ISO Internal Audit Options - A Complete Guide

In this guide we’re going to look at what the ISO standards say about internal auditing, good practice in carrying out the audits, what your options may be in resourcing the audits, and lastly how your audit approach might evolve after certification.

The audit requirements of the ISO standards

Let’s look at what the ISO standards say about internal auditing. Because of the Annex SL structure, all of the management system standards such as 9001, 27001, 14001, 45001 and 22301 have common requirements in the area of internal auditing, so what we’re saying should broadly apply to any or all of these standards. However, there are still some variations and we have used the text from ISO27001:2022 in this guide.

Firstly, before we get into the ISO standard details let’s clarify some of the types of audits that are commonly done and some terminology.

  • A first-party audit occurs when an audit is performed within your organization by your own auditing resource. This is often called an internal audit, and it’s what we’re discussing here.
  • A second-party audit is performed by a supplier, customer, or contractor, often against their own proprietary requirements, that is, from their point of view rather than against a published standard.
  • A third-party audit is performed by an independent body against a recognized standard (such as ISO 9001), often to decide whether certification is appropriate.

Internal auditing is covered in Clause 9.2 of the ISO standards. This has two sub-clauses, the first covering auditing in general and the second setting out some specifics of what must be done.

Clause 9.2.1 General

“The organization shall conduct internal audits at planned intervals to provide information on whether the <management system>:

a) conforms to:

    1) the organization’s own requirements for its <management system>;

    2) the requirements of this document

b) is effectively implemented and maintained”

So Clause 9.2.1 says that we must perform internal audits and that they must be at planned intervals, but it doesn’t say how often that should be. This allows a certain degree of flexibility in our approach. We need to check that the management system is doing what we (and our interested parties) want it to do, and that we are doing everything specified in the standard document. We are also checking to see how well the processes of the management system are working in practice.

Clause 9.2.2 Internal audit programme

“The organization shall plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting.

When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.

The organization shall:

a) define the audit criteria and scope for each audit;

b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

c) ensure that the results of the audits are reported to relevant management;

Documented information shall be available as evidence of the audit programme(s) and the audit results.”

Clause 9.2.2 requires us to have an audit programme. This must cover when we audit, how we audit, who does it and the reports we must produce. It further says that we should cover the important processes as a priority and go back to those areas we previously found lacking. This clause goes on to require that each individual audit must have its criteria and scope defined, be carried out by impartial people and be correctly reported to management. We must be able to show evidence of the audit programme and the audit reports.

Prior to certification it is common to conduct audits by going through the clauses of the standard in turn, from Clause 4 (Context) to Clause 10 (Improvement) plus any other required sections, such as Annex A of the ISO27001 standard.

Now we know what the standard requires from internal auditing, let’s look at what makes a good audit.

What makes a good internal audit?

There are a number of factors that contribute to conducting a good internal audit, and we’ll go through them in turn.

Auditor skill

In terms of the skills of your internal auditor, you’ll need them to have a decent knowledge of the standard that’s being audited against, so that they understand what’s being asked for and the language used. It will help if they have done some auditing before and are familiar with the auditing process. They will also need to be able to arrange an audit effectively, including defining the scope, inviting the right people and making sure the timings and logistics work. Being able to listen and to explain what is required are useful skills, along with the ability to handle difficult conversations and encourage cooperation with the audit. The auditor must be able to produce an adequate report that clearly states the conclusions and describes the audit clearly. Lastly, depending on the standard, the auditor may need technical knowledge of a specific area, such as information security or health and safety.

Audit schedule

There needs to be an overall audit programme that sets out when each audit will happen and what each will cover. For an individual audit, there needs to be a clear definition of its scope (for example “Clauses 4 to 6” or “the supplier management process”) and a plan for its timing (which areas will be covered, when and for how long). It’s important that the right people are available at each stage of the audit, and this may need some discussion with the main contact for the audit. It may make sense to obtain key documentation in advance and to review the target areas in preparation. Room bookings or remote meeting arrangements may need to be made, perhaps including the booking of a projector or other equipment.

Audit day

On the day of the audit the facilities available will need to be checked to make sure that everything is in place for the audit to proceed as planned. An opening meeting will be held to confirm the scope and the schedule of the audit, and the conventions used. As the audit progresses, it is vital to keep an eye on the time to ensure it keeps to the schedule arranged. The evidence of conformity that is provided should be recorded by the auditor so that it can be quoted in the report. If a nonconformity is to be raised, the auditor should explain this at the time and avoid surprises at the end of the audit. The closing meeting will go through the nonconformities and observations raised and confirm next steps. The audit report should then be finalised ready for submission to management.

