Support re. internal audit section of ISO 27001 2022

1 - Who exactly needs to be audited

You need to audit the persons who perform activities included in the ISMS scope (e.g., users, technical staff, and managers). The exact persons and how many of them you need to audit will depend on the size and complexity of the process.

2 - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?

The main rules of internal audit are that no one can audit his own work and that the internal auditor needs to have competence related to the ISO 27001 standard and audit techniques.

Considering that, the project manager cannot perform an internal audit, and you should look for a person with proper competencies and who is not involved in the audited process, to perform the audit.

For further information, see:

• ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

This course will provide required knowledge for the audit job.

3 - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?

Your understanding is correct. The checklist provided with the toolkit covers all clauses of the main sections (4 to 10), and all controls from Annex A, but please note that you can add more questions in case you identify such a need.

4 - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?

No. Please note that section 1 covers ISO 27001, and section 2 covers ISO 22301, which is related to business continuity. If you are auditing only ISO 27001, then you need to use only the questions from section 1.

5 - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

Apologies for all the questions, but I'm not an expert in this so wanting to get a good understanding before we kick off.

Please note that the Measurement Report is an input for the Management Review step, and it summarizes the objectives for your ISMS, the measurement method, the frequency of measurement, and the results. It is not created by the internal auditor and is used by management to conclude how effective information security is in your company.

For further information about measurements, see:

• How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
• ISO 27001 control objectives - Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

This article will provide you with further explanation about internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/