Integrated internal audit
Answer: It is perfectly possible to combine ISO 27001 and ISO 9001 internal audit processes, since both standards have a lot of requirements in common (the requirements for internal audit in both standards are practically the same).
These articles will provide you with further explanation about the similarities between ISO 27001 and ISO 9001:
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
2. Is it mandatory for the author of the security policies and procedures to have appropriate training? Shall he/she be a certified internal auditor?
Answer: ISO 27001 requires that people with roles in ISO 27001 must have proper competencies, which can be fulfilled by means of training, education or experience, so it is not mandatory for the author of security policies to have related training, if he can demonstrate by other means (e.g., experience) that he has the necessary competence to elaborate the policies. The same applies to the need for a certified internal auditor.
3. Where shall I document the applicable legislation for the company?
Answer: I suggest you take a look at the free demo of our "List of Legal, Regulatory, Contractual and Other Requirements" template at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/ so you can get an idea of what documentation of applicable legislation looks like.
This article will provide you with further explanation about the documentation required by ISO 27001:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Feb 17, 2018