Audit report and nonconformances

The audit report should always include an executive summary at the beginning. This will outline the strengths and weaknesses of the processes in the scope of the audit, and give a balanced view of the health of the management system. The auditor should provide a concise, factual, and easy to read report which includes the numbers and details of any audit findings on the first page, so that senior management have this information immediately in front of them. The report should always distinguish between nonconformities and auditor observations, so it is clear which problems need fixing immediately and which are things that can be improved later on.

Nonconformance statements need to be concise and directly refer to the standard requirement and/or the internal process or procedural requirement that was found deficient, so they can be easily resolved. Make sure hard evidence findings are attached or referenced too. A list of who was involved at each stage of the audit should be included so that it is clear where the recorded information came from. Even if your audit report has some nonconformances and/or observations, it’s important to take note of the reported positive aspects too and share them among the wider team.

Audit feedback

Once the audit has been completed and the report written, the auditees may be given an opportunity to review it and ask any questions they may have. When finalised, the report needs to be submitted to the appropriate layer of management and an action plan requested to address any nonconformities found. The implementation of these actions should be confirmed by the auditor at a later date to ensure that actions are not being ignored. It may be useful to obtain feedback from the people involved in the audit on how they felt it went – was it helpful, fair and was the pace appropriate?

Now we know what needs to be done, let’s talk about who could fulfil the auditor role.

Options for meeting the requirements

In basic terms there are two options for auditor selection: using inhouse resources or external resources. An inhouse resource could be an existing auditor if your organization is big enough to have one. Alternatively, an existing member of staff could be trained up to be an internal auditor, or one could be recruited. An external resource could also be used, and there are many companies offering internal audit services, of which CertiKit is one.

Let’s look at the pros and cons of each approach.

Inhouse internal auditor

Pros:

  • An inhouse resource may have existing knowledge of what the business does, and the processes involved, and this may be useful.
  • Developing ISO skills within your current staff could be something you want to do.
  • Using a resource that is already on the payroll may also be a cost-effective option.

Cons:

  • An inhouse resource may have limited exposure to the way other organizations run their management systems, and lack a wider knowledge.
  • There may be the cost of training to consider, and it may take a long time for them to get to a point where they feel confident to carry out an audit, potentially delaying the implementation of your management system.
  • If they carry out audits on a part-time basis they may be distracted by their other responsibilities within the organization and they may not meet the impartiality requirements in business areas in which they are actively involved.

External internal auditor

Pros:

  • Access to auditors with a wide range of auditing experience gained across many varied management systems.
  • They may be available at relatively short notice and so not delay your management system implementation.
  • Their cost may compare favourably with maintaining a competent inhouse resource and they are likely to meet the requirements for impartiality.

Cons:

  • There will be a cost each year, and they will have a limited knowledge of how your organization works.
  • Depending on how busy they are, they may not be available within the timescales you need.

Internal audit approaches after certification

Once you’re certified you have some flexibility in how to structure your audit programme.

There is no right or wrong way in selecting the approach an organization wants to take for performing internal audits. However, it is important that an effective approach is chosen and defined. Typical approaches include:

  • ISO Clause-based audit
  • Departmental/Business function
  • Process audit
  • Risk-based audit approach

As well as reviewing each clause in turn, you could decide to look at how a specific department meets the requirements of the standard. Similarly, you could audit a business process that crosses departmental boundaries, or decide to audit those areas of greatest risk first.

If you have a balanced internal audit programme then it may actually be a mix of some, or all, of these techniques which are applied to particular circumstances.

In Conclusion

Internal auditing is an important part of an ISO management system and without evidence of an effective programme, your organization is unlikely to become certified. The requirements are relatively straightforward and leave a fair degree of choice about how to approach them, both from a resourcing and a method point of view.


Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


CertiKit's Internal Audit Service

If you’ve decided to outsource your internal audit, CertiKit can help. Our qualified lead auditors can provide internal audits for:

  • ISO/IEC 27001 – Information Security Management System
  • ISO 22301 – Business Continuity Management System
  • ISO 9001 – Quality Management System
  • ISO 14001 – Environmental Management System
  • ISO 45001 – Occupational Health and Safety Management System

CertiKit’s internal audits are conducted remotely via MS Teams to clients in the UK, the EU and those +/- 5 hours of the UK time zone.
