What an Internal ISO 27001 Audit Entails

Blog

First Published: October 31, 2025

Content Written For: Small & Medium Businesses; Large Organisations & Infrastructure; Government

An internal ISO 27001 audit is one of the most important activities in maintaining an effective Information Security Management System (ISMS). It provides assurance that your organisation’s information security controls are working as intended, helps identify weaknesses before they become compliance issues, and supports continual improvement between external audits.

Under Clause 9.2 of ISO/IEC 27001:2022, organisations are required to conduct internal audits at planned intervals. The internal audit is a mandatory requirement that helps organisations remain compliant and resilient as risks and technologies evolve.

This article explains what an internal ISO 27001 audit involves, who can perform it, how often it should occur, and what to expect at each stage of the process.

Key Takeaways

  • An internal ISO 27001 audit systematically reviews your ISMS to ensure compliance and identify weaknesses.
  • Organisations need to conduct internal audits at planned intervals to maintain compliance with ISO 27001 requirements.
  • Internal auditors must be independent and competent, with options including trained staff or external consultants.
  • The audit process involves planning, conducting, reporting, and following up on corrective actions to enhance the ISMS.
  • Common challenges include ineffective tracking of corrective actions and lack of management involvement; addressing these enhances audit value.

What Is an Internal ISO 27001 Audit?

An internal ISO 27001 audit is a systematic and independent review of your ISMS. Its purpose is to check whether your policies, controls, and procedures align with the ISO 27001 standard, your organisation’s own requirements, and the scope defined in your Statement of Applicability (SoA).

Unlike an external audit conducted by a certification body, the internal audit is a self-assessment and improvement activity. It identifies nonconformities early so they can be corrected before an external certification or surveillance audit.

An internal audit must be carried out by someone who is independent of the processes being audited. This ensures objectivity and prevents conflicts of interest. The findings are then used as input to management review and continual improvement of the ISMS.

Who Can Conduct an Internal ISO 27001 Audit?

The ISO 27001 standard does not require internal auditors to be certified by an external body, but they must be competent, impartial, and independent of the area being audited. Suitable options include:

  • Trained internal staff such as compliance officers or IT risk professionals who are not responsible for the systems under review.
  • A dedicated internal audit team operating within the risk or governance function.
  • External consultants engaged specifically to conduct internal audits within your ISMS program.

The key is that auditors must not audit their own work. You should also document their training and competence to demonstrate audit credibility.

How Often Should Internal Audits Be Conducted?

ISO 27001 requires audits at planned intervals but does not set a specific frequency. Most organisations conduct internal audits at least once per year, aligning them with the external certification cycle.

Many organisations adopt a rolling audit schedule over the three-year certification cycle. This allows different ISO 27001 clauses and Annex A controls to be reviewed at different times, focusing resources where they are needed most.

Audit frequency can vary based on:

  • The size and complexity of the organisation
  • The results of previous audits
  • Major system or organisational changes
  • Maturity of the ISMS and control environment

Key Steps in an Internal ISO 27001 Audit

A structured approach helps ensure consistency and useful results. The process typically includes five stages:

1. Audit Planning and Preparation

  • Define the scope, objectives, and criteria for the audit, including which systems or controls will be reviewed.
  • Develop or update an audit checklist based on ISO 27001 clauses, your Statement of Applicability, and internal procedures.
  • Assign auditors and confirm their independence from audited areas.
  • Review documentation such as policies, risk assessments, and incident logs.
  • Communicate the audit plan and schedule interviews or evidence sessions.

2. Conducting the Audit

  • Interview process owners and staff to assess their understanding and application of controls.
  • Review documentation and records including logs, reports, and risk registers.
  • Observe processes in operation to confirm controls are implemented correctly.
  • Record findings as conformities, nonconformities, or opportunities for improvement.

3. Audit Reporting

  • Summarise audit scope, criteria, and methods.
  • List all findings with supporting evidence and their severity.
  • Recommend corrective actions for each nonconformity.
  • Present the audit report to management and relevant stakeholders.

4. Corrective Actions and Follow-Up

  • Develop corrective action plans with clear ownership and timelines.
  • Monitor and verify progress to ensure issues are resolved.
  • Conduct follow-up reviews if required to confirm closure of findings.

5. Management Review and Integration

  • Feed audit results into the management review process as required under Clause 9.3.
  • Evaluate ISMS performance, resource needs, and risk posture.
  • Update risk assessments, training plans, and documentation based on audit outcomes.

What Should Be Covered in an Internal Audit?

A complete internal audit should include:

  1. Clauses 4 to 10 of ISO 27001 covering context, leadership, planning, support, operation, evaluation, and improvement.
  2. Annex A controls included in your Statement of Applicability.
  3. Policies and procedures to confirm they reflect actual practice.
  4. Risk assessments and treatment plans to verify currency and effectiveness.
  5. Evidence of control performance such as access reviews, incident reports, and supplier evaluations.
  6. Staff awareness and competence.
  7. Closure of previous audit findings and corrective actions.

Structured checklists help ensure full coverage and repeatability across audit cycles.

Common Challenges and Pitfalls

Internal audits can lose value if they are treated as administrative exercises rather than management tools. Frequent problems include:

  • Auditors reviewing their own work or processes
  • Incomplete or outdated documentation
  • Focusing only on control design rather than on control effectiveness in operation
  • Weak corrective action tracking
  • Limited management involvement
  • Infrequent audits or too much scope at once
  • Insufficient training for internal auditors

Avoiding these issues requires planning, leadership support, and a culture that values improvement rather than minimal compliance.

Tips to Maximise Audit Value

  • Train internal auditors on ISO 27001 principles and audit techniques.
  • Prioritise high-risk systems and business-critical processes.
  • Run mock audits to identify and correct gaps early.
  • Use structured templates or audit management tools for consistency.
  • Maintain detailed and version-controlled audit records.
  • Involve senior management to ensure ownership of audit outcomes.
  • Align audit timing with certification or major business milestones.

An internal ISO 27001 audit is a vital mechanism for confirming that your information security controls are effective, compliant, and improving over time. It provides management with visibility of strengths and weaknesses and prepares the organisation for successful external audits.

For Australian organisations working toward or maintaining ISO 27001 certification, a structured internal audit program strengthens security governance, improves readiness, and reduces certification risks.

About CyberPulse

CyberPulse is a security-first compliance partner helping organisations reduce cyber risk, build resilience and achieve certification with confidence. Founded by former CISOs and security leaders, we align technical depth with real-world context to deliver measurable outcomes across advisory, managed services, compliance and threat defence.
