Internal Audit For ISO 27001 Requirement 9.2

What is covered under ISO 27001 Clause 9.2?

Clause 9 of the management requirements for ISO 27001:2013 is performance evaluation.  9.2 says the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system (ISMS):

  • Conforms to the organisation’s own requirements for its information security management system; and meets the requirements of the ISO 27001 international standard;
  • Whether the ISMS is effectively implemented and maintained

To achieve those goals the ISO auditor will look to see that the organisation has:

  • Planned, implemented and maintained an audit programme
  • Defined the audit criteria and scope for each audit
  • Selected auditors who will be objective and impartial
  • Ensured that audits are reported to relevant management
  • Retained documented information as evidence

How to conduct internal audits on an information security management system to comply with ISO 27001 9.2

Alongside information security risk management, internal audits are popular in creating anxiety for those new to ISMS’ and in particular organisations that are going for their first ISO 27001 certification. As such we have written a separate article on demystifying the internal audit requirements and expressing how an organisation can achieve it’s internal audit goals with much less stress and anxiety than first thought.

Read our free guide to achieving ISO 27001 first time
Download now

How to easily demonstrate 9.2 Internal audits

The ISMS.online platform makes it easy for you to conduct Internal audits at planned intervals, and provide information on whether the system conforms to the requirements and is effectively implemented and maintained.

Step 1 : Focus and planning made easy

ISMS.online can help you focus your planning and assign owners for your audit plan with reminders. It also has easy to use workspaces for capturing results whilst following a simple yet compliant process that dovetails nicely with your corrective actions and improvements work that might follow an audit.
Step 1 : Focus and planning made easy

Step 2 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 9.2 within our platform and easily adapt it to your organisation’s needs. The AAA content for 9.2 provides a tried and tested process for internal audits. You’ll be provided with an audit programme for conducting your audits, guidance on undertaking audits, as well as advice with documenting findings.

You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have ready-made simple to follow foundation for ISO 27001 compliance or certification giving you a 77% head start.

Step 2 : Adopt, adapt and add

Step 3 : Demonstrate to auditors

You can easily demonstrate your work to auditors by recording your evidence within the platform e.g. data, policies, controls, procedures, risks, actions, projects, related documentation and reports.
Step 3 : Demonstrate to auditors

Step 4 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 9.2 is part of the third section that ARM will guide you on, where once the foundations of your ISMS have been paid, and Annex A controls have been described, you’ll detail how you comply with the remaining core requirements.
Step 4 : A time-saving path to certification

Step 5 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.
Step 5 : Extra support whenever you need it

ISO 27001 requirements

ISO 27001 Annex A Controls

About ISO 27001

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.

Policies & Controls Management

Easily collaborate, create and show you are on top of your documentation at all times

Risk Management

Effortlessly address threats & opportunities and dynamically report on performance

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting

Audits, Actions & Reviews

Reduce the effort and make light work of corrective actions, improvements, audits and management reviews

Mapping & Linking Work

Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed

Documented Procedures

Simply document, easily control and publish your procedures to ensure stakeholders follow them

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more for less

Staff Awareness & Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle

User Management & Permissions

Practical permissions with low cost plans for more regular and occasional users

Privacy & Security

Strong privacy by design and security controls to match your needs & expectations
See ISMS.online in action

Simple and easy to use | Comprehensive in scope | Affordable and lower cost than alternatives

Book your free demo today