Internal ISO Audit
2026-02-28 | Longform | Author: Hazel Castro

ISO 27001:2022 Clause 9.2 Explained (Internal Audit Requirements)

Clause 9.2 is the most misunderstood requirement in ISO 27001. It mandates internal audits, but most organizations treat it as a box to check rather than a functioning part of their management system.

This article explains exactly what Clause 9.2 requires, how to implement it properly, and the mistakes that lead to nonconformities.

What Clause 9.2 Requires

Clause 9.2 is split into two sub-clauses:

Clause 9.2.1 — Internal Audit Programme

You must plan, establish, implement, and maintain an audit programme that covers:

  • Frequency — How often each area of the ISMS is audited
  • Methods — How audits are conducted (document review, interviews, evidence collection)
  • Responsibilities — Who conducts audits and who receives results
  • Reporting — How findings are documented and communicated

The audit programme must consider the importance of processes and results of previous audits. Higher-risk areas should be audited more frequently.

Clause 9.2.2 — Internal Audit Process

For each individual audit, you must:

  • Define audit criteria and scope
  • Select auditors who ensure objectivity and impartiality
  • Report results to relevant management
  • Retain documented information as evidence

The key requirement: the person who built or manages a part of the ISMS cannot audit that same part.

What Auditors Actually Look For

When the external (certification) auditor reviews your internal audit programme, they evaluate several things:

Coverage

Does the programme cover the full ISMS scope over the audit cycle? If you have 93 applicable controls plus 30 ISMS clauses, every one should be assessed within the cycle (typically annual). You don't have to audit everything in a single audit, but the programme should show when each area gets covered.

Risk-based planning

Higher-risk processes should get more frequent or deeper audits. If your last audit found multiple findings in access control, the next programme should give access control extra attention.

Auditor independence

The standard requires objectivity and impartiality. At a large company, this means auditors from a different department. At a startup, this usually means an external consultant — the person who designed the ISMS cannot also audit it.

Quality of findings

Vague findings like "security could be better" indicate weak internal audit capability. Auditors expect findings to reference specific clause requirements, include evidence, and be classified by severity.

Follow-through

Were corrective actions actually implemented? An audit report that sits in a drawer isn't meeting the standard's intent. Findings should be tracked to closure with evidence of remediation.

Balanced results

An internal audit that finds zero issues is a red flag. Every ISMS has room for improvement. Finding nothing suggests the audit was a formality rather than a genuine evaluation.

Building an Audit Programme

Step 1: Map the scope

List every ISMS clause (4-10) and every applicable Annex A control. This is your audit universe.

Step 2: Assign frequency

  • Critical-tier controls — Audit annually, at minimum
  • Areas with previous findings — Audit in the next cycle with extra depth
  • Low-risk/checkbox controls — Can be grouped and audited on a rotating basis

Step 3: Schedule audits

Spread audits across the year rather than cramming everything into one session before the certification audit. A quarterly cadence works well:

Quarter   Focus
Q1        Access control, identity management, authentication
Q2        Incident response, logging, monitoring
Q3        Change management, SDLC, vulnerability management
Q4        ISMS clauses, risk assessment, management review

Step 4: Assign auditors

Each audit needs an auditor who is independent from the area being assessed. Document the assignment and confirm no conflicts of interest.

Step 5: Conduct the audit

For each audit:

  1. Review documentation (policies, procedures)
  2. Collect evidence of implementation
  3. Interview personnel
  4. Classify findings (major nonconformity, minor nonconformity, observation)
  5. Write the report
  6. Communicate findings to management

Step 6: Track corrective actions

Each finding needs a corrective action with a root cause, specific fix, due date, and owner. Track these to closure and verify the fix with evidence.

Common Mistakes

One big audit right before certification

The standard requires a programme — a systematic plan, not a panic exercise. Auditors want to see that internal auditing is an ongoing activity, not a one-time event.

Self-auditing

Having the ISMS builder audit their own work violates the independence requirement. At a startup, hire an external auditor. It's cheaper than a certification nonconformity.

Findings without follow-up

The audit report exists but no one acts on the findings. This defeats the purpose of the internal audit and creates a double nonconformity: the original control failure plus a Clause 9.2 failure for not acting on audit results.

No connection to management review

Internal audit results should feed into the management review (Clause 9.3). If leadership never sees the audit findings, the ISMS isn't operating as a management system.

The Feedback Loop

Clause 9.2 doesn't exist in isolation. It's part of the Plan-Do-Check-Act cycle:

  1. Risk assessment identifies what matters → drives the audit programme
  2. Internal audit checks whether controls work → produces findings
  3. Corrective actions fix the findings → improve the ISMS
  4. Management review evaluates audit results → decides on resource allocation
  5. Updated risk assessment reflects changes → drives the next audit programme

When this loop is working, your ISMS gets better over time. When it's broken, you're maintaining compliance theater.

The Bottom Line

Clause 9.2 is not about checking a box. It's about building a mechanism that continuously verifies and improves your security posture. An organization that runs genuine internal audits — with independent auditors, honest findings, and tracked corrective actions — is in a fundamentally better security position than one that doesn't.

If you need an independent auditor to satisfy Clause 9.2, we offer internal audits for $300 with a written findings report and corrective action recommendations.


About the Author

Hazel Castro

ISO 27001 Internal Auditor, Internal ISO Audit

Hazel Castro is a certified ISO 27001 Internal Auditor with 14+ years of experience and over 100 completed audits. She specializes in helping startups and growing companies prepare for and pass ISO 27001 certification through thorough, practical internal audits.

  • ISO 27001 Internal Auditor
  • ISO 27701 Privacy Lead Implementer
  • ISC2 Certified in Cybersecurity (CC)
  • Certified Public Accountant (CPA)