Audit planning
Hi, I am an IT Audit Manager at XXXX and XXXX maintains 3 different ISO 27001 certifications on different continents. There are only 2 of us working on ISO internal auditing and we are finding that testing all of the controls for 3 programs is no longer feasible, even if we divide them up over 3 years. Is it actually required that every control is tested by internal audit every 3 years? Or is there an easier way? How do other companies do this? Any help you can give would be appreciated.
For certification maintenance purposes, all elements included in the ISMS scope of each certification must be audited at least once during the 3-year period of the certificate validity, so all applied controls must be audited.
Considering your situation, an alternative approach would be for your organization to hire an external audit company to perform internal audits covering less critical controls, leaving you two free to focus on the audits covering the most critical controls.
However, you might have a problem with the level of detail you are auditing: it is not necessary to audit each and every record; you can select only a representative sample. Learn more here: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
This article will provide you with further explanation about planning audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Oct 16, 2019