Expert Advice Community

Audit planning

Guest user Created: Oct 16, 2019 Last commented: Oct 16, 2019

Hi, I am an IT Audit Manager at XXXX and XXXX maintains 3 different ISO 27001 certifications on different continents. There are only 2 of us working on ISO internal auditing and we are finding that testing all of the controls for 3 programs is no longer feasible, even if we divide them up over 3 years. Is it actually required that every control is tested by internal audit every 3 years? Or is there an easier way? How do other companies do this? Any help you can give would be appreciated.


Expert
Rhand Leal Oct 16, 2019

For certification maintenance purposes, all elements included in the ISMS scope of each certification must be audited at least once during the 3-year period of the certificate validity, so all applied controls must be audited.

Considering your situation, an alternative approach would be for your organization to hire an external audit company to perform internal audits covering less critical controls, leaving you two free to focus on the audits covering the most critical controls.

However, you might have a problem with the level of detail you are auditing - it is not necessary to audit each and every record, you can select only a representative sample. Learn more here: ISO 27001 Internal Auditor Course https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-internal-auditor-course/


This article will provide you with further explanation about planning audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
