As part of the ISO 27001 external audit, and apart from the security awareness training, we would like to inquire about the topics on which the auditor will be interviewing the rest of the *** employees (the ones who are not currently set up as members of the ISMS in Conformio).
Currently, we are a bit concerned about what questions the auditor might ask employees, and some direction from you would be very useful.
In interviews with employees, the certification auditor will check whether people are familiar with the documentation and use it while performing their daily activities, i.e., check that the ISMS is working in the company.
Considering that, the auditor will ask questions about their degree of knowledge of, at least, the most important documents that apply to them: Information Security Policy, confidentiality clauses, acceptable use of assets, Access Control Policy, etc.
Examples of possible questions are:
“Do you have access to the internal rules of the organization in relation to information security?”
“Can you show me some of the related policies?”
“Could you tell me which points you consider most important in the policy?”
Please note that when you say “the rest of *** employees (the ones who are not currently set up to be members of the ISMS in Conformio)”, for certification purposes you need to consider only those employees who are part of the ISMS scope (the auditor will not interview people outside the ISMS scope).