ISO 27001 Internal Audit as a Service — Singapore

Your ISO 27001 Demands
an Independent Internal Audit

ISO 27001 Clause 9.2 requires every certified organisation to conduct internal audits at planned intervals. Most organisations lack a qualified, independent internal auditor on staff. We provide the full audit programme — planning, execution, reporting, and corrective action support — so your ISMS stays compliant year-round.

  • ISO 27001 Clause Requirement: 9.2
  • Minimum Audit Frequency: Annual
  • Annex A Controls Covered: 93
  • Conflict of Interest: 0

What Is an ISO 27001 Internal Audit — and Why Does It Matter?

ISO 27001 Clause 9.2 is non-negotiable: your organisation must conduct internal audits at planned intervals to confirm your Information Security Management System (ISMS) conforms to the standard and is effectively implemented. Certification bodies check for evidence of a documented internal audit programme at every surveillance and re-certification audit. Without it, you risk a major nonconformity — which can suspend or revoke your certificate. The challenge is that the auditor must be objective and impartial, meaning you cannot audit your own work. Our Internal Audit as a Service gives you a qualified, independent audit team without the cost of a full-time hire.

What's Included

Everything Your Clause 9.2 Audit Requires

A complete internal audit programme — from initial planning through to corrective action closure and management review pack.

Audit Programme Planning

We design a documented audit programme aligned to your ISMS scope and risk profile — satisfying the planning requirements of Clause 9.2.1.

  • Annual audit schedule and programme
  • Scope, objectives, and criteria defined
  • Risk-based sampling methodology
  • Audit plan issued before fieldwork

Internal Audit Execution

Our qualified ISO 27001 lead auditors conduct the fieldwork — document reviews, staff interviews, and control testing across all applicable ISMS processes and Annex A domains.

  • Document and evidence review
  • Process walkthroughs and interviews
  • Control testing across applicable Annex A controls
  • Real-time findings log maintained throughout

Audit Report & Corrective Actions

We produce a formal audit report with all nonconformities, observations, and opportunities for improvement — plus structured corrective action support to close findings before your external audit.

  • Formal internal audit report
  • Nonconformity register with root cause analysis
  • Corrective action plan template and guidance
  • Management review pack (Clause 9.3 ready)

Why Outsource

Why Singapore Organisations Outsource Their ISO 27001 Internal Audit

Most ISO 27001-certified organisations in Singapore — especially SMEs and fintechs — do not have a qualified, independent internal auditor on staff. Auditing your own ISMS creates a conflict of interest that external certification bodies will flag. Outsourcing to our team gives you the independence, qualification, and documentation your certificate depends on.

  • Independence guaranteed: no conflict of interest, as we are not auditing our own implementation work
  • Qualified lead auditors: ISO 27001 certified practitioners with a CREST-certified security background
  • Cost-effective: a fraction of the cost of hiring a full-time internal auditor
  • Surveillance-ready: documentation formatted to satisfy BSI, TÜV SÜD, Bureau Veritas, and other certification bodies
  • Fresh perspective: external auditors frequently surface issues that internal teams have become blind to
  • On-demand or annual: flexible engagement model to suit your certification cycle

A major nonconformity at your surveillance audit can suspend your ISO 27001 certificate. A strong internal audit programme is your first line of defence.

Clause 9.2 Compliant · Independent Auditors · CREST Certified

Who It's For

Built for ISO 27001-Certified Singapore Organisations

Whether you are maintaining your certificate or preparing for re-certification, our internal audit service is scoped for your situation.

Certified Organisations

You hold ISO 27001 certification and need your annual internal audit completed to satisfy Clause 9.2 before your next surveillance or re-certification audit. We take the entire audit programme off your plate.

Pre-Certification Organisations

You are in the final stages of ISO 27001 implementation and need to complete the internal audit requirement before Stage 2. We conduct the internal audit and help you resolve nonconformities before the external auditor arrives.

MAS-Regulated Institutions

Financial institutions pursuing ISO 27001 alongside MAS TRM compliance benefit from our dual-lens approach — auditors experienced in both frameworks identify control gaps that pure ISO auditors may miss.

How It Works

From Kick-off to Closed Nonconformities

A structured, four-step process designed to be low-burden on your team and high-value for your certificate.

Step 1 — Scoping & Planning

We review your ISMS documentation, Statement of Applicability, and previous audit reports. We agree on audit scope, sampling approach, interview schedule, and the audit programme document.

Step 2 — Fieldwork

Conducted on-site or remotely — whichever suits your team. We review evidence, interview process owners, test controls, and document findings as we go. Typical fieldwork runs 2–5 days depending on scope.

Step 3 — Audit Report

We issue the formal internal audit report within five business days of fieldwork completion — covering conformities, nonconformities (major and minor), observations, and positive findings. Formatted for your certification body.

Step 4 — Corrective Action & Management Review Support

We do not disappear after the report. For each nonconformity raised, we provide root cause guidance, corrective action recommendations, and a tracking register. We can also prepare your Management Review pack (Clause 9.3) — covering audit results, risk treatment status, and ISMS performance metrics — so leadership has everything needed for their review meeting.

Common Questions

ISO 27001 Internal Audit FAQ

How often does ISO 27001 require internal audits?

ISO 27001 Clause 9.2 requires internal audits to be conducted at planned intervals. Most certification bodies expect a minimum of one full internal audit cycle per year. Organisations with higher risk profiles or larger ISMS scopes often conduct two cycles annually. The audit programme must be documented and demonstrate coverage of all ISMS processes and applicable Annex A controls over time.

Can the same firm that helped us implement ISO 27001 also conduct our internal audit?

ISO 27001 requires internal auditors to be objective and impartial: they must not audit their own work. If our team assisted only with specific phases of your ISMS implementation, we can still conduct internal audits on the areas we were not directly involved in. For organisations where we delivered the full implementation, we recommend that, after certification, we are engaged exclusively for the internal audit programme going forward, so that independence is maintained. We will advise on the appropriate scope delineation during onboarding.

What is the difference between an internal audit and the Stage 2 certification audit?

The Stage 2 certification audit is conducted by an accredited external certification body (such as BSI, TÜV SÜD, or Bureau Veritas) and results in the granting or renewal of your ISO 27001 certificate. The internal audit is a mandatory requirement you conduct yourself — or outsource to an independent party — to verify your ISMS is working as intended before the external auditor arrives. A strong internal audit programme is one of the most effective ways to pass your Stage 2 audit and surveillance audits without major nonconformities.

What happens if nonconformities are found during the internal audit?

Finding nonconformities is expected — it is the purpose of an internal audit. ISO 27001 requires you to document nonconformities, take corrective actions, and verify effectiveness. Our service includes a structured corrective action plan template and optional follow-up verification. Nonconformities found and resolved internally before your external audit significantly reduce the risk of major findings during certification or surveillance audits.

How long does the internal audit take?

For a typical Singapore SME with an ISMS covering 50–200 staff, fieldwork runs 2 to 3 days. Larger organisations or those with complex ISMS scopes (multiple sites, critical infrastructure, financial services) may require 4 to 5 days of fieldwork. Planning takes approximately one week, and the audit report is issued within five business days of fieldwork completion. We aim to complete the full cycle — from kick-off to closed corrective actions — within four to six weeks.

Get Started

Don't Let Your Internal Audit Become a Certificate Risk

Clause 9.2 compliance is not optional — and a major nonconformity at your surveillance audit can suspend your certificate. Let our qualified, independent auditors handle it.