Number of controls for audit
1 - One initial question I have is whether there is a “required” number of controls that need to be audited for a certification? I was thinking that an auditor would check 15-20 randomly selected controls?
2 - Any thoughts or recommendations for how best to approach this would be helpful and appreciated!
One initial question I have is whether there is a “required” number of controls that need to be audited for a certification? I was thinking that an auditor would check 15-20 randomly selected controls?
For a certification audit, all controls identified as applicable in the Statement of Applicability will be audited, and this number will vary depending on the results of the risk assessment and the legal requirements you have to comply with. A reduced number of controls will be audited only during surveillance audits, where the auditor will focus on the controls applicable in the scope of the audit.
For further information, see:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
Any thoughts or recommendations for how best to approach this would be helpful and appreciated!
The best way to approach this situation is to prepare a proper internal audit checklist for your internal audit (performing at least one internal audit is also mandatory for certification). This way you will have a good understanding of the status of your ISMS before the certification audit.
These articles will provide you with further explanation about the internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course
May 18, 2020