Of all the ISO 27001 requirements, the internal audit is the one most frequently misunderstood — and most frequently misused.
Some organisations treat it as an annual box-tick: a document review that produces a clean report and promptly gets filed. Others make the opposite mistake, conducting an exhaustive investigation that consumes weeks of resource and still misses the things an external auditor will look for.
Getting the internal audit right matters more than most people realise. Done well, it is your early warning system — the mechanism that identifies gaps before your certification body does. Done poorly, it gives you false confidence and leaves problems in place that will surface at the worst possible moment.
This post explains what an ISO 27001 internal audit actually involves, what makes one effective, and what the most common failures look like.
What the Standard Requires
ISO 27001:2022 Clause 9.2 requires organisations to conduct internal audits at planned intervals. The audit must assess whether the ISMS conforms to the organisation’s own requirements and to the requirements of the standard, and whether the ISMS is effectively implemented and maintained.
The standard also requires that:
- The audit programme is planned, taking into account the status and importance of processes, and the results of previous audits
- Auditors are selected to ensure objectivity and impartiality — you cannot audit your own work
- Audit results are reported to relevant management
- Non-conformities are addressed through the corrective action process
These are not bureaucratic formalities. Each requirement exists because audits that are not planned, conducted by conflicted auditors, or followed up with corrective actions are not audits — they are reviews that produce no change.
What a Rigorous Internal Audit Actually Involves
A meaningful ISO 27001 internal audit has four distinct phases.
Planning. Before any audit activity begins, the auditor defines the scope, objectives, and criteria for the audit. What is being assessed? Against which requirements? Which processes, systems, and evidence sources are in scope? A good audit plan also draws on the results of previous audits — if access control was found to have weaknesses last cycle, it should receive deeper scrutiny this time.
Evidence gathering. The bulk of the audit is conducted through three methods: document review (examining policies, procedures, registers, and records), interviews (speaking with the people responsible for implementing and operating controls), and observation (directly reviewing systems, configurations, and processes where appropriate). The combination of all three is what separates a rigorous audit from a document review that calls itself an audit.
Finding classification. Audit findings fall into three categories:
— Major non-conformity: A significant failure to meet a standard requirement, or a pattern of failures that indicates a systemic problem. A major non-conformity found by a certification body typically prevents certification from proceeding until it is resolved.
— Minor non-conformity: An isolated or limited failure to meet a requirement. Addressable through corrective action before or after the certification audit, depending on the body’s requirements.
— Observation/opportunity for improvement: A noted weakness or risk that does not currently constitute a non-conformity but could become one. Smart organisations track observations carefully and address them proactively.
Reporting and follow-up. The audit report documents findings against specific standard clauses, states the evidence reviewed, and records the auditor’s conclusions. Non-conformities require corrective actions with assigned owners and target dates. The follow-up process verifies that corrective actions have been implemented effectively.
The Most Common Internal Audit Mistakes
Auditing your own work. The independence requirement in Clause 9.2 is not optional. If the person who wrote your policies and implemented your controls is also conducting the internal audit, the results are structurally compromised. Auditors look for this — and if your internal audit report was produced by someone without the necessary independence, it will generate questions at the certification audit.
Only reviewing documents, not operations. An internal audit that reviews policies and procedures without examining whether those controls are actually operating produces findings that reflect documentation compliance, not real-world compliance. Effective audits include interviews with staff to test whether controls are understood and applied, and direct inspection of systems or logs where relevant.
A clean report every time. If your internal audit consistently finds no non-conformities and no observations, your internal auditor is either not looking hard enough or not looking at the right things. No ISMS is perfect, and every organisation has areas where controls are not fully bedded in. A clean report is a warning sign, not a comfort.
No corrective action follow-up. Finding non-conformities and recording them is only half of the process. The corrective action cycle — root cause analysis, action planning, implementation, and verification — must be completed. Certification auditors will look at your corrective action register and ask to see evidence that open items from previous internal audits have been closed.
Who Should Conduct Your Internal Audit?
For small to medium-sized organisations that do not have a dedicated internal audit function, the most practical approach is typically to use an external provider with ISO 27001 auditor competence. This solves the independence problem, brings in auditors who know what certification auditors look for, and tends to produce findings that are more actionable than self-assessments.
If you prefer to use internal resource, the auditor should have completed formal ISO 27001 internal auditor training (aligned with ISO 19011), should not be responsible for the areas being audited, and should have sufficient seniority to report findings without internal political pressure to soften them.
Bitsecura conducts ISO 27001 internal audits independently — separate from any implementation work, and scoped specifically against the 2022 standard. We produce audit reports that reflect what we actually find, including the findings that are uncomfortable. Because those are the ones that protect you at certification.
If you want to know what a rigorous internal audit of your ISMS would look like, start a conversation with us here. No commitment required.
Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.