IT audit

Answer: First of all you must define an audit methodology, and after that identify the audit scope (e.g., process, assets, locations, etc.) and which references you'll be using to perform the audit (e.g., ITIL, ISO 27001, etc.). With these information you can built a proper audit plan.

I suggest you to take a look at this free online course to get a better view of the audit process: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

2. Can I use the knowledge of ISO 27001 to conduct one?

Answer: Yes. Many of the ISO 27001 requirements and controls are perfectly applicable to audit IT environments.

3. Must the company be certified?

Answer: This will depend upon the requirements of the audit client (the person or organization that demands the audit). You should verify this with the organization.

4. Which certification body do we use in case the client wan ts to be certified?

Answer: This is a decision of the organization that wants to be certified, because there are many variable to be considered that will impact not only operations but future strategic decisions.

This article will provide you further explanation about certification bodies:
- How to choose a certification body https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body

These materials will also help you regarding IT audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/