ISO 27001 internal audits can feel intimidating for lean teams, but they do not need to be stressful. A structured, step-by-step approach helps SMEs and startups review ISMS activities, prepare evidence, and find the areas that need attention before engaging external auditors.
What is an ISO 27001 Internal Audit?

An ISO 27001 internal audit is the structured review required by Clause 9.2: it checks whether your ISMS conforms to ISO 27001 and to your own organisation's requirements, whether controls are operating as intended, and whether evidence exists to show it.
Key goals:
- Assess conformity with the ISO 27001 clauses (4–10) and the Annex A controls you have selected.
- Surface gaps, weaknesses, or missing evidence before the Stage 1 and Stage 2 certification audits.
- Feed the "Check" phase of the ISMS Plan-Do-Check-Act (PDCA) cycle.
This is not a one-off activity: Clause 9.2 expects audits at planned intervals, and each cycle's results are an input to management review and corrective action.
Step-by-Step ISO 27001 Internal Audit Method
Step 1: Plan and Scope the Internal Audit
Planning can help make your internal audit structured, manageable, and focused on the areas that matter most.
Key actions:
- Define the audit scope: Identify systems, teams, processes, and locations to review.
- Set objectives: Review alignment with ISO 27001 requirements, assess evidence, and highlight potential gaps.
- Schedule dates and assign an auditor: see the Internal Audit Independence section below for in-house and outsourced options.
Tip: Keep the scope realistic to avoid overburdening small teams, while addressing all critical ISMS areas. Consider using a simple checklist or spreadsheet to track scope items.
Step 2: Prepare and Map Audit Evidence

Preparing evidence in advance lets the auditor see quickly whether policies and controls are applied consistently, instead of reconstructing that picture during interviews.
Examples of evidence may include:
| ISO 27001 requirement (2022 numbering) | Example evidence |
|---|---|
| Clause 6.1.2 / 6.1.3 Risk assessment and treatment | Risk register, risk treatment plan (RTP), Statement of Applicability |
| A.5.1 Policies for information security | Policy document approved by leadership, record of communication to staff |
| A.5.18 Access rights | Onboarding / offboarding logs, periodic access review reports |
| A.5.9 Inventory of assets; A.8.1 User endpoint devices | Asset and device inventory, disk-encryption status, BYOD policy |
| A.5.24–A.5.27 Incident management (A.16.1 in the 2013 edition) | Incident reports, post-incident reviews |
Note: The 2013 and 2022 editions number Annex A differently, so check which edition your certificate targets and keep your evidence map on one numbering scheme.
Tip: Mapping each control to a responsible owner can simplify evidence collection. Consider grouping evidence by process area or department to save time.
Step 3: Conduct the Internal Audit
The audit itself typically involves:
- Reviewing documentation and records against the checklist.
- Interviewing staff to confirm that processes run as documented; sampling a few real records (for example, a recent joiner's access grant) is more convincing than the policy alone.
- Recording each potential nonconformity or gap together with the evidence, or lack of it, behind it.
Note: Auditors value consistency over documentation perfection. Small teams should aim to show repeatable, documented processes. A simple interview checklist or scoring template keeps the audit efficient.
Step 4: Report Findings
- Record observations in a clear, structured report.
- Categorise each finding as a major nonconformity, a minor nonconformity, or an observation (opportunity for improvement), and state the clause or control it relates to.
- Include recommendations that may help address identified gaps.
Tip: Keep reports concise and practical. The aim is to support ongoing improvement without adding unnecessary workload. Using a table format for observations can improve readability.
Step 5: Track Corrective Actions and Learn
- Assign owners to corrective actions.
- Track completion and observe results in the next audit cycle.
- Feed learnings into your ISMS Plan-Do-Check-Act (PDCA) cycle to support continuous improvement.
Tip: Small teams can use a simple tracker, spreadsheet, or project management tool to monitor actions. Documenting lessons learned can make the next audit faster and smoother.
Internal Audit Independence: In-House vs Outsourcing
Clause 9.2 of ISO 27001 requires the organisation to select auditors and conduct audits in a way that ensures objectivity and impartiality. SMEs and startups may find this challenging with few people, but there are practical ways to keep audits impartial.
Independence Requirements
- Auditors should not review their own work (e.g. IT staff reviewing their own access controls).
- Independence helps support an unbiased evaluation and improves the reliability of the audit process.
Internal Options
- Compliance Lead: suitable for small teams where one person coordinates the ISMS, provided they do not audit the processes they operate themselves.
- Operations Manager or Peer Audit: Cross-functional reviews (e.g. HR auditing IT processes) can support impartiality.
- Rotation: Assigning different staff to audits in different cycles can help maintain objectivity.
Outsourcing / Co-sourcing
- Engaging a part-time external consultant can help support independence when internal resources are limited.
- Outsourcing or co-auditing may support smaller teams while maintaining credibility and control over costs.
- External auditors or consulting partners can guide or co-review the internal audit process, which may help teams feel more confident in internal review activities.
Tip: Lean teams may combine self-serve templates with occasional external review to keep the process manageable while aligning with typical ISO 27001 expectations for internal audits.
Best Practices for SME Internal Audits

SMEs and startups can adopt practical, lightweight approaches to conducting ISO 27001 internal audits. The following practices may help make the process clearer, more consistent, and aligned with Clause 9.2 expectations.
- Keep the audit predictable and manageable. Using a repeatable structure or checklist can help small teams maintain consistency across each audit cycle.
- Maintain clear, necessary evidence. Logs, approvals, and review records show controls operating, and the audit programme and results themselves are the documented information Clause 9.2 expects you to retain.
- Assign ownership for each control or process. Clear responsibility can make evidence collection and follow-up activities more efficient.
- Use templates for audit checklists, reports, and corrective actions. Structured tools can reduce effort and support traceability without adding unnecessary documentation.
- Conduct audits at intervals that suit your team's resources. Integrating findings into the ISMS PDCA cycle may support continual improvement and help identify emerging risks or gaps over time.
Lean Audit Tools and Templates
SMEs may find it easier to maintain structure and consistency by using practical ISO 27001 audit tools. Common options include:
- Internal Audit Checklist Template – A clause-organised list of points that can guide internal review activities.
- Corrective Action Log Template – A simple way to track issues, follow-up actions, and resolution progress.
- Evidence Mapping Template – Helps connect risks, controls, and supporting documentation for clearer traceability.
These templates can support SME teams in preparing for internal reviews and understanding expectations typically assessed during certification audits, while promoting a more consistent and efficient audit workflow.
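The three templates above are just small tables, so the checks an auditor runs over them can be scripted. The following is an added example, not code from the article or any product it describes: it reads a constructed evidence map, audit plan and corrective-action log (the control numbers are ISO 27001:2022 Annex A; the owners, file names, dates and action IDs are made-up sample data) and returns the gaps a lean team would want to see before fieldwork starts: missing or stale evidence, an auditor assigned to review their own work, and overdue corrective actions.

```python
"""Lean ISO 27001 internal-audit gap check (added example, stdlib only).

Reads three small tables that mirror the templates above (evidence map,
audit plan, corrective-action log) and returns the findings an internal
auditor wants before fieldwork: missing or stale evidence, an auditor
reviewing their own work (Clause 9.2 independence), and overdue actions.

Control numbers are ISO 27001:2022 Annex A; the owners, file names, dates
and action IDs below are constructed sample data, not real records.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (assumed; swap for exports of your own spreadsheets).
EVIDENCE_MAP_CSV = """control,title,owner,evidence,last_reviewed
A.5.1,Policies for information security,cto,policies/infosec-policy-v3.pdf,2025-01-15
A.5.18,Access rights,it-lead,access-reviews/2025-Q1.xlsx,2025-03-31
A.8.1,User endpoint devices,it-lead,,
A.5.27,Learning from incidents,ops-lead,incidents/post-incident-2024-02.md,2024-02-10
"""

AUDIT_PLAN_CSV = """control,auditor
A.5.1,ops-lead
A.5.18,it-lead
A.8.1,hr-lead
A.5.27,cto
"""

ACTION_LOG_CSV = """action_id,control,owner,due,status
CA-001,A.5.18,it-lead,2025-02-28,open
CA-002,A.8.1,it-lead,2025-06-30,closed
CA-003,A.5.27,ops-lead,2025-05-15,open
"""


@dataclass(frozen=True)
class Finding:
    control: str
    kind: str    # missing_evidence | stale_evidence | self_review | overdue_action
    detail: str


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def audit_gaps(evidence_csv: str, plan_csv: str, actions_csv: str,
               today: date, max_age_days: int = 365) -> list[Finding]:
    """Return every gap found across the three tables, in checklist order."""
    findings: list[Finding] = []
    auditors = {r["control"]: r["auditor"] for r in _rows(plan_csv)}

    for r in _rows(evidence_csv):
        ctl = r["control"]
        if not r["evidence"]:
            findings.append(Finding(ctl, "missing_evidence",
                                    f"no evidence recorded for {r['title']}"))
        else:
            age = today - date.fromisoformat(r["last_reviewed"])
            if age > timedelta(days=max_age_days):
                findings.append(Finding(ctl, "stale_evidence",
                                        f"{r['evidence']} last reviewed {age.days} days ago"))
        # Clause 9.2 independence: the auditor must not review their own work.
        if auditors.get(ctl) == r["owner"]:
            findings.append(Finding(ctl, "self_review",
                                    f"{r['owner']} both owns and audits this control"))

    for a in _rows(actions_csv):
        if a["status"] != "closed" and date.fromisoformat(a["due"]) < today:
            findings.append(Finding(a["control"], "overdue_action",
                                    f"{a['action_id']} due {a['due']} (owner {a['owner']})"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for the report's summary table."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample() -> list[Finding]:
    """Run the check over the constructed data with a fixed 'today' (reproducible)."""
    return audit_gaps(EVIDENCE_MAP_CSV, AUDIT_PLAN_CSV, ACTION_LOG_CSV, date(2025, 5, 1))


if __name__ == "__main__":
    gaps = run_sample()          # in practice pass date.today() to audit_gaps
    for g in gaps:
        print(f"{g.control:<7} {g.kind:<17} {g.detail}")
    print(summarise(gaps))
```

On the sample data the script flags A.8.1 for missing evidence, A.5.27 for evidence older than a year, A.5.18 because the same person owns and audits the control, and CA-001 as overdue; the closed CA-002 and the not-yet-due CA-003 are left alone. The self-review check is the one most worth keeping even if you never automate the rest, because it turns the Clause 9.2 independence rule into something the audit plan is tested against rather than remembered.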
Quick Summary – Internal Audit for SMEs and Startups
- Internal audits form part of ISO 27001 Clause 9.2 and contribute to the “Check” stage of the PDCA cycle.
- Lean teams may run effective audits by using structured checklists, practical evidence, and clear ownership of audit activities.
- Independence supports audit objectivity; teams may rotate internal auditors or engage an external reviewer when needed.
- Recording findings, assigning follow-up actions, and monitoring improvements can help strengthen the ISMS over time.
This approach may support small teams in organising ISO 27001 internal audit activities more effectively, without adding unnecessary complexity.
Conclusion: A Practical Way to Manage ISO 27001 Internal Audits
Internal audits do not need to feel overwhelming. For SMEs and startups, a structured, repeatable approach helps organise audit activities, meet Clause 9.2 expectations, and review evidence properly before the external assessment.
The internal audit also contributes to the “Check” stage of the Plan-Do-Check-Act (PDCA) cycle, which is intended to support ongoing performance evaluation of the ISMS. Clear responsibilities, documented observations, and evidence mapping may help teams maintain a more consistent approach during each audit cycle.
Where internal expertise is limited, cross-functional peer reviews or external support may help maintain objectivity. Using practical tools – such as internal audit checklists, evidence trackers, and corrective action logs – may help streamline preparation and support clearer workflows.
A structured approach may help teams review ISMS activities, identify potential improvements, and organise information for discussions with external auditors.
Next Step: If your team is seeking tools to help organise ISO 27001 documentation and evidence, you may wish to explore our ISO 27001 template collection.
Next Article: In ISO 27001 Strategic Evaluation: How to Choose Your Implementation Solution, we explore how small teams can strategically evaluate TCO, scale, and long-term risk to select the best combo of templates, consultants, and platforms for compliance.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition) – Full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
E. Audit, Certification, and Evidence – Detailed Guides by Topic
- What ISO 27001 Stage 1 vs Stage 2 Audits Actually Look Like – SME Guidance – A practical walkthrough of both audit stages, what auditors typically check, and how small teams can prepare efficient, evidence-ready workflows.
- ISO 27001 Certification Costs for SMEs in 2026 – Estimates and Budget Guide – Understand typical implementation costs, drivers, and budgeting considerations for SMEs using templates, consultants, or platforms.
- ISO 27001 Implementation Timelines for Lean Startups and SMEs – Practical guidance for planning and executing ISO 27001 with templates to help small teams target a 3 – 6 months timeframe.
- ISO 27001 Evidence: How Lean Teams Can Approach Audit Verification (SME Guide) – Practical tips for SMEs to organise policies, logs, and records, streamline documentation, and prepare evidence efficiently for audits.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.