DeeCorp, established in 1989, is one of the first companies to offer wireless technology services in South America. With more than 400 employees, they specialize in providing innovative engineering services, including network planning, deployment, integration, and optimization. Complying with ISO/IEC 27001 is very important to DeeCorp. They hope to finally gain their certification this year.
Eva was appointed to be the audit team leader for DeeCorp’s audit. Her job was to evaluate the current state of DeeCorp’s information security management system and present the audit findings in a comprehensive report. This would allow her to determine whether she should issue a recommendation for certification to DeeCorp.
Eva has thorough theoretical and practical knowledge of the audit principles and procedures. She is also experienced in information security. Her team consisted of two other auditors, Tom and Ben. Eva had worked with Tom and Ben before, so a socializing event (e.g., audit opening meeting) was deemed unnecessary.
Eva, Tom, and Ben decided to structure an audit test plan before proceeding. Eva’s job was to verify DeeCorp’s conformity to Annex A 5.1, Policies for information security, of ISO/IEC 27001. To do so, she used individual interviews as an evidence collection procedure and audit sampling as a tool. She chose a statistically reliable and easy-to-use sampling method. Ben and Tom, on the other hand, were responsible for the sampling procedure. They selected a sample size of 10 employees based on a fixed interval.
Based on the scenario above, answer the following questions:
According to the general principles for determining the sample size, did Tom and Ben select a valid sample size of 10 employees based on a fixed interval?