
ISO 27001 Requirement 9.2 – Internal Audit

By Mark Sharron | Updated 14 December 2023

Clause 9 of the ISO 27001 management system requirements covers performance evaluation. Clause 9.2 within it requires the organisation to conduct internal audits of its ISMS at planned intervals.

What does Clause 9.2 involve?

Clause 9.2 says the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system (ISMS):

  • Conforms to the organisation’s own requirements for its ISMS and to the requirements of the ISO 27001 international standard; and
  • Is effectively implemented and maintained.

To confirm those goals are met, the certification auditor will look for evidence that the organisation has:

  • Planned, implemented and maintained an audit programme
  • Defined the audit criteria and scope for each audit
  • Selected auditors who will be objective and impartial
  • Ensured that audits are reported to relevant management
  • Retained documented information as evidence

How to conduct internal audits on an ISMS to comply with 9.2

Alongside information security risk management, internal audits are a common source of anxiety for those new to ISMSs, and in particular for organisations going for their first ISO 27001 certification.

For that reason we have written a separate article demystifying the internal audit requirements and showing how an organisation can achieve its internal audit goals with far less stress than first thought.

