Stage 1 and stage 2 in internal audit
Hi, I would like to know more about stage 1 and stage 2 in the internal audit. Will be great if the expert sends me an email about stage 1 and its contents and stage 2 as well, for the ISO 27001 2013 internal audit.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
First, it is important to note that stages 1 and 2 refer only to certification/surveillance audits. Internal audits do not need to follow this approach (all activities described below are performed in a single "stage").
Considering that, Stage 1 covers "Documentation review" - the internal auditor will evaluate whether you have all the mandatory documentation.
You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Regarding stage 2, the internal auditor goes around the company, speaks to employees, looks for logs and other records, observes the effectiveness of safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.
In the Internal Auditor course you attended, you can find explains about the steps that need to be taken.
This article will provide you a further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Thank you Rhand for your reply, to sum up the role of the internal auditor in stage one only to evaluate whether the company has all the mandatory documents that is all, during the main audit in stage two what kind of questions the auditor should ask the auditees during the interview in order to make sure that the control is implemented the way it has been described in the SoA ?
Specific questions will depend on each audited control, but generally speaking, the questions are related to:
- how actions are performed. E.g., how do you perform backup procedures?
- information knowledge. E.g., what can you tell me about the information security policy?
Additionally, verifications can be made by observing behavior, like asking someone to do something to keep him/her away from his/her workstation and see if the person locks his/her computer when he/she leaves, or by asking for evidence demonstration, like requiring to see the reported incidents from last week.
The important thing is that audit questions are open questions, i.e., they cannot be answered simply by a Yes or No, the answer needs to be developed by the auditee.
In the ISO 27001 Internal Auditor Online Course you bought you can find more details in Module 10 - The main audit “Interviewing techniques”
These articles will provide you a further explanation about auditor questions:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Comment as guest or Sign in
May 15, 2021