Expert Advice Community

Audit checklist

Guest user Created:   Apr 04, 2018 Last commented:   Apr 04, 2018

I am writing up a checklist for internal audit but got stuck wondering if we're supposed to audit the implementation of the standard or the implementation of our internal ruleset (policies/standards/instruction/etc)?
Expert
Rhand Leal Apr 04, 2018

Answer: If you are an ISO 27001 certified organization, or you are intending to become certified, you have to audit both the implementation of the standard (to evaluate compliance with the standard's requirements) and the implementation of your internal controls (to evaluate the compliance of the implementation with the defined plans, policies and procedures).

These articles will provide you further explanation about internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Guest
eknfeinlknansk Apr 04, 2018

Got it. Thanks.

Now looking at Dejan's checklist, it contains all requirements in 27001 from chapter 4 to 10 plus all the controls in the appendix.
It doesn't make sense to audit the full checklist for every department, so I'm guessing that the auditor, as part of the preparation, chooses which clauses in the checklist to include in each audit.
In short, each audit will consist of a subset of the checklist depending on the nature of the department. Can you confirm?

We're short on auditors that know infosec and the standard, so would you say it would be compliant if we (the security office) audit ourselves and our own work as long as we "select auditors and conduct audits that ensure objectivity and the impartiality of the audit process"?

Guest
eknfeinlknansk Apr 04, 2018

Regarding the scope of an audit (i.e. what clauses from the checklist to include), would it be ok to narrow the scope to just a few controls? I mean, in your template "Annual Internal Audit Program" the heading "Scope" exists suggesting that the auditor can choose what clauses to include.
An example: The auditor chooses to audit the HR dept, so he/she sets the scope to A.7 Human resource security and A.9 Access control.
Would that fly?

Expert
Rhand Leal Apr 10, 2018

> 1 - Now looking at Dejan's checklist, it contains all requirements in 27001 from chapter 4 to 10 plus all the controls in the appendix.
>
> It doesn't make sense to audit the full checklist for every department, so I'm guessing that the auditor, as part of the preparation, chooses which clauses in the checklist to include in each audit.
>
> In short, each audit will consist of a subset of the checklist depending on the nature of the department. Can you confirm?

Answer: Your assumption is correct, the auditor can define a subset of the items to be included in the checklist, depending on the purpose of the audit and the audited department.

> 2 - We're short on auditors that know infosec and the standard, so would you say it would be compliant if we (the security office) audit ourselves and our own work as long as we "select auditors and conduct audits that ensure objectivity and the impartiality of the audit process"?

Answer: The security office cannot audit its own work alone. The main requirements of ISO 27001 (from clauses 4 to 10) do not require deep knowledge about information security to be audited, so the security office and another auditor with competence in auditing ISO management systems (e.g., ISO 9001 and ISO 14001) working together would be sufficient to ensure the audit process is objective and impartial.

> 3 - Regarding the scope of an audit (i.e. what clauses from the checklist to include), would it be ok to narrow the scope to just a few controls? I mean, in your template "Annual Internal Audit Program" the heading "Scope" exists, suggesting that the auditor can choose what clauses to include.
>
> An example: The auditor chooses to audit the HR dept, so he/she sets the scope to A.7 Human resource security and A.9 Access control.
>
> Would that fly?

Answer: The auditor can narrow the scope of an audit to a few controls if it fits the purpose of the audit, but you must ensure that all controls within the certification scope are audited between external audits, according to the external audit plan. For example, if in the next maintenance audit the certification auditor will audit the HR department, you must ensure that all controls applicable to the HR department are audited, not only the controls from sections A.7 and A.9 (e.g., requirement 7.2 will also be audited by the external auditor). Another option is to use a couple of auditors in each audit event, where each would focus on only one group of controls.
