
    Internal Audit Checklist

    Step-by-step checklist for ISMS internal audits. Supports clause 9.2.


    About this Internal Audit Checklist

    The Internal Audit Checklist is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It maps to clause 9.2 of the main ISO 27001 standard.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to clause 9.2
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Clause 9.2 - Internal audit
    • Clause 9.2.2 - Internal audit programme
    • Clause 10.1 - Continual improvement
    • Clause 10.2 - Nonconformity and corrective action

    How to customise

    • Set the audit programme covering all clauses and applicable Annex A controls.
    • Assign independent auditors with no conflict of interest.
    • Record findings, classify them, and link to corrective actions.
    • Schedule audits so the full ISMS is covered within the cycle.

    Evidence auditors may expect

    • Internal audit programme and plan
    • Audit reports with findings and evidence sampled
    • Nonconformity log with root cause and corrective action
    • Follow-up evidence showing closure

    Auditor may ask

    Q. How is the internal audit programme planned and approved?
    Q. How is auditor independence ensured?
    Q. How are findings tracked to closure?
    Q. How are internal audit results reported to management review?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Internal Audit Checklist

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).