Expert Advice Community

Internal auditors selection

Guest
Guest user Created:   Nov 13, 2018 Last commented:   Nov 13, 2018

Would like to know your perspectives - if you don't have an established third line of defense, can a competent risk function do an internal audit to meet the compliance to standard like ISO27K?
Expert
Rhand Leal Nov 13, 2018

The conflict can be as Risk function is also seen as SME on the project - I don't know how easy it will be to portray the picture in front of audit that risk function is not a consultant here but only a compliance matter job. Any perspective you can please share with me?

Answer:

Before answering your question let me show you my understanding of your scenario:

Lines of defense:
1st - front-line employees with their roles and responsibilities with regards to their activities and applied internal controls and other risk responses.
2nd - organization’s compliance and risk functions providing independent oversight of the risk management activities of the first line of defense.
3rd - internal and external auditors who report independently to the senior management.

SME = Subject Matter Expert

Considering this information, there could be a conflict of interest if the same person does the risk assessment and the internal audit (an auditor cannot audit his own work). In this case, this involves whether this person is not doing the risk assessment according to the methodology, and whether this job is not taking into account all the reasonable threats and vulnerabilities.

Regarding the organization's other processes, as long as you can evidence that the internal audit is performed in an unbiased and independent way, and that there is no conflict of interest between the audited processes and the audit team, there is no problem if someone performing a compliance or risk function performs the internal audit, even if he is not part of the organization (in this scenario the SME would be acting as a second-party auditor, which will not interfere with your certification process).

These articles will provide you further explanation about internal audits:
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
- First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
