Clause 9.2
The ISO 27001 internal audit, done properly
Clause 9.2 requires your ISMS to be internally audited by someone competent and independent, before the certification body ever arrives, and the certification body itself is not allowed to do it. For most SMEs that creates a genuine gap, and it is one of the services we deliver standalone.
The independence problem
Why your certification body cannot help you here
The internal audit is your management system checking itself; the certification audit is someone else checking it. If the same organisation did both, the second check would be meaningless, so accreditation rules keep certification bodies out of your internal audit entirely.
In-house, independence means the auditor cannot audit their own work. In a 30-person company where one person built the ISMS, that leaves nobody qualified who was not involved, which is why the pragmatic answer is usually an external practitioner delivering clause 9.2 on your behalf.
The method
How the internal audit runs
Plan
An audit programme covering the full ISMS across the certification cycle, with this audit's scope, criteria and schedule agreed up front.
Fieldwork
Documents reviewed, evidence sampled, people interviewed, against clauses 4 to 10 and the applicable Annex A controls. The same method your certification body will use.
Report
Findings graded, nonconformities described precisely enough to fix, and the strengths recorded too, because the certification auditor reads this report.
Close the loop
Corrective actions owned, dated and verified. An internal audit with unactioned findings is worse at Stage 2 than no findings at all: it proves the loop does not turn.
Delivered standalone ahead of your Stage 2 or surveillance visit, or as part of the full readiness engagement. Where your team wants to build the capability instead, we run the first audit jointly and hand over the method.
Quick answers
Internal audit questions, answered
Is the internal audit mandatory for ISO 27001?
Yes. Clause 9.2 requires internal audits at planned intervals, and your Stage 2 assessment expects at least one full internal audit completed, reported and acted on before the certification body arrives. Skipping it is one of the most common causes of a major nonconformity.
Who is allowed to do our internal audit?
Anyone competent and independent of the work being audited. In-house staff can do it if they did not build the thing they are auditing, which in a small organisation usually leaves nobody. Your certification body cannot: auditing the system it certifies would compromise its impartiality. That is why independent internal audit is a consultancy service, and one we deliver as a standalone.
How often do we need internal audits?
The standard says planned intervals; in practice a full-system audit each year, timed a comfortable distance before your surveillance or recertification visit, is the rhythm auditors expect. Higher-risk areas can be audited more often within the same programme.
Can you be our internal auditor every year?
Yes. An external practitioner as your standing clause 9.2 auditor keeps the independence problem solved permanently and gives your certification body a report it recognises as professionally done. Many clients pair it with an annual ISMS health check ahead of surveillance.
Stage 2 or surveillance looming?
Book your clause 9.2 audit while there is time to act on it
A free 45 minute call scopes the audit and fixes the date. The report lands with enough runway to close findings before your assessor arrives.