Your Certification Auditor is Not Your Enemy — But Your ISMS Audit Programme Might Be
Every organisation pursuing ISO 27001:2022 certification eventually faces the same unshakeable dread: the external audit. You have built the policies, mapped the risks, and trained the staff. Then the lead auditor arrives and, within three hours, identifies three non-conformities in your internal audit records. The certification is delayed by ten weeks. The cost overruns hit £14,000. The board demands answers.
This is not a hypothetical. Our consultants have walked into dozens of pre-certification reviews where the internal audit programme — the single most scrutinised control in Clause 9.2 — was treated as a box-ticking exercise. The result is always the same: corrective action plans, re-audits, and a bruised relationship with the certifying body. By June 2026, with the UK Cyber Security and Resilience Bill progressing through Parliament and supply chain security clauses tightening across regulated sectors, the margin for error is zero.
Here is the hard truth: a robust ISO 27001:2022 internal audit programme does not exist to satisfy the auditor. It exists to find the gaps you cannot see. If your internal audits are shallow, your ISMS is fragile. If your ISMS audit schedule is a calendar event you rush through each quarter, you will fail certification — or worse, you will pass but remain exposed.
This article covers the three steps that separate organisations that cruise through certification from those that scramble for extensions. We name the regulations that apply to UK businesses. We avoid scare-mongering. We give you actionable steps you can implement next Monday.
1. Build an Audit Schedule That Matches Your Risk Appetite, Not the Calendar
The most common mistake we see is the "one-size-fits-all" audit schedule. A firm with 200 employees, three cloud providers, and a legacy on-premise server room audits every control annually. A micro-business with 12 employees and one SaaS tool does the same. Neither schedule makes sense.
Under ISO 27001:2022, Clause 9.2 requires your organisation to conduct internal audits at "planned intervals." The standard deliberately avoids prescribing a frequency. It demands that your ISMS audit schedule reflect risk, business change, and the importance of the processes being audited. That means you must justify — and document — why you audit certain controls quarterly and others every eighteen months.
What This Looks Like in Practice
Start by classifying your controls into three risk tiers:
- High-risk (quarterly): Access control (A.9), supplier relationships (A.15), incident management (A.16), business continuity (A.17). These controls change frequently and failure impacts are severe.
- Medium-risk (semi-annual): Asset management (A.8), physical security (A.11), information classification (A.8.2). Stable controls but still critical.
- Low-risk (annual): Policy review (A.5), internal audit records (A.17 — meta, yes), organisational responsibilities. Low change rate, low failure impact.
Document this rationale in your ISMS audit schedule. Your external auditor wants to see evidence of risk-informed decision-making, not a photocopied checklist from a template website. We cover this approach in detail on our ISO 27001 certification page, where we break down the full compliance roadmap for UK firms.
2. Audit Evidence Collection: Stop Writing Paragraphs. Start Collecting Real Proof.
Nothing torpedoes an internal audit faster than an auditor who writes "the policy is adequate" without verifying it. We have seen internal audit reports that are essentially prose summaries — pages of narrative with no attached screenshots, no system logs, no signed review forms, no evidence of training completion.
ISO 27001:2022 is unambiguous: Clause 9.2(b) requires you to retain "documented information as evidence of the audit programme implementation and the audit results." That means your audit evidence collection must be verifiable by a third party who was not present during the audit.
The Evidence Collection Framework That Works
When our consultants conduct internal audits, we follow a three-part evidence rule:
- Observe the control in operation. Do not ask "do you have a backup policy?" Ask "show me the backup run last night. Show me the restore test log."
- Sample across time. One screenshot from last week proves nothing. Sample five days, four users, three systems. Randomised sampling defeats confirmation bias.
- Annotate every piece of evidence. File name, date of collection, auditor name, control reference. If a certification body cannot trace a log file back to your audit within thirty seconds, they will flag it.
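The three-part rule above as a small evidence manifest script, added here as an example and not code from the article or from the CloudAuditX platform it mentions: it hashes each artefact, records the annotations the rule demands, flags files a certification body could not trace, and flags controls evidenced on only one day. The evidence items and control references are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Annotations every evidence item must carry so a certification body can
# trace it back to the audit: file name, collection date, auditor, control.
REQUIRED = ("file", "collected", "auditor", "control")

# Constructed sample evidence (not real audit artefacts): "content" stands in
# for the bytes of the screenshot or log you would read from disk.
SAMPLE_EVIDENCE = [
    {"file": "priv-access-review-2026-03-02.png", "collected": "2026-03-02",
     "auditor": "J. Auditor", "control": "A.9.3.1",
     "content": b"screenshot: Domain Admins membership, 4 members"},
    {"file": "priv-access-review-2026-03-09.png", "collected": "2026-03-09",
     "auditor": "J. Auditor", "control": "A.9.3.1",
     "content": b"screenshot: Domain Admins membership, 5 members"},
    {"file": "supplier-security-schedule.pdf", "collected": "2026-03-05",
     "auditor": "", "control": "A.15.1.1",   # auditor name never recorded
     "content": b"security schedule signed 2025-11-01"},
]

def build_manifest(evidence):
    """Hash each artefact and copy its annotations; the hash lets a third
    party confirm the file they are shown is the one the audit relied on."""
    manifest = []
    for item in evidence:
        entry = {k: item.get(k, "") for k in REQUIRED}
        entry["sha256"] = hashlib.sha256(item["content"]).hexdigest()
        entry["missing"] = [k for k in REQUIRED if not entry[k]]
        manifest.append(entry)
    return manifest

def trace(manifest, control):
    """Everything collected for one control reference: the lookup an
    external auditor performs when they ask 'show me the evidence'."""
    return [e for e in manifest if e["control"] == control]

def sampling_gaps(manifest, min_dates=2):
    """Controls evidenced on fewer than min_dates distinct days; a single
    snapshot does not show the control operating over time."""
    dates = defaultdict(set)
    for e in manifest:
        dates[e["control"]].add(e["collected"])
    return sorted(c for c, d in dates.items() if len(d) < min_dates)

def unannotated(manifest):
    """Files that would be flagged because an annotation is missing."""
    return [e["file"] for e in manifest if e["missing"]]
```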
We recommend using a structured tool to automate this. Our CloudAuditX platform captures evidence from multi-cloud environments and maps it directly to ISO 27001:2022 control IDs. It eliminates the manual spreadsheet chaos that causes most audit failures. The free compliance scanner can give you a baseline of your current posture within ten minutes.
3. Close the Loop: Corrective Actions That Survive External Scrutiny
This is the step that separates mature ISMS from performative compliance. An internal audit identifies non-conformities. You write a corrective action. You assign it to a person. The deadline passes. The issue is forgotten. The external auditor finds the same non-conformity six months later. You get a major non-conformance, not a minor one.
ISO 27001:2022 Clause 10.1 requires corrective action to be "appropriate to the effects of the nonconformities encountered." That means you need root cause analysis, not surface-level fixes. If a user shared a password, the corrective action is not "remind them not to." The root cause is "no MFA enforcement and no privileged access management system." The corrective action is implementing conditional access policies and training the user on MFA usage — and then verifying compliance in the next audit cycle.
What Your Non-Conformity Register Must Contain
- Control reference (e.g., A.9.3.1 — Management of privileged access rights)
- Description of the finding — specific, datestamped, evidenced
- Root cause analysis — use 5 Whys or Fishbone. No more than one page.
- Corrective action plan — owner, budget, deadline, success criteria
- Verification of effectiveness — a re-audit within 90 days
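A register check that applies the five requirements above, added here as an example that is not code from the article or from Pyralink: it reports entries missing a required field, corrective actions past their deadline, and closed actions whose effectiveness was not verified within 90 days. The register entries, dates and owners are constructed sample data.

```python
from datetime import date, timedelta

# Fields every non-conformity register entry must carry.
REQUIRED = ("control", "finding", "root_cause", "owner", "deadline",
            "success_criteria")
VERIFICATION_WINDOW = timedelta(days=90)   # re-audit within 90 days of closure

# Constructed sample register (not a real client's). Dates are ISO strings;
# "closed" is when the corrective action was completed, "verified" when the
# re-audit confirmed it worked. Empty strings mean "not yet".
SAMPLE_REGISTER = [
    {"id": "NC-01", "control": "A.9.3.1",
     "finding": "Shared admin password observed 2026-02-10",
     "root_cause": "No MFA enforcement; no privileged access management",
     "owner": "IT lead", "deadline": "2026-03-15",
     "success_criteria": "Conditional access enforced for all admin accounts",
     "closed": "2026-03-10", "verified": "2026-05-20"},
    {"id": "NC-02", "control": "A.15.1.1",
     "finding": "Supplier contract has no security schedule (2026-02-12)",
     "root_cause": "", "owner": "Procurement", "deadline": "2026-02-28",
     "success_criteria": "Signed security schedule on file",
     "closed": "2026-03-05", "verified": ""},
    {"id": "NC-03", "control": "A.8.2",
     "finding": "Customer exports unclassified on shared drive (2026-02-14)",
     "root_cause": "Classification scheme not applied to exports",
     "owner": "Data owner", "deadline": "2026-04-01",
     "success_criteria": "All exports labelled per classification policy",
     "closed": "", "verified": ""},
]

def review_register(register, today):
    """Return {entry id: [problems]} for entries an auditor would question."""
    issues = {}
    for e in register:
        problems = [f"missing {k}" for k in REQUIRED if not e.get(k)]
        deadline, closed, verified = e.get("deadline"), e.get("closed"), e.get("verified")
        if deadline and not closed and today > date.fromisoformat(deadline):
            problems.append("corrective action overdue")
        if closed:
            verify_by = date.fromisoformat(closed) + VERIFICATION_WINDOW
            if not verified and today > verify_by:
                problems.append("effectiveness not verified within 90 days")
            elif verified and date.fromisoformat(verified) > verify_by:
                problems.append("verification later than 90 days after closure")
        if problems:
            issues[e["id"]] = problems
    return issues
```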
Your external auditor will read your non-conformity register before they start the onsite audit. If it shows closed-loop, verifiable corrective actions, they will trust your process. If it shows vague entries with no verification, they will dig deeper — and they will find more issues.
Common Mistakes That Kill Certification Attempts (and How to Avoid Them)
We have seen UK firms fail certification audits because of these three recurring errors:
Mistake 1: Treating internal audit as a management responsibility. A sales director or finance manager who conducts the internal audit is not qualified to assess access controls, encryption policies, or incident response procedures. Assign trained auditors — either internal staff with ISO 27001 Lead Auditor certification or an external vCISO. Our fractional vCISO service supplies qualified auditors at a predictable monthly cost, starting at £497/month.
Mistake 2: Auditing only the policies, not the implementation. A policy that says "passwords must be complex" is worthless if your Active Directory allows "Password123." Audit evidence collection must include system-level verification. Use automated scanning tools where possible.
Mistake 3: Ignoring supplier audits. If you outsource data processing, you must audit your suppliers. Clause A.15.1.1 requires that "information security requirements are established and agreed with external suppliers." The UK ICO has fined organisations for failing to verify their suppliers' compliance. Do not assume your cloud provider's SOC 2 covers your ISO 27001 obligations — it does not.
A Worked Example: The Six-Week Pre-Certification Sprint
A London-based fintech startup, 45 employees, fully cloud-native, targeting ISO 27001:2022 certification by June 2026. They had one previous failed attempt. Their internal audit programme was a quarterly 20-minute walkthrough. No evidence collected. No root cause analysis. No supplier audits.
Our team rebuilt their programme in six weeks:
- Week 1: Created a risk-tiered ISMS audit schedule. High-risk controls moved to monthly. Low-risk controls moved to annual.
- Weeks 2-3: Trained three internal staff as internal auditors (40-hour Lead Auditor course). They shadowed our consultants for the first cycle.
- Week 4: Conducted a full internal audit using structured audit evidence collection templates. Collected 47 evidence files across 24 controls.
- Week 5: Root cause analysis on 12 findings. Implemented corrective actions, including enabling MFA for third-party vendor access and reclassifying 200+ assets.
- Week 6: Verification audit. Zero non-conformities.
The external certification audit passed on first attempt. That is the difference between a programme built for the auditor and a programme built for security.
How Pyralink Innovation Ltd Delivers Certification-Ready Internal Audits
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team has implemented ISO 27001:2022 internal audit programmes in regulated environments — financial services, legal, healthcare, and SaaS. We hold £5 million professional indemnity insurance, so your board can rest easy.
When you engage us, you do not get a template. You get a structured programme built for your specific risk profile. We build your ISMS audit schedule, train your staff, conduct the first audit cycle with you, and verify evidence collection. If you need ongoing support, our fractional vCISO service provides continuous audit oversight for a flat monthly fee.
For multi-cloud environments, CloudAuditX automates audit evidence collection across AWS, Azure, and GCP. It maps every control to its ISO 27001:2022 reference, timestamps the evidence, and generates the auditable records your certification body requires. You can start with a free compliance scanner to see where you stand before committing to a full programme.
Two Steps to Take Today
You have three months to June 2026. That is enough time to build a certification-ready internal audit programme — if you start now. Do not wait until the external auditor is booked.
Run a free CloudAuditX scan →
Find the gaps in your ISMS audit schedule and evidence collection before the external auditor does. It takes ten minutes to set up.
Book a free security review →
Speak with one of our consultants for thirty minutes. We will assess your current internal audit maturity and tell you exactly what needs to change for your June 2026 certification.
Your certification depends on your internal audit programme. Make it audit-proof.