Difference between the internal audit and the risk assessment

Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

How does a risk assessment approach differ from that of an internal audit based on ISO 27001?
DejanK Jan 12, 2016

Internal audit and risk assessment have completely different purposes: during the internal audit you have to find out whether everyone is complying with your policies and procedures; during the risk assessment you have to find out which potential security incidents can happen to you.

Learn more here:
- Internal audit: How to conduct it according to ISO 27001 and BS 25999-2 https://www.iso27001standard.com/en/webinars/Internal-audi*********************************************************
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Guest post Jan 12, 2016

Thanks, Dejan!

1) Should the risk assessment activity be more of a discussion with the stakeholders (application owners), understanding how the application works and the processes they follow?

2) Should we be collecting evidence, or should we just take their word for it?

DejanK Jan 12, 2016

1) The risk assessment should be done by all asset owners - since the assets are not only software and hardware, but also information, people, infrastructure, etc., it will have to include more people. Risk assessment is about understanding threats and vulnerabilities and how to evaluate the risks - see this webinar for a detailed explanation: The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

2) Internal audit is about both doing the interviews and collecting hard evidence (e.g. records, personal observation, etc.).

Guest post Jan 12, 2016

Correction:

The toolkit refers to several different positions; however, every organization DOES NOT distribute its responsibilities the same way. Is there a comprehensive list of the required/needed areas of responsibility so I can align them to the titles in my organization?

DejanK Jan 12, 2016

Todd,

In most cases, our templates do not refer to particular positions; they always indicate with [job title] where the person responsible for a particular activity/process should be inserted.

We do not have a comprehensive list of required areas of responsibility because this can differ greatly from company to company. But in general, you could have these responsibilities in a smaller company:
- CEO - approves all the main documents and the budget
- CIO - project sponsor, responsible for information security at a high level
- CISO (or Security Manager) - responsible for day-to-day coordination of the ISMS
- System administrator - responsible for administering the IT infrastructure
