ISO 27001 Internal Audit: A Practitioner’s Checklist

Manish Garg, Associate CISSP, RingSafe
April 20, 2026

Internal audit is the clause of ISO 27001 that fails silently. Startups complete the Annex A controls, draft the policy library, run through Stage 1, pass Stage 2, frame the certificate. Then clause 9.2 comes due and nobody remembers what an internal audit looks like. Year two surveillance arrives, the auditor asks for the internal audit program and reports from the past twelve months, and the organization realizes the ISMS has been on autopilot while the business grew. Recertification slips. Trust with the certification body erodes.

This is a practitioner’s checklist for ISO 27001 internal audit: what clause 9.2 demands, who should perform the audit, how to scope and plan, which evidence to sample, how to write findings that drive improvement, and how to close the loop with management review. It assumes you are responsible for running internal audit in an Indian SaaS or mid-market company, whether in-house or as an external contractor.

What clause 9.2 actually requires

Internal audits must be conducted at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements and to the standard, and is effectively implemented and maintained. The clause mandates:

  • A documented internal audit program that covers the full ISMS scope.
  • Defined audit criteria and scope for each audit.
  • Objective and impartial auditors.
  • Reporting results to relevant management.
  • Retention of documented evidence of the audit program and results.
  • Corrections and corrective actions without undue delay.

The standard does not specify how often. “Planned intervals” is typically interpreted as at least annually for the full scope, with critical areas audited more frequently. A common cadence: quarterly thematic audits plus one annual full-scope audit.

Who can run the internal audit?

Objectivity and impartiality are mandatory. A developer cannot audit the change management process they participate in. A CISO cannot audit their own ISMS. Three realistic models for an Indian startup:

Model 1: Cross-functional internal audit team

Draw auditors from outside the audited function. An infrastructure engineer audits HR onboarding; a legal team member audits change management. Requires training in ISO 19011 or equivalent audit methodology, and sufficient organizational size (typically 50+ employees) to have independent reviewers.

Model 2: Internal audit by a central risk or compliance function

A dedicated compliance lead runs audits across functions. Works for startups with a named compliance hire. The compliance lead must not also be the ISMS operational owner; otherwise objectivity fails.

Model 3: External contracted internal audit

For small startups, a third-party firm performs the internal audit. Common for teams under 50 and for regulated entities where buyer trust matters. The external firm must not be the same firm doing the certification audit; that would be a conflict of interest.

Most Indian startups under 100 employees use Model 3 for full-scope annual audits and Model 1 or 2 for quarterly thematic audits.

The internal audit program: plan for the year

Document an annual audit program showing what will be audited, when, by whom, and against which criteria. The program is reviewed and approved at management review. A sample quarterly rhythm for a mid-sized Indian SaaS (audit focus, then typical effort):

  • Q1: access management, identity lifecycle, privileged access (3 to 5 auditor days)
  • Q2: change management, secure development, deployment controls (3 to 5 auditor days)
  • Q3: incident response, business continuity, supplier security (3 to 5 auditor days)
  • Q4: full-scope audit covering all clauses, full Annex A sampling and management system effectiveness (8 to 12 auditor days)

Preparing for an internal audit

The auditee (the area being audited) and the auditor prepare in parallel. The auditor’s preparation checklist:

  • Review previous audit reports and open findings.
  • Review the current Statement of Applicability for controls in the audit scope.
  • Review relevant policies and procedures.
  • Prepare a sampling plan: which control instances will you test, and how many samples?
  • Prepare the opening meeting agenda.
  • Draft the audit checklist or questions.

The auditee’s preparation:

  • Gather evidence the auditor has requested, in a single location.
  • Identify who will be interviewed and brief them.
  • Ensure the auditor has access to the systems from which evidence will be pulled.
  • Review open findings from the previous audit and be ready to show closure.

The sampling plan is where internal audit either works or does not

Audits are not exhaustive reviews. They are sample-based. A good sampling plan picks samples that stress-test the control and that the auditee did not hand-pick. Examples for common controls:

Access control (A.5.15)

  • Five new joiners from the past 6 months: was access provisioned within policy timelines? Was it provisioned to the correct least-privilege scope?
  • Five leavers from the past 6 months: was access removed within the 24-hour SLA? Was the checklist completed?
  • One quarterly access review: were all in-scope systems covered? Were remediations tracked to closure?
  • Three random production system users: do they still require access? When was their access last reviewed?

Change management (A.8.32)

  • Ten random production deploys from the past 30 days: was the deploy approved? Was CI green? Was review recorded?
  • Two emergency changes from the past quarter: was the emergency procedure followed? Was retrospective approval captured?
  • Any rolled-back deploys: was the rollback tracked as a change?

Incident management (A.5.24, A.5.25)

  • All incidents logged in the past year: were they classified? Were post-incident reviews completed for high-severity incidents?
  • One tabletop exercise: was it documented? Were actions tracked?
  • One incident where personal data may have been affected: was the 72-hour DPDP notification process considered?

Writing findings that actually improve the ISMS

A finding has four parts: observation, evidence, requirement, classification. A well-written finding looks like:

Observation: Of 10 production deploys sampled from October 2026, 2 deploys (Deploy-4821 and Deploy-4856) were not tagged as approved in the deployment system.
Evidence: Screenshots of deployment system records, attached as Annex A.
Requirement: Change Management Policy v3.1 section 4.2 requires all production deploys to have approval recorded; ISO 27001:2022 A.8.32.
Classification: Minor nonconformity.

Avoid vague findings (“change management needs improvement”) and findings without evidence (“the auditor felt controls were weak”). A finding without evidence is an opinion, not an audit observation.
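As an added example (not code from this article or from RingSafe), the A.8.32 sampling plan and the four-part finding format carried through in Python: it draws ten deploys at random from a constructed 30-day deployment log using a seed the auditor records, runs the three questions from the sampling plan over the sample, and assembles the observation, evidence, requirement and classification. The log records, the Deploy-48xx identifiers and the major/minor threshold in classify are assumptions made for illustration.

```python
import random
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Deploy:
    deploy_id: str
    deployed_on: date
    approved: bool
    ci_green: bool
    review_recorded: bool

# Constructed deployment-system export (not real data): 20 deploys, one every two days.
AUDIT_DATE = date(2026, 11, 1)
DEPLOY_LOG = [
    Deploy(f"Deploy-{4800 + i}", AUDIT_DATE - timedelta(days=2 * i),
           approved=i not in (3, 9), ci_green=i != 7, review_recorded=i not in (3, 9))
    for i in range(20)  # 4803 and 4809 lack approval and review; 4807 shipped on red CI
]

def sample_deploys(log, audit_date, window_days=30, n=10, seed=27001):
    """Draw n deploys at random from the window; the auditor's fixed seed makes the draw reproducible."""
    in_window = [d for d in log if 0 <= (audit_date - d.deployed_on).days < window_days]
    return sorted(random.Random(seed).sample(in_window, min(n, len(in_window))),
                  key=lambda d: d.deploy_id)

def check_change_control(sample):
    """Deploy IDs failing each A.8.32 question from the sampling plan."""
    return {
        "approval not recorded": [d.deploy_id for d in sample if not d.approved],
        "CI not green": [d.deploy_id for d in sample if not d.ci_green],
        "review not recorded": [d.deploy_id for d in sample if not d.review_recorded],
    }

def classify(failures, sample_size):
    """Illustrative threshold (an assumption): isolated misses are minor; more than half of the sample failing is major."""
    worst = max(len(ids) for ids in failures.values())
    if worst == 0:
        return "No nonconformity"
    return "Major nonconformity" if worst > sample_size // 2 else "Minor nonconformity"

def write_finding(sample, failures, policy="Change Management Policy v3.1 section 4.2"):
    """Assemble the four-part finding: observation, evidence, requirement, classification."""
    missing = failures["approval not recorded"]
    return {
        "observation": f"{len(missing)} of {len(sample)} sampled production deploys had no approval recorded: {', '.join(missing) or 'none'}.",
        "evidence": [f"deployment-system record for {d}" for d in missing],
        "requirement": f"{policy}; ISO 27001:2022 A.8.32",
        "classification": classify(failures, len(sample)),
    }
```

Record the seed and the window in the audit file so a reviewer can regenerate the same sample from the same export.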

Classification guidance

  • Major nonconformity: The ISMS or a required control is absent, systemically failing, or unable to achieve its objective. Will be flagged by the certification body.
  • Minor nonconformity: An isolated instance of noncompliance or a weakness in the control that does not impede its overall effectiveness.
  • Observation or opportunity for improvement: Not a nonconformity; a suggestion for ISMS improvement.

Closing the loop: corrections, corrective actions, management review

Every nonconformity requires a correction (fix the immediate issue) and a corrective action (address the root cause so it does not recur). The corrective action is tracked with an owner, target date, and evidence of completion.

Internal audit results flow into management review. Clause 9.3 requires management review to consider results from audits. If management review minutes do not reference internal audit findings and follow-up actions, both clauses are effectively broken.

The test of internal audit is whether it produces real change. If your internal audits never find anything, or if findings sit open for twelve months, you are performing theater, not audit.

Common internal audit mistakes

  • Auditing only policies, not operations. Reading the policy and asking “do you follow this?” is not an audit. Pull the evidence.
  • Auditing only the happy path. A sampling plan that picks easy cases will not find issues. Include edge cases, emergency changes, leavers, and disputed access.
  • No follow-up. Findings open for six months without action signal the ISMS is not improving.
  • Using the same auditor year after year. Rotate to get fresh eyes.
  • Skipping the surveillance-year audit because “last year was clean.” Clause 9.2 demands audits at planned intervals; skipping one breaks the clause.

Work with RingSafe

RingSafe runs independent internal audits for Indian startups preparing for ISO 27001 certification, surveillance, or recertification. Founder Manish Garg (Associate CISSP, CEH, CCNP Enterprise) and the RingSafe team conduct audits with the same rigor a certification body brings, so Stage 2 or surveillance holds no surprises.

If you need an internal audit in the next quarter and want a partner who will find the gaps before the certification body does, book a scoping call and we will build an audit plan tailored to your ISMS scope.