Your internal audit team (even if non-technical) can use ISO 27008 to know when to call in technical experts. The standard provides "questions to ask" for each control family.
They are looking for guidelines on auditing information security controls — specifically the controls listed in ISO/IEC 27001 (Annex A) and ISO/IEC 27002 .
The next revision of ISO 27008 (expected around 2026-2027) may include more automated assessment techniques and integration with continuous monitoring tools.
Avoid free PDFs shared on GitHub, Scribd, or dubious document-sharing sites. These are often outdated drafts (pre-2019), incomplete previews, or copyright violations. Using obsolete versions can lead to non-conforming audits.
