Guest
I just bought the termplate for Internal audit program, ISO27001 and I am wondering about the details. The template is very simple and doesn't really show how to ensure that the whole standard incl the security controls have been reviewed in a three year period which I understand is a requirement from our certification body. The template only includes detailing the areas (departments and processes for example) and other details such as methods, Criterias (which I understand would be iso27001 then) etc.
Isn't it also necessary to show in the program that we have a plan to ensure full review of the standard? And if so, how would you suggest this is inserted into the IA Program, using the Advisera template?
Hello Advisera,
we've hired our internal auditor from outside, and we will receive Audit Report from him.
Do we still have to write the Internal audit Procedure and program, or is it normally what the Internal auditor should provide us in this case?
Thank you!
Is it typical in smaller companies (50-100 employees) that for the internal audit an external auditor is being hired? Or should you be thinking of somebody internally in the first place anyhow?