Key Takeaways
- ISO 27001 clause 9.2 requires internal audit at planned intervals to verify the ISMS conforms to the standard and is effectively implemented and maintained.
- Auditor independence: auditors cannot audit their own work. Internal team can audit other parts of the organisation; cross-team rotation common; external consultants common for very small organisations.
- Audit programme: covers all ISMS clauses and applicable Annex A controls over a defined period (typically 1 to 3 years).
- Findings classification: Major non-conformity (significant gap, must be closed before certification), Minor non-conformity (isolated gap, must be closed but does not block certification), Observation (situation noted, not formally a finding), OFI (opportunity for improvement, a suggestion rather than a finding).
- Corrective action tracking: every non-conformity has root cause analysis, correction, corrective action, target date, evidence of closure.
Why Internal Audit Matters
Internal audit is the formal mechanism by which the organisation verifies that the ISMS is working as intended before the external auditor arrives. Done properly, it surfaces gaps in time to remediate them. Done as paperwork, it produces a clean report that the external auditor discredits within hours by finding the gaps internal audit missed.
ISO 27001 clause 9.2 makes internal audit mandatory. The clause requires audits at planned intervals, a defined scope and criteria for each audit, auditors selected for objectivity and impartiality, results reported to relevant management, and documented evidence of the programme and the results. External auditors check each of these elements when they review the audit programme.
Auditor Selection and Independence
Clause 9.2.2 (internal audit programme) requires that auditors are selected and audits conducted in a way that ensures objectivity and impartiality. Auditors cannot audit their own work: the implementer or owner of a control cannot audit that control.
Practical models: cross-team rotation in mid-size and large organisations (the engineering team audits HR, HR audits finance, finance audits engineering, etc., with central facilitation), dedicated internal audit function in large organisations, external consultant-led internal audit in small organisations or where independence cannot be ensured internally.
Auditor competence: ISO 19011 (guidelines for auditing management systems) is the reference. Lead Auditor certification (IRCA, Exemplar Global) is the recognised credential. Codesecure delivers consultant-led internal audits for clients without sufficient in-house auditor capacity.
Need Compliance Programme Help?
Codesecure delivers ISO 27001, SOC 2, PCI DSS, DPDP, HIPAA, GDPR, RBI, SEBI and NIST CSF programmes for Indian businesses. ISO/IEC 27001:2022 certified delivery, named ISO 27001 LA consultants, fixed-price proposals.
See Compliance Services →
Audit Programme Planning
The audit programme covers all ISMS clauses (4-10) plus all applicable Annex A controls over a defined period, typically 1 to 3 years. Risk-based prioritisation: high-risk areas audited more frequently, lower-risk areas less frequently.
Typical first-year programme for a small to mid-size Indian organisation: full coverage in year 1 (one audit covering everything), then risk-based coverage in years 2 and 3, with a full-scope re-audit ahead of recertification at the end of the three-year cycle.
Programme document includes: audit scope, criteria (ISO 27001 plus applicable laws and regulations and contractual obligations), frequency, methodology, auditor assignments, reporting structure.
Audit Scope and Criteria
Each individual audit has a defined scope (which parts of the ISMS, which locations, which processes, which time period) and criteria (ISO 27001 requirements, applicable controls, internal policies, external regulations). Scope and criteria are documented before the audit starts.
Sampling strategy: the auditor cannot review every transaction, so a sample is drawn and the conclusion is extended to the population. Typical sample sizes in practice are 10 to 20 percent of relevant records (ISO 27001 and ISO 19011 prescribe no figure), with higher rates for high-risk areas and recent changes. What defends the conclusion is a documented, reproducible method: the population the sample was drawn from, the selection rule, and the IDs of the records actually examined.
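As an added illustration of a reproducible, risk-weighted sampling method (example code written for this page, not Codesecure's tooling or anything ISO 19011 prescribes): the script below stratifies a constructed population of change tickets into high-risk, recent and other records, draws a seeded random sample at a different rate per stratum, and emits a manifest with the seed, the rule, a digest of the population and the selected IDs. Anyone holding the manifest and the same population re-derives the identical sample. The rates, the 90-day window and the ticket data are all assumptions chosen for the example.

```python
"""Reproducible, risk-weighted sampling of audit records with a manifest for
the working papers. Added example; the population and rates are constructed."""
import hashlib
import json
import math
import random
from datetime import date, timedelta

# Hypothetical sampling rule: a base rate for everything, with uplifts for
# high-risk and recently changed records. The figures are assumptions,
# not requirements of ISO 27001 or ISO 19011.
BASE_RATE = 0.10        # fraction sampled from the "other" stratum
HIGH_RISK_RATE = 0.50   # fraction sampled from high-risk records
RECENT_DAYS = 90        # a record closed within this window counts as recent
RECENT_RATE = 0.25      # fraction sampled from recent, non-high-risk records

RATES = {"high_risk": HIGH_RISK_RATE, "recent": RECENT_RATE, "other": BASE_RATE}


def constructed_population(today):
    """Constructed input (not real data): 40 change tickets with a risk
    rating and a closure date spread over the last ~200 days."""
    records = []
    for i in range(40):
        risk = "high" if i % 8 == 0 else "low"     # 5 high-risk tickets
        age_days = (i * 7) % 200                    # deterministic spread
        records.append({
            "id": f"CHG-{1000 + i}",
            "risk": risk,
            "closed": (today - timedelta(days=age_days)).isoformat(),
        })
    return records


def stratum_of(record, today):
    """Assign a record to exactly one stratum; risk rating wins over age."""
    if record["risk"] == "high":
        return "high_risk"
    age = (today - date.fromisoformat(record["closed"])).days
    return "recent" if age <= RECENT_DAYS else "other"


def draw_sample(records, seed, today):
    """Return (strata, chosen): the IDs in each stratum and the IDs drawn.

    IDs are sorted before drawing so that the seed alone, not the order in
    which records were exported, determines the sample."""
    strata = {name: [] for name in RATES}
    for record in records:
        strata[stratum_of(record, today)].append(record["id"])
    rng = random.Random(seed)
    chosen = {}
    for name, ids in strata.items():
        ids = sorted(ids)
        # at least one record per non-empty stratum, never more than exist
        k = min(len(ids), max(1, math.ceil(RATES[name] * len(ids)))) if ids else 0
        chosen[name] = sorted(rng.sample(ids, k))
    return strata, chosen


def build_manifest(records, seed, today):
    """Working-papers record: everything needed to re-derive the sample."""
    strata, chosen = draw_sample(records, seed, today)
    population_digest = hashlib.sha256(
        "\n".join(sorted(r["id"] for r in records)).encode()
    ).hexdigest()
    return {
        "audit_date": today.isoformat(),
        "seed": seed,
        "rule": {"rates": RATES, "recent_days": RECENT_DAYS,
                 "selection": "sorted IDs, random.Random(seed).sample per stratum"},
        "population_size": len(records),
        "population_sha256": population_digest,   # proves the population was not altered
        "strata": {name: {"population": len(strata[name]), "sampled": chosen[name]}
                   for name in strata},
        "sample_size": sum(len(ids) for ids in chosen.values()),
    }


if __name__ == "__main__":
    audit_date = date(2025, 1, 31)
    population = constructed_population(audit_date)
    # The seed is recorded in the manifest; any value works as long as it is kept.
    print(json.dumps(build_manifest(population, seed=20250131, today=audit_date), indent=2))
```

The manifest, not the script, is what goes in the working papers: with the seed, the rule and the population digest recorded, a certification body auditor can confirm the sample was fixed before fieldwork rather than chosen after the auditor saw which records looked clean.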
Evidence Collection Techniques
Audit evidence types: document review (policies, procedures, records, logs), interview (control owners, users, management), observation (physical walkthrough, system demonstration), technical inspection (configuration review, log sampling, control test).
Effective auditor technique combines all four. Document review alone misses operational reality. Interview alone misses documentation. Observation alone misses the formal management system. Technical inspection alone misses governance. The combination produces defensible conclusions.
Evidence is documented in the audit working papers: what was checked, what was found, sample IDs, observations, conclusions. Working papers are retained for the certification body to review during external audit if requested.
Audit Pressure or Customer Questionnaire?
Whether you need a gap assessment, an internal audit, a customer security questionnaire response or a board-ready compliance status, our compliance lead is available for a 30-minute free scoping call.
Talk to a Compliance Lead →
Findings Classification: Major, Minor, Observation
Findings are classified by severity:
- Major non-conformity: a significant breakdown of the ISMS, several minor issues in the same area that together show a systemic failure, or the complete absence of a required control. Major non-conformities must be closed before external certification.
- Minor non-conformity: an isolated failure to meet a requirement, or a gap in implementation that does not threaten the effectiveness of the ISMS as a whole. Must be closed, but does not block certification.
- Observation: a situation noted but not formally a finding. May become a finding if the pattern continues.
- OFI (Opportunity for Improvement): a suggestion for enhancement, not a finding.
Indian internal audits frequently raise too few findings (the audit team is on friendly terms with the auditee) or too many (the auditor is showing off). Calibrated classification, with each finding tied to the evidence and the requirement it fails, is the auditor's professional standard.
Corrective Action and Follow-Up
Every non-conformity triggers corrective action. The process: root cause analysis (why did this happen, not just what happened), correction (immediate fix to the specific instance), corrective action (systemic fix to prevent recurrence), target date, owner, and evidence of closure.
Corrective actions are tracked through to closure. The auditor verifies closure at the next audit cycle. Corrective actions that stay open across cycles are a red flag the external auditor will note.
Management review (clause 9.3) reviews internal audit results and corrective action progress at planned intervals. Documented minutes are the evidence the external auditor expects.
Frequently Asked Questions
How often do we need internal audit?
ISO 27001 requires planned intervals, not a specific frequency. Most organisations audit each part of the ISMS at least once per certification cycle (3 years), with high-risk areas audited annually. First-year programme often covers everything once.
Can we use an external consultant for internal audit?
Yes, particularly common in small and mid-size organisations. External consultant brings independence and methodology. The audit is still classified as 'internal' for ISO purposes because the organisation commissions it (not the certification body).
Who closes corrective actions?
The control owner is typically responsible for closing the action. The ISMS owner verifies closure. The internal auditor (or external if commissioned) verifies closure during follow-up audit.
What if internal audit raises findings the certification body did not?
That is the goal. Internal audit catches gaps before external certification. Open major non-conformities from internal audit must be closed before external audit; minor non-conformities can be in remediation but documented.
How long does an internal audit take?
Depends on scope. Full-scope audit of a small Indian organisation: 5 to 10 audit days. Mid-size enterprise: 15 to 30 audit days. Large enterprise multi-site: 30+ audit days. Plus reporting and follow-up time.
Can Codesecure conduct our internal audit?
Yes. Codesecure delivers consultant-led internal audits for Indian organisations preparing for ISO 27001 certification or maintaining surveillance. ISO/IEC 27001:2022 certified delivery with named ISO 27001 Lead Auditor consultants.
Make Internal Audit Catch Gaps Before The External Audit Does
Codesecure delivers consultant-led ISO 27001 internal audits for Indian organisations preparing for certification or maintaining surveillance. ISO/IEC 27001:2022 certified delivery, named LA consultants, fixed-price proposals.