What is ISO 27001 Clause 9.2?
ISO 27001 Clause 9.2 (Internal audit) requires a documented process for verifying that the ISMS conforms to the organisation's own requirements and to the standard, and that it is effectively implemented. You must perform audits at planned intervals. Integrate this activity into tools like SharePoint and Jira. This ensures the organisation owns the evaluation process. Avoid decoupled SaaS software to maintain management control.
Auditor’s Eye: The Shortcut Trap
Auditors see through SaaS platforms that generate automated audit reports. These reports often lack business context. They do not prove that internal staff understand the security controls. We prefer seeing audit plans in Confluence. We want to see non-conformities tracked in Jira. This demonstrates real management ownership of the internal audit function. Decoupled platforms create a dangerous compliance vacuum.
| Requirement | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Audit Programme | Mandatory | Mandatory |
| Reporting to Management | Required | Expanded focus on results |
| Auditor Objectivity | Mandatory | Mandatory |
How to Implement ISO 27001 Clause 9.2 (Step-by-Step)
Internal auditing is a core requirement for continuous improvement. You must verify that your ISMS meets ISO standards and your own requirements. Use your existing organisational tools to maintain the audit trail. This makes compliance part of your culture. Lead with the audit programme. Follow these specific steps to ensure success.
Step 1: Create the Audit Programme in Confluence
The audit programme defines when you will audit each area. Store this schedule in a central Confluence wiki. List all clauses and controls within the scope. This ensures no part of the ISMS is forgotten.
Step 2: Define Criteria in SharePoint
Document your audit methodology in a controlled SharePoint library. Specify the evidence required for each control. This provides auditors with a clear roadmap. It ensures consistency across different audit cycles.
Step 3: Manage Auditors via HR Systems
Select auditors who are independent of the process they audit. Record their competence and training in your HR or SharePoint system. This proves to certification bodies that your auditors are qualified.
Step 4: Execute and Log Findings in Jira
Conduct the audit and record findings. Log any non-conformities as Jira tickets. Assign these to the relevant process owners immediately. This ensures issues are addressed within your standard operational workflows.
ISO 27001 Clause 9.2 Audit Evidence Checklist
Auditors look for manual records and meeting minutes. They want to see intent and human oversight. Provide these items:
- Approved annual audit programme in Confluence.
- Audit reports with management signatures in SharePoint.
- Competency evidence for internal auditors.
- Jira ticket history for resolved non-conformities.
- Meeting minutes where audit results were reviewed.
Relational Mapping
Clause 9.2 provides input to Clause 9.3 Management Review. It identifies issues for Clause 10.2 Nonconformity and Corrective Action. It validates the operational controls in Clause 8.1. Use internal links in SharePoint to connect these related activities. This creates a cohesive management system.
Auditor Interview: Internal Audit Management
Question: How do you ensure auditors remain objective?
Answer: We use staff from different departments to audit each area.
Question: Where is the evidence of your audit findings?
Answer: Every finding is a Jira ticket linked to the report.
Question: How do you know the audit programme is complete?
Answer: We track completion status in our central Confluence dashboard.
Common Non-Conformities
| Failure Mode | Cause | Auditor Finding |
|---|---|---|
| Automated Complacency | Relying on SaaS dashboard “green ticks.” | Major NC: No evidence of internal review. |
| Lack of Objectivity | Staff auditing their own work area. | Major NC: Auditor independence not maintained. |
| Incomplete Programme | Omitting Annex A controls from audits. | Minor NC: Audit scope is insufficient. |
Frequently Asked Questions
What is the bottom line for ISO 27001 internal audits?
The bottom line is that you must have a plan. You must execute audits and record results. Use internal tools like SharePoint to prove ownership. This shows that the organisation takes security seriously. It prevents the decoupling of compliance from daily work.
How often should I audit my ISMS?
Most organisations audit their entire ISMS annually. You may audit high-risk areas more frequently. Document this schedule in your Confluence programme. Auditors check this for consistency and logic. This demonstrates a risk-based approach to auditing.
Can I use an external consultant for internal audits?
Yes: external consultants can provide independent expertise. Ensure you record their qualifications in SharePoint. Management must still review and approve their final reports. This maintains internal accountability for the audit results. It ensures the business owns the final outcome.
