Audit questions

1. Does the internal auditor has to have a FORMAL training (should be formally certified of some sort) in order to conduct the internal audits? I found no evidence for that in any of the 9.2 clause.

Answer:

According to ISO 27001 (clause 7.2) competence can be demonstrated by means of education, training or experience. Considering that, an internal auditor does not need to have a formal training if he can demonstrate his competence by other means (e.g., an degree which includes education on auditing topics, or previous experience on auditing ISO 27001 management systems).

For additional information, see:
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

2. Should the information security policy be signed by CEO? Again I found no evidence for that – only "Top Management".

Answer:

By top management you must consider the highest level of the organization related to the ISMS scope. If the organization is included in the ISMS scope this person would be the CEO, however if only part of the organization is included in the ISMS scope this person may be someone else. Please note that for small and mid-sized organizations, due to their size, the most common is that the CEO signs the information security policy, no matter if the scope of the ISMS is the whole" organization or not.