InfoSec

ISO 27001 Internal Audit: How to Run One Before Certification

What clause 9.2 requires, the four steps to run an internal audit, and how it sets up your certification audit.

Author
Dr. Kilian Schmidt
Date
16.9.2025
Updated on
13.7.2026
ISO 27001 Internal Audit: How to Run One Before Certification

What clause 9.2 requires, the four steps to run an internal audit, and how it sets up your certification audit.

An ISO 27001 internal audit is your own check of the ISMS before an external auditor ever sees it. ISO 27001 clause 9.2 makes it mandatory: at planned intervals you assess whether your information security management system meets both your own policies and the requirements of the standard, then fix what you find. Done well, the internal audit is what makes the certification audit predictable rather than a gamble. This article covers what the internal audit is, who runs it, the four steps to complete one, and how it feeds into the external audit it precedes.

If you are looking for the certification side of the process instead, see our guide on how to prepare for an external audit. This post is the internal half that comes first.

What is an ISO 27001 internal audit?

It is a structured self-assessment of your ISMS against two yardsticks: your own documented policies and procedures, and the requirements of ISO 27001, meaning the management clauses 4 to 10 and the Annex A controls you have declared applicable. In the standard's Plan-Do-Check-Act cycle, the internal audit is the "Check". It surfaces non-conformities that would otherwise stay hidden until a certification body finds them, when they are far more expensive to fix.

The output is an internal audit report that goes to management, and it is the main input to the management review. On the strength of that review, leadership decides whether the organisation is ready to apply for certification. So the internal audit is not paperwork for its own sake; it is the evidence base for the readiness decision.

Internal audit vs external audit

They are different exercises with different purposes, and confusing them is where programmes go wrong. The internal audit is your rehearsal; the external audit is the independent verdict. The table sets out who does what.

Internal audit External audit
PurposeSelf-check the ISMS and find gaps before certificationIndependent verification for certification or attestation
Who performs itYour own staff, or a hired consultant (still counts as internal)An accredited certification body or independent auditor
Measured againstClause 9.2: your policies plus clauses 4–10 and Annex AThe standard, via the certification body's methodology
OutputInternal audit report feeding the management reviewCertificate, or findings to close first
FrequencyAt planned intervals, typically annually and before certificationCertification, then annual surveillance; recertification every three years

Because the internal audit directly de-risks the external one, the two belong together in your planning. When you finish reading this, the natural next step is the external audit preparation checklist.

The internal audit process in four steps

A defensible ISO 27001 internal audit follows the same four steps every time, which is what makes it repeatable rather than a one-off scramble.

  1. Define the scope. Decide which systems, processes, functions, departments and locations the audit covers, and which requirements and controls apply. An audit plan documents this so nothing in the ISMS is silently left out.
  2. Collect and document evidence. Gather the evidence that shows each control is implemented and operating: policies, risk assessment and treatment plans, the Statement of Applicability, control logs and records, and corrective actions. Evidence that is hard to produce or trace is the most common source of delay, which is why continuous, automated evidence collection helps.
  3. Write the internal audit report. Review documentation and controls, observe procedures in action, and interview control owners. Record every non-conformity, observation and area for improvement, with the action items to close them before certification.
  4. Hold the management review. Present the report to leadership. Management judges whether the ISMS is effective and suitable, and decides whether the organisation is ready for the certification audit.

Who can run the internal audit?

Your own staff can, but the auditor must be independent of the area being audited. Someone with decision-making power over the controls they are auditing has a conflict of interest and can skew the result, so auditors should not review their own work. Smaller teams often lack a truly independent internal candidate, in which case you can bring in an external consultant to run it. Even then it still counts as an internal audit, because it serves your readiness decision rather than issuing a certificate.

Frequently asked questions

Is an internal audit mandatory for ISO 27001?

Yes. Clause 9.2 requires internal audits at planned intervals. Without them you cannot demonstrate the "Check" stage of the management system, and a certification body will raise it as a non-conformity.

How often should you run an ISO 27001 internal audit?

At planned intervals, which for most organisations means at least annually, plus a full internal audit before the initial certification audit. High-risk areas may warrant more frequent checks.

What is the difference between an internal and external audit?

The internal audit is your own assessment to find and fix gaps before certification. The external audit is conducted by an accredited certification body to verify compliance and issue the certificate. See the external audit preparation guide for that stage.

See how Kertos runs your ISO 27001 internal audit with automated evidence collection and expert support: book a demo.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

ISO 27001 Internal Audit: How to Run One Before Certification
Ready, your compliance to put on autopilot?
Dr. Kilian Schmidt

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.

Ready to simplify GDPR compliance?

CTA Image

📅 Schedule Your 5min Compliance Check

Please enter your business email to continue. We require a company email address to ensure we can best serve your organization.

📞 5min Compliance Check