ISO 27001 Internal Audits

We are an IT Service provider in the healthcare industry and have different internal IT teams. We have an IT Field Engineering team, Data Centre, Directory Services, Networks and Telecoms, IT Server team, Project Management Office (PMO) teams etc. These are all specialist teams and their members are SMEs in their field they know the benefits of ISO 27001 and are committed to helping us the Compliance Team however auditing these technical experts from clauses 4 – 10 is a challenge.

So, what we have been doing auditing these internal teams from the controls of Annex A we created a template around these controls. Each team is audited around these controls for example

A6.1.2 Segregation of Duties

A8 Assets

A9 User Access Management

A11 Physical & Environment Security

A12 Operations

A15 Suppliers

A16 Information Security Incidents etc

However, during the recent Surveillance audit, the external auditor issued a non-conformity saying.

“Audits conducted to date have covered service delivery: to date, there has been no audit to conformity with ISO27001 clauses 4-10”

My question is these technical people don’t know what is in clauses 4 -10 of ISO27001. How should we audit them from clauses of the standard? For example, they don’t know the basic questions

Are relevant internal and external issues that can affect an organization's ISMS identified?

Are all relevant interested parties identified, together with their requirements?

Is top-level Information security policy documented?

Are management reviews performed as planned?

Is the Risk Assessment and Risk Treatment Methodology reviewed before the regular review of existing risk assessment?

The only option we can see is if someone within the organization who is independent audits us The Compliance team from Clause 4 – 10 and we continue auditing technical teams from Annex A controls. Please advise if this approach is sufficient to improve our auditing process. Many thanks, Ash