Antonio Jose Segovia Updated: June 11, 2025.
One of the requirements of ISO 27001 is the realization of an internal audit, as set out in Section 9.2 of the standard. But, the question is: Who can perform this internal audit? We will find out in the following points.
The ISO 27001:2022 standard does not set requirements that an internal auditor must meet to carry out an audit, but the standard clearly requires that the organization shall select auditors.
How can an organization select an auditor? By establishing requirements. If these requirements are not established, any person could audit an ISMS. What would happen if a person without experience or training related to information security audits an ISMS? The simple and emphatic response is: The auditor would not contribute value.
Foundations to be a productive auditor
Therefore, if an auditor is going to add value to an organization by performing an internal audit, it is very important and highly recommended that he or she has adequate experience and demonstrable knowledge of information security.
- What experience? You must be aware that ISO 27001 is relatively young, so it is difficult to find internal auditors who have more than five years of demonstrable experience. Therefore, in this case, requirements could be set based on the number of days spent performing internal audits of ISO 27001: for example, a minimum of 5-10 days to be a lead auditor. It is also recommended that an internal auditor have experience as a consultant implementing the ISO 27001 standard. In the latter case, a requirement could be established that they have participated in a minimum of 2-3 implementation projects.
- What knowledge? Obviously, knowledge about ISO 27001 and information security is necessary. This knowledge can be obtained through training and courses. So, in this case, it is highly recommended that the auditor complete an ISMS lead auditor course, although it would also be desirable that they complete an ISMS implementer training course.
See also: ISO 27001 internal audit: The complete guide.
Selecting an auditor
In short, we need to establish requirements that allow us to check that the internal auditor has demonstrable experience in ISO 27001, which is basically composed of the PDCA cycle (the Deming Cycle: Plan, Do, Check, Act), risk management, and a series of information security controls. There are some organizations that establish a selection process for internal auditors, and in this case the organization asks the potential auditor to carry out a small test consisting of a series of questions.
In addition to this test, the organization also conducts an interview with the candidate to verify the veracity of his professional background (experience and training), and only if the candidate meets all the requirements and completes all the steps will he be eligible to conduct the internal audit.
Further, it is important that the internal auditor does not have a conflict of interest, i.e., that he will not audit his own work.
Three main criteria
So, to summarize, if you’re planning to nominate one of your employees as an internal auditor, keep in mind the following three key things: (1) knowledge of ISO 27001, (2) knowledge of auditing, and (3) avoiding conflicts of interest.
Learn how to perform an internal audit in this free ISO 27001 Internal Auditor Online Course.
