ISO 27001 Audit requirements
Answer: Considering internal audits, ISO 27001 standard clause 9.2 (Internal audit) does not define who must perform internal audits, so it's up to the organization to decide whether to perform them by itself or to use an external company, based on a top management decision or on legal requirements it must follow (e.g., a customer may define in a contract that the internal audit must be performed by an external company).
However, if the organization is ISO 27001 certified, the audits related to the certification process (certification audit, maintenance audits and recertification audit) must be performed by an external company (the certification body).
I suggest you take a look at our page https://advisera.com/ where you can present your information regarding certification needs and we suggest the most appropriate certification body.
These articles will provide you further explanation about ISO 27001 audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
This material will also help you regarding ISO 27001 audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
Sep 14, 2017