1. Do we need to annually test every control that is in scope in the SoA? Or do we do this over a 3-year period?
Answer: If your question is about internal audit, then it would be better if you audit all controls each year, but you can also do it in the 3-year period. If your question was about control A.14.2.8 System security testing or A.12.6.1 Management of technical vulnerabilities (which could also include e.g. pen tests), those activities should be performed continuously or at least periodically, but certainly not only once in 3 years.
2. How should we best structure our audit plan? Should the audit scope reflect the department or the control objectives being reviewed? For example I could see it would make sense for the audit scope in the plan to be 8 Asset management and then using the checklist provided we can assign the specific tests and responsibilities to the auditors. I could then make up an annual checklist for each control area. What do you think?
Answer: You can do it both ways - by controls or by departments. If the auditor has more experience, it is probably better to do it by department; if he/she has less experience, then it will be easier by controls.