ISO 27001 Clause 9.2 Internal Audit


ISO 27001 Clause 9.2 Internal Audit is a clause of ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems, and one of the requirements an organisation must meet to obtain ISO 27001 certification.

What is ISO 27001 Clause 9.2?

ISO 27001:2022 Clause 9.2.1 General – New clause

The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
   1) the organisation’s own requirements for its information security management system;
   2) the requirements of this document;
b) is effectively implemented and maintained.

ISO 27001:2022 Clause 9.2.1 General

ISO 27001:2022 Clause 9.2.2 Internal Audit Programme – New clause

The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit programme(s), the organisation shall consider the importance of the processes concerned and the results of previous audits.
The organisation shall:
a) define the audit criteria and scope for each audit;
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
c) ensure that the results of the audits are reported to relevant management.

Documented information shall be available as evidence of the implementation of the audit programme and the audit results.
