Performing audits
The question was if the auditor must check whether the controls are applied by collecting evidence, like making sure that the backup is done and the process is working, rather than just asking how it's done or just reviewing the process / procedure document. Or looking for AV logs, alerts, and evidence of how the alerts are handled rather than just checking that the system has an AV and that there is a process for monitoring and handling the alerts. Basically, checking the effectiveness of the applied controls by checking evidence and gathering samples. Also, if there are any relevant ISO documents that talk about this topic.
Answer: The collection of evidence that confirms that the controls are being applied and working properly, according to what was planned, is the core of an audit, so the auditor must complement their evaluation of policies and procedures and interviews with personnel with verification of samples of records defined by each process.
Regarding related ISO standards, I suggest you take a look at ISO 19011, the ISO standard about performing management system audits. You can find this standard at this link: https://www.iso.org/standard/50675.html
These articles will provide you further explanation about audits:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Feb 14, 2018