Identifying controls for internal audit
1. e.g. I need to audit an E-Health software named X, for instance; which controls do I need to use? Let's say that I need to audit the authentication, failover, vulnerability patching, data leaking, privacy, compliance with GDPR, etc., or even physical security. Every questionnaire contains a checklist of "27k2" questions. However, which questions from Chapters 5-18 do I need to use? All? Or only the ones that are applicable? But how do I know which ones or which controls are applicable or aren't applicable? I'm really lost.
Answer:
The main guidance to identify which controls to audit is the Statement of Applicability document. This document will inform you which controls were identified as applicable to this software and a general overview of the implementation approach and the implementation status. From the controls identification you can identify on the internal audit checklist which questions you should ask in your audit of this software.
This article will provide you with further explanation about performing an internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
Apr 23, 2019