9.2 Internal audit

Clause 9.2 requires organizations to plan and perform internal audits of the information security management system at regular intervals, evaluating compliance with ISO/IEC 27001 requirements and the effectiveness of controls. Audits must be conducted by impartial personnel, and audit results recorded, reported to management, and used to drive corrective actions and continual improvement.