Expert Advice Community


Internal audit frequency

Guest user Created:   Jun 01, 2017 Last commented:   Jun 01, 2017


About the ISMS internal audit role: shall the ISMS be fully audited internally within one year, or shall it be fully audited every 3 years, with a minimum of one audit per year?



Expert
Dejan Kosutic Jun 01, 2017

Answer: ISO 27001 allows you to set your own internal audit frequency and scope; however, you need to perform at least one internal audit per year because of the certification body's surveillance visits. This means that you can take either of the approaches you suggested: full audit scope every year, or full audit scope over the 3-year period.

It is better if your internal audit covers the whole scope every year, because this way you reduce the likelihood of being non-compliant at surveillance visits.

There is one exception to what I explained above: when you go for the initial certification audit, your internal audit needs to cover the whole ISMS scope.

These materials will also help you with the internal audit:
- Book ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
