ISO 27001 · 1 July 2026
ISO 27001 internal audits: a practical guide
Internal audits are a mandatory requirement of ISO/IEC 27001:2022 — and one of the most useful things you’ll do for your ISMS. They’re your own health check, giving you the chance to find and fix issues before a certification auditor does. This guide explains how to plan and run them well.
Why internal audits are required
Clause 9.2 of the standard requires you to conduct internal audits at planned intervals to confirm your ISMS both conforms to ISO/IEC 27001 and is effectively implemented and maintained. In plain terms, an internal audit answers two questions:
- Are we doing what we said we’d do?
- Is what we’re doing actually working?
A completed internal audit programme is checked at initial certification and at every surveillance audit. Skip it and you are almost certain to raise a nonconformity.
Internal vs external audits
It helps to be clear on the difference:
| Internal audit | External (certification) audit | |
|---|---|---|
| Who runs it | You, or a partner on your behalf | UKAS-accredited certification body |
| Purpose | Self-check and improvement | Independent certification |
| When | At planned intervals through the year | Stage 1, Stage 2 and surveillance |
| Outcome | Findings for you to act on | Certification decision |
Internal audits are your opportunity to fix things quietly; external audits are where those fixes pay off.
Who can carry out an internal audit
The key principle is objectivity and impartiality: auditors should not audit their own work. In a small organisation that can be tricky, so options include:
- A staff member auditing an area they aren’t responsible for.
- Someone from another team or department.
- An external partner conducting the internal audit on your behalf — a common and accepted approach for SMEs, and often the most practical.
Auditors also need enough competence to understand what they’re assessing.
Planning your audit programme
You don’t have to audit everything at once. Most organisations run a rolling programme across the year, covering all parts of the ISMS over a defined cycle. A good programme considers:
- The importance and risk of each area (audit higher-risk areas more often).
- Results of previous audits.
- Changes to systems, suppliers or scope.
- Coverage of the management clauses and your applicable Annex A controls.
Document the programme so you can show an auditor how the whole ISMS is covered over time.
Running an internal audit: step by step
- Define the scope of this particular audit — which processes or controls it covers.
- Prepare by reviewing relevant documents: the policy, risk assessment, SoA and previous findings.
- Gather evidence through interviews, observation and reviewing records and logs.
- Compare against requirements — the standard and your own documented process.
- Record findings, classifying them as nonconformities, observations or opportunities for improvement.
- Report the results clearly to the relevant owners and to management.
- Track corrective actions through to completion, with root cause analysis for nonconformities.
Turning findings into improvement
The value of an internal audit lies in what happens next. For each nonconformity:
- Understand the root cause, not just the symptom.
- Agree a corrective action and an owner.
- Set a target date and follow up to confirm it’s resolved.
- Check the fix actually prevents recurrence.
Well-managed corrective actions are strong evidence of the continual improvement the standard expects.
Feeding the management review
Internal audit results are a key input to the management review, where leadership considers the performance of the ISMS and decides on improvements, resources and objectives. Both the internal audit programme and the management review are mandatory, and both are checked at certification and surveillance. Together they demonstrate that leadership is genuinely engaged — not just endorsing a document.
Common internal audit pitfalls
- Not doing them at all, or leaving them until just before the external audit.
- Auditors reviewing their own work, undermining impartiality.
- Findings with no corrective action, so the same issues recur.
- Only auditing the easy areas, leaving gaps in coverage.
- No link to the management review, breaking the improvement loop.
If any terms are unfamiliar, our glossary explains them in plain English.
How we can help
For many SMEs, the practical challenge is finding someone impartial and competent to run internal audits. We provide practical support throughout — designing an audit programme, conducting internal audits on your behalf, and helping you turn findings into effective corrective actions and a meaningful management review — as part of a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool is a useful precursor to a first internal audit.
Learn more about our ISO 27001 service or get in touch to arrange support.
Need help in practice? See our ISO 27001 service.