User
How do we start with the internal audit?
Experta
To comply with clause 9.2 Internal audit, a company must prepare its internal audit process, and then perform internal audits.
Here are the steps to start with, to prepare the internal audit process:
1. Internal audit procedure - this is where you define the rules on how the audit needs to be performed.
2. Internal audit program - this is a 1-year or 3-year plan on how many audits will be performed during that period, what the scope and audit criteria will be, etc.
Here are the steps to perform a single internal audit:
1. Document review - you need to review ISO 27001 documentation to become acquainted with the ISMS processes, and to find out if the documents are compliant with ISO 27001.
2. Create a checklist - based on the documents you studied, you create a list of what you need to check during the main audit.
3. The main audit - this is where you check (i.e., find proof of) compliance for each item in your checklist.
4. Internal audit report - you have to summarize all the nonconformities you found, together with your observations and recommendations for improvement.
5. Follow-up - after the nonconformities have been corrected, you need to check if this is done properly.
Examples:
- Document review - in the Backup Policy, you notice that the backup needs to be performed every 6 hours.
- Create a checklist - you enter an item "Check if the backup is performed every 6 hours."
- The main audit - you ask the system administrator to show you the backup logs, and you notice that the backup is made every 24 hours.
- Internal audit report - since the backup is performed every 24 hours instead of every 6 hours, you write down the nonconformity in the report.
- Follow-up - after the system administrator notifies you that he has corrected the backup frequency, you ask him again to show you the backup logs.
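As an added illustration of the backup-frequency check walked through above (example code, not part of the original answer), the script below parses constructed backup log lines, measures the longest interval between successful runs, and turns the result into a finding against the 6-hour requirement; the log format and the function names are assumptions.

```python
from datetime import datetime

# Constructed sample backup log (not from the original answer): one
# "BACKUP OK" line per completed run, ISO 8601 UTC timestamps, daily runs.
SAMPLE_BACKUP_LOG = """\
2024-03-01T00:05:12Z BACKUP OK job=db-full size=12G
2024-03-02T00:04:58Z BACKUP OK job=db-full size=12G
2024-03-03T00:05:03Z BACKUP OK job=db-full size=12G
2024-03-04T00:05:20Z BACKUP OK job=db-full size=12G
"""


def parse_backup_times(log_text):
    """Return the sorted timestamps of successful backup runs in the log."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        # Only completed runs count as evidence; failed runs are ignored here.
        if len(parts) >= 3 and parts[1] == "BACKUP" and parts[2] == "OK":
            times.append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(times)


def check_backup_frequency(log_text, required_hours):
    """Audit check: compare the observed backup interval with the policy.

    Returns the compliance flag, the largest gap between two successful
    runs (hours) and a one-line finding for the internal audit report.
    """
    times = parse_backup_times(log_text)
    if len(times) < 2:
        return {"compliant": False, "max_gap_hours": None,
                "finding": "Fewer than two successful backups in the log; "
                           "the backup frequency cannot be evidenced."}
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    max_gap_hours = max(gaps).total_seconds() / 3600
    compliant = max_gap_hours <= required_hours
    if compliant:
        finding = (f"Backups observed at least every {required_hours} h "
                   f"(largest gap {max_gap_hours:.1f} h): compliant.")
    else:
        finding = (f"Nonconformity: the Backup Policy requires a backup every "
                   f"{required_hours} h, but the logs show a gap of "
                   f"{max_gap_hours:.1f} h.")
    return {"compliant": compliant, "max_gap_hours": max_gap_hours,
            "finding": finding}


if __name__ == "__main__":
    print(check_backup_frequency(SAMPLE_BACKUP_LOG, 6)["finding"])
```

The same function can be re-run on the fresh logs during the follow-up step to confirm that the corrected frequency is actually in place.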