SGRII Insights  ·  ISO 27001:2022  ·  2026

Your ISMS Internal Audit Reviewed Documents. A Stage 2 Auditor Will Test Controls. These Are Not the Same Activity — And the Gap Between Them Is Where Certification Credibility Lives.

An internal audit programme that verifies document existence without testing control operation produces findings about documentation gaps, not security gaps. ISO 19011 requires auditor competence in the subject matter. For ISO 27001, that means information security — not just audit methodology.


SGRII Performance & Digital Solutions

ISMS Practice  ·  April 2026  ·  11 min read


SGRII Pillar Lens

Systems

Systems thinking applied to internal audit means recognising that the audit programme is a diagnostic mechanism — not a compliance verification exercise. A diagnostic audit tests whether the system produces the outcomes it was designed to produce. A compliance audit tests whether the documents exist. Both are necessary. Only the first generates findings that improve security. Only the first prepares the organisation for what a Stage 2 auditor will actually do.

The Document Audit vs. The Operational Audit

A document audit asks: does the procedure exist? Is it approved? Is it the current version? Is it accessible to the people who need it? These are legitimate Clause 7.5 questions. They verify that the documented information framework is in order. They tell you nothing about whether the controls described in those procedures are operating.

An operational audit asks: for control A.8.8 (vulnerability management), when was the last scan? What was the scope? How many critical vulnerabilities were identified? How many were remediated within the defined SLA? What was the verification method? These are Clause 8 questions. They test whether the risk treatment plans have become operational reality.

Most ISMS internal audit programmes conduct the first type. Stage 2 certification auditors conduct the second type. The gap between them is where organisations discover — during the certification audit, not before it — that their ISMS is documented but not implemented. A well-designed internal audit programme eliminates this gap by testing what the certification auditor will test, before the certification auditor arrives.

Auditor Competence for ISMS: The Subject Matter Requirement

ISO 19011:2018 requires auditors to have competence in the subject matter they audit. For ISO 9001, this means understanding quality management processes. For ISO 14001, environmental management. For ISO 27001, information security.

An internal auditor with ISO 19011 audit methodology training but no information security competence can verify that procedures exist, are approved, and are current. They cannot meaningfully test whether A.8.16 (monitoring activities) is detecting anomalies, whether A.8.8 (vulnerability management) is remediating within SLA, or whether the MFA deployment under A.8.5 (secure authentication) covers all privileged accounts. These are technical assessments that require technical understanding.
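The operational questions above (for A.8.8: when was the scan, how many critical findings, how many closed within SLA, how was closure verified; for A.8.5: does MFA cover every privileged account) are answerable from exported records rather than from the control owner's assurance. The following is an added example of what that evidence test looks like in code; it is not part of this article or the SGRII audit pack. The scanner export, the directory export, the hostnames and user names, the SLA values and the privileged group names are all constructed for the illustration.

```python
"""Operational evidence tests for A.8.8 (vulnerability management) and
A.8.5 (secure authentication). Added illustration with constructed data;
not code from SGRII or its audit pack. Hostnames, user names, dates,
group names and SLA values are all hypothetical."""
from datetime import date, timedelta

# Constructed export of findings from a vulnerability scanner's ticketing
# integration. 'verified_by' records how closure was confirmed.
VULN_RECORDS = [
    {"host": "web-01", "severity": "critical", "found": "2026-01-05", "fixed": "2026-01-12", "verified_by": "rescan"},
    {"host": "db-01",  "severity": "critical", "found": "2026-01-05", "fixed": "2026-02-20", "verified_by": "rescan"},
    {"host": "app-02", "severity": "critical", "found": "2026-02-01", "fixed": None,         "verified_by": None},
    {"host": "app-04", "severity": "critical", "found": "2026-02-25", "fixed": None,         "verified_by": None},
    {"host": "app-05", "severity": "critical", "found": "2026-01-20", "fixed": "2026-01-30", "verified_by": "ticket-closed"},
    {"host": "app-03", "severity": "high",     "found": "2026-02-01", "fixed": "2026-02-15", "verified_by": "ticket-closed"},
]

# Hypothetical remediation SLA in days, as the organisation's vulnerability
# management procedure would define it.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


def _parse(value):
    return date.fromisoformat(value) if value else None


def audit_vuln_remediation(records, sla_days, as_of, severity="critical"):
    """Answer the A.8.8 operational questions for one severity band: how many
    were identified, how many closed within SLA, how many breached it, how
    many are still open past their deadline, and how many closures rest on a
    ticket status rather than a verifying rescan."""
    as_of = _parse(as_of)
    scoped = [r for r in records if r["severity"] == severity]
    result = {"identified": len(scoped), "within_sla": 0, "breached_sla": 0,
              "open_in_sla": 0, "open_overdue": 0, "closed_without_rescan": 0}
    for r in scoped:
        deadline = _parse(r["found"]) + timedelta(days=sla_days[severity])
        fixed = _parse(r["fixed"])
        if fixed is None:
            result["open_overdue" if as_of > deadline else "open_in_sla"] += 1
            continue
        result["within_sla" if fixed <= deadline else "breached_sla"] += 1
        if r["verified_by"] != "rescan":
            result["closed_without_rescan"] += 1
    return result


# Constructed directory export: account, group memberships, MFA enrolment flag.
ACCOUNTS = [
    {"user": "alice",      "groups": ["Domain Admins"],          "mfa": True},
    {"user": "svc-backup", "groups": ["Backup Operators"],       "mfa": False},
    {"user": "bob",        "groups": ["Staff"],                  "mfa": False},
    {"user": "carol",      "groups": ["Server Admins", "Staff"], "mfa": True},
    {"user": "dave",       "groups": ["Server Admins"],          "mfa": False},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}


def audit_mfa_coverage(accounts, privileged_groups):
    """A.8.5: does MFA cover every privileged account? Returns the size of the
    privileged population and the named exceptions, which is the evidence an
    auditor records rather than a yes/no from the control owner."""
    privileged = [a for a in accounts if privileged_groups & set(a["groups"])]
    gaps = sorted(a["user"] for a in privileged if not a["mfa"])
    return {"privileged_accounts": len(privileged), "without_mfa": gaps}


if __name__ == "__main__":
    print(audit_vuln_remediation(VULN_RECORDS, SLA_DAYS, "2026-03-01"))
    print(audit_mfa_coverage(ACCOUNTS, PRIVILEGED_GROUPS))
```

Two design points matter for the audit. First, a closure confirmed only by a ticket status is counted separately from one confirmed by a rescan, because the verification method is itself one of the Clause 8 questions. Second, open findings are split by whether their deadline has already passed as of the audit date, so the auditor can distinguish a backlog from a breach. The same evidence test with all counters at zero because no export exists is the document-only situation the article describes, and that absence is the finding.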

The practical consequence: ISMS internal audit teams that consist entirely of auditors without information security technical competence produce findings about documentation quality. They do not produce findings about security effectiveness. The certification body auditor — who typically has both audit methodology and information security competence — will find what the internal auditor missed. And the finding will be: the internal audit programme lacks the competence to effectively audit the ISMS.

Sampling Strategy: Management System Clauses + Annex A Controls

An ISMS internal audit programme must cover both layers: management system clauses (4–10) and Annex A controls. A programme that audits only the management system clauses will miss control implementation gaps. A programme that audits only Annex A controls will miss governance gaps.

The sampling strategy for Annex A should be risk-based: prioritise controls that treat the highest-rated risks, controls in the A.8 technological theme (where operational evidence is most objective), controls that are new in the 2022 revision (where implementation maturity is lowest), and controls where previous audits identified observations or minor NCs.

A three-year audit cycle should cover all 93 Annex A controls at least once, with high-risk controls audited annually. Each audit cycle should include at least one deep-dive into an operational process, tracing from the risk, through control selection and operational evidence, to performance measurement, in order to test the dependency chains that connect the system.
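The sampling rules above (prioritise controls treating the highest-rated risks, A.8 controls, controls new in 2022 and controls with prior findings; audit every control at least once in three years and high-risk controls every year) can be expressed as a small scheduling routine. What follows is an added example, not the SGRII audit programme template: the scoring weights are an assumption, and the control attributes are constructed rather than taken from any real Statement of Applicability.

```python
"""Risk-based sampling of Annex A controls over a three-year cycle.
Added illustration, not SGRII's template. The weights and the control
attributes below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    id: str
    theme: str              # A.5 organisational, A.6 people, A.7 physical, A.8 technological
    treats_high_risk: bool  # selected in the SoA to treat a risk rated high
    new_in_2022: bool       # introduced in the 2022 revision
    prior_finding: bool     # observation or minor NC raised in a previous audit


# Constructed sample of nine controls; attribute values are illustrative.
CONTROLS = [
    Control("A.5.7",  "A.5", False, True,  False),  # threat intelligence
    Control("A.5.23", "A.5", True,  True,  False),  # cloud services security
    Control("A.6.3",  "A.6", False, False, False),  # awareness and training
    Control("A.7.4",  "A.7", False, True,  False),  # physical security monitoring
    Control("A.8.5",  "A.8", True,  False, True),   # secure authentication
    Control("A.8.8",  "A.8", True,  False, True),   # vulnerability management
    Control("A.8.16", "A.8", True,  True,  False),  # monitoring activities
    Control("A.8.12", "A.8", False, True,  False),  # data leakage prevention
    Control("A.8.3",  "A.8", False, False, False),  # information access restriction
]

# Assumed weights for the four prioritisation factors named in the article.
WEIGHTS = {"high_risk": 3, "a8_theme": 1, "new_2022": 2, "prior_finding": 2}


def priority(c, weights=WEIGHTS):
    """Higher score means the control is audited earlier in the cycle."""
    return (weights["high_risk"] * c.treats_high_risk
            + weights["a8_theme"] * (c.theme == "A.8")
            + weights["new_2022"] * c.new_in_2022
            + weights["prior_finding"] * c.prior_finding)


def build_cycle(controls, years=3):
    """High-risk controls are scheduled in every year; the remaining controls
    are spread across the cycle in descending priority so that the highest
    scores fall in year 1 and every control is audited at least once."""
    annual = [c.id for c in controls if c.treats_high_risk]
    rest = sorted((c for c in controls if not c.treats_high_risk),
                  key=priority, reverse=True)
    plan = {year: list(annual) for year in range(1, years + 1)}
    for i, c in enumerate(rest):
        plan[i % years + 1].append(c.id)
    return plan


def coverage_gaps(plan, controls):
    """Check the two invariants the article sets for the cycle: every control
    appears at least once, and every high-risk control appears in every year.
    Returns the offending control ids for each invariant."""
    audited = set().union(*plan.values())
    never = sorted(c.id for c in controls if c.id not in audited)
    not_annual = sorted(c.id for c in controls if c.treats_high_risk
                        and any(c.id not in ids for ids in plan.values()))
    return {"never_audited": never, "high_risk_not_annual": not_annual}


if __name__ == "__main__":
    cycle = build_cycle(CONTROLS)
    for year, ids in cycle.items():
        print(f"Year {year}: {', '.join(ids)}")
    print(coverage_gaps(cycle, CONTROLS))
```

The `coverage_gaps` check is the part worth keeping once the plan is drafted by hand rather than generated: an audit programme whose schedule silently drops a control, or audits a high-risk control only in year 2, fails the cycle requirement the article states, and that is easier to detect mechanically than by reading a three-year spreadsheet.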

Finding Classification and the Zero-Finding Problem

Finding classification must align to ISO 19011: Major NC (the requirement is not addressed or the system is fundamentally unable to achieve intended outcomes), Minor NC (the requirement is partially addressed but a gap exists), Observation (potential for improvement or an area that could become a nonconformity). Organisations using non-standard scales (High / Medium / Low, Critical / Major / Minor) create confusion when the certification body arrives with the ISO 19011 framework.

An internal audit programme that consistently produces zero findings is not evidence of a perfect ISMS. It is evidence of an audit programme that lacks the capability, independence, or willingness to identify system weaknesses. If the certification body consistently finds issues that internal audits missed, the internal audit programme has a credibility problem — and Clause 9.2 is not effectively implemented.

The uncomfortable corollary: if internal auditors are reluctant to raise Major NCs because of organisational pressure or because they lack the authority to challenge the ISMS Manager (who may also be their colleague), the audit programme has an independence problem. ISO 27001 Clause 9.2 requires auditors to ensure objectivity and impartiality. A programme where the ISMS Manager selects the auditors, defines the scope, and reviews the findings before they are reported has structural independence issues that will eventually surface.

The SGRII Position

The SGRII view on ISMS internal audit is that the programme must test what the certification auditor will test. Document verification is a prerequisite. Operational testing is the audit. Finding classification follows ISO 19011. Zero findings trigger a review of the audit programme’s effectiveness, not a celebration of system maturity.

The SGRII ISMS Audit Pack includes process-based audit checklists that cover both management system clauses and Annex A controls with operational evidence requirements specified for each. The audit programme template includes risk-based sampling guidance, competence requirements for ISMS auditors, and a three-year cycle that ensures full Annex A coverage with annual high-risk control testing.

THE SGRII ISO 27001:2022 ISMS FRAMEWORK

The SGRII ISMS Audit Pack tests what certification auditors test: operational control evidence, not document existence. Process-based checklists cover both management system clauses and Annex A controls.

Includes: ISMS Internal Audit Programme template with risk-based sampling, Process-based audit checklists (Clauses 4–10 + Annex A), Auditor competence requirements for ISMS, Finding classification guidance (ISO 19011-aligned), Audit report template with NC & CA linkage.


Join the Conversation

Does your ISMS internal audit programme test operational control evidence — or does it verify document existence? And when was the last time your internal audit found a Major NC that your certification body had not previously identified?

Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.

Build it, don’t just read about it

SGRII ISO/IEC 27001:2022 ISMS Framework

All 93 Annex A controls, Statement of Applicability, risk register and audit pack — built for certification readiness.


Coverage is not compliance. SGRII frameworks provide structured coverage, templates and guidance. They are designed for audit defensibility and structured for certification readiness; they do not certify you, do not guarantee a successful audit, and are not legal advice. The official ISO standard remains the only authoritative source of requirements.
