ISO 27001 Clause 9.2 requires you to audit your own ISMS at planned intervals. Many teams treat this as a box to tick, which is a wasted opportunity — a genuine internal audit is the most effective way to find and fix problems before an external auditor does, and it is itself evidence the management system is working.
This guide explains what the internal audit is, how to plan and conduct one, who should do it, and how to use it to de-risk your ISO 27001 certification.
What the internal audit is
The internal audit is a systematic, independent check of your own ISMS against ISO 27001 and against your own policies and procedures. It confirms that the management system conforms to the standard and is effectively implemented and maintained.
It is mandatory under Clause 9.2 and recurring: not a one-off before certification but an ongoing part of the ISMS. Certification auditors at every stage (initial certification, surveillance and recertification) expect to see internal audits being planned, conducted and acted on.
Think of it as your organisation auditing itself the way the certification body will, but with the freedom to fix what it finds.
Why it matters beyond compliance
Beyond satisfying the clause, the internal audit is your best rehearsal. It surfaces the gaps an external auditor would find — missing evidence, controls not operating, documents out of date — while you still have time and privacy to address them.
Teams that run genuine internal audits walk into the certification audit confident; those that skip or fake them meet their gaps for the first time in front of the certification body. The internal audit is cheap insurance.
It also drives real improvement, which is the whole point of the management system.
Independence and objectivity
The standard requires the audit process to be objective and impartial, which in practice means auditors must not audit their own work: the person reviewing a control area should be independent of the people who design or operate it.
In a small company this is a challenge, but solutions exist: have team members audit each other's areas (the IT lead audits HR and onboarding controls while the operations lead audits IT, for example), or bring in an external party to perform or support the internal audit. Whoever audits also needs the competence to do it; ISO 19011, the general guideline for auditing management systems, is the usual reference for audit method. The key is that the review is genuinely independent.
Objectivity is what makes the findings credible and useful.
Planning the audit programme
ISO 27001 expects a planned internal audit programme, not ad-hoc checks. The programme defines what will be audited and when, ensuring the whole ISMS is covered over time. Many organisations audit the full ISMS annually, or in a rolling schedule across the year.
The programme should take into account the importance of the areas audited and the results of previous audits, concentrating attention where risk and past issues are greatest. The standard also requires you to retain documented information as evidence of the programme and of each audit's results, so the schedule itself is an auditable record, not just a plan.
A clear programme turns internal audit from a scramble into a managed routine.
Defining scope and criteria
Each internal audit needs a defined scope (which parts of the ISMS) and criteria (what you are auditing against — the standard, your policies, legal requirements). Clear scope and criteria keep the audit focused and its findings meaningful.
For a first internal audit before certification, the scope is usually the whole ISMS, so it genuinely rehearses the external audit. Later audits may focus on particular areas in rotation.
Setting these up front prevents an unfocused review that misses what matters.
Conducting the audit
The audit itself mirrors an external one: the auditor reviews documentation, samples evidence, and interviews the people who operate controls, checking that practice matches policy and that controls genuinely operate. They record what they find objectively, with a reference to the evidence examined, because the external auditor will typically sample the internal audit's working papers as well as its report.
The tone should be constructive — the goal is improvement, not blame — but the assessment must be honest. An internal audit that flatters the organisation is worse than useless, because it provides false confidence.
Treating it as seriously as the real audit is what makes it valuable.
Recording findings
Findings should be documented clearly, classified (for example as nonconformities or opportunities for improvement), linked to the relevant clause or Annex A control, and reported to the management responsible for the area, which Clause 9.2 explicitly requires. This record is both a management tool and evidence for the external auditor that internal audit is functioning.
Do not be alarmed by a long list of findings on a first internal audit — that is the audit doing its job. Each finding is a problem caught early, before it could become an external nonconformity.
A clear findings report is the foundation for the corrective action that follows.
Corrective action and follow-up
Findings are only valuable if acted on. For each nonconformity, follow the corrective-action process in Clause 10: investigate the root cause, take action to fix it and prevent recurrence, then verify the fix worked. This closes the loop and demonstrates the continual improvement the standard requires.
Tracking findings to closure is essential: an external auditor will check that internal-audit findings were actually addressed. Open findings that linger suggest a management system that detects but does not fix problems.
The corrective-action process is where internal audit turns into real improvement.
The management review connection
Internal audit results feed directly into the management review (Clause 9.3), where leadership examines the state of the ISMS and makes decisions. The two requirements work together: the audit gathers the evidence, and the review acts on it at the top level.
Conducting both genuinely before certification demonstrates the governance loop an external auditor wants to see. They are also both mandatory, so neither can be skipped.
Linking them properly shows a management system that is not just operating but being actively governed.
Internal audit as ongoing practice
Although it is the best pre-certification rehearsal, internal audit is not a one-time event. It recurs throughout the ISMS’s life, keeping the system honest between external audits and feeding continual improvement. Surveillance audits check that internal audits keep happening.
Building internal audit into your annual rhythm — as part of a maintenance calendar — ensures it is never forgotten and that each external checkpoint finds a system that has been continuously self-checked.
Ongoing internal audit is a hallmark of a mature, well-run ISMS.
Getting help with internal audit
Because independence can be hard to achieve internally, especially for small teams, many organisations bring in external support for the internal audit. An experienced external auditor brings objectivity and knows what certification bodies typically look for, which makes the rehearsal far more predictive.
This is distinct from the certification body, which must remain independent of your preparation: the accreditation rules for certification bodies (ISO/IEC 17021-1) bar them from consulting on the management systems they certify. An internal audit partner helps you get ready; the certification body validates the result.
ISpectra can perform or support your internal audit as part of preparing you for certification, with free vulnerability assessment and penetration testing (VAPT) and a multi-framework discount included.
The bottom line
The internal audit is a mandatory ISO 27001 requirement and your single best rehearsal for certification: a systematic, independent check of your ISMS that surfaces problems while you can still fix them quietly. Plan a programme, define scope and criteria, conduct it honestly, record findings, and act on them.
Link it to the management review, run it as ongoing practice rather than a one-off, and use external help where independence is hard to achieve. Done well, it transforms the external audit from a test into a confirmation.
Treat the internal audit as the valuable tool it is, and it will repay the effort many times over at every audit. ISpectra helps organisations achieve ISO 27001 certification efficiently, from gap analysis through to the certificate.