ISO 27001 Clause 9.2 Internal Audit: Certification Body Guide

ISO 27001:2022 Clause 9.2 Internal Audit

ISO 27001 Clause 9.2 Internal Audit is a mandatory performance evaluation control that requires organisations to conduct audits at planned intervals. It provides objective evidence that the ISMS conforms to standard requirements and remains effectively implemented. This process ensures management identifies gaps before they become critical security failures.

ISO 27001:2022 Attributes Table

Attribute                       | Value
Control Type                    | Performance Evaluation (Check)
Information Security Properties | Confidentiality, Integrity, Availability
Cybersecurity Concepts          | Identify, Protect, Detect, Respond, Recover
Operational Capabilities        | Governance, Risk Management, Compliance

Implementation Difficulty & Cost

Requirement         | Rating       | Accountability Cascade
Difficulty          | 4/5          | Requires high independence and deep ISMS knowledge.
Implementation Cost | Medium       | Costs include training internal staff or hiring consultants.
Process Owner       | ISMS Manager | Responsible for the Audit Programme.
Accountable Officer | CISO / Board | Must review results and allocate resources for fixes.

ISO 27002 Control Guidance

Physical security audits must verify that physical perimeters remain intact. I often find that staff leave fire doors propped open or bypass badge readers. Auditors should perform site walkthroughs during different shifts. This ensures that security rules apply equally to night staff. You must record any physical breaches in your internal audit reports for management review.

Technical guidance focuses on the validation of system configurations. You should use tools like Microsoft Intune or Nessus to pull technical evidence. I look for proof that encryption remains active on all mobile devices. Do not just take a technician’s word for it. You must verify that the actual settings match the policy documented in your SharePoint library.

Behavioural auditing is the most difficult element. I look for evidence that staff actually understand the policies. Use interviews to test if employees know how to report a security incident. If staff cannot explain the “Clear Desk” policy, the control is ineffective. Your audit records must document these human interactions to prove a thorough evaluation of the security culture.

The Auditor’s Eye: Expert Insight

In my experience, the “Independence Trap” is the most common cause of a Major Non-Conformity (NC). I often find IT Managers auditing their own server room logs. This is a direct conflict of interest. I look for clear separation between the auditor and the process being checked. If you have a small team, consider using a reciprocal audit agreement with another department or hiring an external auditor. I also look for “Evidence of Intent”—I want to see that you actually looked for problems, not just confirmed that everything is fine.

10 Steps to Implement ISO 27001 Clause 9.2

  1. Create the Audit Programme

    Your audit programme must cover every ISMS clause and Annex A control over a defined cycle. I recommend an annual schedule stored in Confluence. Ensure that high-risk areas receive more frequent audits. I look for a rationale behind your audit frequency. You must prove that you prioritise audits based on risk assessment results and previous performance data.

  2. Define Auditor Competence

    Select individuals who possess the necessary training and experience. I look for certificates of completion for ISO 27001 Internal Auditor courses. Record these credentials in your SharePoint personnel files. You must demonstrate that your auditors understand both the standard and the specific business processes they are evaluating. Competence is not just a title; it is proven knowledge.

  3. Establish Auditor Independence

    Ensure auditors do not audit their own work. This is a strict requirement for objectivity. I check your organisational chart against your audit reports. If the person who writes the Access Policy also audits the access logs, I will issue an NC. Document how you maintain this separation in your Internal Audit Procedure to satisfy external certification bodies.

  4. Develop Audit Checklists

    Create detailed checklists for each audit area to ensure consistency. I prefer seeing these in Confluence or Excel. Your checklists should list the specific requirements, the evidence reviewed, and the auditor’s notes. This prevents “lazy auditing” where auditors miss granular requirements. A thorough checklist provides a clear roadmap for both the auditor and the auditee.

  5. Review Management Information

    Gather previous audit reports and incident logs before the audit begins. I look for evidence that the auditor studied the history of the department. This allows you to focus on recurring issues or unresolved non-conformities. Use Jira to track past NCs and check if the fixes were effective. Historical context is essential for a high-quality audit outcome.

  6. Conduct Site Walkthroughs

    Physically verify that security controls are active on the ground. I often perform “Camera Walkthroughs” to check for unmonitored blind spots. Look for unattended laptops, visible passwords, or unlocked server racks. Document these observations with photos or detailed notes in your audit report. Physical evidence provides a reality check that digital reports often miss.

  7. Perform Staff Interviews

    Talk to employees at all levels to gauge security awareness. I ask open-ended questions like, “What would you do if you lost your work phone?” I look for answers that align with your SharePoint policies. If staff provide inconsistent answers, it indicates a failure in Clause 7.3. Interviews reveal the true state of your security culture beyond the documentation.

  8. Review Technical Logs

    Pull samples of logs from your Azure AD or Google Workspace. I look for evidence that you reviewed admin activity and failed login attempts. Verify that the logs match the reported incidents in your Jira service desk. Technical verification ensures that the system works as the policies claim. Never accept a “green tick” without seeing the underlying data.

  9. Document All Findings

    Record both conformities and non-conformities in a formal audit report. I look for clear, concise descriptions of any gaps found. Each finding must reference the specific ISO 27001 clause or control number. You should also highlight “Opportunities for Improvement” (OFIs). This proves that the audit is a tool for progress, not just a policing exercise.

  10. Report to Management

    Present the audit results to Top Management for formal review. I look for audit reports signed by the CISO or Board members. Record these discussions in your Management Review meeting minutes. You must prove that the leadership team understands the findings and supports the remediation plan. This final step ensures that the audit drives actual change in the organisation.
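Step 8's cross-check of sampled sign-in logs against the incident register, as an added worked example that is not part of the guide: it takes a constructed extract of directory sign-in events and a constructed incident list (field layout, failure threshold and review window are assumptions) and lists accounts whose failed sign-ins exceed the threshold with no incident ticket raised within the window, which is the kind of finding the audit report should cite with its evidence.

```python
from collections import Counter
from datetime import date

# Constructed sample of sign-in events: (date, account, result, is_admin).
# Field layout is an assumption for the example, not any vendor's export format.
SIGNIN_SAMPLE = [
    ("2024-03-04", "j.smith", "failure", True),
    ("2024-03-04", "j.smith", "failure", True),
    ("2024-03-04", "j.smith", "failure", True),
    ("2024-03-05", "j.smith", "failure", True),
    ("2024-03-05", "j.smith", "success", True),
    ("2024-03-06", "svc-backup", "failure", False),
    ("2024-03-06", "svc-backup", "failure", False),
    ("2024-03-07", "svc-backup", "failure", False),
    ("2024-03-07", "svc-backup", "failure", False),
    ("2024-03-07", "svc-backup", "failure", False),
    ("2024-03-08", "a.jones", "failure", False),
    ("2024-03-10", "m.lee", "failure", True),
    ("2024-03-10", "m.lee", "failure", True),
    ("2024-03-11", "m.lee", "failure", True),
]
# Constructed service-desk extract: (ticket, account, date opened).
INCIDENTS = [
    ("SEC-101", "j.smith", "2024-03-05"),   # raised the day after the failures began
    ("SEC-099", "m.lee", "2024-02-20"),     # old ticket, predates the failures
]
FAILURE_THRESHOLD = 3   # assumed review trigger
WINDOW_DAYS = 7         # assumed time allowed for a ticket to follow the first failure

def failed_logins(events):
    """Count failed sign-ins per account and note which accounts are admins."""
    counts, admins = Counter(), set()
    for _day, account, result, is_admin in events:
        if result == "failure":
            counts[account] += 1
        if is_admin:
            admins.add(account)
    return counts, admins

def unexplained_failures(events, incidents, threshold=FAILURE_THRESHOLD, window=WINDOW_DAYS):
    """Accounts at or over the threshold with no ticket opened within the window."""
    counts, admins = failed_logins(events)
    findings = []
    for account, n in sorted(counts.items()):
        if n < threshold:
            continue
        first = min(date.fromisoformat(d) for d, a, r, _ in events
                    if a == account and r == "failure")
        matched = [t for t, a, opened in incidents if a == account
                   and 0 <= (date.fromisoformat(opened) - first).days <= window]
        if not matched:   # evidence gap: failures were never reported as an incident
            findings.append({"account": account, "failed": n, "admin": account in admins})
    return findings
```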

Requirements by Environment

  • Office Environment: Focus on physical access control, visitor logs, and clear desk compliance. Audit the security of local server rooms and hardware disposal bins.
  • Home/Remote: Audit VPN logs, endpoint encryption status in Intune, and home-working risk assessments. Verify that staff use secure home Wi-Fi and keep work devices private.
  • Cloud Infrastructure: Audit IAM permissions, multi-factor authentication (MFA) enforcement, and cloud storage bucket settings. Focus on the audit trail of administrative changes in AWS or Azure.

The “Checkbox Compliance” Trap

Audit Requirement    | SaaS Tool Trap                                   | Auditor Reality
Auditor Objectivity  | Automated tools that audit their own configuration. | I need to see a human auditor questioning the system settings.
Audit Evidence       | Generic “Yes/No” checkboxes in a portal.         | I want to see screenshots, log excerpts, and interview notes.
Root Cause Analysis  | Tools that auto-generate “Fixed” status.         | I want to see Jira tickets where humans analysed why a failure occurred.

10 Steps to Audit Clause 9.2 (Internal Audit Guide)

  1. Check the Schedule: Verify that the audit programme is current and covers the entire ISMS scope.
  2. Verify Independence: Check the auditor’s name against the department head of the audited area.
  3. Sample Training Records: Pull certificates for the internal auditors to confirm they are qualified.
  4. Inspect the Checklist: Look for specific evidence references (e.g., “Sampled 5 laptops from Intune”).
  5. Verify Management Reporting: Ensure audit reports were sent to Top Management within the required timeframe.
  6. Check NC Closure: Pick three past non-conformities and verify they were closed in Jira.
  7. Audit the Auditor: Ask the auditor how they selected their sample size for technical reviews.
  8. Look for Negative Findings: Be suspicious of audit reports that show 100% compliance across every area.
  9. Cross-Reference Incidents: Check if major security incidents from the last quarter were identified in the audit.
  10. Review Meeting Minutes: Confirm that the Board discussed the audit findings and allocated resources for fixes.

9.2 Audit Evidence Checklist

Evidence Item          | Pass/Fail Criteria                                      | Owner
Audit Programme        | Covers all clauses and controls; stored in Confluence.  | ISMS Manager
Audit Reports          | Detailed findings with evidence links and signatures.   | Internal Auditor
Corrective Action Logs | Jira tickets showing root cause and fix verification.   | Control Owner
Competence Records     | Certificates and CVs prove auditor capability.          | HR Manager

Required Policy Content: A Lead Auditor’s Checklist

  • Scope and Frequency: Define exactly which parts of the organisation are audited and how often.
  • Auditor Selection Criteria: Must specify that auditors must be objective, independent, and competent.
  • Reporting Procedures: Must define the path for findings to reach Top Management and process owners.
  • Non-Conformity Management: Must state that all gaps must be logged, analysed for root cause, and tracked to closure.
  • Evidence Retention: Specify that audit reports and evidence must be kept for at least three years (one full cycle).

What to Teach Employees

  • The Purpose of Auditing: Explain that audits are for system improvement, not personal blame.
  • Transparency: Encourage staff to be honest with auditors about where processes fail.
  • Policy Location: Ensure all staff know how to find the ISMS policies in SharePoint.

Enforcement and Consequences

Failure to maintain a regular internal audit programme is a Major Non-Conformity. I follow a strict path for non-compliance: Verbal Warning for missing documentation, Written NC for missed audit deadlines, and Termination of Certification if audits are consistently falsified or ignored. Management must ensure that auditors have the authority to access all areas of the ISMS.

Common Implementation Challenges

Challenge            | Root Cause                                         | Solution
Lack of Resources    | Management sees audits as a low priority.          | Present audit findings as risk reduction and business protection.
Auditor Bias         | Small teams auditing their own friends or managers. | Utilise external consultants for high-risk or technical areas.
Surface-Level Audits | Auditors only checking for documentation existence. | Require technical samples and staff interviews in the checklist.

Sample Statement of Applicability (SoA) Entry

“Clause 9.2 is applicable. We conduct internal audits at planned intervals to ensure ISMS conformity and effectiveness. We maintain an independent audit programme managed through Confluence, with findings tracked to closure in Jira. Results are reported to Top Management during quarterly review sessions to drive continual improvement.”

Changes from ISO 27001:2013

ISO 27001:2013 Reference            | ISO 27001:2022 Reference                                   | Change Detail
Clause 9.2                          | Clause 9.2.1 & 9.2.2                                       | Split into “General” and “Internal Audit Programme” for clarity.
Audit programme focuses on scope.   | Greater emphasis on reporting audit results to management. |

How to Measure Effectiveness (KPIs)

  • Audit Programme Completion Rate: Percentage of planned audits completed on time (Target: 100%).
  • Average Time to Close NCs: Time from audit finding to verification of fix in Jira (Target: < 30 days).
  • Recurrence Rate: Percentage of audit findings that were previously identified in the last cycle (Target: 0%).

ISO 27001 Clause 9.2 FAQ

Can we audit our ISMS just once a year?

Yes, but I recommend auditing different areas throughout the year. This keeps security at the forefront of staff minds. High-risk areas should be audited more frequently than once a year.

Do internal auditors need to be certified?

The standard requires “competence.” While a certificate is the easiest way to prove this to me, you can also use experience and internal training records to demonstrate capability.

What is the difference between an internal audit and a gap analysis?

A gap analysis happens before implementation to see what is missing. An internal audit verifies that your implemented system actually works as intended and meets the standard.

Can the CISO perform the internal audit?

Only if they are not auditing the specific processes they manage. For a complete ISMS audit, the CISO usually lacks the required independence for many sections.

What happens if an internal audit finds no problems?

As a Lead Auditor, this makes me suspicious. It often suggests the audit was not thorough enough. I will look deeper into your samples to see if the internal auditor missed something.