ISO 27001 internal audit. What it actually requires.
Clause 9.2 of ISO 27001:2022 requires organisations to conduct internal audits at planned intervals. This page explains what that means in practice — and where the bottlenecks are.
What Clause 9.2 requires.
ISO 27001:2022 Clause 9.2 requires organisations to conduct internal audits at planned intervals to determine whether the information security management system (ISMS) conforms to the organisation's own requirements and to the requirements of the standard.
The internal audit must:
- Be planned, established, and maintained as an audit programme
- Define audit criteria and scope for each audit
- Select auditors who ensure objectivity and impartiality
- Ensure results are reported to relevant management
- Retain documented information as evidence of the audit programme and results
The standard does not prescribe how evidence should be reviewed or how findings should be documented in detail. It requires that the audit is conducted — and that it is conducted properly.
The role of ISO 19011:2018.
ISO 27001 references ISO 19011:2018 as the methodology standard for conducting management system audits. ISO 19011 provides guidelines on audit programmes, conducting audits, and evaluating auditor competence.
For internal audits, ISO 19011:2018 is not optional guidance — it is the recognised methodology that defines what a properly conducted audit looks like. Organisations that follow ISO 19011 can demonstrate to external certification bodies that their internal audit process is methodologically sound.
What constitutes good audit evidence.
ISO 19011:2018 Section 3.9 defines audit evidence as records, statements of fact, or other information relevant to the audit criteria and verifiable. In practice, audit evidence for ISO 27001 includes:
- Policies and procedures — documented statements of intent and operational controls
- Training records — evidence that personnel are competent and aware of their responsibilities
- Risk assessments and treatment plans — documented risk management under Clause 6.1.2
- Management review minutes — evidence of leadership engagement under Clause 9.3
- Incident records — evidence of incident management processes under Annex A controls
- Access control logs — evidence of access management implementation
- Third-party contracts and agreements — evidence of supplier relationship management
The challenge is not collecting this evidence. Most organisations have it. The challenge is evaluating it systematically against every relevant clause — consistently, completely, and within a defensible timeframe.
The seven principles of auditing.
ISO 19011:2018 Section 4 defines seven principles that auditors should follow. These principles apply equally to AI-assisted audit processes:
Integrity
The foundation of professionalism. Auditors — and audit tools — must perform work honestly and responsibly.
Fair Presentation
Audit findings must reflect the evidence truthfully and accurately. Nothing suppressed, nothing overstated.
Due Professional Care
Auditors must apply diligence and judgement. Provisional findings from Manylder's evidence review are a starting point; the professional care applied by Manylder's lead auditor is what makes them defensible.
Confidentiality
Audit information must be handled securely. Evidence is processed within isolated environments and is not shared across tenants.
Independence
Auditors must be free from bias. Manylder's lead auditor is independent of the activity being audited. The platform does not audit the auditor's own function.
Evidence-Based Approach
Conclusions must be based on verifiable evidence. Every finding must cite its source documentation.
Risk-Based Approach
Audit effort should be directed where it matters most. Confidence scores help Manylder's lead auditor prioritise review effort on lower-confidence findings.
Common internal audit challenges.
- Volume — ISO 27001:2022 includes 93 Annex A controls across four categories. Evaluating evidence against each is time-consuming.
- Consistency — Different auditors apply different interpretations. Findings from one audit cycle may not be comparable to the next.
- Documentation — Audit reports must be clear, traceable, and defensible. Manual report writing is slow and error-prone.
- Recurrence — Annual surveillance audits repeat the same evidence review process. Audit fatigue reduces thoroughness over time.
- Resource constraints — Qualified internal auditors are scarce. Organisations under-resource the audit function relative to its importance.
How ISO 27001 internal audit automation works.
Technology can accelerate the evidence review and documentation stages of internal audit — the stages that consume the most time and introduce the most inconsistency. Specifically:
- Evidence extraction and classification — automatically identifying which clauses each document addresses
- Clause-level evaluation — systematically assessing evidence sufficiency against every relevant requirement
- Confidence scoring — providing Manylder's lead auditor with a prioritisation signal for review effort
- Report generation — producing structured, professional audit reports with evidence citations
What technology alone cannot do is replace professional judgement. ISO 19011:2018 requires the lead auditor to exercise due professional care, to present findings fairly, and to own the audit conclusions. Any tool that claims to fully automate the audit itself is misrepresenting what audit methodology requires.
Manylder delivers both: structured ISO 27001 internal audit automation and a qualified lead auditor who reviews and confirms every finding. The platform reviews your evidence. The auditor concludes. You receive a complete, defensible internal audit.