// COMPLIANCE & AUDIT

ISO 27001 Internal Audit

Independent internal audit to prepare for certification and maintain ongoing compliance.

ISO 27001:2022 Aligned
93 Annex A Controls
CREST Certified
Cert-Ready Reporting

ISO 27001:2022 requires organisations to conduct periodic internal audits of their Information Security Management System — evaluating whether the ISMS conforms to the standard's requirements and to the organisation's own policies, objectives, and procedures. Intelliroot's ISO 27001 Internal Audit service provides an independent, evidence-based audit conducted by certified lead auditors who bring both the technical depth to assess control implementation and the audit rigour to produce findings that satisfy certification bodies and external regulators alike.

We develop a structured internal audit programme aligned to your ISMS scope, conduct clause-by-clause and control-level audits using systematic evidence collection, classify all findings as major nonconformities, minor nonconformities, or observations, and prepare an audit report to management that satisfies Clause 9.2 requirements. Our audit outputs are specifically structured to demonstrate continual improvement — giving your certification body the assurance they need that your ISMS is operating effectively and maturing over time.

Why an Independent Internal Audit Matters

Required by ISO 27001 Clause 9.2

Clause 9.2 mandates planned, systematic internal audits at defined intervals. Certification bodies scrutinise the internal audit programme during surveillance and recertification audits — an inadequate internal audit is a common finding that delays or jeopardises certification.

Independence Ensures Objectivity

ISO 27001 requires that internal auditors be objective and impartial. Using Intelliroot as your internal audit provider ensures independence from the teams implementing controls — preventing the self-assessment bias that certification bodies regularly identify in in-house internal audits.

Identify Gaps Before the Certification Audit

A well-conducted internal audit identifies nonconformities before your external certification body does — giving your team time to close gaps, implement corrective actions, and demonstrate the continual improvement loop that ISO 27001 requires.

Corrective Action Tracking Drives Improvement

Internal audit findings feed directly into your nonconformity and corrective action process (Clause 10.2). Intelliroot's audit methodology includes structured corrective action tracking templates and follow-up review to close the continual improvement loop required by Clause 10.1.

What the Audit Covers

ISMS Clauses 4–10

  • Context of the organisation (Clause 4)
  • Leadership and commitment (Clause 5)
  • Planning — risk and opportunity management (Clause 6)
  • Support — resources, competence, awareness (Clause 7)
  • Operation — risk treatment and controls (Clause 8)
  • Performance evaluation and internal audit (Clause 9)
  • Improvement and nonconformity handling (Clause 10)

Annex A Controls (ISO 27001:2022)

  • Organisational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)
  • Controls new in the 2022 edition (11 controls, already counted within the 93 above)

Evidence Collection & Sampling

  • Document and record review per audit checklist
  • Staff interviews across departments in scope
  • Technical control observation and walkthroughs
  • Log and monitoring evidence sampling
  • Corrective action closure verification

Audit Programme & Reporting

  • Internal audit programme development
  • Nonconformity classification (major / minor / observation)
  • Audit report to management (Clause 9.2 compliant)
  • Certification readiness assessment
  • Corrective action register and tracking

How We Conduct the Internal Audit

01

Audit Programme Planning

Develop the internal audit programme covering scope, objectives, criteria, schedule, and audit team composition. Produce clause-by-clause and Annex A audit checklists tailored to your ISMS scope, industry sector, and applicable legal and regulatory obligations.

02

Opening Meeting & Document Request

Conduct the formal opening meeting with ISMS management, agree on the audit plan, and issue a structured document request covering policies, risk register, Statement of Applicability (SoA), previous audit records, training records, incident logs, and corrective action history.

03

Fieldwork — Evidence Collection

Conduct systematic evidence collection through document review, structured staff interviews, and technical control observation. Sample monitoring logs, access control records, vulnerability management data, and supplier review records against the audit criteria.

04

Finding Classification & Audit Report Preparation

Classify all audit findings as major nonconformities, minor nonconformities, or observations with supporting evidence references. Prepare the formal audit report to management meeting Clause 9.2 requirements — suitable for presentation to senior management and the certification body.

05

Closing Meeting & Corrective Action Initiation

Present findings at the formal closing meeting, agree on corrective action owners and target dates, and initialise the corrective action register. Provide follow-up review support to verify that corrective actions have been implemented effectively before the next certification audit.

Tags: ISO 27001:2022 · Internal Audit · Clause 9.2 · Annex A Controls · Nonconformity Management · Certification Readiness · Corrective Actions · ISMS · Continual Improvement

Frequently Asked Questions

How often must an internal audit be conducted?

ISO 27001 Clause 9.2 requires internal audits at planned intervals. The frequency is determined by your documented audit programme, but most organisations conduct at least one full-scope internal audit per year, with additional targeted audits after significant changes to the ISMS scope or following major incidents.

Can Intelliroot audit controls it helped implement?

ISO 27001 requires auditors to be objective and impartial, and auditors must not audit their own work. If Intelliroot has been involved in implementing specific controls, we structure the audit team so that those areas are audited by personnel who were not involved in the implementation, maintaining full independence.

What is the difference between a major nonconformity, a minor nonconformity, and an observation?

A major nonconformity is the absence of a required element of the ISMS or a systemic failure; it would typically prevent certification if unresolved. A minor nonconformity is a single lapse or isolated gap that does not indicate a systemic breakdown. Observations are opportunities for improvement that do not constitute nonconformities but are recommended for the continual improvement programme.

Deliverables

Internal Audit Report (Clause 9.2 Compliant)

Formal audit report to management covering audit scope, criteria, evidence reviewed, all findings classified by type, and audit conclusions — suitable for submission to the certification body.

Nonconformity & Observation Register

Structured register of all major nonconformities, minor nonconformities, and observations with evidence references, clause citations, and recommended corrective actions.

Internal Audit Programme

Documented annual audit programme covering scope, schedule, objectives, criteria, and audit team — meeting Clause 9.2 programme requirements for certification body review.

Corrective Action Register

Initialised corrective action register with finding references, root cause fields, action owners, target dates, and verification status columns for ongoing tracking.

Certification Readiness Summary

Executive assessment of ISMS readiness for external certification audit, highlighting outstanding gaps, corrective action priorities, and recommended timeline to certification.

GET STARTED
Accepting New Engagements · 24h Response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

  • Scoping Call with a Certified Consultant: 45-minute deep-dive with a senior practitioner, no sales pitch.
  • Proposal Delivered in 48 Hours: fully scoped engagement plan with pricing and timeline.
  • Free Attack Surface Analysis: preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled · ISO 27001 · OSCP · CEH · CISSP