Guest user Created: Jun 03, 2022 Last commented: Jun 03, 2022

ISO 27001 Clause 9.2

for ISO 27001, clause 9.2, do you need an internal audit function or can it be named something else? such as risk review? My organization does external financial audits but a client is asking for us to assist with their "internal audit" function of 9.2. However we cannot do internal audits only risk reviews.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jun 03, 2022

ISO 27001 does not prescribe how to name the function which performs internal audit, only that requirements for internal audit are fulfilled.

So, if you can comply with requirements from clause 9.2, then you can perform the internal audit job for ISO 27001. The requirements are:
- audits must be performed at planned intervals
- there must be an audit programme, defining frequency, methods, responsibilities, planning requirements and reporting
- there must be defined audit criteria and audit scope for each audit
- auditors must not have conflict of interest with the audited scope (e.g., auditors cannot audit their own work)
- auditors must have experience with performing audit and have knowledge of ISO 27001
- audit results must be recorded and communicated to relevant management

For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jun 03, 2022

Expert Advice Community