PECB ISO-IEC-27001-Lead-Auditor Exam With Confidence Using Practice Dumps

No, the audit scope should reflect all of the organization's divisions that are covered by the ISMS. If the ISMS scope stated that it includes the whole company, the audit scope should align with this unless specifically justified and agreed upon by all stakeholders.

The correct answer is A, because internal and external audits serve different but complementary purposes within an ISO/IEC 27001-based ISMS. Internal audits are conducted by or on behalf of the organization to regularly assess the effectiveness, conformity, and continual improvement of the ISMS. Their results help management identify weaknesses, risks, and opportunities for improvement before they become systemic issues.

ISO/IEC 27001 requires organizations to conduct internal audits at planned intervals to ensure the ISMS conforms to both internal requirements and the standard. These audits provide valuable input into management reviews, corrective actions, and readiness for external audits. In this way, internal audits act as an early warning and improvement mechanism.

External audits, conducted by an independent certification body, rely partly on the maturity demonstrated through internal audit outcomes. They verify whether the organization’s ISMS meets ISO/IEC 27001 requirements and whether internal audits are effective and properly implemented.

Option B is incorrect because internal audits are not passive reviews of external audit outputs; they are independent assessments with their own scope and objectives. Option C is incorrect because the roles are reversed: internal audits focus on ongoing internal improvement, while external audits focus on certification conformity.

Therefore, internal audits directly support and complement external audits by strengthening ISMS readiness and effectiveness.