The Definitive Governance Requirement.
Clause 9.2 mandates that you conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organisation’s own requirements and the requirements of the ISO 27001 standard. This is your dress rehearsal. You do not want the external auditor to find the bodies; you want to find them yourself, bury them, and document the remediation.
The Mandate
The standard is non-negotiable on this point: Self-regulation is mandatory. You must verify your own compliance before you invite a certification body to do so.
You are required to establish an Audit Program that defines:
- Frequency: How often will you audit? (Risk-based approach).
- Methods: How will you test? (Interviews, observation, sampling).
- Responsibilities: Who is running the audit?
- Planning: What is the scope of each specific audit?
- Reporting: The results must be reported to relevant management.
The Verdict: The Internal Audit is the only mechanism that validates the integrity of your system. Without it, your certificate is invalid.
The Implementation Strategy
Internal Audit is not a box-ticking exercise; it is a forensic investigation.
- The Golden Rule of Independence: You cannot mark your own homework. The IT Manager cannot audit the IT Department. You must select auditors who are objective and impartial. If you do not have independent internal staff, you must outsource this function.
- Risk-Based Scheduling: Do not audit everything equally. Audit the high-risk areas (e.g., Access Control, Change Management) more frequently than low-risk areas.
- The “Criteria” Definition: You are auditing against two things:
  - The ISO 27001 Standard (The Law).
  - Your Own Policies (The Company Bylaws).
- The Non-Conformance Report (NCR): When you find a failure, document it formally. Do not hide it. An internal audit with “Zero Non-Conformities” is statistically impossible and makes external auditors suspicious.
The Auditor’s Trap
[The Auditor’s View] The most common Major Non-Conformance here is “Conflict of Interest.” I frequently see the CISO signing off on the audit report for the ISMS they built. This is an immediate failure of Clause 9.2(e). Objectivity is not a preference; it is a requirement. If you cannot prove independence, your audit results are void.
Required Evidence
An auditor looks for the schedule and the output.
- The Audit Program: A calendar view showing what is being audited and when over a 3-year cycle.
- The Audit Plan: A specific document for each audit event detailing the scope and criteria.
- The Audit Report: The formal findings (Conformities, Non-Conformities, and Opportunities for Improvement).
- Evidence of Remediation: Proof that the findings from the previous audit were actually fixed.
Strategic Acceleration
Conducting an internal audit requires deep knowledge of the standard. If your internal auditor misses a gap, the external auditor will find it, and it will cost you your certification.
The Hightable™ Internal Audit Pack includes the pre-written Audit Checklists for every clause and control. It guides you through the questioning process, ensuring you don’t miss a single requirement.
The Next Move: Deploy the Audit Checklists
