ISO 27001:2022 Internal Audit
Internal audits are a mandatory part of ISO/IEC 27001 (Clause 9.2). Learn what an internal audit involves, how to run one — and download our free, ready-to-use internal audit checklist.
What is an ISO 27001 internal audit?
An ISO/IEC 27001 internal audit is a planned, independent check of your Information Security Management System (ISMS) against the requirements of the standard and your own policies. Clause 9.2 makes internal audits mandatory — they must be carried out at planned intervals to confirm the ISMS conforms and is effectively implemented and maintained, before and after certification.
Why internal audits matter
Required for certification
Clause 9.2 is mandatory — your certification auditor will expect to see a completed internal audit programme.
Find gaps early
Surface nonconformities and weak controls and fix them before your Stage 1 / Stage 2 certification audit.
Drive improvement
Findings feed corrective actions and management review, powering continual improvement of your ISMS.
Build confidence
Give leadership and customers assurance that your security controls are working as intended.
What an internal audit covers
A full internal audit reviews both the management system and the security controls you selected in your Statement of Applicability.
Mandatory clauses (4–10)
Context, leadership, planning, support, operation, performance evaluation and improvement — the ISMS management requirements.
Annex A controls
The Organisational, People, Physical and Technological controls that apply to your organisation per your Statement of Applicability.
The internal audit process
Plan the audit programme
Schedule audits across the whole ISMS over the year, based on the importance and risk of each area.
Prepare
Define the scope and criteria, review documents and policies, and prepare your checklist.
Conduct the audit
Gather objective evidence through interviews, observation and records — focus on what actually happens.
Report findings
Record conformities, nonconformities and observations clearly, with evidence for each.
Corrective action
Assign owners, address root causes, and track each action through to closure.
Follow-up & review
Verify actions are effective, feed results into management review, and plan the next audit.
Free ISO 27001:2022 internal audit checklist
Enter your company email and we’ll give you instant access to the printable checklist.
What’s inside
- Audit questions for every mandatory clause (4–10)
- Annex A control checks — Organisational, People, Physical, Technological
- Conforms / Nonconformity / Observation marking with evidence notes
- Audit summary & sign-off section
- Print-ready, 3 pages — free to use
Frequently asked questions
Are internal audits mandatory for ISO 27001?
Who can perform an internal audit?
How often should we run internal audits?
Can Cianaa perform our internal audit?
Ready to certify your ISMS?
Talk to Cianaa’s independent ISO 27001 lead auditors about certification — conflict-free, across New Zealand & Australia.
Talk to our certification team →