Can you outsource your ISO 27001 internal audit? Clause 9.2, explained

June 20, 2026

ISO 27001 Clause 9.2 requires an internal audit. It does not require you to run it yourself, and for most growing teams, an independent outsourced audit is the more compliant choice.

ISO 27001 Clause 9.2 says you must audit your information security management system at planned intervals. It does not say you have to do it yourself, and for most growing companies, doing it yourself is the wrong answer.

What Clause 9.2 actually requires

The clause requires internal audits that determine whether your ISMS conforms to your own requirements and to ISO 27001, and whether it is effectively implemented and maintained. Crucially, the audit must be objective and impartial. Auditors cannot assess functions they own, operate, or monitor.

The independence problem in a 50-person company

In a small or mid-sized company, the person who could audit the ISMS is usually the person who built it. That is the exact conflict Clause 9.2 is written to prevent. You can rotate internal staff, but few teams have someone both independent of security and competent to audit it. This is why many organizations turn to an outside firm.

An internal audit run by the team that built the ISMS cannot do the one thing it exists to do: find the problems before the certification body does.

Yes, you can outsource it

Outsourcing the internal audit to an external provider is fully compliant, provided that provider is competent and independent of the activities being audited. It is a common and accepted way to meet Clause 9.2, and it has real upsides: genuine independence, experienced auditors who see many ISMS implementations, and less burden on a stretched internal team.

What good looks like

A strong outsourced program covers Clauses 4 to 10, your Statement of Applicability, and every applicable Annex A control, spread across the year and weighted toward higher-risk areas. Findings are classified consistently, tracked in a nonconformity register, and closed through a corrective action plan. It feeds your management review under Clause 9.3 and prepares you for the Stage 1, Stage 2, and surveillance audits.

One thing to insist on

Your internal audit firm should not also be your certification body, and should never issue your certificate. Keeping those roles separate is what gives the internal audit credibility with the body that does certify you. That separation is exactly how we work: we run the outsourced internal audit, you certify with an accredited body. If you also sell into the US, we coordinate it with your SOC 2 readiness so you evidence shared controls once.

Find out where you really stand

A Gap Sprint gives you an honest, fixed-scope picture of your readiness and a prioritized path to pass. Independent, senior-led, evidence you can defend.