ISO 27001 audits

1. Can the same person who manages ISMS for the organization do the internal audit? Is there a conflict of interest?

Answer: Provided the person who manages ISMS does not audit his own work, he can perform the internal audit.

For example, if this person is responsible for the Information Security Policy, he cannot audit the fulfillment of this policy.

The recommendation is that the internal audit is performed by a person who is not related to the implementation of the ISMS (in this way, you can ensure objectivity and impartiality). One option is to search for an external company, but another option is that the internal audit is performed by an internal employee of your company. 

This article can provide additional information:
- Dilemmas with ISO 27001 & BS 25999-2 interna l auditors: https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/ 

And also, our toolkit related to the internal audit can be interesting for you:
- ISO 27001/ISO 22301 Internal Audit Toolkit: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

2. Does the internal auditor need to be technical in IT. Where system security applications as stated in the policies/ procedures, do the internal auditor need to verify its functionality/ effectiveness or only need to view documented materials. In another word, do the auditor need to test the system for validity?

Answer: Provided the auditor has support from an IT expert during the audit, it is not required for the internal audit to be technical in IT (although knowledge in the area would help).

Verification of controls functionality/ effectiveness is a key part of the audit process, so the auditor needs to test the system for validity.

3. Can an internal audit be carried out in stages over different timeframe or must be done in one process?

Answer: The internal audit can be carried out in stages over different timeframes, provided all the ISMS scope is audited before the next surveillance/recertification audit.

This article will provide you a further explanation about internal and surveillance audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

This material can also help you:
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ 

Thank you Rhand, your answers are helpful.