022 sets out internal audit requirements in Clause 9.2. This clause requires you to plan, conduct, report on, and retain evidence from your audits. Internal audits must:
Occur at planned intervals
Check conformity with ISO 27001 and your own requirements
Be performed objectively and impartially
Produce documented results that show findings and evidence
How often should you conduct an internal audit?
The standard does not set a fixed frequency. Instead, you should audit at planned intervals based on risk, changes in your ISMS, and your business needs.
The core requirement is that the internal audit is a programme that continues throughout the certification lifecycle, meaning it must be repeated, at least annually, as part of an ongoing programme.
Many organisations do at least one full internal audit each year and more often if there are significant updates or issues.
For companies seeking initial certification and facing a time squeeze, the internal audit is a vital piece of preparation.
“As a certification body, we need to have seen an internal audit before we award certification - preferably delivered before the Stage 1 audit to ensure the company is prepared as best as possible ahead of the Stage 1, although we will also accept an internal audit delivered before the Stage 2 (which often happens where customers are moving to a tight timeframe).”
On an ongoing basis, while the internal audit needs to happen every year, organisations have flexibility in how they schedule it:
Annual batch: Some organisations perform the whole internal audit in one go (over a few days) once a year, testing everything in one batch.
Split program: Other companies split their internal audit program, testing different parts of their management system at intervals (e.g., monthly) throughout the year.
This proactive approach helps demonstrate ongoing compliance and boosts readiness for certification audits like those delivered by Tempo Audits.
Why conduct an internal ISMS audit?
Conducting an internal ISMS audit is not optional. It is a mandatory requirement under Clause 9.2 of ISO/IEC 27001:2022. If you want to achieve ISO 27001 certification and keep it, internal audits must be carried out at planned intervals.
But compliance is only one part of the reason. There are more, as explained below:
1. Identify issues before they become risks
An internal ISMS audit helps you find gaps early. This includes weaknesses in controls, missing evidence, or processes that are not being followed in practice.
Finding these issues internally is far less costly than having them raised during an external audit or after a security incident.
2. Support continual improvement
ISO 27001 is built around continual improvement. Internal audits provide structured insight into what is working and what needs to change.
They help you:
Improve existing security controls
Refine risk treatment decisions
Keep the ISMS aligned with business changes
This ensures your ISMS stays relevant, not static.
3. Operational benefits for the business
A well-run internal audit also delivers clear operational value:
Promotes a stronger overall security posture
Confirms staff understand their ISMS roles and responsibilities
Helps communicate new or updated security policies
Improves consistency across teams and processes
This is especially important in growing organisations where responsibilities can become unclear.
4. Prepare for external audits and regulations
Internal audits reduce the risk of nonconformities during:
Certification audits
Surveillance audits
They also support readiness for emerging regulations such as NIS2* by ensuring governance, accountability, and control effectiveness are already in place.
*NIS2 is an EU cybersecurity directive that strengthens security, governance, and incident reporting requirements for organisations managing essential digital services.
Cost and duration of an internal audit
The duration and cost of an ISO 27001 internal audit are not fixed, as there are no mandatory rules like those for an external certification audit. This gives the organisation flexibility to choose the level of thoroughness they desire.
There are no strict rules on how long an internal audit should be. The company can choose based on what it is trying to achieve:
Thoroughness: If you want a more extensive audit to prepare yourself better and find more things, it will require more days (and therefore more cost).
Minimum compliance: If you want a lightweight audit simply to achieve the requirements of the standard, it will be shorter and less expensive - but it might be less helpful in preparing you for the external audit.
For a small to medium-sized organisation (up to 100 staff) that chooses to use an external internal auditor, the typical structure is:
Duration: The audit length can vary (there are no rules on the length) and is often completed over 1 - 5 days, depending on the size of the company.
Cost: External auditors typically charge a day rate, often between £500 and £1,000. Bearing this in mind, the total cost for a 2-day internal audit might range from £1,000 to £2,000, whilst a 5-day internal audit might range from £2,500 to £5,000.
Feel free to reach out to Tempo on hello@tempoaudits.com for an internal audit recommendation. Tempo cannot provide internal audits itself, but has a network of available internal auditors.
Handle your ISO 27001 internal audit effortlessly
We understand that the thought of conducting an internal audit by yourself could be overwhelming for your organisation. For any more information or queries, drop us an email at hello@tempoaudits.com.
The practical framework for ISO 27001 internal audits
“The single most common, yet avoidable, mistake we see is when organisations fail to conduct a proper internal audit. This creates a dangerous mismatch between what they believe is their state of readiness, and how they will actually perform during the external certification audit.
The key to preventing this issue is to ensure a truly thorough check of your ISMS, delivered by a competent internal auditor. A well-prepared and effective internal audit is the best possible preparation, as it ensures all issues are picked up and corrected in advance, putting your organisation in a strong, compliant state.”
This goal is achieved when an internal audit follows a clear, repeatable framework. It reduces effort, avoids last-minute stress, and ensures compliance with Clause 9.2 and applicable Annex A controls.
What are Annex A controls in the ISO 27001 internal audit?
Annex A controls are the practical security safeguards within ISO/IEC 27001. They describe the security measures you should have in place to manage information security risks in your business.
Annex A in ISO/IEC 27001:2022 contains 93 controls, grouped into four clear themes:
Organisational controls – policies, roles, supplier security, and governance
People controls – training, awareness, and user responsibilities
Physical controls – offices, equipment, and physical access protection
Technological controls – access control, logging, encryption, and system security
You are not required to implement every control by default. Instead, you select controls based on your risk assessment and document this decision in your Statement of Applicability (SoA).
Below is a practical, audit-ready playbook approved by Tempo Audits experts.
Step 1 - Define audit scope & schedule
Start by defining what will be audited and when.
This includes:
ISO 27001 clauses
Applicable Annex A controls
Processes, systems, and locations
Every clause must be covered each year. Most organisations also audit all applicable Annex A controls annually, although some spread control testing across a three-year certification cycle, provided full coverage is achieved across that cycle.
Clearly document:
Any exclusions or out-of-scope areas
Audit frequency based on:
Risk assessment results
Business priorities
Resource availability
At a minimum, one internal audit per year is expected. Many organisations audit different ISMS areas throughout the year. Plan around peak business periods and holidays.
Maintain a rolling internal audit programme aligned to the certification cycle.
Step 2 - Assign & prepare auditors
Ensure your internal auditor is competent to carry out the audit. This is a critical ISO 27001 requirement. For SMEs, maintaining full independence in-house can be difficult due to limited resources. As a result, many organisations use external auditors as a practical and cost-effective option.
When selecting an external auditor, look beyond a lead auditor qualification and assess their overall competence, including:
Proven experience conducting internal audits for multiple organisations.
Relevant qualifications, such as ISO 27001 Internal or Lead Auditor certification.
Clear budgeting, as external auditors usually charge a day rate, typically £500-£1,000, with organisations often needing one to five days.
Your certification body will expect to see evidence of auditor competence when reviewing your internal audit during the external audit.
Step 3 - Collect evidence continuously
It’s always better if you maintain evidence throughout the year, including:
ISMS scope and Statement of Applicability (SoA)
Risk assessment and risk treatment plan
Policies, procedures, and records
Corrective actions and management review minutes
To do so, store evidence securely and organise it by clause or control for easy access.
That said, even if you haven’t been collecting evidence continuously, not to worry - a good internal auditor will work to gather the necessary evidence during the internal audit (just as a good external auditor will as well).
Step 4 - Conduct audit activities
Auditors must:
Review documentation
Interview staff
Observe operations
Evidence should reflect real practice, and findings must be recorded against relevant clauses or controls and classified as compliant, nonconforming, or improvement opportunities.
Before initial certification, the internal audit should take place at least a few weeks (and preferably at least a month) before the certification audit begins, so that you have time to resolve any issues it highlights.
Step 5 - Score & analyse findings
Rate findings clearly into categories like:
Compliant
Major nonconformity
Minor nonconformity
Opportunity for improvement
Prioritise based on risk and impact.
Link findings to corrective actions and risk treatment plans, following your corrective action process.
Step 6 - Produce the internal audit report
The report should summarise:
Scope, objectives, and methodology
Key findings and nonconformities
Recommended actions and priorities
Include auditor competence details and the forward audit programme* for certification body review.
*Forward audit programme - A documented plan showing future internal audits, scope, and timing, used by certification bodies to confirm ongoing ISO 27001 compliance.
Step 7 - Management review & follow-up
Top management must review audit results under Clause 9.3.
ISO 27001:2022 Clause 9.3 (Management Review) requires top management to regularly review the ISMS to ensure it remains effective, compliant, and aligned with business and security objectives.
This closes the loop and keeps the ISMS effective, compliant, and audit-ready.
ISO 27001 internal audit checklist
An ISO 27001 internal audit checklist is a practical tool that helps ensure every required area of the ISMS is reviewed in a consistent and structured way.
The checklist maps directly to:
ISO 27001 clauses
Applicable Annex A controls
What should an ISO 27001 internal audit checklist include?
A well-designed checklist typically includes the following columns:
Clause or Annex A control - ISO 27001 requirement or security control
Control owner - who is responsible for implementation
Evidence type - policy, log, screenshot, record, or interview
Evidence location - folder, system, or platform reference
Compliance rating - compliant, minor nonconformity, major nonconformity, or improvement opportunity
This structure makes audits easier to run and easier to evidence. Here’s a sample ISO 27001 internal audit checklist created for a UK-based IT company to give you a clearer understanding of what yours will typically look like. Feel free to edit the rows to suit your organisational requirements, or create a fresh one using this as a starting point.
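As an added example (not part of the original guide and not Tempo Audits tooling), the Python script below turns the checklist columns above and the Step 1 coverage rule into a check you can run over a rolling programme: every clause audited each year, every SoA-applicable Annex A control tested at least once in the cycle, and nonconformities tallied per Annex A theme. The SoA excerpt, checklist rows, owners and evidence locations are all constructed sample data.

```python
from collections import Counter

# ISO/IEC 27001:2022 mandatory clauses: each must be audited every year (Step 1).
CLAUSES = ("4", "5", "6", "7", "8", "9", "10")
# Annex A themes in the 2022 edition, keyed by control prefix.
THEMES = {"A.5": "Organisational", "A.6": "People", "A.7": "Physical", "A.8": "Technological"}
# The compliance-rating scale used by the checklist's last column.
RATINGS = ("compliant", "minor nonconformity", "major nonconformity", "opportunity for improvement")

# Constructed SoA excerpt (a real SoA lists all 93 controls): control -> applicable?
SOA = {"A.5.1": True, "A.5.19": True, "A.6.3": True, "A.7.4": False, "A.8.8": True, "A.8.24": True}

# Constructed checklist rows: (year, clause or control, owner, evidence type, location, rating).
CHECKLIST = [
    (2024, "4", "CISO", "record", "wiki/isms/scope", "compliant"),
    (2024, "5", "CEO", "policy", "wiki/isms/policy", "compliant"),
    (2024, "6", "CISO", "record", "grc/risk-register", "minor nonconformity"),
    (2024, "7", "HR lead", "record", "hr/training-log", "compliant"),
    (2024, "8", "CISO", "record", "grc/risk-treatment-plan", "compliant"),
    (2024, "9", "CISO", "record", "wiki/isms/management-review", "compliant"),
    (2024, "10", "CISO", "record", "grc/corrective-actions", "opportunity for improvement"),
    (2024, "A.5.1", "CISO", "policy", "wiki/isms/policy", "compliant"),
    (2024, "A.8.8", "IT ops", "screenshot", "vuln-scanner/reports", "major nonconformity"),
    (2025, "A.5.19", "Procurement", "record", "grc/supplier-register", "minor nonconformity"),
    (2025, "A.6.3", "HR lead", "record", "hr/training-log", "compliant"),
] + [  # 2025 clause audits, deliberately leaving clause 9 untested to show a gap
    (2025, c, "CISO", "record", f"grc/clause-{c}", "compliant") for c in ("4", "5", "6", "7", "8", "10")
]

def programme_gaps(rows, soa, years):
    """Return clauses missed per year and applicable controls never tested in the cycle."""
    audited = {y: {r[1] for r in rows if r[0] == y} for y in years}
    clause_gaps = {y: [c for c in CLAUSES if c not in audited[y]] for y in years}
    tested = {r[1] for r in rows if r[0] in years}
    control_gaps = sorted(c for c, applicable in soa.items() if applicable and c not in tested)
    return clause_gaps, control_gaps

def nonconformities_by_theme(rows):
    """Count minor and major nonconformities per Annex A theme, rejecting off-scale ratings."""
    counts = Counter()
    for _year, ref, _owner, _etype, _loc, rating in rows:
        if rating not in RATINGS:
            raise ValueError(f"{ref}: rating {rating!r} is not on the agreed scale")
        if ref.startswith("A.") and rating.endswith("nonconformity"):
            counts[THEMES[ref.rsplit(".", 1)[0]]] += 1
    return dict(counts)

if __name__ == "__main__":
    gaps, untested = programme_gaps(CHECKLIST, SOA, (2024, 2025))
    print("clause gaps:", gaps, "| untested applicable controls:", untested)
    print("nonconformities by theme:", nonconformities_by_theme(CHECKLIST))
```

Controls marked not applicable in the SoA (A.7.4 here) are ignored, so the check flags only gaps the certification body would actually care about.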
How a great checklist supports certification readiness
Certification bodies expect to see clear, repeatable internal audit processes. A structured checklist demonstrates control, oversight, and maturity.
It simplifies internal audits and helps maintain continuous readiness for certification and surveillance audits.
Manage ISO 27001 internal audits the right way!
An effective ISO 27001 internal audit is not a mere compliance requirement. It is a practical way to strengthen your ISMS, reduce risk, and stay ready for certification.
A clear audit framework, supported by structured evidence and regular reviews, helps identify issues early and supports continual improvement.
While internal audits must remain independent, Tempo Audits provides clear guidance and best-practice insight to help organisations understand what certification bodies expect.
Through our UKAS-accredited ISO 27001 certification services, we review your ISMS documentation and assess readiness for certification (Stage 1 Audit). To learn more about us and discuss ISO 27001 certification, get in touch with us today.
FAQs
-
Select auditors who are not involved in the day-to-day management or implementation of the ISMS. Consider using cross-department personnel or external experts for objectivity.
-
Yes. Small businesses can assign responsible staff, rotate auditors, or use external providers to perform audits efficiently, ensuring compliance without overburdening resources. However, they need to ensure that the responsible staff are “competent” to deliver the internal audit.
-
Scheduling interviews with busy staff
Accessing sensitive documentation securely
Ensuring auditors have the required competence
Collecting evidence consistently throughout the year
-
Use a non-conformance register or compliance management tool to log findings, assign owners, set deadlines, and track completion of corrective actions.
-
Collect screenshots, policy documents, meeting minutes, incident logs, and KPIs continuously. Store them in an access-controlled folder, wiki, or GRC platform to simplify audit reviews.
-
Frequent internal audits identify gaps early, allowing corrective actions before external audits and increasing the likelihood of passing the certification audit on the first attempt. They are also a requirement of the standard, so they are needed to conform with ISO 27001.
-
Digital evidence repositories, automated compliance platforms, audit checklists, and standardized templates help streamline audits and reduce manual effort.
-
Prioritize based on risk assessment results, critical business processes, previous audit findings, and areas with frequent changes in technology or regulations.
At a minimum, Tempo expects to see all clauses internally audited each year, and a programme which covers all the Annex A controls over a certification cycle (although covering them all every year is preferable).
-
Yes. Auditors often link related clauses, such as management review, risk treatment, and corrective actions, to reduce duplication and streamline evidence collection.
-
Document corrective actions clearly, assign owners and deadlines, monitor progress, and validate that actions were completed effectively before the next audit cycle.