Internal audit frequency
Answer: ISO 27001 allows you to set your own frequency and audit scope; however, you need to perform at least one internal audit per year because of the certification body surveillance visits. This means that you can take both approaches you suggested - full audit scope every year, or full audit scope in the 3-year period.
It is better if your internal audit covers the whole scope every year, because this way you reduce the likelihood of being non-compliant at surveillance visits.
There is one exception to what I explained above: when you go for the initial certification audit, your internal audit needs to cover the whole ISMS scope.
These materials will also help you regarding internal audit:
- Book ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Jun 01, 2017