1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
Section 9.2, "Internal audit," explicitly states: "The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to: 1) the organization’s own requirements for its information security management system..." The information security policy is a core component of these requirements.
2. Fomin, V. V. (2011). ISO/IEC 27001 Information Security Management Standard: A case of a local government context. In Standards and Standardization: Concepts, Methodologies, Tools, and Applications (pp. 1210-1225). IGI Global.
This academic text, discussing the implementation of ISO 27001, reinforces that the standard "requires an organization to conduct internal audits of the ISMS at planned intervals" (p. 1217). This highlights the planned, ongoing nature of compliance checking as an internal function.
3. The Institute of Internal Auditors (IIA). (2017). IIA International Standards for the Professional Practice of Internal Auditing.
Standard 2100, "Nature of Work," states: "The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes..." and Standard 2120.A1 specifies that the internal audit activity must evaluate risk exposures relating to the "reliability and integrity of financial and operational information" and "compliance with laws, regulations, policies, procedures, and contracts." This officially sanctioned standard defines the role of internal audit in checking compliance with policies, including the information security policy.