Hi, I would like to know more about stage 1 and stage 2 in the internal audit. It will be great if the expert sends me an email about stage 1 and its contents, and stage 2 as well, for the ISO 27001:2013 internal audit.
First, it is important to note that stages 1 and 2 refer only to certification/surveillance audits. Internal audits do not need to follow this approach (all activities described below are performed in a single "stage").
Considering that, Stage 1 covers "Documentation review" - the internal auditor will evaluate whether you have all the mandatory documentation.
Regarding stage 2, the internal auditor goes around the company, speaks to employees, looks for logs and other records, observes the effectiveness of safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.
In the Internal Auditor course you attended, you can find explanations about the steps that need to be taken.
Thank you Rhand for your reply. To sum up, the role of the internal auditor in stage one is only to evaluate whether the company has all the mandatory documents, that is all. During the main audit in stage two, what kind of questions should the auditor ask the auditees during the interview in order to make sure that the control is implemented the way it has been described in the SoA?
Specific questions will depend on each audited control, but generally speaking, the questions are related to:
- how actions are performed. E.g., how do you perform backup procedures?
- information knowledge. E.g., what can you tell me about the information security policy?
Additionally, verifications can be made by observing behavior, like asking someone to do something that keeps him/her away from his/her workstation and seeing if the person locks his/her computer when he/she leaves, or by asking for evidence demonstration, like asking to see the reported incidents from last week.
The important thing is that audit questions are open questions, i.e., they cannot be answered simply by a Yes or No, the answer needs to be developed by the auditee.
In the ISO 27001 Internal Auditor Online Course you bought, you can find more details in Module 10 - The main audit, “Interviewing techniques”.
These articles will provide you with a further explanation about auditor questions: