ISO/IEC 27001:2022, Clause 9.2.2, mandates that an organization's internal audit programme must be planned, established, and maintained. A key input for this planning is "the importance of the processes concerned." This risk-based approach ensures that audit efforts and resources are prioritized and focused on the processes most critical to the organization's information security objectives. Audits for high-importance processes may be more frequent or in-depth compared to those for less critical processes, thereby making the audit programme more effective and efficient.

A. The standard requires auditors to be objective and impartial, but does not mandate the use of third parties for internal audits.

B. This is directly contrary to the standard, which requires that the "results of previous audits" MUST be considered when planning the programme.

D. The standard does not prescribe a fixed audit cycle. Audit frequency must be determined based on process importance and risk, not a generic timeframe.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Clause 9.2.2 states: "The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits."

2. Calder, A., & Watkins, S. (2020). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page.

Chapter 12, Section 'The Audit Programme', explains that the audit programme should be risk-based, meaning that the frequency and intensity of audits should reflect the business importance and risk level of the processes being audited.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Chapter 15, Section '9.2 Internal Audit', clarifies that the audit programme needs to be dynamic, taking into account process importance and past performance (audit results) to determine what to audit and when.