Expert Advice Community

ISO 27001 queries

Guest
User guest Created:   Jul 14, 2020 Last commented:   Jul 15, 2020

Recently, I went through the book on "Internal Auditing" ("ISO Internal Audit: A Plain English Guide") which I had bought from your Advisera site.

And then I also went through the free training on your site (ISO 27001 Internal Auditor Course).

After that I felt very comfortable and confident on the "Internal Audit" subject.

I just loved both (book and online training) because they are written beautifully and are easy to understand, along with practical examples.

Full credit goes to you and your team.

I also passed the CISA exam (around 3 years back), and I am trying consultancy in these areas (ISO 27001 implementation, auditing, data privacy (e.g. EU GDPR), BCM, etc.).

I have a few queries. I need some help and would appreciate it if these are addressed for my benefit.

1) First of all, are this book and training together comprehensive and enough to get prepared as a professional to provide consultancy in these areas? Do you feel some more study is required apart from this (to fill any possible knowledge gap)? If yes, please suggest those study areas/materials/books, etc.

2) In terms of work/activities, what is the difference between an Internal Auditor and an External Auditor (what an External Auditor does but an Internal Auditor does not, and vice versa)?

3) In ISO 27001 there are many documents, and if any internal/external auditor has to go through all the documents thoroughly (as a pre-audit step), then it may take considerable time. Any tips for this?

4) How to estimate the effort (time) required to complete any audit?

5) Should internal/external auditors need to check the firewall configuration settings to ensure that the firewall is properly configured (in the context of ISO 27001)?

6) What could be questions related to legal requirements?

7) How to cross-check (ensure) whether management has really reviewed the infosec policy document?

8) How should we test the password policy (gather evidence that it is implemented and working as per the policy)?


Expert
Rhand Leal Jul 14, 2020

1) First of all, are this book and training together comprehensive and enough to get prepared as a professional to provide consultancy in these areas? Do you feel some more study is required apart from this (to fill any possible knowledge gap)? If yes, please suggest those study areas/materials/books, etc.

Answer: The internal auditor course is designed for those who want to perform audits in their own organizations. For those who want to work as consultants (or work for certification bodies), the ISO 27001 Lead Auditor course is recommended instead.

For further information, see:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- Free online training ISO 27001 Lead Auditor Course https://training.advisera.com/course/iso-27001-lead-auditor-course/

2) In terms of work/activities, what is the difference between an Internal Auditor and an External Auditor (what an External Auditor does but an Internal Auditor does not, and vice versa)?

Answer: Please note that "internal" and "external" auditor only refer to whether the person is an employee of the organization or not.

Regarding work/activities, the proper comparison would be between performing the roles of an auditor, lead auditor (both can be performed by internal and external auditors), and certification auditor (this one can only be performed by an external auditor working for a certification body).

Considering that, the lead auditor and certification auditor have more work and responsibilities, because they need to plan the whole audit, including the coordination of audit team members, if such a team exists.

3) In ISO 27001 there are many documents, and if any internal/external auditor has to go through all the documents thoroughly (as a pre-audit step), then it may take considerable time. Any tips for this?

Answer: First, it is important to note that ISO 27001 has only a few mandatory documents and records that an auditor must look at, but other documents and records deemed relevant to information security by the organization must also be audited.

Considering that, an auditor must review all documents, but can review only a sample of records. The sample can be defined based on criteria such as relevant risks, audit scope, previous audit results, etc.

For further information, see:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

4) How to estimate the effort (time) required to complete any audit?

Answer: The main criteria to estimate the audit effort are the number of employees and the audit complexity. The document you must consider is IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems", and you can find it at this link: https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf

5) Should internal/external auditors need to check the firewall configuration settings to ensure that the firewall is properly configured (in the context of ISO 27001)?

Answer: The auditor needs to check the configuration only if there is an internal or external audited document which specifies the required configuration.

For further information, see:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
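The answer above makes the audit test a comparison between the documented required configuration and what the device actually runs. The following script is an added example (not code from the thread or from Advisera) of that comparison: it parses a rule export, reports documented rules that are missing, rules present on the device that the document does not authorize, and whether the documented default deny is still the last rule. The four-field rule format, the baseline and the export are constructed sample data, not any real firewall's output.

```python
"""Audit a firewall rule export against the documented required configuration.

Added example for the answer to question 5; not code from the original
thread or from Advisera. The rule format, the baseline and the export are
constructed sample data, not any real device's output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR or "any"
    dst_port: str  # destination port or "any"


# Constructed: what the audited document (e.g. a network security standard)
# says the firewall must contain.
DOCUMENTED_BASELINE = {
    Rule("allow", "tcp", "any", "443"),
    Rule("allow", "tcp", "10.0.0.0/8", "22"),
    Rule("deny", "any", "any", "any"),
}

# Constructed: a rule export as collected during the audit, one rule per line:
# <action> <proto> <src> <dst_port>, first match wins.
EXPORTED_RULES = """\
# exported 2020-07-14 (constructed sample)
allow tcp any 443
allow tcp 10.0.0.0/8 22
allow tcp any 3389
deny any any any
"""

DEFAULT_DENY = Rule("deny", "any", "any", "any")


def parse_export(text: str) -> list[Rule]:
    """Parse the export, keeping rule order. Malformed lines are an error,
    because an export the auditor cannot read is itself a finding."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules


def audit_rules(baseline: set[Rule], exported: list[Rule]):
    """Return (missing, unexpected): documented rules absent from the device,
    and device rules that the documentation does not authorize."""
    actual = set(exported)
    missing = sorted(baseline - actual, key=str)
    unexpected = sorted(actual - baseline, key=str)
    return missing, unexpected


def findings(baseline: set[Rule], exported: list[Rule]) -> list[str]:
    """Turn the comparison into the evidence lines an auditor would record."""
    missing, unexpected = audit_rules(baseline, exported)
    out = [f"MISSING (documented, not on device): {r}" for r in missing]
    out += [f"UNEXPECTED (on device, not documented): {r}" for r in unexpected]
    # Order matters in a first-match rule set: the documented default deny
    # only does its job if it is the last rule.
    if not exported or exported[-1] != DEFAULT_DENY:
        out.append("ORDER: last rule is not the documented default deny")
    return out


if __name__ == "__main__":
    for line in findings(DOCUMENTED_BASELINE, parse_export(EXPORTED_RULES)):
        print(line)
```

On the constructed sample the only finding is the undocumented rule allowing TCP 3389 from anywhere; the point of the structure is that every finding is traceable to a line in the audited document or to a line in the export, which is what makes it audit evidence rather than an opinion about the firewall.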

6) What could be questions related to legal requirements?

Answer: Questions will depend on the content of the legal requirement. For example, if in a contract there is a clause about backup, the questions would be about the existence of a backup policy and about performed backups and restorations.

7) How to cross-check (ensure) whether management has really reviewed the infosec policy document?

Answer: The most relevant evidence is the management review minutes (decisions about policy updates are one of its outputs), and you can also check the results of previous audits covering management responsibilities and the related treated nonconformities.

For further information, see:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

8) How should we test the password policy (gather evidence that it is implemented and working as per the policy)?

Answer: For this, you can either make simple tests, like manually typing a new password, or use software that can test the password file. The approach will depend on the scope, purpose, and conditions defined for the audit.
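The "manually typing a new password" test in the answer above produces evidence only if each observation is compared against what the written policy requires. The script below is an added example (not code from the thread or from Advisera) of that comparison: it encodes a policy's rules, takes a constructed list of candidate passwords together with the acceptance the system showed for each on a test account, and reports the two kinds of nonconformity an auditor would record: a non-compliant password the system accepted, and a compliant one it rejected. The policy values, user names and candidates are constructed sample data.

```python
"""Check that a system's password acceptance matches the written policy.

Added example for the answer to question 8; not code from the original
thread or from Advisera. The policy values, the user names and the candidate
passwords (with the acceptance the system showed for each) are constructed
sample data. In a real audit the auditor enters the candidates on a test
account and records what the system accepted.
"""
import string

# Constructed: the rules as written in the audited password policy.
POLICY = {
    "min_length": 12,
    "classes_required": 3,  # out of: lower, upper, digit, punctuation
    "banned_substrings": {"password", "welcome1", "companyname"},
}

CLASS_TESTS = (
    str.islower,
    str.isupper,
    str.isdigit,
    lambda c: c in string.punctuation,
)


def policy_allows(password: str, username: str = "", policy=POLICY) -> bool:
    """What the written policy says the system should decide."""
    if len(password) < policy["min_length"]:
        return False
    classes = sum(1 for test in CLASS_TESTS if any(test(c) for c in password))
    if classes < policy["classes_required"]:
        return False
    lowered = password.lower()
    if any(bad in lowered for bad in policy["banned_substrings"]):
        return False
    if username and username.lower() in lowered:
        return False
    return True


# Constructed evidence: (username, candidate password, accepted by the system?)
OBSERVED = [
    ("jdoe",   "Summer2020!",         True),   # 11 chars, below the minimum
    ("jdoe",   "Tr0ub4dor&3-river",   True),
    ("jdoe",   "jdoe-Quartz-Moon-88", True),   # contains the user name
    ("asmith", "correcthorsebattery", False),  # only one character class
    ("asmith", "Glacier!Ridge!2019",  False),  # compliant but rejected
]


def compare(observed, policy=POLICY):
    """Return nonconformities: cases where the system's decision differs
    from the policy. 'accepted_weak' is the security-relevant kind;
    'rejected_compliant' shows the configuration does not match the
    document either, and is still a finding to record."""
    issues = []
    for username, candidate, accepted in observed:
        expected = policy_allows(candidate, username, policy)
        if accepted and not expected:
            issues.append(("accepted_weak", username, candidate))
        elif expected and not accepted:
            issues.append(("rejected_compliant", username, candidate))
    return issues


if __name__ == "__main__":
    for kind, user, pw in compare(OBSERVED):
        print(f"{kind:20} user={user} candidate={pw!r}")
```

On the constructed observations the script reports three nonconformities, two of them weak passwords the system accepted. Keeping the policy encoded separately from the observations is what lets the same evidence be re-evaluated if the policy document changes between audits.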

Guest
Rama Jul 15, 2020

Thanks for your detailed response. 
