General (Internal audit)
Plain English Translation
Clause 9.2 requires organizations to conduct internal audits at planned intervals to perform a 'self-check' on their security program. The goal is to verify two things: first, that the ISMS meets the organization's own requirements and the ISO 27001 standard; and second, that it is effectively implemented and maintained. Crucially, audits must be objective and impartial, meaning auditors cannot audit their own work.
Technical Implementation
Required Actions (startup)
- Designate an 'internal auditor': a competent employee who is independent of the ISMS implementation, or, if no such employee exists in a small team, an external consultant
- Perform a full ISMS audit once per year using a standard checklist
- Store audit findings in a simple document
Required Actions (scaleup)
- Establish a formal Internal Audit Procedure and schedule
- Rotate auditors or hire external consultants to ensure impartiality
- Track audit findings in a ticketing system (e.g., Jira) as corrective actions
Required Actions (enterprise)
- Implement a rolling audit program covering different domains quarterly
- Utilize GRC software to manage audit evidence collection and reporting
- Integrate internal audit findings with risk management updates automatically
Clause 9.2 is the requirement to conduct internal audits at planned intervals to verify that the ISMS conforms to the organization's own requirements and to the standard, and that it is effectively implemented and maintained.
The standard requires 'planned intervals' defined by the organization. Typically, a full audit of the ISMS is conducted annually, though it can be split into smaller audits throughout the year.
The audit program must define the frequency, methods, responsibilities, planning requirements, and reporting for audits, taking into account the importance of the processes concerned and the results of previous audits. The audit criteria and scope must be defined for each individual audit.
You define the scope and criteria, select objective auditors, collect evidence (documents, interviews, observations), evaluate conformity, and report results to management. WatchDog Security's Compliance Center can help structure the audit scope by control set, centralize evidence collection, and retain auditor notes and outputs as consistent documented information.
A checklist should map to the ISO 27001 clauses (4-10) and the Annex A controls in scope, providing space to record the evidence examined, observations, and the result for each item: conformity, nonconformity (minor or major), or an opportunity for improvement. Recording the specific evidence sampled (document reference, system, date) is what makes the finding verifiable at the follow-up audit.
Auditors must be competent (Clause 7.2) and impartial. They do not necessarily need certification but must understand the standard and not audit their own work.
Internal audits (Clause 9.2) are conducted by the organization itself (or consultants acting on its behalf) to check conformity and drive improvement. External certification audits are conducted by an accredited certification body to grant the ISO certificate and, through periodic surveillance audits, to maintain it. The certification body will ask for the internal audit results, so the internal audit should be completed before the certification audit.
Identify all processes and controls to be audited, assign a schedule (e.g., Q1 for HR, Q2 for IT), assign auditors who are independent of those areas, and define the reporting timeline.
Internal audits often break down when evidence is scattered across systems and auditors rely on ad-hoc sampling with inconsistent documentation. WatchDog Security's Compliance Center helps by organizing controls by clause, maintaining an evidence library mapped to each requirement, and highlighting gaps before the audit so auditors can focus on evaluating conformity rather than chasing artifacts.
Audit findings only improve the ISMS if they translate into owned, time-bound corrective actions with verification of completion. WatchDog Security's Risk Register can help document findings as risks or issues, assign owners and due dates, track treatment plans, and produce status reporting that supports Clause 9.2 follow-through and management review.
"The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization's own requirements... 2) the requirements of this document; b) is effectively implemented and maintained."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-18 | WatchDog Security GRC Team | Initial publication |