Key takeaways
  • ISO 27001 clause 9.2 requires planned internal audits of the ISMS at defined intervals, carried out by someone independent of the area being audited.
  • Audit the management-system clauses and a sample of the Annex A controls, and back every conclusion with evidence, not opinion.
  • Turn every nonconformity into a tracked corrective action with an owner, due date, and verified closure.

An ISO 27001 internal audit (clause 9.2) is how you find the gaps in your information security management system before the certification body does. Done well, it is your single best rehearsal for the real thing. Here is how to plan and run one.

Why ISO 27001 requires an internal audit

Clause 9.2 of ISO 27001 requires you to run internal audits at planned intervals to confirm the ISMS conforms to both your own requirements and the standard, and that it is effectively implemented and maintained. It is mandatory, and it is the first thing a certification auditor will ask to see.

The point is not to pass your own audit. It is to surface real gaps while you still have time to fix them.

Plan the audit

Before you look at a single control, agree the scope, the criteria (the standard, your policies, and the Statement of Applicability), and the schedule. The auditor must be independent of the area under audit. A short, written audit plan keeps everyone honest. The free ISO 27001 internal audit checklist gives you a ready structure to work from.

What to check

Cover the management-system clauses (leadership, risk assessment and treatment, monitoring, and improvement) and then sample the Annex A controls that matter most:

1. Policies are approved, current, and communicated.

2. Access control is granted on least privilege and reviewed - run a user access review as part of the audit.

3. Logging, monitoring, and change control are operating.

4. Incidents are recorded, triaged, and learned from.

5. The risk assessment and treatment plan are current and match the Statement of Applicability.

Gather evidence, not opinions

An audit conclusion is only as good as the evidence behind it. Screenshots, tickets, access logs, signed attestations, and completed checklists are evidence; "the team says they do this" is not. Capture the evidence as you go, against each control, so the audit trail is complete when you finish.

The classic 27001 finding
Access that was never revoked

The single most common information-security audit finding is a leaver who still has an active account, or an admin privilege nobody can justify. A periodic access review, recorded, closes that gap before an auditor finds it.
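A concrete way to run that access review as part of the audit, as an added example that is not part of the original article or of RakuOps: it reconciles an export of active accounts against the HR roster, flags the two classic findings (leaver with an active account, admin privilege with no recorded justification), and turns each one into a corrective-action record with an owner and due date. The roster, account export and user names are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    account: str
    issue: str
    evidence: str  # what goes in the audit file: the record, not an opinion

# Constructed sample inputs (hypothetical users); in practice these come from
# the HR leaver report and an export from the identity provider.
HR_ROSTER = {"alice": "active", "bob": "left 2024-03-31", "carol": "active"}
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": False, "justification": ""},
    {"user": "bob", "enabled": True, "admin": True, "justification": ""},
    {"user": "carol", "enabled": True, "admin": True, "justification": "CHG-0417"},
    {"user": "dave", "enabled": False, "admin": True, "justification": ""},
    {"user": "svc-backup", "enabled": True, "admin": True, "justification": ""},
]

def review_access(roster, accounts):
    """Reconcile enabled accounts against HR and flag the classic findings."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        status = roster.get(user)
        if status is None:
            findings.append(Finding(user, "active account with no owner in HR roster",
                                    f"account export: {acct}"))
        elif status != "active":
            findings.append(Finding(user, "leaver with active account",
                                    f"HR status: {status}; account export: enabled"))
        if acct["admin"] and not acct["justification"]:
            findings.append(Finding(user, "admin privilege without recorded justification",
                                    "account export: admin=True, justification empty"))
    return findings

def corrective_actions(findings, owner, due):
    """Each finding becomes a tracked corrective action with owner and due date."""
    return [{"account": f.account, "issue": f.issue, "evidence": f.evidence,
             "owner": owner, "due": due, "status": "open"} for f in findings]

if __name__ == "__main__":
    for action in corrective_actions(review_access(HR_ROSTER, ACCOUNTS), "it-ops", "2024-06-30"):
        print(action)
```

Service accounts with no human owner show up as their own finding, so they get an owner assigned rather than silently surviving the review.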

Run this audit, not on paper

Turn the ISO 27001 internal audit checklist into a live, assigned audit in RakuOps where every check is timestamped, evidence is attached, and findings become tracked corrective actions.


Where RakuOps fits

RakuOps is a compliance and audit management platform that brings checklists, audits, corrective actions, and an audit trail into one connected system. For an ISO 27001 internal audit, it turns the checklist into an assigned audit, captures evidence against each control, and converts findings into tracked corrective actions with verified closure - so you walk into the certification audit with the record already done. See how it maps to ISO 27001.