Expert Advice Community

Scope of the external auditor

Guest user. Created: Mar 24, 2016. Last commented: Mar 24, 2016

I have a question regarding the scope of the external auditor for ISO 27001. Where does it start and where does it end?
Antonio Jose Segovia Mar 24, 2016

Should we allow him to get into our PCs and see how the controls are implemented and how my staff are working? I am asking this because if I allow that, then it will be a breach of the confidentiality agreement with my client. How do we deal with this if such a situation arises?

Answer:
It starts and ends with the review of the implementation of ISO 27001. I mean, the auditor needs to review compliance with the standard, and for this he will search for evidence of compliance (for this, it can be necessary to see how your staff are working), but this does not mean that you need to show confidential information. For example, if you have defined a clear desk and clear screen policy, the auditor will search for PCs with an open session, passwords written on paper, etc.

Generally, the auditor does not need to see confidential information (he only needs to review how it is protected), but if he requests this information from you, you can justify that the information cannot be seen by external people (if this happens, the auditor can include this situation in his report).

This article about the brain of an ISO auditor can be useful for you: “Infographic: The brain of an ISO auditor – What to expect at a certification audit”: https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

And our online course about the internal audit can also be interesting for you, because we give information about the internal audit process: “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
