Annual Audit Program
Hi Dejan! I'm been watching your videos on Advisera and planning to take the exam. I was wonder under the Annual Audit Programme you said that companies can define their audit criteria? I was wondering from an external audit perspective, wouldn’t the audit compulsorily look at The standard, internal policies and procedure, legislation requirements and Interested parties requirements?
Is there room to say the audit criteria can be scoped to just the standard and not the internal policies etc?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I’m assuming you are referring to a certification audit perspective.
Considering that, your assumptions are correct. The standard, internal policies and procedures, and applicable legal requirements (e.g., laws, procedures, and contracts) related to the ISMS are mandatory criteria for the internal audit.
The point about the audit criteria definition in the standard is that you can decide how to perform the audit to cover the ISMS scope (several small audits or a single one). You can use the audit criteria to set groups of elements to be audited. For example, you can decide to audit first IT processes then SW development processes, and then HR processes. Or you can decide to audit first processes related to the higher risks. Or you can perform more than one audit in areas with a history of a high quantity of incidents or non-conformities.
Additionally, you can decide to include references, like ISO 27002 or NIST Special Publications, if they were used by the organization to implement their controls.
Comment as guest or Sign in
Mar 15, 2023