1. Does the internal audit need to happen before Stage 1 certification audit? Or can we schedule an internal audit to happen following Stage 1 when we have implemented the feedback?
2. Currently working on the Statement of Applicability and I wanted to ask if all of the controls we say YES to implementing, do they need to be noted down in the Risk Treatment process? Or is it okay to have some additional controls in the Statement of Applicability in comparison to the Treatment?