Internal audit programme
Plain English Translation
Clause 9.2.2 requires the organization to create a formal 'master schedule' for its audits. Instead of performing random checks, you must establish a structured programme that defines exactly when audits will happen, what specific areas will be checked (scope), how they will be checked (methods), and who will do the checking. Crucially, this schedule should not be arbitrary; it must prioritize areas that are higher risk or have had problems in the past.
Technical Implementation
Required Actions (startup)
- Contract an external firm to conduct the full internal audit once per year
- Define a simple audit scope that covers the entire ISMS in one go
- Store the audit plan and report in a secure folder
Required Actions (scaleup)
- Develop a rolling 3-year audit strategy ensuring all controls are tested at least once
- Schedule internal audits quarterly, focusing on different domains each quarter
- Train internal staff to conduct 'peer audits' on departments they do not work in
Required Actions (enterprise)
- Establish a dedicated Internal Audit function with specialized IT auditors
- Integrate audit scheduling with GRC platforms to auto-notify control owners
- Utilize continuous auditing techniques where scripts test controls daily
Clause 9.2.2 requires the organization to plan, establish, and maintain a structured schedule (programme) for conducting audits, including the frequency, methods, responsibilities, planning requirements, and reporting.
Create a document (e.g., spreadsheet or GRC plan) listing all ISMS processes and controls. Assign audit dates based on risk (high risk = more frequent). Define who will audit each area and what criteria (e.g., ISO 27001, internal policy) will be used. WatchDog Security's Compliance Center can help maintain the control inventory, map audits to scope and criteria, and keep the supporting evidence and reports organized by cycle.
The standard requires 'planned intervals.' Most organizations operate on an annual cycle, auditing the entire ISMS once a year, or splitting it into smaller quarterly audits covering different scopes.
The programme must include the frequency of audits, the methods to be used (interviews, sampling), responsibilities (who audits), planning requirements (scope/criteria), and reporting mechanisms.
There is no fixed frequency (e.g., 'monthly'). Frequency should be determined by the importance of the processes concerned and the results of previous audits (e.g., areas with past failures should be audited sooner).
Auditors are responsible for conducting audits objectively and impartially. They must define the scope and criteria for their specific audit and report the results to relevant management.
Map out the calendar year. Ensure critical areas (like User Access or Risk Management) are scheduled. Ensure availability of auditors and auditees. Allow time for remediation before the external certification audit.
Common methods include inquiry (interviews), observation (watching processes), inspection (reviewing documents/logs), and re-performance (testing controls yourself).
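As an added example (not the page's or WatchDog Security's code), a small Python scheduler that applies the risk-based frequency rule described above to a constructed control inventory: high-risk areas and areas with prior findings come up sooner, every control is covered within a rolling three-year programme, and audits that would land inside the remediation buffer before the external certification audit are flagged. The interval values, the risk-to-method mapping and the sample controls are assumptions.

```python
from datetime import date, timedelta

# Constructed sample control inventory (illustrative values, not a real ISMS).
# risk: 1 = low, 2 = medium, 3 = high. prior_findings: nonconformities from
# the last audit. last_audited: None if the area has never been audited.
CONTROLS = [
    {"area": "User Access", "owner": "IT Ops", "risk": 3,
     "prior_findings": 2, "last_audited": date(2025, 11, 10)},
    {"area": "Risk Management", "owner": "CISO", "risk": 3,
     "prior_findings": 0, "last_audited": date(2025, 9, 1)},
    {"area": "Supplier Security", "owner": "Procurement", "risk": 2,
     "prior_findings": 1, "last_audited": None},
    {"area": "Physical Security", "owner": "Facilities", "risk": 1,
     "prior_findings": 0, "last_audited": date(2025, 6, 15)},
]

# Assumed policy: high-risk areas are re-performed, medium inspected, low
# covered by inquiry. Replace with your own scope/criteria decisions.
METHOD_BY_RISK = {3: "re-performance", 2: "inspection", 1: "inquiry"}

def interval_days(risk, prior_findings):
    """Risk-based interval: high = quarterly, medium = semi-annual, low = annual.
    Each prior finding pulls the next audit forward 30 days, floored at 90."""
    base = {3: 90, 2: 180, 1: 365}[risk]
    return max(90, base - 30 * prior_findings)

def build_programme(controls, start, years=3):
    """Dated audit entries for a rolling programme of `years` years.
    Never-audited areas are scheduled 30 days after `start`, and overdue areas
    are pulled to `start`, so every control is covered in the first cycle."""
    end = start + timedelta(days=365 * years)
    programme = []
    for c in controls:
        step = timedelta(days=interval_days(c["risk"], c["prior_findings"]))
        if c["last_audited"] is None:
            due = start + timedelta(days=30)
        else:
            due = max(c["last_audited"] + step, start)
        while due <= end:
            programme.append({"date": due, "area": c["area"], "owner": c["owner"],
                              "method": METHOD_BY_RISK[c["risk"]]})
            due += step
    return sorted(programme, key=lambda e: e["date"])

def remediation_conflicts(programme, cert_audit, buffer_days=60):
    """Audits landing inside the remediation buffer before the certification
    audit leave no time to close findings; return them for rescheduling."""
    window_start = cert_audit - timedelta(days=buffer_days)
    return [e for e in programme if window_start <= e["date"] < cert_audit]
```

Feed the resulting entries into the spreadsheet or GRC plan as the audit calendar, and re-run the scheduler after each audit with updated finding counts so the frequency keeps tracking the results of previous audits.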
Risk-based scheduling gets messy when scope, criteria, owners, and evidence live in different places and change over the year. WatchDog Security's Compliance Center can help by mapping the audit programme to control owners, storing scope and criteria per audit, and highlighting gaps when required inputs or evidence are missing ahead of the planned audit window.
Audit outputs are only useful if you can later prove what was tested, what evidence was examined, and what was reported to management. WatchDog Security's Secure File Sharing can help protect sensitive audit packages with encrypted sharing, access controls, and audit logs, while WatchDog Security's Compliance Center can link finalized reports and evidence to the relevant audit cycle for retrieval during management review.
"The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting... The organization shall define the audit criteria and scope for each audit; select auditors and conduct audits that ensure objectivity and the impartiality of the audit process."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-18 | WatchDog Security GRC Team | Initial publication |