Clause 9.2.2 of ISO/IEC 27001:2022 specifies requirements for the internal audit programme. It requires organizations to:

''Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits.''

This makes option C correct, since importance of the processes is a required factor. Option A is incorrect because audits do not need third-party auditors; objectivity can be maintained internally if independence is respected. Option B is wrong because previous audit results must be considered, not disregarded. Option D is also incorrect --- the standard does not specify a 3-year cycle; frequency depends on risks and needs.

Thus, the correct verified answer is C.