Expert Advice Community

Audit questions

Guest user Created:   Oct 21, 2022 Last commented:   Oct 21, 2022

Can you please help me to get the below clarified? I had asked this in one of the Q&A sessions of your webinar.

1. One of my clients is outsourced the IT and Software Development. I have to do the internal audit for this client; in the scope document they have mentioned the entire organization. In that case, do I have to audit the IT department?
2. One of the clients is operating in a co-working space; physical, access, IT and networking security is managed by the provider. In this scenario, does the client need to have access, network, and physical security policies and procedures?

Expert
Rhand Leal Oct 21, 2022

1. One of my clients is outsourced the IT and Software Development. I have to do the internal audit for this client; in the scope document they have mentioned the entire organization. In that case, do I have to audit the IT department?

I’m assuming that your client is outsourcing its IT and Software Development.

Considering that, in terms of the IT department, you need to audit the contract/service agreement they have with the outsourcing company, to evaluate if the outsourced services are being managed by the company and fulfilled by the provider.

In case the client is providing IT and Software Development to other companies, then you need to audit the IT department.

For further information, see:

2. One of the clients is operating in a co-working space; physical, access, IT, and networking security is managed by the provider. In this scenario, does the client need to have access, network, and physical security policies and procedures?

In this scenario, the client needs to have the Access control policy because it is a mandatory document according to ISO 27001. Regarding network and physical security policies, the client can decide on its own whether these are needed or not. The fact that the client is using outsourced services has no impact on this situation.
