email-svg
Get in touch
info@canadiancyber.ca

ISO 27001 Internal Audit Interview Questions

A clause-by-clause ISO 27001 internal audit interview script for 2022. Includes evidence prompts, red flags, and practical auditor guidance for consistent, risk-based audits.

Main Hero Image
ISO/IEC 27001:2022 • Clauses 4–10 • Interview Script

ISO 27001 Internal Audit Interview Questions

Clause-by-Clause Script for Auditors (ISO/IEC 27001:2022)

A practical, factual interview script you can use to run consistent, evidence-based internal audits mapped to ISO 27001 clauses 4–10, with example prompts, expected evidence, and common red flags.

Best use
Use as a repeatable interview script so audits stay consistent across teams and quarters.
What it includes
Interview prompts, evidence to request, and red flags clause-by-clause.
Auditor mindset
Verify the ISMS works in practice. Don’t audit “intent” audit evidence.

How to use this script in a real internal audit

Internal audits are not “asking people if they comply.” They’re verifying that the ISMS is working as designed.

A solid interview approach
  • Ask how the process works in practice
  • Request evidence (records, logs, tickets, minutes, outputs)
  • Confirm consistency (what people say matches what evidence shows)
  • Sample a few recent examples and trace end-to-end
Auditor tip: Avoid yes/no questions. Ask “Show me…” and “Walk me through…”.

Clause 4 — Context of the Organization

4.1 Understanding the organization and its context
Goal: confirm context is current and drives risk decisions.
Interview questions
  • What internal and external issues could affect our information security outcomes?
  • How is this context reviewed and kept current?
  • What changed recently (business model, suppliers, technology, legal/regulatory) that could affect risk?
Evidence to request
  • Context analysis / ISMS context document
  • Risk register inputs reflecting changes
  • Management review notes mentioning changes
Red flags: context is one-time only; major changes not reflected in risk assessment.

4.2 Needs and expectations of interested parties
Goal: confirm obligations are owned, tracked, and linked to controls.
Interview questions
  • Who are our key interested parties (customers, regulators, insurers, partners)?
  • What security requirements do they impose (contracts, privacy expectations, questionnaires)?
  • How do we track and update these requirements?
Evidence to request
  • Interested parties register
  • Contract security requirements / customer security addenda
  • Regulatory obligations list (privacy laws, sector guidance)
Red flags: no owner for obligations; requirements “known” but not documented or linked to controls.

4.3 Scope of the ISMS
Goal: confirm scope is clear, auditable, and boundaries are managed.
Interview questions
  • What’s included in scope (sites, units, products, services, systems)?
  • What is explicitly excluded—and why is that justified?
  • How are interfaces/dependencies outside scope still managed?
Evidence to request
  • ISMS scope statement
  • Network/system diagrams showing boundaries
  • Supplier/service dependency documentation
Red flags: scope is vague or too broad to audit; exclusions used to dodge key risks.

4.4 Information Security Management System
Goal: confirm ISMS is a managed system, not a document folder.
Interview questions
  • What are the main ISMS processes (risk, treatment, incidents, audit, mgmt review)?
  • How are these processes maintained and improved?
  • Who is accountable for ISMS performance?
Evidence to request
  • ISMS process map
  • Roles/responsibilities (RACI)
  • Metrics/KPIs and reports
Red flags: people can’t explain daily ISMS operations; “the ISMS is a folder.”

Clause 5 — Leadership

5.1 Leadership and commitment
Goal: verify commitment is evidenced in decisions, not slogans.
Interview questions
  • How does top management demonstrate commitment beyond approving policies?
  • What security decisions did leadership make last quarter (risk, budget, resourcing)?
  • How are security objectives integrated into business planning?
Evidence to request
  • Leadership communications
  • Budget/resourcing approvals tied to risks
  • Management review decisions and follow-ups
Red flags: support is verbal only; objectives exist but aren’t tracked or resourced.

5.2 Information security policy
Goal: verify the policy is current, communicated, and used.
Interview questions
  • What is the policy purpose and who does it apply to?
  • How is it communicated and enforced?
  • When was it last reviewed, and what changed?
Evidence to request
  • Approved policy with version control
  • Policy distribution/acknowledgements
  • Review schedule and revision history
Red flags: policy is outdated/generic; staff unaware of key rules (data handling, acceptable use).

5.3 Organizational roles, responsibilities and authorities
Goal: confirm named ownership for risks, controls, and response.
Interview questions
  • Who owns risk management? controls? incident response?
  • How are responsibilities included in job roles or contracts?
  • How do we handle accountability for third parties?
Evidence to request
  • Role descriptions / org chart
  • Security responsibilities in HR documentation
  • Supplier ownership and escalation contacts
Red flags: critical tasks have no named owner; “IT owns everything,” including business risk decisions.

Clause 6 — Planning

6.1.2 Information security risk assessment
Goal: confirm method is consistent and traceable end-to-end.
Interview questions
  • What risk methodology do we use (likelihood/impact, criteria, thresholds)?
  • How do we identify risks (assets, threats, vulnerabilities, processes)?
  • How often do we reassess risk, and what triggers off-cycle review?
  • Show me one recent risk from identification to evaluation.
Evidence to request
  • Risk assessment procedure
  • Risk register (current version)
  • Risk criteria and scoring definitions
Red flags: inconsistent scoring; risks don’t map to business impact or assets.

