My company asked me to be our internal auditor and sent me to your site for training. They're creating an ISMS and hope to have their first external audit in September. One of the criteria for the external audit is for the company to have had a full system internal audit completed. I have finished viewing your ISO 27001 Internal Auditor training videos and I'm currently studying before I take your certification exam. The internal auditor training indicates that the company's ISMS documents need to be reviewed prior to developing the audit plan. My CISO advises me that not all of our company's ISMS documents are ready for the full system audit, but I'm expected to deliver an audit plan based only on the SoA and scope. I'm a little confused.
1. Shouldn't I review all the company's ISMS documents prior to creating the audit plan, or is this not necessary for a full system ISMS internal audit? The company advises me that there will be approximately 160 documents which they're expecting me to review during the scheduled audit, which they've estimated to take 5 days based on other audits they've had in the past. My understanding from the training is that I should review all their documents first, then develop the audit plan, although it's not an ISMS mandatory document by the standard.
Answer: First, it is important to note that ISO 27001 does not prescribe the steps for performing the internal audit, only that it must be performed periodically, along with its expected inputs and outputs. Considering that, the review of ISMS documents is not mandatory.
The review of ISMS documents prior to developing the internal audit plan is useful for you to identify situations specific to your organization that you should look for (e.g., the name of a record, the periodicity of a task, etc.), but not being able to review all documents should not be an impediment for you to plan your internal audit. In this case you should focus on documented information required by the main clauses from the standard (from sections 4 to 10), and on documents and methods of implementation defined for controls from Annex A stated as applicable in your Statement of Applicability (SoA), and make an observation that some specifics of your organization may not be properly audited, and that there is a risk that nonconformities related to them may be found during the certification audit (this is a risk that your management has to accept if you do not have time to review all documents).
Examples of minimal documents you must include in your review are the ISMS scope, ISMS policy, risk assessment and treatment report.
One additional thing we should mention is that 160 documents for an ISMS is a very uncommon quantity for a set of documents (for small and medium-sized companies the set of documents would be no more than 40 to 50), so maybe you have room for improvement related to decreasing the quantity of documents.