Designing an internal audit programme auditors actually respect.
Sampling, independence and evidence chain — what 2nd-party reviewers look for before Stage 2.

This playbook captures the sequence MAST Consulting Group uses on ISO/IEC 27001 engagements when a programme owner has roughly the next two quarters to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.
Definition
ISO 27001 clause 9.2 mandates a planned internal audit programme that covers the full ISMS scope at defined intervals, tests conformance with the standard and the organisation's own requirements, and produces documented results reported to management. Second-party reviewers (CB auditors) evaluate the internal audit programme itself as evidence of the organisation's self-governance maturity before issuing a Stage 2 opinion.
Why it matters
The pressure on ISO/IEC 27001 programmes is shifting in specific, observable ways:
- CB auditors from BSI and LRQA routinely cite 'inadequate internal audit programme' as the leading cause of Major NCs at Stage 2 in MENA-region audits — specifically: insufficient sampling, same person auditing their own area, or no corrective action follow-up.
- NCA ECC-1 (domain 3-1) and SAMA CSF (5.3) both require periodic independent reviews of information security controls; the ISO internal audit programme is the primary evidence cited during NCA/SAMA supervisory reviews.
- A credible internal audit trail accelerates Stage 2 from 5 days to 3–4 days by allowing the CB auditor to rely on internal audit work product, reducing on-site sampling cost by AED 20K–50K per cycle.
- India RBI ITGF (2023) and SEBI CSCRF require documented internal audit reports for IT/IS controls to be submitted to the Board Audit Committee — ISO internal audit records directly satisfy this obligation.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Annual audit plan document — listing audit scope areas, scheduled dates, assigned auditors (names, independence statement), and clause/control reference for each audit module
- Audit checklists per module — sampling rationale (e.g. 20% of change tickets from Q3), evidence reviewed, auditor observations and conformance rating
- Nonconformity (NC) register — NC reference number, grade (Major/Minor/Observation), root cause, corrective action owner, due date and closure evidence
- Corrective action closure evidence — e.g. Jira ticket marked Done with approver, updated procedure PDF, screenshot of system configuration change with timestamp
- Management review input report (clause 9.3) — summary of internal audit results, open NCs and trend analysis presented to CISO and board
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0–30: ISMS Manager drafts a 12-month audit plan covering all ISMS clauses (4–10) and all Annex A control domains; assigns auditors ensuring no one audits their own function; secures CISO sign-off and uploads to document management system.
- Day 31–60: Internal Auditor conducts first module (e.g. Access Control — Annex A.5.15–A.5.18, A.8.2–A.8.5) using a structured checklist with 15–20% sampling of Entra ID access reviews and ServiceNow access request tickets; issues draft findings within 5 business days.
- Day 61–90: NC owners respond with root cause analysis and corrective action plans within 10 business days; ISMS Manager validates closure evidence before marking NCs closed; uploads evidence to GRC tool (e.g. Drata, Vanta, Tugboat Logic).
- Day 90+: ISMS Manager prepares annual internal audit summary for management review (clause 9.3); presents NC trend (open vs. closed by grade) and programme coverage percentage to CISO.
- Ongoing: Internal Auditor completes all planned audit modules within the 12-month cycle; programme is reviewed and updated annually to reflect new risks, scope changes and CB feedback.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Programme coverage: 100% of ISMS clauses and Annex A control domains audited at least once per 12-month cycle
- Auditor independence: 0% of audit modules conducted by an auditor responsible for the controls under review
- NC closure rate: ≥90% of Minor NCs closed within 45 days; 100% of Major NCs closed before next CB surveillance audit
- Corrective action on-time rate: ≥85% of NC action plans completed by the agreed due date
- CB reliance rate: CB auditor reduces Stage 2 sampling by ≥20% citing internal audit work product — tracked in audit report
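As an added illustration (not code from MAST Consulting Group), the following computes four of the metrics above from a constructed audit plan and NC register laid out with the fields listed under "Evidence sources to capture". The names, dates and the 45-day Minor window are assumptions for the example; "closed on time" is measured against the agreed due date and "closed within window" against the date the NC was raised.

```python
from datetime import date

MINOR_CLOSURE_WINDOW_DAYS = 45  # target from the NC closure-rate metric above

# Constructed sample data (not from any real engagement): one audit-plan row
# per module, one NC-register row per finding, dates as ISO strings.
AUDIT_PLAN = [
    {"module": "Access Control", "auditor": "R. Khan", "control_owner": "S. Ali"},
    {"module": "Change Management", "auditor": "S. Ali", "control_owner": "S. Ali"},  # owner auditing own area
    {"module": "Supplier Security", "auditor": "R. Khan", "control_owner": "M. Rao"},
]
NC_REGISTER = [  # closed=None means the NC is still open
    {"ref": "NC-01", "grade": "Major", "raised": "2024-02-05", "due": "2024-03-29", "closed": "2024-03-20"},
    {"ref": "NC-02", "grade": "Minor", "raised": "2024-02-05", "due": "2024-03-15", "closed": "2024-03-10"},
    {"ref": "NC-03", "grade": "Minor", "raised": "2024-02-05", "due": "2024-03-15", "closed": "2024-04-02"},
    {"ref": "NC-04", "grade": "Major", "raised": "2024-03-01", "due": "2024-04-30", "closed": None},
]

def _d(s):
    """ISO date string -> date, or None for an open NC."""
    return date.fromisoformat(s) if s else None

def _pct(part, whole):
    """Percentage of `whole` that is in `part`; an empty population counts as 100%."""
    return 100.0 * len(part) / len(whole) if whole else 100.0

def independence_violations(plan):
    """Modules where the assigned auditor owns the controls under review (target: none)."""
    return [m["module"] for m in plan if m["auditor"] == m["control_owner"]]

def minor_closure_rate(register):
    """% of Minor NCs closed within the window of being raised (target >= 90%)."""
    minors = [n for n in register if n["grade"] == "Minor"]
    in_window = [n for n in minors if _d(n["closed"])
                 and (_d(n["closed"]) - _d(n["raised"])).days <= MINOR_CLOSURE_WINDOW_DAYS]
    return _pct(in_window, minors)

def majors_open_at(register, next_cb_audit):
    """Major NCs not closed before the next CB surveillance audit (target: none)."""
    cutoff = _d(next_cb_audit)
    return [n["ref"] for n in register if n["grade"] == "Major"
            and (_d(n["closed"]) is None or _d(n["closed"]) >= cutoff)]

def on_time_rate(register, as_of):
    """% of NCs already past due that were closed on or before their due date (target >= 85%)."""
    past_due = [n for n in register if _d(n["due"]) <= _d(as_of)]
    on_time = [n for n in past_due if _d(n["closed"]) and _d(n["closed"]) <= _d(n["due"])]
    return _pct(on_time, past_due)
```

With the sample register the Minor closure rate is 50% and the on-time rate as of 2024-04-15 is about 67%, both below target, and NC-04 would be flagged as a Major still open at a May surveillance audit.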
A working plan for the next two quarters
MAST Consulting Group runs this ISO/IEC 27001 work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.
- Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against Clauses 4–10. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
- Diagnose (weeks 2–4). Walk through SoA and risk register as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
- Design (weeks 5–8). Make the contested choices early and pre-clear them with internal audit committees. Document the rationale; ISO/IEC 27001 reviewers care more about reasoned decisions than perfect ones.
- Operate (weeks 9–12). Move evidence collection into the tools teams already open: a spreadsheet-based SoA where a GRC tool would be overhead, and Jira / ServiceNow for nonconformity tracking. A control that depends on a separate GRC tool nobody opens will fail within two cycles.
Pitfalls we keep seeing
Across MAST Consulting Group's ISO/IEC 27001 portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.
- Pattern: internal audit programme without independence from the function audited. What good looks like: the audit plan carries an independence statement per module and nobody audits their own function, so the independence metric above stays at 0%.
- Pattern: asset inventory that does not reconcile to the risk register. What good looks like: the inventory and the risk register maintained as one reconciled dataset, with the control evidenced inside the workflow it governs rather than reconstructed for the audit.
- Pattern: management review minutes that skip the required inputs in Clause 9.3.2. What good looks like: a management review input report that carries internal audit results, open NCs and trend analysis, and minutes showing each required input was actually considered.
- Pattern: scope statement that excludes a customer-facing platform. What good looks like: a scope statement, SoA and audit plan that cover the full ISMS scope, including the platforms customers actually rely on.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on ISO/IEC 27001 engagements, not because any of it is fashionable, but because the integrations are cheap and the audit trail each generates is one the reviewer accepts on the first ask:
- spreadsheet-based SoA where a GRC tool would be overhead
- Jira / ServiceNow for nonconformity tracking
- Entra / Okta for access evidence
How MAST Consulting Group can help
MAST Consulting Group runs ISO/IEC 27001 programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for ISO/IEC 27001 programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Get certification-ready in 12–16 weeks.
Our Lead Auditors will scope your ISMS, run a gap assessment against ISO 27001:2022, and deliver a fixed-fee implementation plan.
- Free 30-minute scoping call with a Lead Auditor
- Gap assessment mapped to all 93 Annex A controls
- Stage 1 + Stage 2 audit support included
Prefer email? info@mastcgroup.com
A senior consultant will reply within one business day.