6.1.3 Information security risk treatment
Goal: confirm controls are selected, tracked, and evidenced.
Interview questions
  • How do we decide treatment options (mitigate, transfer, accept, avoid)?
  • How are controls selected and tracked to completion?
  • Show me a treatment plan and evidence it’s being executed.
Evidence to request
  • Risk treatment plan(s)
  • Statement of Applicability (SoA)
  • Risk acceptance records with approval
Red flags: SoA exists but status is unclear; risk acceptances lack rationale/owner/expiry date.

6.2 Information security objectives and planning to achieve them
Goal: verify objectives are measurable, owned, and tracked.
Interview questions
  • What are our security objectives for this year/quarter?
  • How are they measured (KPIs) and who owns them?
  • Show progress reporting and corrective actions when off track.
Evidence to request
  • Documented objectives with metrics
  • KPI dashboards or reports
  • Project plans / improvement initiatives
Red flags: vague objectives; no evidence of monitoring or follow-up.

6.3 Planning of changes
Goal: confirm changes are planned and risk-assessed before deployment.
Interview questions
  • How are ISMS changes planned (scope, policies, controls, major systems)?
  • How do you assess impact and ensure changes don’t break compliance?
  • Show an example of a significant change and how it was managed.
Evidence to request
  • Change management records
  • Risk assessments tied to changes
  • Approval records and testing evidence
Red flags: changes happen informally; security brought in after deployment.

Clause 7 — Support

7.1 Resources
Interview questions
  • Do we have enough people, tools, and budget to run the ISMS?
  • How are resource gaps identified and escalated?
Evidence to request
  • Resourcing plans and budgets
  • Open risks/issues linked to lack of resources
Red flags: known gaps persist for months with no decisions recorded.

7.2 Competence
Interview questions
  • What security competencies are required by role?
  • How do we verify competence for critical roles?
  • Show evidence of training or qualification.
Evidence to request
  • Training matrix by role
  • Certifications / training completion logs
  • Onboarding checklists
Red flags: ad hoc training with no tracking; high-risk roles have no requirements.

7.3 Awareness
Interview questions
  • How do employees learn key security rules (classification, phishing, incident reporting)?
  • What happens when people don’t follow rules?
  • Ask a sample employee: “How do you report a suspected incident?”
Evidence to request
  • Awareness program plan
  • Phishing simulations and results
  • Communications and acknowledgements
Red flags: employees can’t explain reporting steps; awareness isn’t measured.

7.4 Communication
Interview questions
  • What security communications are required internally and externally?
  • Who communicates during incidents?
  • How do we communicate requirements to suppliers?
Evidence to request
  • Communication plan
  • Incident comms templates
  • Supplier communication requirements
Red flags: no comms owners for incidents; notification triggers unclear.

7.5 Documented information (7.5.1 / 7.5.2 / 7.5.3)
Interview questions
  • How do we control ISMS documents (approvals, versioning, access)?
  • How do we ensure people use the current version?
  • How do we retain records and protect them from unauthorized access/changes?
Evidence to request
  • Document control procedure
  • Version history and access permissions
  • Record retention schedule
Red flags: conflicting versions; no evidence of review/approval controls.

Clause 8 — Operation

8.1 Operational planning and control
Interview questions
  • What operational controls ensure security processes run consistently?
  • How do we ensure outsourced processes meet requirements?
  • Show operational evidence (tickets, logs, approvals) for a sample period.
Evidence to request
  • Operational procedures/runbooks
  • Supplier oversight records
  • Change/incident/problem records
Red flags: procedures exist but aren’t used; operational work isn’t traceable.

8.2 Information security risk assessment (operational)
Interview questions
  • When was the last risk assessment performed? What triggered it?
  • How do operational teams contribute risk inputs (incidents, changes, vulnerabilities)?
Evidence to request
  • Risk assessment records over time
  • Inputs from incidents/vulnerability management
Red flags: risk assessment is only done for audits.

8.3 Information security risk treatment (operational)
Interview questions
  • How do we implement selected controls and validate they work?
  • How do we track progress and handle exceptions?
Evidence to request
  • Control implementation evidence (configs, screenshots, logs)
  • Exception/risk acceptance records
Red flags: control “implemented” with no operational proof of effectiveness.

Clause 9 — Performance Evaluation

9.1 Monitoring, measurement, analysis and evaluation
Interview questions
  • What do we measure to know security is improving (not just activity)?
  • Who reviews metrics, and how often?
  • What actions were taken based on metrics?
Evidence to request
  • KPI definitions (what, how, frequency)
  • Reports/dashboards and meeting notes
  • Improvement actions
Red flags: metrics tracked but never acted on; only tool metrics (no risk indicators).

