We have been working on the ISO 27001 project using Advisera templates.
With regard to the internal audit, we plan to conduct the audit with "ISMS policies" as the scope instead of "Departments" as the scope, as indicated in the Advisera Vimeo video and templates.
This approach leads to some doubts about the scope and criteria content in the templates, which we want to clarify with the Advisera ISO 27001 experts.
Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the internal audit?
Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria (BS7858, as per regulatory requirements)?
Internal Audit Program (Scope & Criteria)
Scope (What, when, who) - HR Security Policy
Criteria (What) - BS7858 (mentioned in HR Security policy)
and so on for the other policies in our ISMS, used as scope and criteria.
We propose updating the Internal Audit Procedure template (Section 3.2) as follows:
Scope of the audit (departments, processes, clauses of the standard, etc.) ==>> we plan to add "ISMS Policies" (to cover the HR Security Policy, Access Control Policy, etc.), as our approach is to audit policies instead of departments
Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) ==>> BS7858 is a regulatory and contractual obligation from the regulator for the HR Security Policy
1 - Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the internal audit?
The internal audit can be performed in terms of the implemented ISMS policies. You only need to ensure that all mandatory clauses and applicable controls are audited before the next certification/surveillance audit.
2 - Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria (BS7858, as per regulatory requirements)?
First, it is important to note that audit criteria need to be something against which the ISMS policies are compared, not something within the ISMS policies, so you should think of requirements "applied to" ISMS policies, not "within" them.
Considering that, requirements used to develop ISMS policies can be used as audit criteria. In your example, BS7858 requirements are the criteria against which you evaluate your HR screening policy.