Expert Advice Community

Help us understand each other better

Guest user   Created: Jun 11, 2021   Last commented: Jun 11, 2021

Dejan, I know as part of the toolkit I can ask questions via email, but I am not sure who I am supposed to ask. So you win 😊 We are in the process of starting to implement the various components of ISO27001. Most are not documented yet. I am also starting my internal audit program planning. Here are my questions: Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit? It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3-year period cover the entire standard. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit? Please let me know if you have any questions.
Expert
Rhand Leal Jun 11, 2021

1 - Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?

Answer: Before the certification audit, you need to perform an internal audit covering all ISO 27001 requirements (i.e., items from clauses 4 to 10) and applicable controls for all elements included in the Information Security Management System scope. This is a requirement from section 9.2 (Internal audit).

For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to perform an ISO internal audit [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-perform-an-iso-internal-audit-free-webinar-2/

These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

2 - It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3-year period cover the entire standard. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?

Please let me know if you have any questions. Thank you

Answer: Please note that breaking down the internal audit into sections is valid only after the certification audit (i.e., for surveillance audits). For the certification audit, you need to have performed an internal audit over the whole ISMS scope.

This article will provide you with a further explanation about certification and surveillance audits:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
