Delivered by Aegentra’s senior, NV1-cleared ISO 27001 practitioners · ISO/IEC 27001:2022 incl. Amendment 1:2024
ISO 27001 Clause 9.2 requires an internal audit that is objective and impartial — which means the people who built and run your ISMS cannot credibly audit it. Aegentra runs the internal audit end to end for Australian organisations that implemented ISO 27001 in-house or with another consultant: audit plan, evidence sampling against the 93 Annex A controls, a findings register mapped to every clause, and a corrective-action plan your certification body will respect. We audit; a JAS-ANZ-accredited body certifies.
Why the internal audit must be independent
Clause 9.2 of ISO/IEC 27001:2022 requires internal audits to be conducted objectively and impartially. You cannot credibly audit work you performed — and certification auditors routinely challenge internal audits done by the same people who built the controls. An outsourced internal audit closes the independence gap in one move and doubles as a dress rehearsal for your Stage 2 or surveillance audit.
Who this service is for
Organisations that implemented ISO 27001 in-house and need an independent internal audit before certification or surveillance.
Companies whose ISMS was built by another consultant — where that consultant auditing their own work would fail the independence test.
Teams whose internal auditor has left, or that are too small to audit independently.
Anyone who wants nonconformities found and fixed before the certification body finds them.
What you get
Audit plan & scope — documented and agreed up front, aligned to your Statement of Applicability.
Fieldwork & evidence sampling — control-owner interviews and sampling of records, configurations, and logs across Clauses 4–10 and applicable Annex A controls.
Audit report & findings register — major and minor nonconformities plus opportunities for improvement, each mapped to the exact clause or control.
Corrective-action plan & close-out — prioritised actions with owners and dates, plus a follow-up review and a management-review-ready summary.
Engagement options
Readiness gap audit — a pre-Stage 1 dry run: documentation and SoA review, sampling of high-risk Annex A controls, and a gap list ranked by certification risk. Fixed fee.
Clause 9.2 internal audit — the full independent internal audit your certification cycle requires every year: audit plan, evidence sampling, findings register, corrective-action plan, and a management-review-ready summary pack. Fixed fee, about 15 business days.
Audit programme retainer — the whole three-year cycle handled: annual internal audits, surveillance-audit preparation in years one and two, and corrective-action tracking between audits. Annual fixed fee.
Fieldwork. Interviews and evidence sampling — remote-first Australia-wide, onsite available in Melbourne and Sydney.
Report. Findings register walked through live with your team.
Close-out. Corrective-action tracking and a follow-up review before your certification body arrives.
Typical timeline for a 10–250 person organisation is around 15 business days from kickoff to final report. Every engagement is fixed-fee. Aegentra issues no certificates — certification audits are performed by JAS-ANZ-accredited bodies, and that separation is exactly what makes this internal audit credible. Need the ISMS built first? See our ISO 27001 consulting and implementation service or the step-by-step implementation guide.