Introduction
Most organisations know they need an internal audit. Far fewer know how to build a programme that satisfies the auditor, adds genuine value, and doesn’t consume weeks of calendar time each year.
ISO 27001 Clause 9.2 requires you to conduct internal audits at planned intervals. But “planned intervals” is doing a lot of work in that sentence.
This guide on the ISO 27001 internal audit programme explains exactly what that means, how to structure an annual audit, and how to run individual audits efficiently — including what to actually look at, how to record findings, and how to close them properly before your certification body shows up.
What ISO 27001 Requires
Clause 9.2 sets out the requirements for internal audits. In plain terms, you must:
- Conduct internal audits at planned intervals to determine whether the ISMS conforms to the organisation’s own requirements and to ISO 27001
- Plan, establish, implement, and maintain an audit programme, including frequency, methods, responsibilities, planning requirements, and reporting
- Define the audit criteria and scope for each audit
- Select auditors who are objective and impartial
- Report audit results to relevant management
- Retain documented information as evidence of the audit results
That’s the requirement. The question is how to make it work in practice without it becoming a bureaucratic drain.
ISO 27001 Online Course + Full Toolkit
Stop guessing. Follow a proven step-by-step process.
“Highly recommended for anyone looking to understand ISO 27001, whether attempting it on your own or even using a consultant.”
Verified Trust.me Review
✓ Full toolkit included
✓ Learn as you build
✓ 12-month access
✓ 6 hours of video
✓ Email consultancy
✓ 30-day upgrade credit to consultancy
What an Audit Programme Actually Is
The audit programme is the overarching plan that governs your internal audit activity for the year (or certification cycle). It answers: what will be audited, when, by whom, and how?
An individual audit is a specific examination of one or more parts of the ISMS — perhaps a set of clauses, a group of controls, a particular department, or a specific process.
Most organisations with a relatively small ISMS scope will run 2–4 audits per year and cover all clauses and relevant controls across the certification cycle (typically three years). Larger or more complex ISMSs may audit quarterly.
Designing Your Annual Audit Programme
Step 1: Identify what needs to be audited
Your programme should ensure that every part of the ISMS is audited over a reasonable period. For a three-year certification cycle, you should be able to demonstrate that all clauses and all relevant Annex A controls have been audited at least once.
For a smaller organisation doing two audits per year, a practical split might be:
Audit 1 (typically mid-year):
- Clauses 4–7 (context, leadership, planning, support)
- Annex A organisational controls (5.1–5.37) — sample basis
- Annex A people controls (6.1–6.8)
Audit 2 (typically pre-management review, Q4):
- Clauses 8–10 (operation, performance evaluation, improvement)
- Annex A physical controls (7.1–7.14)
- Annex A technological controls (8.1–8.34) — sample basis
- Any areas flagged from Audit 1
Trigger-based audits (ad hoc):
- Following a significant incident
- After major organisational change (new system, new location, major restructure)
- Following a surveillance audit finding that requires follow-up
Planning Your Internal Audit Programme
ISO 27001 Clause 9.2 requires a planned audit programme — not a single audit. Here's how to structure audits across the year so every area of your ISMS gets covered.
The programme is laid out quarter by quarter: Jan–Mar, Apr–Jun, Jul–Sep, Oct–Dec.
Step 2: Set the frequency based on risk
ISO 27001 doesn’t mandate specific intervals, but your audit frequency should be risk-informed. Higher-risk areas or controls with a history of nonconformity should be audited more frequently. Low-risk, stable areas can be audited less often.
Document your rationale. If your certification auditor asks why you audit access controls quarterly but physical security annually, you should have a principled answer.
Step 3: Assign responsibility
Each audit must be conducted by someone objective and impartial. This means the auditor cannot audit their own work.
For most organisations, there are three practical options:
Option 1: Internal auditor trained in ISO 27001. Someone within the organisation who has completed ISO 27001 internal auditor training and is not responsible for the processes or controls being audited. For many SMEs, this is the most cost-effective option once trained.
Option 2: Cross-functional approach. Members of one team audit another team’s controls. Requires careful design to avoid conflicts of interest.
Option 3: External auditor. A third party (consultant or specialist firm) conducts the internal audits. More expensive, but completely eliminates objectivity concerns and often adds more rigorous scrutiny.
Step 4: Document the programme
Produce an audit programme document — it doesn’t need to be long. One page covering the following is sufficient:
- Audit objectives for the period
- Scope of each planned audit (areas, clauses, controls)
- Planned dates or quarters
- Allocated auditor(s)
- Reporting method and recipients
- Review date for the programme itself
This document becomes audit evidence. Keep it updated when things change.
