Expert Advice Community

Internal audit

Guest user Created: Jan 26, 2018 Last commented: Jan 26, 2018

1 - In regards to the internal audit, it should be done right after training and awareness, correct?

Expert
Rhand Leal Jan 26, 2018

Answer: The best moment to perform an internal audit would be after a time two or three times longer than the process you want to audit takes to be executed, because after that time you will have more chances to gather evidence to decide if the process is executed properly or not. For small scopes (or when there are sufficient auditors), the internal audit is done a couple of weeks before the management review.

2 - And in regards to the training and awareness... is it enough to provide a PowerPoint video that explains to employees the most important documents (access control, security, acceptable use, etc.), where to find them, what is included in them, what relates to each of them, etc.?

Answer: For initial and general training (considering all personnel) this may be a good approach, but you also have to consider specific training and awareness activities considering technical and management personnel, as well as personnel that perform specialized or critical activities.

3 - Also, how long should the internal audit take? Should the internal auditor basically go through the provided checklist? I read that the internal audit should be a 1-year plan? Can you elaborate, please?

Answer: For small organizations (up to 20 employees) the internal audit will typically last 1 day, whereas in a company of 100 employees it will be 2 days.

Regarding checklists, they are only one part of the resources an auditor can use. He also should consider documentation review, interviews and process observation to gather information.

Regarding the internal audit plan, a 1-year plan is generally developed when an organization has a big scope and wants to audit only parts of it at a time. Considering that ISO 27001 only requires the audits to be conducted at planned intervals (clause 9.2), an organization is free to decide if it wants to perform a single audit during the year, considering the whole scope, or multiple audits considering smaller parts of the scope each time. Additionally, for certified organizations, the whole scope must be audited between the certification body's audits, and generally they are performed annually.

Included in the toolkit you bought you have access to video tutorials that can help you plan and perform an internal audit.

These articles will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
