
Expert Advice Community

Security objectives and audit process

Guest
Guest user Created:   Mar 09, 2017 Last commented:   Mar 09, 2017

1 - I am updating our ISP to include objectives which are measurable, with assigned ownership and relevant processes to manage their delivery, etc., but could you confirm how many objectives we should be aiming for?
Expert
Rhand Leal Mar 09, 2017

Answer: You can define as many objectives as you consider needed to fulfill the needs and expectations of your interested parties, information security requirements and the results of risk assessments and risk treatments. There is no predefined number to be achieved.

Please, see this article for more information: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

2 - Competencies of people with roles & responsibilities, i.e. for the MD (Information Security Lead). Do you think he should do some kind of high-level course to evidence he is competent? Or would some online training suffice? Does he need proven credentials?

Answer: For the standard, evidence of competence can be demonstrated in terms of education, training, or experience. So, if your IS Leader lacks a high-level course but has recorded experience or certifications, this is sufficient for the standard. It's up to your organization to define which types of evidence it considers necessary for its needs.

Please, see this article for more information: What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

3 - Internal audit… does the person who will be likely to do the internal audit review also need some kind of proven training and certification to ensure they are competent to do the job? If so, do you please have any recommendations of suitable training courses? I am assuming that a different person would do the audit each year and am wondering if several people should therefore be trained (or at least a new person each year?)

Answer: The same answer for question 2 applies here. You have to have evidence of competence for internal audit, either in terms of education, training, or experience. You do not need to have a different person perform the internal audit each year if you can ensure there is no conflict of interest between the auditor and the audited process (the common rule is that no one should audit their own work or any work under their responsibility). Good practice recommends having more than one auditor available so you can have a different view of the audited process (which is good to identify nonconformities and opportunities for improvement) and to minimize the risk of relying on a single person capable of performing the internal audit, but these conditions are not mandatory under the standard.

Regarding an internal auditor course, please see more information here: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

4 - Finally, is there any chance you could supply us with any more templates which would be helpful to use going forwards; Procedure for corrective actions and Internal audit form?

Answer: For the procedure and form I suggest you take a look at the free demos and verify if they can meet your needs. The links are:
- Procedure for corrective actions https://advisera.com/27001academy/documentation/procedure-for-corrective-action/
- Internal audit form https://advisera.com/27001academy/documentation/internal-audit-report/

In those pages you just need to scroll down the screen a little to find the tab with the free demo preview.

These materials will also help you regarding security objectives and audit process:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
