Finding internal and external auditors

1. First, we’re thinking of hiring an auditor with who has experience doing ISO 27001 audits to do our internal audit because this seems like this will give us a better sense of how the external audit will go (thought let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

An experienced auditor will indeed provide a good sense of your ISO 27001 situation. Besides experience in ISO 27001 audits, for selecting an auditor you should consider:

• the knowledge about your industry
• reputation
• pricing

For further information, see:

•  Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

2. Second, do you have any resources you could point me to on finding a certification body? In particular I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in *** there I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).

We do not have knowledge of specific certification bodies that operate in the country you mentioned, but the main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.dnvgl.com/
• DNV: https://www.dnvgl.com/services?ServiceTypes=136423
• SGS: www.sgs.com/
• TUV: www.tuv.com

You can contact them to verify the availability for your country.

Regarding additional audits, your assumption is correct. After the certification audit, the certification audit will perform surveillance audits, normally once a year, and one requirement of ISO 27001 is performing internal audits, so you will need a regular visit of an internal auditor before each surveillance audit.

These articles will provide you a further explanation about surveillance audits and selecting a certification body:

• Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

This material will also help you regarding selecting a certification body:

• List of Questions to ask an ISO 27001 or ISO 22301 certification body (MS Word) https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body

Thanks for this. But what we're really looking to understand is how in practice companies go about finding a suitable auditor for their internal audit. For example are there dedicated jobs boards or professional associations, or is it more common just to search for people with ISO 27001 audit experience on LinkedIn?

First of all, sorry for this misunderstanding.

We are not aware of specific jobs, boards or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.