We're currently kicking off the process of becoming ISO accredited. Having looked through the documentation, the section that I'm having difficulty understanding is the internal auditing requirements.
- Who exactly needs to be audited
- Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?
- Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?
- If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?
- I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?
Apologies for all the questions, but I'm not an expert in this, so I want to get a good understanding before we kick off.