
Guest user | Created: Apr 21, 2021 | Last commented: Apr 21, 2021

Internal audit

I am advising a *** company at the moment, as well as a ‘daughter company’ in the *** on ISO 27001. Just some questions:

1 - In the ***, there is only one person actively working, but he is (of course) also a shareholder. Would it be okay if he does the internal audit? In ***, we want to have the CTO as internal auditor. He doesn’t have shares, but he is part of Management. Would this be okay?

2 - What would be the cost of an online training for these internal auditors?


Expert
Rhand Leal Apr 21, 2021

1 - In the ***, there is only one person actively working, but he is (of course) also a shareholder. Would it be okay if he does the internal audit? In ***, we want to have the CTO as internal auditor. He doesn’t have shares, but he is part of Management. Would this be okay?

ISO 27001 does not prescribe who must perform the internal audit; it only requires that this person have the proper competencies for auditing, and that any situations that can lead to a conflict of interest are avoided (e.g., a person should not audit his/her own work).

Considering that:

  • for your first scenario, you should consider hiring an external auditor or sending a trained employee to perform the audit of the work performed by this single person
  • for your second scenario, you should consider hiring an external auditor, or using a trained employee to perform the audit on the processes the CTO works on

This article will provide you a further explanation about internal audit:

This material will also help you regarding internal audit:

2 - What would be the cost of an online training for these internal auditors?

Advisera’s ISO 27001 Internal Auditor course is free to enroll (you only have to pay in case you want the course’s certificate). For more information about this course, please see:
