Skip to content
360 Cyber Compliance

ISO 27001 · 1 July 2026

ISO 27001 internal audits: a practical guide

Internal audits are a mandatory requirement of ISO/IEC 27001:2022 — and one of the most useful things you’ll do for your ISMS. They’re your own health check, giving you the chance to find and fix issues before a certification auditor does. This guide explains how to plan and run them well.

Why internal audits are required

Clause 9.2 of the standard requires you to conduct internal audits at planned intervals to confirm your ISMS both conforms to ISO/IEC 27001 and is effectively implemented and maintained. In plain terms, an internal audit answers two questions:

  1. Are we doing what we said we’d do?
  2. Is what we’re doing actually working?

A completed internal audit programme is checked at initial certification and at every surveillance audit. Skip it and you are almost certain to raise a nonconformity.

Internal vs external audits

It helps to be clear on the difference:

Internal auditExternal (certification) audit
Who runs itYou, or a partner on your behalfUKAS-accredited certification body
PurposeSelf-check and improvementIndependent certification
WhenAt planned intervals through the yearStage 1, Stage 2 and surveillance
OutcomeFindings for you to act onCertification decision

Internal audits are your opportunity to fix things quietly; external audits are where those fixes pay off.

Who can carry out an internal audit

The key principle is objectivity and impartiality: auditors should not audit their own work. In a small organisation that can be tricky, so options include:

  • A staff member auditing an area they aren’t responsible for.
  • Someone from another team or department.
  • An external partner conducting the internal audit on your behalf — a common and accepted approach for SMEs, and often the most practical.

Auditors also need enough competence to understand what they’re assessing.

Planning your audit programme

You don’t have to audit everything at once. Most organisations run a rolling programme across the year, covering all parts of the ISMS over a defined cycle. A good programme considers:

  • The importance and risk of each area (audit higher-risk areas more often).
  • Results of previous audits.
  • Changes to systems, suppliers or scope.
  • Coverage of the management clauses and your applicable Annex A controls.

Document the programme so you can show an auditor how the whole ISMS is covered over time.

Running an internal audit: step by step

  1. Define the scope of this particular audit — which processes or controls it covers.
  2. Prepare by reviewing relevant documents: the policy, risk assessment, SoA and previous findings.
  3. Gather evidence through interviews, observation and reviewing records and logs.
  4. Compare against requirements — the standard and your own documented process.
  5. Record findings, classifying them as nonconformities, observations or opportunities for improvement.
  6. Report the results clearly to the relevant owners and to management.
  7. Track corrective actions through to completion, with root cause analysis for nonconformities.

Turning findings into improvement

The value of an internal audit lies in what happens next. For each nonconformity:

  • Understand the root cause, not just the symptom.
  • Agree a corrective action and an owner.
  • Set a target date and follow up to confirm it’s resolved.
  • Check the fix actually prevents recurrence.

Well-managed corrective actions are strong evidence of the continual improvement the standard expects.

Feeding the management review

Internal audit results are a key input to the management review, where leadership considers the performance of the ISMS and decides on improvements, resources and objectives. Both the internal audit programme and the management review are mandatory, and both are checked at certification and surveillance. Together they demonstrate that leadership is genuinely engaged — not just endorsing a document.

Common internal audit pitfalls

  • Not doing them at all, or leaving them until just before the external audit.
  • Auditors reviewing their own work, undermining impartiality.
  • Findings with no corrective action, so the same issues recur.
  • Only auditing the easy areas, leaving gaps in coverage.
  • No link to the management review, breaking the improvement loop.

If any terms are unfamiliar, our glossary explains them in plain English.

How we can help

For many SMEs, the practical challenge is finding someone impartial and competent to run internal audits. We provide practical support throughout — designing an audit programme, conducting internal audits on your behalf, and helping you turn findings into effective corrective actions and a meaningful management review — as part of a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool is a useful precursor to a first internal audit.

Learn more about our ISO 27001 service or get in touch to arrange support.

Need help in practice? See our ISO 27001 service.

Need a hand with this?

Book a free, no-obligation readiness check.