I am referring to ISO 27001 Internal Auditor Course.
In module 9 (Document review at 2:20) the following is said:
"You can perform the document review on-site meaning in the auditee or premises, or you can also do it off-site – in your own office – it really does not matter, all you are doing is reading the documentation."
Is this really correct? This documentation is or can be classified and shouldn't leave the premises? I found that statement a bit strange.
You are partially correct. While some documents can be classified in a way that forbids them from leaving the premises, you may need to make such documents available to the internal auditor when he is off-premises (e.g., during a remote audit due to a pandemic) because they are related to mandatory clauses, or are paramount to evaluating a specific control. In these cases, you need to evaluate the related risks and implement proper controls to decrease the risks to acceptable levels (e.g., sign a specific NDA, provide access only to an electronic version through a secure connection to your network, etc.).
These materials will provide you with further explanation about remote audits: