Can internal audits be part of the Plan phase in ISO 27001?


Internal audits in the context of ISO 27001 are primarily associated with the "Check" phase of the Plan-Do-Check-Act (PDCA) cycle. The PDCA cycle is a critical framework in ISO 27001 for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). During the Plan phase, organizations focus on defining information security objectives, performing risk assessments, and designing controls to mitigate identified risks.

The intention during the Plan phase is to set up the foundations of the ISMS, which include policies, objectives, and risk management strategies. Internal audits are conducted later to evaluate the effectiveness of the ISMS, ensuring that the controls put in place during the Plan and Do phases work as intended. This means that internal audits can only assess and verify compliance and effectiveness after implementation has occurred.

As such, placing internal audits in the Plan phase does not align with the purpose and timing of these audits within the PDCA cycle as defined by the ISO 27001 standard. Audits serve as a retrospective assessment rather than a preparatory activity, which is why it would not be accurate to consider internal audits a component of the Plan phase.
