Are the results of internal audits classified as mandatory records?

Get ready for the ISO 27001 Internal Auditor Exam. Learn through flashcards and multiple choice questions with hints and explanations. Ace your auditor test!

The results of internal audits are classified as mandatory records because they serve as essential evidence of compliance with the ISO 27001 standard requirements and the organization's information security management system (ISMS). These records contribute to demonstrating that the internal audit process is being carried out systematically and effectively.

Mandatory records encompass documented evidence that is necessary for showing adherence to policies and standards, tracking performance, and facilitating improvements within the ISMS. Retaining the results of internal audits helps ensure continuous improvement by providing insights into areas where the organization may need to enhance its security measures or processes. Additionally, these records can support external audits and assessments, allowing auditors to evaluate the effectiveness of the established controls and identify potential weaknesses.

In contrast, the other options suggest different conditions under which audit results might be considered mandatory, which is not aligned with the general requirement of ISO 27001. Maintaining comprehensive and accurate records of all internal audits, regardless of their significance or the presence of corrective actions, reflects a commitment to due diligence and ongoing risk management.
