I know as part of the toolkit I can ask questions via email – but I am not sure who I am supposed to ask. So you win 😊
We are in the process of starting to implement the various components of ISO27001. Most are not documented yet. I am also starting my internal audit program planning. Here are my questions:
Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit? It is my understanding that, as part of continuous monitoring of the systems, most companies break down the audit into sections and, over a rolling 3-year period, cover the entire standard. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?
Please let me know if you have any questions.