Contents of Internal audit program
Answer:
ISO 27001 does not require you to write the Audit plan; what is mandatory is to write the Audit program. This Audit program is a document that specifies the series of internal audits during a period of, e.g., one year.
It is not necessary to clearly define what you will do in each audit; as you mentioned, it is enough to mention the audit criteria.
By the way, in this free online training you'll learn everything you need to know about internal audits: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Hi Dejan, I have a question. The external auditor observed that I need to be more specific with the criteria and define explicitly that the criteria for performing the Internal Audit should at least include all ISO 27001 clauses and the controls the company has identified as applicable in its SoA.
I thought that making the reference to ISO 27001 and ISO 27002 was enough.
What do you recommend me to do in this case?
Note: I am using the Advisera template (Audit program).
In case you are planning a single audit to cover all the ISMS scope at once, these references you defined are sufficient.
In case you are planning to perform multiple audits to cover small parts of the scope each time (e.g., IT processes audit, HR processes, etc.), then you need to be more specific about which criteria you will use. For example, in the case of auditing HR processes, most probably controls from section A.14 System acquisition, development and maintenance won’t be part of your checklist, while controls from section A.7 Human resource security will take more space in your checklist.
This article will provide you with further explanation about building an audit checklist:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding building the audit program:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Jul 28, 2021