
ISO/IEC 27001 FAQ Internal Audit

How should teams run internal audits under an ISO/IEC 27001:2022 Information Security Management System?

Use this FAQ as a practical internal-audit workflow: define scope, assign accountable roles, collect auditable evidence, and close non-conformities with traceable decisions.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4


Overview

Use this FAQ to execute and document internal audits in your ISMS: define what is being audited, keep evidence review-ready, and route findings to governance for closure.

Question 1

What must happen before, during, and after an internal audit?

ISO/IEC 27001 internal audits should be planned, documented, and executed to provide evidence on whether the ISMS conforms to your organization's own requirements for it and to the requirements of the standard (clause 9.2), and whether it is effectively implemented and maintained.

Before the audit, define the scope (processes, systems, suppliers, locations), the audit criteria and sampling approach, and the owners; during the audit, verify conformance and effective implementation against those criteria; after the audit, track findings, decisions, and corrective actions through to closure.

  • Establish an audit programme that states objectives, criteria, frequency, methods, and responsibilities (for example annual, or risk-based with additional audits after major changes).
  • Map each audit area to who may review what: preparer, evidence owner, independent reviewer, and approver.
  • Auditors must not audit their own work: the people who built or operate a control do not validate findings raised against it.

Question 2

What evidence makes an internal audit auditable?

Evidence should show what was tested, how it was tested, who tested it, and the result.

Show outcomes at a level that can be independently validated later, including issue IDs, test samples, and proof of closure timing.

  • Attach a control-level audit checklist and schedule from your ISMS scope.
  • Keep test artifacts, interview notes, log extracts, and issue tracking entries together with timestamps.
  • Record findings with severity, exception rationale, corrective action owner, and target close date.
Question 3

Who should review and approve internal-audit findings?

Assign a non-authoring reviewer to validate findings before closure.

Escalate anything that affects scope, customer commitments, or recurring non-conformities to governance for risk-based approval.

Close findings only when correction evidence is available and verified.

  • Record each finding with owner, risk impact, decision date, and remediation proof.
  • Separate independent audit team responsibilities from implementation ownership.
  • Require management-review visibility for unresolved major findings.
Citations
ISO/IEC 27001:2022 standard page

Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.

Question 4

How often should internal audits and their outcomes be rechecked?

Re-check internal-audit outputs at planned intervals and when triggers indicate evidence may be stale.

If control context changes, supplier ownership changes, or prior findings remain open, rerun impacted audit areas before relying on prior conclusions.

  • Use calendar review dates plus change-trigger reviews for incidents, context shifts, or contractual scope changes.
  • Re-verify closed findings after remediation evidence is produced, not after the target date alone.
  • Track all unresolved findings in governance to prevent drift between audit cycles.
Citations
ISO/IEC 27001:2022 standard page

Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
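As an added, illustrative example (not part of this FAQ or of any ISO text), the closure and re-check rules in Questions 3 and 4 can be enforced mechanically over a findings register rather than relied on as a checklist. The Python below lints a constructed register for missing independent review, reviewer/owner overlap, closure without verified remediation evidence, closures that have gone stale because the audited area changed after verification, and overdue or unresolved major findings. Field names, people, dates, and area labels are assumptions chosen for the illustration, not ISO terminology.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example: a linter for an internal-audit findings register.
# Field names are illustrative assumptions, not ISO/IEC 27001 terms.


@dataclass
class Finding:
    finding_id: str
    area: str                  # audited area, e.g. "A.8.15 Logging"
    severity: str              # "major" | "minor" | "observation"
    preparer: str              # auditor who raised the finding
    reviewer: Optional[str]    # independent reviewer who validated it
    owner: str                 # corrective-action owner (implementer)
    status: str                # "open" | "closed"
    target_date: date
    evidence_date: Optional[date] = None   # when remediation evidence was produced
    verified_by: Optional[str] = None      # who re-verified the remediation
    verified_date: Optional[date] = None


def lint_register(findings: List[Finding],
                  change_triggers: Dict[str, date],
                  today: date) -> List[Tuple[str, str]]:
    """Return (finding_id, message) pairs for every rule the register breaks.

    change_triggers maps an audited area to the date of the latest context
    change (incident, supplier change, scope change) affecting that area.
    """
    issues: List[Tuple[str, str]] = []
    for f in findings:
        # Segregation of duties: whoever built or owns the control must not be
        # the one raising or validating a finding against it.
        if f.reviewer is None:
            issues.append((f.finding_id, "no independent reviewer recorded"))
        elif f.reviewer in (f.preparer, f.owner):
            issues.append((f.finding_id, f"reviewer {f.reviewer} is not independent"))
        if f.preparer == f.owner:
            issues.append((f.finding_id, "auditor is auditing their own area"))

        if f.status == "closed":
            # Closure gate: evidence must exist and be verified by someone other
            # than the action owner, and only after the evidence was produced.
            if f.evidence_date is None:
                issues.append((f.finding_id, "closed without remediation evidence"))
            if f.verified_by is None or f.verified_date is None:
                issues.append((f.finding_id, "closed without verification"))
            else:
                if f.verified_by == f.owner:
                    issues.append((f.finding_id, "closure verified by the action owner"))
                if f.evidence_date is not None and f.verified_date < f.evidence_date:
                    issues.append((f.finding_id, "verification predates the evidence it verifies"))
            # Re-check trigger: a later change in the area makes the conclusion stale.
            trigger = change_triggers.get(f.area)
            if trigger is not None and f.verified_date is not None and trigger > f.verified_date:
                issues.append((f.finding_id, f"area changed on {trigger}; re-verify before relying on closure"))
        else:
            if f.target_date < today:
                issues.append((f.finding_id, "open past target date; escalate to governance"))
            if f.severity == "major":
                issues.append((f.finding_id, "unresolved major finding; needs management-review visibility"))
    return issues


def demo_findings() -> List[Finding]:
    """Constructed sample register (names and dates are made up)."""
    return [
        Finding("F-001", "A.8.15 Logging", "minor", "alice", "carol", "bob", "closed",
                date(2026, 3, 31), date(2026, 3, 20), "alice", date(2026, 3, 25)),
        # Closed on the target date alone, with no evidence or verification.
        Finding("F-002", "A.8.15 Logging", "minor", "alice", "carol", "bob", "closed",
                date(2026, 3, 31)),
        # Reviewer is also the corrective-action owner.
        Finding("F-003", "A.5.15 Access control", "minor", "alice", "bob", "bob", "open",
                date(2026, 6, 30)),
        # Properly closed, but the supplier context changed after verification.
        Finding("F-004", "A.5.19 Supplier relationships", "minor", "alice", "carol", "dave",
                "closed", date(2026, 2, 28), date(2026, 2, 10), "carol", date(2026, 2, 15)),
        # Major finding still open past its target date.
        Finding("F-005", "A.8.8 Vulnerability management", "major", "erin", "carol", "frank",
                "open", date(2026, 4, 1)),
    ]


def run_demo() -> List[Tuple[str, str]]:
    # Constructed change trigger: a supplier change logged after F-004 was verified.
    triggers = {"A.5.19 Supplier relationships": date(2026, 4, 1)}
    return lint_register(demo_findings(), triggers, today=date(2026, 5, 9))


if __name__ == "__main__":
    for finding_id, message in run_demo():
        print(f"{finding_id}: {message}")
```

Run it as a script to list every rule violation in the sample register; F-001 produces nothing because its evidence, independent verification, and unchanged area satisfy all gates. Wiring the same checks into the register's export or ticket workflow lets "closed" mean the same thing for every finding that reaches management review.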

Primary sources

References and citations

iafcertsearch.org
Referenced sections
  • Public IAF certification database used to verify and monitor management-system certifications.
"verify and monitor certifications"
iso.org
Referenced sections
  • Use the guideline language for planned internal-audit execution: conformance checks, implementation checks, and objective reporting.
"The organization shall conduct internal audits at planned intervals"
iso.org
Referenced sections
  • This source supports documented information requirements around findings, corrective action, and independent audit activity.
"Internal audits should be carried out by individuals or teams that are independent and objective"
iso.org
Referenced sections
  • Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
"Information security management systems - Requirements"
iso.org
Referenced sections
  • This source provides the control-implementation guidance and expectations that underpin ISO/IEC 27001 Annex A governance.
"Information security controls"
iso.org
Referenced sections
  • Primary ISO listing for guidance on managing information security risks in support of an ISO/IEC 27001 ISMS.
"Guidance on managing information security risks"
iso.org
Referenced sections
  • Primary ISO listing for requirements that apply to bodies auditing and certifying ISO/IEC 27001 information security management systems.
"audit and certification"