We have been working on the ISO 27001 project using Advisera templates.
With regard to the Internal Audit, we plan to conduct the audit with "ISMS policies" as the scope instead of "Departments" as the scope, as indicated in the Advisera Vimeo video and templates.
This approach has led to some doubts around the scope and criteria content in the templates, which we want to clarify with the Advisera ISO 27001 experts.
Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the Internal Audit?
Can requirements within the ISMS policies be the audit criteria? E.g. HR screening criteria: BS7858, as per regulatory requirements.
Internal Audit Program (Scope & Criteria)
Scope (What, when, who) - HR Security Policy
Criteria (What) - BS7858 (mentioned in HR Security policy)
and so on for other policies in our ISMS to be scope and criteria
Internal Audit Procedure template (Section 3.2) is proposed to be updated as follows:
Scope of the audit (departments, processes, clauses of the standard, etc.) == >> plan to add "ISMS Policies" (to cover HR Security Policy, Access Control Policy, etc.), as our approach to the audit is based on auditing policies instead of departments
Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) == >> BS7858 is a regulatory and contractual obligation from the regulator for the HR Security Policy