ISO 27001:2022 requires organisations to conduct internal audits at planned intervals as a mandatory component of maintaining their Information Security Management System (ISMS). Clause 9.2 (Internal audit) requires audits that determine whether the ISMS conforms to the organisation's own requirements and to the standard, and whether it is effectively implemented and maintained. For organisations in high-risk sectors (financial services, healthcare, critical infrastructure and the defence supply chain) the internal audit programme carries additional weight: it is both a certification requirement and a key mechanism for demonstrating compliance to sector regulators.
Under IAF MD 26:2023, accredited ISO 27001:2013 certificates expire or are withdrawn by 31 October 2025, which adds urgency for organisations to update their internal audit programmes to the 2022 edition. The 2022 edition restructures Annex A into 93 controls across four themes (organisational, people, physical and technological), introduces 11 new controls, and reorders Clause 10 so that continual improvement comes first. All of these are areas that internal auditors must assess. An internal audit that merely checks for the presence of controls without evaluating their operating effectiveness misses the standard's intent and leaves the organisation exposed to certification non-conformities and regulatory gaps.
In this article, our team examines how to conduct effective ISO 27001 internal audit programmes in high-risk sectors, the critical elements of an ISMS audit, and how our consultants help organisations build audit functions that satisfy both certification and regulatory requirements.
What an ISO 27001 Internal Audit Requires
An ISO 27001 internal audit under the 2022 standard must address several key requirements specified in Clause 9.2 and its associated guidance:
- Audit programme: The organisation must establish, implement, and maintain an audit programme that includes the frequency, methods, responsibilities, planning requirements, and reporting requirements for internal audits. The programme must be risk-based, considering the importance of the processes and areas to be audited and the results of previous audits.
- Audit criteria and scope: Clause 9.2.2 requires the audit criteria and scope to be defined for each audit. The criteria are the ISO 27001:2022 standard, the organisation's own ISMS policies and procedures, and any applicable legal, regulatory or contractual requirements; the audit evaluates conformity against them.
- Auditor competence and independence: Auditors must be competent, impartial, and objective. In practice, this means that auditors cannot audit their own work — a challenge for smaller organisations where the same person may be responsible for both ISMS implementation and internal audit.
- Audit execution: Audits must be conducted systematically, with documented findings (conformities, non-conformities, observations, and opportunities for improvement), evidence to support findings, and clear reporting to relevant management.
- Corrective action: Non-conformities identified during internal audits must be addressed through corrective actions, with root cause analysis, action plans, target dates, and verification of effectiveness.
- Management review input: Internal audit results must be included as an input to the management review process (Clause 9.3), ensuring that top management has visibility into the ISMS's performance and any areas requiring attention.
A comprehensive compliance audit checklist is an essential tool for ensuring consistent, thorough coverage across audit cycles. The checklist should cover all relevant clauses of ISO 27001:2022 — from context of the organisation (Clause 4) through continual improvement (Clause 10) — as well as the specific Annex A controls that the organisation has selected in its Statement of Applicability.
Why Effective ISMS Audits Matter in High-Risk Sectors
For organisations in high-risk sectors, the internal audit programme serves functions that go beyond ISO 27001 certification maintenance. The FCA, for example, expects financial services firms to maintain independent assurance over their risk management and control frameworks. While the FCA does not prescribe ISO 27001, an effective ISMS audit that identifies control weaknesses, tests the operating effectiveness of security controls, and reports findings to management provides exactly the kind of independent assurance that regulators expect.
For healthcare organisations handling sensitive patient data, internal audits provide evidence for the NHS Data Security and Protection Toolkit (DSPT) and demonstrate to the ICO that data protection by design and by default is embedded in operations. For defence supply chain organisations working toward CMMC 2.0 certification, internal audit findings against NIST SP 800-171 controls provide the basis for the Plans of Action and Milestones (POA&Ms) that the DoD permits for a limited set of unmet controls, with a 180-day closeout.
The internal audit programme also plays a critical role in the organisation's continual improvement cycle. ISO 27001:2022 reorders Clause 10 so that continual improvement (Clause 10.1) now precedes nonconformity and corrective action (Clause 10.2), signalling that improvement is expected as an ongoing activity rather than only as a response to findings. Internal audits that identify non-conformities and opportunities for improvement, track corrective actions to closure, and verify the effectiveness of those actions create a documented improvement cycle that certification auditors and regulators can review.
Practical Implementation Steps for Internal Audits
Our team recommends the following structured approach to building and executing an effective ISO 27001:2022 internal audit programme:
- Develop the audit programme: Define the annual audit schedule, balancing full coverage of the ISMS with risk-based prioritisation. Higher-risk areas — such as access controls, incident management, and supplier security — should be audited more frequently. Lower-risk areas may be covered on a longer cycle.
