Guide · ISO/IEC 27001:2022

ISO 27001:2022 Internal Audit

Internal audits are a mandatory part of ISO/IEC 27001 (Clause 9.2). Learn what an internal audit involves, how to run one — and download our free, ready-to-use internal audit checklist.

What is an ISO 27001 internal audit?

An ISO/IEC 27001 internal audit is a planned, independent check of your Information Security Management System (ISMS) against the requirements of the standard and your own policies. Clause 9.2 makes internal audits mandatory — they must be carried out at planned intervals to confirm the ISMS conforms and is effectively implemented and maintained, before and after certification.

Clause 9.2Mandatory requirement
Planned intervalsAcross the whole ISMS
IndependentAuditor doesn’t audit own work

Why internal audits matter

Required for certification

Clause 9.2 is mandatory — your certification auditor will expect to see a completed internal audit programme.

Find gaps early

Surface nonconformities and weak controls and fix them before your Stage 1 / Stage 2 certification audit.

Drive improvement

Findings feed corrective actions and management review, powering continual improvement of your ISMS.

Build confidence

Give leadership and customers assurance that your security controls are working as intended.

What an internal audit covers

A full internal audit reviews both the management system and the security controls you selected in your Statement of Applicability.

Mandatory clauses (4–10)

Context, leadership, planning, support, operation, performance evaluation and improvement — the ISMS management requirements.

Annex A controls

The Organisational, People, Physical and Technological controls that apply to your organisation per your Statement of Applicability.

The internal audit process

Plan the audit programme

Schedule audits across the whole ISMS over the year, based on the importance and risk of each area.

Prepare

Define the scope and criteria, review documents and policies, and prepare your checklist.

Conduct the audit

Gather objective evidence through interviews, observation and records — focus on what actually happens.

Report findings

Record conformities, nonconformities and observations clearly, with evidence for each.

Corrective action

Assign owners, address root causes, and track each action through to closure.

Follow-up & review

Verify actions are effective, feed results into management review, and plan the next audit.

Free ISO 27001:2022 internal audit checklist

Enter your company email and we’ll give you instant access to the printable checklist.

What’s inside

  • Audit questions for every mandatory clause (4–10)
  • Annex A control checks — Organisational, People, Physical, Technological
  • Conforms / Nonconformity / Observation marking with evidence notes
  • Audit summary & sign-off section
  • Print-ready, 3 pages — free to use

Please use your company email — free webmail (Gmail, Yahoo, Outlook…) isn’t accepted. We’ll never share your details.

Frequently asked questions

Are internal audits mandatory for ISO 27001?
Yes. Clause 9.2 of ISO/IEC 27001:2022 requires internal audits at planned intervals to check the ISMS conforms and is effectively implemented and maintained.
Who can perform an internal audit?
Someone competent and objective who does not audit their own work. It can be trained internal staff or an external party — but not your certification body, to keep certification impartial.
How often should we run internal audits?
At planned intervals — commonly annually — with the programme covering the whole ISMS across the three-year certification cycle, and more often for higher-risk areas.
Can Cianaa perform our internal audit?
As your independent certification body we can’t carry out your internal audits — doing so would compromise the impartiality of your certification. This free checklist helps you run your own; when you’re ready, we provide the independent certification audit.

Ready to certify your ISMS?

Talk to Cianaa’s independent ISO 27001 lead auditors about certification — conflict-free, across New Zealand & Australia.

Talk to our certification team →