Help us understand each other better
Assign topic to the user
1 - Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?
Answer: Before the certification audit, you need to perform an internal audit covering all ISO 27001 requirements (i.e., items from clauses 4 to 10) and applicable controls for all elements included in the Information Security Management System scope. This is a requirement from section 9.2 (Internal audit).
For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to perform an ISO internal audit [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-perform-an-iso-internal-audit-free-webinar-2/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
2 - It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3 year period cover the entire standard. If that is the schedule I create, then my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit.
Please let me know if you have any questions. Thank you
Answer: Please note that breaking down the internal audit into sections is valid only after the certification audit (i.e., for surveillance audits). For the certification audit, you need to have performed an internal audit over all the ISMS scope.
This article will provide you a further explanation about certification and surveillance audits:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
Comment as guest or Sign in
Jun 11, 2021