With our team being global, we can't do in-person internal audits anymore. I’m worried that a remote audit might miss things that an auditor would normally see on-site. How do I effectively audit our cloud infrastructure and employee awareness without being there in person? What tools are best for capturing evidence during a Zoom or Teams audit session?
3 answers
Remote audits are actually very effective for ISO 27001 because most of the evidence is digital anyway. Use screen sharing to witness the configuration of your AWS or Azure environments and to see your MDM dashboard in real-time. For employee awareness, you can conduct "spot-check" interviews via video calls. I recommend using a centralized audit management tool or even a dedicated SharePoint site where all evidence can be uploaded and timestamped. This creates a clear trail for the external auditor to follow later, showing exactly what you verified and how.
Have you considered using a "pre-audit" questionnaire sent via Microsoft Forms to gather basic data before the actual interview? This can save hours of time during the live video call and lets you focus on the high-risk areas.
Video evidence is your best friend. Recording the parts of the audit where processes are demonstrated provides undeniable proof for your external certification body.
Definitely, Donna. We recorded our walkthrough of the server room (via a mobile phone camera) and the auditor was perfectly happy with that as "physical" evidence of restricted access.
Robert, I love that idea. If I use a questionnaire for the "low-risk" controls, how do I ensure that the employees aren't just "googling" the answers instead of actually knowing the security policies? Should I follow up with a live screen-share?