Expert Advice Community

ISO 27001 Internal Auditor Course Question

Guest user. Created: Oct 10, 2023. Last commented: Oct 10, 2023.

In Module 7 Audit Findings, the quiz asks the student to select which finding is an observation, with the correct answer nominated as “The procedure for internal audit can be improved by adding an audit plan”. I would argue that this is a non-conformity, as ISO27001-2022 cl 9.2.2 requires the organisation to plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. If an audit plan is not available at the time of the audit, is this a matter of noncompliance with the part of the standard?

I’d appreciate your thoughts and any clarification that you might be able to provide.

Expert
Rhand Leal Oct 10, 2023

Please note that the Audit Program and Audit Plan are different documents.

An Audit program refers to all audits planned for a period of time, while an Audit plan specifies the details of one specific audit; Audit program is mandatory, while Audit plan is not.

For further information, see our complete guide for internal audit.