How to Run an Individual Internal Audit
Each audit in your programme follows the same six-phase process — from planning through to confirmed closure. Here's what happens at each stage and what evidence to retain.
Audit Planning
Define the scope, objectives, and criteria for this specific audit. Select an auditor who is independent of the area being audited. Notify auditees with adequate notice.
Activities:
- Define audit scope
- Select independent auditor
- Set audit criteria
- Notify auditees (min. 2 weeks)
Evidence to retain:
- Audit plan / brief
- Auditor appointment record
- Meeting invite / notification
Document Review
Review relevant policies, procedures, previous audit reports, and risk documentation before conducting fieldwork. Identify areas of focus and prepare the audit checklist.
Activities:
- Review ISMS policies
- Check previous findings
- Prepare audit checklist
- Identify evidence to request
Evidence to retain:
- Completed audit checklist
- Document review notes
Opening Meeting
Brief the auditees on the audit scope, process, and schedule. Confirm points of contact, logistics, and how findings will be communicated. This establishes a professional tone.
Activities:
- Introduce audit objectives
- Confirm scope with auditees
- Agree schedule for the day
- Set expectations on outputs
Evidence to retain:
- Opening meeting notes
- Attendance record
Evidence Gathering
The fieldwork phase. Collect and test evidence through interviews, observation, and document review. Record findings — both conforming and nonconforming — against the audit criteria.
Activities:
- Conduct interviews
- Test controls in practice
- Review records and logs
- Note observations & findings
Evidence to retain:
- Interview notes
- Evidence samples collected
- Completed checklist responses
- Photographs / screenshots
Closing Meeting & Report
Present findings to auditees before finalising; this gives them the opportunity to correct factual errors. Issue the formal audit report within an agreed timeframe (typically 5 working days).
Activities:
- Present preliminary findings
- Agree factual accuracy
- Issue formal audit report
- Classify findings (Major / Minor / OFI)
Evidence to retain:
- Closing meeting notes
- Signed audit report
- Findings classification record
Corrective Action & Closure
For each nonconformity, the auditee must determine the root cause, implement a corrective action, and provide evidence of closure. The auditor verifies effectiveness before closing the finding.
Activities:
- Agree corrective actions
- Assign owners & deadlines
- Verify effective implementation
- Formally close nonconformity
Evidence to retain:
- Corrective action log
- Root cause analysis
- Closure evidence
- Auditor sign-off
Running Individual Audits: A Practical Approach
Before the audit
- Prepare an audit plan. For each audit, produce a brief plan covering: scope, objectives, audit criteria (which clause or control requirements you’re checking against), methodology (interviews, document review, observation, sampling), and dates.
- Notify participants. Give people enough notice to prepare. Surprising people serves no one — the point is to assess real operation, not to catch people out.
- Review previous results. Look at the last audit’s findings for these areas. Were corrective actions closed? Are there repeat issues?
- Prepare your checklist. Build or use a checklist aligned to the clauses and controls in scope. Good checklists prompt you to gather specific evidence rather than ask vague questions.
During the audit
Auditing is primarily a process of gathering evidence. You’re not looking for perfection — you’re looking for conformity: does the ISMS operate as documented, and does what’s documented meet the standard’s requirements?
Use a combination of:
- Document review — Are policies current and approved? Are records complete and accessible?
- Interviews — Do staff understand the policies and procedures relevant to their role? Can they explain what they’d do in a given scenario?
- Observation — Are controls operating in practice? (Screen locks active, clean desk policy observed, access controls working as described.)
- Sampling — For controls that operate continuously (access reviews, backup checks, patching), sample a representative set of records rather than reviewing every instance.
Take contemporaneous notes. Record what you reviewed, who you spoke to, what you found, and your assessment. These become the audit evidence.
Understanding Audit Finding Types
Not all audit findings are equal. Knowing the difference between a major nonconformity, a minor nonconformity, and an observation determines how urgently you need to act — and what's at stake for your certificate.