9.2 Internal audit
Interview questions
  • How is the audit program planned (scope, frequency, methods)?
  • How is auditor independence ensured?
  • How do you track findings to closure?
  • Show a completed audit with evidence and corrective actions.
Evidence to request
  • Audit program and schedule
  • Audit reports and evidence trails
  • Corrective action tracker and closure verification
Red flags: checklist-only audits; findings closed without verifying effectiveness.

9.3 Management review
Interview questions
  • When was the last management review? What inputs were included?
  • What decisions were made (actions, resources, improvements)?
  • How do you follow up and verify completion?
Evidence to request
  • Management review minutes
  • Action list with owners and deadlines
  • Follow-up evidence
Red flags: reviews produce no decisions; actions repeat quarter after quarter.

Clause 10 — Improvement

10.1 Nonconformity and corrective action
Interview questions
  • How do you record nonconformities (audits, incidents, KPI failures)?
  • How do you determine root cause and corrective actions?
  • How do you verify actions are effective and prevent recurrence?
Evidence to request
  • Corrective action procedure
  • Root cause analyses (RCA)
  • Effectiveness verification records
Red flags: symptom-only fixes; no effectiveness checks after closure.

10.2 Continual improvement
Interview questions
  • What improvements were implemented in the last 6–12 months?
  • How do you select improvements (risk, audit results, incidents, objectives)?
  • What’s the next improvement plan?
Evidence to request
  • Improvement roadmap
  • Completed initiatives with outcomes
  • Updated risk register/objectives reflecting improvements
Red flags: continual improvement claimed but not evidenced; same gaps persist across cycles.

Optional add-on: Annex A interview prompts (if you audit controls too)

ISO 27001:2022 references Annex A controls (aligned to ISO/IEC 27002:2022). Many internal audits include sampling key control areas.
Here’s a fast, high-value set to append:

  • Access control / Identity: MFA, admin reviews, joiner-mover-leaver, recertification
  • Asset management: inventory, ownership, acceptable use
  • Supplier security: requirements, reviews, incident notification
  • Incident management: reporting, triage, lessons learned
  • Backup and recovery: restore tests, RTO/RPO alignment
  • Secure configuration & patching: baselines, remediation SLAs
  • Logging & monitoring: alerting, response times, coverage
  • Cryptography: key management, encryption at rest/in transit
If you want, we can convert Annex A into the same “control-by-control” script style.

Practical auditor tips to keep the audit factual

Keep it evidence-based
  • Triangulate: interview + system evidence + record sampling
  • Sample recent items: last 30–90 days is more reliable than “in theory”
  • Follow the trail: a policy without evidence of use is not implementation
  • Write findings with facts: what you saw, the requirement, and the supporting evidence

Make internal audits feel like real assurance (not paperwork)
A vCISO-led internal audit approach helps you standardize interviews, collect evidence cleanly, and turn findings into measurable improvements.
  • Standardize interviews across teams
  • Build clean, repeatable evidence trails
  • Convert findings into tracked improvement actions
  • Prepare for certification or surveillance audits with confidence

Follow Canadian Cyber
Practical cybersecurity + compliance guidance for Canadian teams:

 

Related Post

blog thum
2026
Mar

ISO 27001 Control 5.23 Cloud Services

ISO 27001 Control 5.23 cloud services requires clear governance, vendor review, configuration security, and ongoing monitoring. Use this audit-ready script and evidence checklist to prepare clean, defensible proof.
blog thum
2026
Mar

ISO 27001 Internal Audit Interview Questions

A clause-by-clause ISO 27001 internal audit interview script for 2022. Includes evidence prompts, red flags, and practical auditor guidance for consistent, risk-based audits.
blog thum
2026
Mar

Ransomware Readiness for Leadership

Ransomware readiness is a leadership responsibility. Use these 10 vCISO assessment questions to evaluate containment, backups, recovery, and executive decision-making before the next attack.
blog thum
2026
Mar

AI Use Policy for Canadian Teams

Employees are already using GenAI tools like ChatGPT and Copilot. This vCISO-approved AI use policy template helps Canadian teams protect data, meet privacy obligations, and enable safe innovation.
blog thum
2026
Mar

A vCISO Template for Quarterly Business Reviews (QBRs)

Board-ready cyber risk reporting helps Canadian organizations translate technical security metrics into business risk decisions. Learn how to structure a QBR your board will understand and act on.
blog thum
2026
Feb

Master Your ISO 27001 Risk Assessment

Master your ISO 27001 risk assessment with our free template. Learn Clause 6.1 requirements, scoring methodology, and how to build a compliant risk register that auditors trust.
blog thum
2026
Feb

CIS Controls v8

CIS Controls v8 give Canadian SMBs a practical, prioritized cybersecurity roadmap. Learn how to start with IG1, reduce real-world risk, and build a strong foundation for ISO 27001, SOC 2, and cyber insurance readiness without an enterprise budget.
blog thum
2026
Feb

Saved by the Standard

ISO 27018 cloud privacy controls helped a Canadian SaaS company prevent a potential data breach by enforcing strict PII governance and cloud monitoring.
blog thum
2026
Feb

Using ISMS Data to Continuously Improve Security

ISMS continuous improvement transforms ISO 27001 from a compliance exercise into a data-driven security strategy that strengthens governance and reduces risk.