Security controls and the internal audit

Guest user Created:   Sep 17, 2016 Last commented:   Sep 17, 2016


How can audits be planned to cover the entire standard? Is there an accepted way to sample different portions of the standard over cycles? (Ex. how can all 133 controls be audited each time without missing other areas of the Standard?)
Antonio Jose Segovia Sep 17, 2016

Answer:
Some certification bodies require you to check all security controls during the first internal audit, so our recommendation is that you review all the security controls during the initial internal audit.

There is no globally accepted way, but you can distribute the 114 controls (133 controls were in the previous version of the standard, not in the current one) in the way that you want. For example, maybe you can review 1/3 of the security controls each year.

By the way, maybe this article can be interesting for you, because it can help you to perform the internal audit: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

And maybe this article about the transition from the ISO 27001 2005 revision to the 2013 revision can also be interesting for you: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

Finally, these materials will help you to know more about the internal audit:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
