Internal audit scope
Answer: Broadly speaking, you should consider the areas responsible for the ISO 27001 main requirements (e.g., document control, risk assessment, management review, corrective actions, etc.), and the areas where the applicable controls stated in the SoA are implemented. If you plan a single audit, all the controls stated in the SoA should be audited. If you are planning multiple audits, then you can audit part of the controls stated in the SoA in each internal audit, but you have to ensure that all controls are covered by your planned audits.
This article will provide you with further explanation about internal audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Feb 08, 2018