1. ISO 19011:2018, Guidelines for auditing management systems.
Section 3.1, Note 3 to entry: This standard explicitly defines the types of audits. It states, "Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself... Third-party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity to the requirements of ISO 9001 or ISO 14001." (This principle applies directly to ISO 27001 certification audits).
2. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
Clause 9.2.1 General: This clause mandates that "The organization shall conduct internal audits at planned intervals..." This supports the first part of Statement 1. The standard itself says nothing about external (third-party) audits: certification is voluntary, and the frequency of certification and surveillance audits is set by the certification body's scheme, not by ISO/IEC 27001.
3. Calder, A., & Watkins, S. G. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page.
Chapter 14, "Certification and continual improvement," p. 188: This chapter details the certification process, explaining, "Certification is for a fixed period, usually three years, at the end of which you will need to apply for recertification... In the intervening years, your certification body will carry out periodic surveillance audits to ensure that you are continuing to maintain the ISMS." This confirms that external auditing is a three-year cycle (an initial or recertification audit followed by surveillance audits in the intervening years), not a single annual event.