Your ISO 27001:2022 surveillance audit is in six weeks. The certification body has requested evidence of your internal audit programme. You pull up last year's internal audit report and realise it's a two-page checklist with "compliant" ticked against every control. No findings. No observations. No evidence of corrective actions. That report will not survive scrutiny — and your certification is now at risk.

Internal audits are not a box-ticking exercise. They are the mechanism by which your Information Security Management System (ISMS) demonstrates continual improvement. Certification bodies know the difference between a genuine internal audit programme and a performative one. The 31 October 2025 transition deadline for ISO 27001:2022 has passed. If you transitioned, your certification body now expects your internal audits to reflect the restructured controls in Annex A and the updated requirements in clauses 4 to 10. If your internal audit programme hasn't evolved, your next surveillance audit will expose that gap.

This post covers what certification bodies actually look for in internal audits, the mistakes that trigger nonconformities, and how to build an audit programme that survives external scrutiny.

What ISO 27001:2022 Requires from Internal Audits

Clause 9.2 of ISO 27001:2022 sets out the internal audit requirements. The standard requires you to conduct internal audits at planned intervals to determine whether your ISMS conforms to your own requirements, the requirements of the standard, and is effectively implemented and maintained.

That last part matters. "Effectively implemented and maintained" is not the same as "documented and approved." Your certification body expects evidence that controls are operating as intended, not just that policies exist. The internal audit must assess operational effectiveness, not just design adequacy.

The 2022 revision consolidated Annex A from 114 controls across 14 domains to 93 controls across 4 themes: organisational, people, physical, and technological. Controls were merged, renumbered and, in 11 cases, newly introduced, so a one-to-one mapping from the old checklist does not exist. Your internal audit programme must reflect this restructure. If your audit checklists still reference the 2013 control numbering, you're auditing against an obsolete framework; use the correspondence table in Annex B of ISO/IEC 27002:2022 to remap legacy checklists rather than guessing at equivalences.

What Certification Bodies Actually Scrutinise

External auditors from certification bodies are looking for specific evidence that your internal audit programme is substantive. Here's what triggers concern:

Audit Independence

Clause 9.2.2(c) requires you to select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process. In practice that means nobody audits their own work: if your IT manager audited the controls they own and operate, that's a nonconformity. Small organisations struggle with this because they have limited staff. The solution is not to skip the independence requirement; it's to use external support or cross-functional auditors who did not implement or operate the controls they're assessing, and to record that reasoning in the audit programme.

Audit Scope Coverage

Your internal audit programme must cover the entire ISMS scope over a defined cycle. Certification bodies check whether you've audited every control marked applicable in your Statement of Applicability and every requirement in clauses 4 to 10 within your certification cycle (typically three years, with a surveillance visit each year). Cherry-picking the easy controls and avoiding the difficult ones, such as supplier management (A.5.19 to A.5.22) or cloud services security (A.5.23), will be noticed.

Evidence of Findings

An internal audit that finds nothing is rarely a good audit. It is usually a superficial audit, or a sign that your auditor lacks the competence to identify issues. Certification bodies expect to see minor nonconformities, observations, and opportunities for improvement, and they want to see your corrective action process in action. A report with no findings of any kind is a red flag that invites the external auditor to dig harder.

Corrective Action Follow-Through

Clause 10.2 requires you to address nonconformities through corrective action. Your certification body will trace findings from your internal audit through to closure. If your internal audit identified a gap in access review processes six months ago and no corrective action was taken, that's a systemic failure of your ISMS management.

Common Mistakes That Trigger Nonconformities

These are the errors I see repeatedly when reviewing organisations' internal audit programmes:

  • Using generic checklists: Downloaded templates that don't reflect your actual scope, risk treatment plan, or Statement of Applicability. Your internal audit must assess your ISMS, not a theoretical one.
  • No audit programme: Conducting audits ad hoc rather than against a planned programme that ensures full coverage. Clause 9.2.2(a) explicitly requires a programme.
  • Competence gaps: Auditors who don't understand the controls they're assessing. If your internal auditor doesn't know what A.8.15 (logging) requires operationally (that logs of activities, exceptions, faults and other relevant events are produced, stored, protected and analysed), they cannot assess whether it's effective; they will check that a logging policy exists and stop there.
  • No management review input: Internal audit results must feed into management review (clause 9.3). If your management review minutes don't reference internal audit findings, that linkage is broken.

Building an Internal Audit Programme That Works

Start with your Statement of Applicability. Map every applicable control to an audit activity. Assign audit dates across your surveillance cycle so that all controls are covered before your next external audit. Document this in an audit programme — a simple table showing control reference, audit date, auditor assigned, and status.

For each audit, prepare an audit plan that specifies scope, criteria, methods, and schedule. Conduct the audit by examining evidence: configurations, logs, records, interviews with control owners. Document findings with specific evidence, not vague statements. "Access reviews not conducted quarterly as required by policy — last review dated March 2024" is a finding. "Access management could be improved" is not.

Raise corrective actions for nonconformities. Track them to closure. Ensure the management review agenda includes internal audit results as a standing item. This creates the documented evidence trail your certification body expects.
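The three checks above (full coverage of applicable controls before the external visit, auditor independence, and corrective actions tracked to closure) are easy to automate once the programme lives in a table rather than a Word document. The following script is an added illustration, not tooling from the post or from Pyralink: it reads a constructed Statement of Applicability extract, audit programme and findings register, and reports the gaps a certification body would find. Column names, the CSV layout and the 90-day open-finding threshold are assumptions; the control identifiers follow ISO/IEC 27001:2022 Annex A numbering.

```python
"""Coverage, independence and follow-through checks over an ISO 27001:2022
internal audit programme.  Added illustration; all data is constructed and
the column layout is an assumption, not a format the post prescribes."""
import csv
import io
from datetime import date

# Constructed Statement of Applicability extract: control, applicable?, owner.
SOA_CSV = """control,applicable,owner
A.5.19,yes,procurement
A.5.23,yes,cloud-platform
A.8.15,yes,it-ops
A.8.16,yes,it-ops
A.7.4,no,facilities
"""

# Constructed audit programme: which control is audited when and by whom.
PROGRAMME_CSV = """control,audit_date,auditor,status
A.5.19,2025-03-10,external-auditor,complete
A.8.15,2025-06-02,it-ops,complete
A.8.16,2026-01-15,internal-audit,planned
"""

# Constructed findings register: nonconformities and corrective action closure.
FINDINGS_CSV = """finding_id,control,raised,severity,corrective_action_closed
F-01,A.5.19,2025-03-10,minor,2025-05-20
F-02,A.8.15,2025-06-02,minor,
"""


def load(text):
    """Parse an embedded CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def coverage_gaps(soa, programme, next_external_audit):
    """Applicable controls with no audit dated before the external visit."""
    covered = {r["control"] for r in programme
               if date.fromisoformat(r["audit_date"]) < next_external_audit}
    return sorted(r["control"] for r in soa
                  if r["applicable"] == "yes" and r["control"] not in covered)


def independence_breaches(soa, programme):
    """Audits where the assigned auditor is the owner of the control audited."""
    owner = {r["control"]: r["owner"] for r in soa}
    return sorted(r["control"] for r in programme
                  if owner.get(r["control"]) == r["auditor"])


def overdue_corrective_actions(findings, today, max_open_days=90):
    """Nonconformities still open for longer than max_open_days (assumed threshold)."""
    overdue = []
    for f in findings:
        if f["corrective_action_closed"]:
            continue
        age = (today - date.fromisoformat(f["raised"])).days
        if age > max_open_days:
            overdue.append((f["finding_id"], f["control"], age))
    return overdue


def run_checks(today=date(2025, 11, 1), next_external_audit=date(2025, 12, 15)):
    """Run all three checks against the embedded extracts and return a dict."""
    soa, programme, findings = load(SOA_CSV), load(PROGRAMME_CSV), load(FINDINGS_CSV)
    return {
        "coverage_gaps": coverage_gaps(soa, programme, next_external_audit),
        "independence_breaches": independence_breaches(soa, programme),
        "overdue_corrective_actions": overdue_corrective_actions(findings, today),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result or 'none'}")
```

On the constructed data the script flags A.5.23 (never scheduled) and A.8.16 (scheduled after the external visit) as coverage gaps, A.8.15 as an independence breach because it-ops audited its own logging control, and finding F-02 as a corrective action open for 152 days. Each of those is exactly the kind of trace a certification body auditor performs by hand; running it before every surveillance visit means you find the gap first.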

How Pyralink Supports Your Internal Audit Programme

Pyralink Innovation Ltd provides practical internal audit support for organisations maintaining ISO 27001:2022 certification. As a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC), we deliver internal audits that meet independence requirements while identifying genuine improvement opportunities.

Our CloudAuditX platform provides automated evidence collection for cloud security controls, covering A.5.23 (information security for use of cloud services) and the A.8 technological controls, and generates audit-ready reports that demonstrate control effectiveness. This addresses one of the most common challenges in UK compliance audits: proving that live cloud configurations match what your policies require.

For organisations needing ongoing support, our fractional vCISO service (from £497/month) includes internal audit programme management, ensuring your ISMS audit cycle stays on track between certification body visits. Pyralink holds £5M professional indemnity insurance, providing assurance for audit and advisory engagements.

Your ISO 27001:2022 internal audit programme is the foundation of your certification. Build it properly, or risk losing the certification you worked to achieve.

Run a free CloudAuditX scan →

Book a free security review →