Major nonconformity (examples):
- No risk assessment has been conducted
- No internal audit has taken place
- Information security policy does not exist
- Multiple minor NCs in the same area (pattern)
- Previously agreed corrective action not implemented
Minor nonconformity (examples):
- Access review completed but poorly documented
- One user account not disabled after offboarding
- Training records incomplete for 2 of 20 staff
- Supplier contract lacks required security clauses
- Patch applied late — outside agreed SLA window
Observation / opportunity for improvement (examples):
- Manual process could be automated to reduce error
- Policy wording could be clearer for staff
- Audit checklist could be extended to cover more controls
- Metrics exist but aren't being reviewed regularly
- Security awareness training could include phishing sims
Avoid the temptation to grade everything as minor to soften the message. An honest audit report is more valuable than a flattering one — and your certification body will often find the same issues anyway.
Writing the Audit Report
The audit report is a key piece of ISMS evidence. It should include:
- Audit scope, objectives, and criteria
- Dates and participants
- Methodology used (document review, interviews, observation)
- Summary of findings — conformities, nonconformities, and observations
- Specific nonconformity details: which requirement is not met, what evidence supports the finding, the recommended corrective action
- Auditor declaration (signed and dated)
Keep the report factual and evidence-based. Avoid vague language like “processes could be improved.” Specific, evidence-based findings are more useful and more credible.
Managing Corrective Actions
Every nonconformity needs a corrective action — a documented response that addresses the root cause, not just the symptom.
A corrective action record should capture:
- The nonconformity identified
- Root cause analysis (why did this happen?)
- The corrective action planned
- The person responsible
- The target completion date
- Evidence of completion (reviewed and signed off)
Corrective actions should be reviewed at the management review. Outstanding or overdue corrective actions are a common finding in certification audits — close them properly and on time.
Common Internal Audit Mistakes
- Auditing only the documentation, not the operation. Policies are easy to write. What auditors (internal and external) really want to see is that the organisation is operating the controls in practice. Always check whether policies are being followed, not just whether they exist.
- Using the same person to audit their own controls. This is a direct requirement of Clause 9.2 — auditors must be objective and impartial. Certifying that your own work complies with the standard is not audit evidence.
- Leaving it too long between audits. “Planned intervals” means there should be no prolonged gaps. Doing one audit in year one and nothing until the surveillance audit is not a programme — it’s a one-off.
- Failing to close corrective actions. An audit that raises five nonconformities and closes none of them is worse than no audit at all. Track and close corrective actions actively.
- Writing report findings too vaguely. “Access management needs improvement” is not an audit finding. “Three user accounts had active access rights 90+ days after the relevant employees left the organisation, contrary to the documented off-boarding procedure in Control 5.18” is an audit finding.
What Your Certification Auditor Will Look For
When your certification body (whether at Stage 2, a surveillance audit, or recertification) reviews your internal audit programme, they typically look for:
- Evidence that a programme exists and has been followed
- That all parts of the ISMS have been audited (at least on a sampling or rotation basis)
- That auditors were competent and objective
- That findings were recorded and reported to management
- That corrective actions were raised, tracked, and closed
- That the results fed into the management review
If any of these elements are missing, expect a finding. The most common problems are the last two: corrective actions that were raised but never closed, and results that weren’t formally presented to management.
Summary
An effective internal audit programme isn’t about generating paperwork — it’s about genuinely checking that your ISMS is working. The organisations that get the most from internal audits are the ones that treat them as a real assurance mechanism rather than a compliance exercise.
Build a simple programme plan, conduct audits at sensible intervals, write clear reports, close your corrective actions, and make sure the results reach management. Do that consistently and your certification audits will be straightforward.
Related resources:
- ISO 27001 Internal Audit guide
- How to prepare for your Stage 2 audit
- ISO 27001 Nonconformity and Corrective Action guide (article 18 in this series)
Frequently Asked Questions
How many internal audits do we need per year?
ISO 27001 doesn’t specify a number — it requires audits at “planned intervals.” For most SMEs, two audits per year is typical. The interval should be appropriate to the risk and complexity of your ISMS.
Can we use an Excel spreadsheet to track the audit programme?
Yes. There’s no requirement for dedicated audit software. A well-maintained spreadsheet with programme plan, individual audit reports, and corrective action tracking is sufficient.
Do our internal auditors need to be certified?
Not necessarily. They must be competent and objective. Many organisations send a nominated person on a one- or two-day ISO 27001 internal auditor training course, which is usually sufficient.
What’s the minimum we can do and still pass certification?
You must have at least one internal audit completed before your Stage 2 certification audit, with the results reported to management and corrective actions in progress. Two audits is more comfortable and gives you a stronger evidence base.
Can a consultant do our internal audit?
Yes — this is a legitimate and common approach, especially for smaller organisations without in-house audit capability. The consultant functions as your internal auditor; the audit is still part of your ISMS internal audit programme.
