We deliver Clause 9.2 internal audits the way an external auditor reads them. Every finding, every observation, every nonconformity surfaced before the certification body arrives, not after.
Internal audit is mandatory under every ISO management system standard and effectively required under most regulatory frameworks. We deliver it as a senior, audit-grade engagement applying the same depth of clause coverage, evidence testing, and finding clarity the certification body brings to Stage 2, six months earlier and entirely confidential between AuditVantage® and the engaging organisation.
Audit scopes covered
Every ISO management system standard requires an internal audit before the certification body can certify or recertify you. Most consultants and many companies deliver this audit as a paper exercise. We do not. A thorough internal audit reads exactly the way the external auditor will read your management system, six months before the external auditor arrives.
What we specifically do that a paper-exercise audit does not:
Full clause-by-clause walkthrough, not selective sampling against a pre-tick checklist.
Evidence tested against each clause and control, not what looks plausible on a dashboard.
Control narrative reviewed for defensibility under scrutiny, including how each control links back to a real risk and a real treatment decision.
Scope decisions, exclusions, and Statement of Applicability challenged, the same way the external auditor will challenge them.
Nonconformities documented together with corrective action guidance that closes each finding cleanly under audit conditions.
Audit report structured to match ISO standard expectations, so the management review and the next external certification audit run from the same document.
Internal audit is mandatory or effectively mandatory across every framework we cover. We deliver it under two scopes, mapped to how each framework treats internal audit obligations.
You can engage AuditVantage® for internal audit at three levels of commitment. Each is delivered personally by the Managing Director, an ISO/IEC 27001 Lead Auditor and Lead Implementer.
A weak internal audit creates the illusion of compliance. The external certification audit then finds what the internal audit missed. The cost shows up not in fees but in delay, lost contracts, and lost trust.
A surface-level audit misses what emerges at Stage 2. Findings that could have been closed quietly in-house become major nonconformities under external scrutiny, with a six to twelve month remediation window that can delay your certification or put enterprise contracts at risk.
The value of internal audit is identification: the more we surface internally, the less the external audit escalates. That depends on depth and independence. We apply full audit discipline, as a qualified ISO/IEC 27001 Lead Auditor and Lead Implementer, testing against the actual clause and control rather than a checklist.
Independence is the other half. ISO/IEC 27001 Clause 9.2 requires the internal auditor to be independent of the activity audited. In a small or medium organisation, genuine independence is rarely achievable in-house, since an ISMS manager auditing the controls they designed is not an independent audit. An external internal auditor resolves the independence requirement and raises audit quality at the same time.
Audit programme design. We define the audit programme covering the scope, frequency, methods, and responsibilities for the engagement period, aligned to your certification cycle and the certification body's expectations.
Audit planning. For each cycle, we prepare an audit plan covering objectives, scope, criteria, schedule, and resources, shared with you in advance.
Fieldwork. Document review, interviews, walkthroughs, evidence sampling, and process observation. On-site or remote as appropriate.
Reporting. Written audit report with documented findings, observations, opportunities for improvement, and any nonconformities.
Corrective action follow-up. We review your corrective action plan against each finding, sign off where remediation is complete, and document residual items for the next cycle.
We will not certify you. AuditVantage® is not a certification body. Internal audit prepares you for the external certification audit; it does not replace it.
Internal audit findings remain a confidential output between AuditVantage® and the engaging organisation. We do not report internal audit results to any certification body, regulator, or third party. The information is yours; how you use it is yours.
Can we not just do this ourselves? For most small and medium organisations, true independence between auditor and auditee is structurally impossible to achieve internally. An ISMS manager auditing the controls they themselves designed is not an independent audit. An external internal auditor solves the impartiality requirement and raises the audit quality at the same time.
Why not have our existing consultant do it? Independence. ISO/IEC 27001 Clause 9.2 requires the internal auditor to be independent of the activity audited. A consultant who built or advised on your management system would be auditing their own work. Implementation and internal audit are also different disciplines. We provide the independent audit, reading your management system against the actual clause and control, as a qualified ISO/IEC 27001 Lead Auditor and Lead Implementer, so the findings hold up when your external audit comes.
How is this different from the certification audit? The certification audit is a regulatory event with formal certification consequences. Internal audit is your private, confidential preparation for it. The discipline and standards are identical. The audience and the consequences are not. We deliver internal audit to the same standard the external auditor delivers the certification audit, but you see the findings, not the certification body.
What happens if you find a major nonconformity? We document it precisely, write it in clause-referenced ISO 19011 audit language, and brief your management on what remediation will close it cleanly. We never report nonconformities outside your organisation. The finding is yours, in writing, to remediate before the external auditor sees the same thing.
How long does a thorough internal audit take? For ISO/IEC 27001 with a single, well-defined scope, two to five audit days for fieldwork plus pre-audit document review and post-audit reporting. Multi-standard and larger-scope engagements scale from there. We scope the duration during the discovery call.
Registered office, Düsseldorf
AuditVantage® GmbH is not a law firm and not a certification body. The Managing Director is an IT and information security consultant and ISO/IEC 27001 Lead Implementer and Lead Auditor, not a Rechtsanwältin, and does not provide legal services. Content on this site is general information and does not create an advisory relationship. Full disclaimer in the Impressum.
Auditor impartiality. The Managing Director of AuditVantage® GmbH serves as a contracted Lead Auditor for accredited certification bodies. To preserve impartiality required under ISO/IEC 17021-1, AuditVantage® operates under a formal Conflict of Interest Policy. The Managing Director does not audit organisations that AuditVantage® has advised within the past two years, and AuditVantage® does not advise organisations the Managing Director has audited within the same window. Audit assignments are scheduled by the certification body. AuditVantage® takes no part in that selection.