Expert Advice Community

Finding internal and external auditors

Guest
Guest user. Created: May 22, 2020. Last commented: May 27, 2020

We’re still several weeks away from being ready for an internal audit, but I have questions about the internal and external audits that I wanted to ask now in case it takes us a while to make the necessary arrangements.

1. First, we’re thinking of hiring an auditor who has experience doing ISO 27001 audits to do our internal audit, because this seems like it will give us a better sense of how the external audit will go (though let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

2. Second, do you have any resources you could point me to on finding a certification body? In particular, I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in ***, I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).

0 0


Expert
Rhand Leal May 22, 2020

1. First, we’re thinking of hiring an auditor who has experience doing ISO 27001 audits to do our internal audit, because this seems like it will give us a better sense of how the external audit will go (though let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

An experienced auditor will indeed provide a good sense of your ISO 27001 situation. Besides experience in ISO 27001 audits, for selecting an auditor you should consider:

  • knowledge of your industry
  • reputation
  • pricing

For further information, see:

2. Second, do you have any resources you could point me to on finding a certification body? In particular, I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in ***, I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).

We do not have knowledge of specific certification bodies that operate in the country you mentioned, but the main certification bodies for ISO 27001 are:

You can contact them to verify the availability for your country.

Regarding additional audits, your assumption is correct. After the certification audit, the certification body will perform surveillance audits, normally once a year, and one requirement of ISO 27001 is performing internal audits, so you will need a regular visit from an internal auditor before each surveillance audit.

These articles will provide you with further explanation about surveillance audits and selecting a certification body:

This material will also help you regarding selecting a certification body:

0 0
Guest
Guest user May 26, 2020

Thanks for this. But what we're really looking to understand is how in practice companies go about finding a suitable auditor for their internal audit. For example are there dedicated jobs boards or professional associations, or is it more common just to search for people with ISO 27001 audit experience on LinkedIn?

0 0
Expert
Rhand Leal May 27, 2020

First of all, sorry for this misunderstanding.

We are not aware of specific job boards or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, the ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals, like ISC2 or ISACA.

0 1