- Select and train auditors: Identify internal staff with appropriate competence to conduct audits — knowledge of ISO 27001:2022, auditing techniques, and the organisation's operations. Where internal resources are limited or independence cannot be maintained, engage external auditors who can provide impartial assessment.
- Develop audit checklists and tools: Create detailed audit checklists covering each ISMS clause and applicable Annex A control. The checklist should include specific questions, evidence to examine, and acceptance criteria. Update checklists for the 2022 standard's restructuring and new controls.
- Plan and scope each audit: For each audit in the programme, define the scope (which clauses, controls, processes, or locations), objectives, criteria, team, and schedule. Communicate the plan to auditees in advance to ensure availability of relevant personnel and evidence.
- Conduct the audit: Execute the audit through document review, interviews, observation, and testing. Gather evidence systematically; objective evidence is the basis for every finding. Document findings as they arise, distinguishing between conformities, non-conformities, and observations or opportunities for improvement. Grading non-conformities as major or minor mirrors certification-body practice under ISO/IEC 17021-1; ISO 27001 itself only requires that nonconformities be identified and acted on, so define the grading criteria in the audit procedure if you use them.
- Report findings: Prepare clear, actionable audit reports that communicate findings, evidence, and recommended corrective actions to process owners and management. Ensure that non-conformities include root cause analysis and agreed corrective action plans with target dates.
- Track and verify corrective actions: Monitor corrective actions to closure, verify their effectiveness through follow-up review or re-audit, and update the audit programme based on lessons learned.
Common Internal Audit Pitfalls
Several recurring issues undermine the effectiveness of ISO 27001 internal audits in high-risk sectors. The most common is inadequate auditor independence — particularly in smaller organisations where the person responsible for ISMS implementation also conducts the internal audit. Certification auditors identify this as a non-conformity under Clause 9.2's requirement for impartial and objective auditors.
Another frequent issue is audit fatigue — organisations that schedule audits too frequently or too broadly without risk-based prioritisation find that audit quality suffers and auditees become less engaged. A well-designed audit programme balances thorough coverage with operational practicality.
A third issue is the tendency to focus on documentation rather than operating effectiveness. An internal audit that confirms that policies exist and records are complete, but does not test whether controls operate effectively in practice, provides false assurance. For example, confirming that an access review procedure exists says nothing about whether leavers' accounts are actually disabled; sampling recent leavers from HR records and checking their accounts in the directory does. Auditors must go beyond document review to test control operation through observation, interview, and technical testing.
How Our Team Supports Internal Audit Programmes
Pyralink Innovation Ltd provides internal audit support services for organisations in high-risk sectors. Our team's consultants can serve as independent internal auditors — where the organisation does not have the internal resource or independence to conduct its own audits — or provide audit programme design, auditor training, and quality assurance for existing internal audit functions. We work across multiple regulatory regimes, ensuring that internal audits address not only ISO 27001:2022 requirements but also sector-specific regulatory expectations.
Our CloudAuditX platform streamlines the audit process by providing real-time visibility into control implementation, automated evidence collection, and audit trail management — reducing the administrative burden of audit preparation and enabling auditors to focus on testing rather than document collection.
Frequently Asked Questions
How often should ISO 27001 internal audits be conducted?
Clause 9.2 requires audits at planned intervals. For most organisations, a practical approach is a rolling programme of audits throughout the year — each focusing on specific clauses, controls, or processes — ensuring full coverage of the ISMS at least annually. Higher-risk areas should be audited more frequently, while lower-risk areas may be audited on a longer cycle.
Can the same person implement the ISMS and conduct internal audits?
Not for the parts of the ISMS they implemented. Clause 9.2 requires auditors to be objective and impartial, and they cannot audit their own work. In practice, this means the person responsible for ISMS implementation cannot serve as the sole internal auditor. Organisations may rotate auditors across different processes or engage external auditors to maintain independence.
What is the difference between first-party, second-party, and third-party audits?
First-party audits are internal audits conducted by the organisation itself (or by an external party on its behalf). Second-party audits are conducted by parties with an interest in the organisation, typically its customers, or by others on their behalf. Third-party audits are conducted by independent external bodies, such as the UKAS-accredited certification bodies that issue ISO 27001 certificates. ISO 27001 requires first-party audits (Clause 9.2); certification itself is granted through third-party audits, and second-party audits may be required by customers or regulators.
What should an ISO 27001 internal audit report include?
An internal audit report should include the audit scope, objectives, criteria, team, and schedule; a summary of findings including conformities, non-conformities (classified as major or minor), observations, and opportunities for improvement; evidence supporting each finding; root cause analysis for non-conformities; agreed corrective actions with target dates and responsible owners; and any recommendations for ISMS improvement.
Ready to strengthen your ISO 27001 internal audit programme? Explore our vCISO services → or Get your free compliance score →