Choosing the best and most eligible audit firm to evaluate compliance with ISO standards is highly important, as only a legitimate and productive auditor can bring value and do the audit justice.
Although there aren't any regulations specifying the requirements that must be fulfilled to be a qualified ISO auditor, an organization must lay down some minimum criteria when choosing the most appropriate auditor. This is important because the auditor should have all the necessary qualifications and knowledge to carry out a thorough internal audit and understand the information security framework.
In terms of experience, it is preferable that the auditor has previously performed a lead auditor role. He or she should have experience as an ISO consultant on at least 3-4 projects.
As far as knowledge is concerned, the auditor should have all the necessary information about information security protocols and best practices. A certified ISO consultant or auditor who has completed training courses specifically in the implementation of ISO standards would be a plus.
These criteria are important so that the proficiency of an internal auditor can be gauged from his or her experience and knowledge, and so that a smooth, qualified audit can be carried out. Some organizations even scrutinize internal auditors before an audit is conducted. In this scenario, candidates are asked to go through an initial screening, and only if they pass the test are they allowed to audit.
There are many auditors who have all the knowledge required to conduct audits but have conducted very few of them. On the other hand, there are quite a few people who may not have all those certifications but are frequently performing audits for firms. In these situations, you may want to see who has the most demonstrable knowledge and grasp of ISO standards. An auditor who can demonstrate his or her knowledge and clearly describe his or her experience should be worthy of conducting the ISO internal audit.