Expert Advice Community

Audit evidence and management review purpose

Guest user. Created: May 31, 2019. Last commented: May 31, 2019.

1. Is it required to show the VA/PT results to ISO auditors?

Expert
Rhand Leal May 31, 2019

Answer: If control A.12.6.1 (Management of technical vulnerabilities) is applicable to your organization, and it is implemented by means of Vulnerability Assessment and Penetration Testing, then you may have to show the results to the auditors as evidence that this control is implemented and working properly. Of course, you do not have to show all results, only the quantity required to evidence that the control is implemented.

For further information, read:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

2. What is the difference between an internal review and internal audit?

Answer: I'm assuming you are referring to management review. Considering that, while the internal audit's purpose is to verify if processes were planned according to defined requirements and are being performed as planned, the purpose of management review is to evaluate if the expected results are being achieved and if plans need to be adjusted.

These articles will provide you further explanation about management review and internal audit:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
