For ISO 27001, clause 9.2, do you need an "internal audit" function, or can it be named something else, such as "risk review"? My organization does external financial audits, but a client is asking us to assist with their "internal audit" function under 9.2. However, we cannot do internal audits, only risk reviews.
ISO 27001 does not prescribe how to name the function that performs the internal audit, only that the requirements for internal audit are fulfilled.

So, if you can comply with the requirements of clause 9.2, then you can perform the internal audit job for ISO 27001. The requirements are:

- audits must be performed at planned intervals
- there must be an audit programme defining frequency, methods, responsibilities, planning requirements and reporting
- there must be defined audit criteria and audit scope for each audit
- auditors must not have a conflict of interest with the audited scope (e.g., auditors cannot audit their own work)
- auditors must have experience with performing audits and have knowledge of ISO 27001
- audit results must be recorded and communicated to relevant management