Which methods are typically used in internal auditing?

The correct answer indicates a comprehensive approach to internal auditing that encompasses multiple techniques essential for a thorough evaluation of an organization's processes and controls. Internal auditing is not limited to a single method; instead, it typically involves a combination of reviewing documentation, interviewing employees, and observing activities.

Reviewing documentation allows auditors to assess compliance with policies, standards, and procedures, ensuring that documented practices align with actual operations. Interviewing employees provides insights into their understanding of processes, their roles in information security, and any concerns they might have, which can shed light on potential areas for improvement. Observing activities gives auditors firsthand experience of how processes are executed in practice, helping to identify gaps or inefficiencies that may not be apparent from documents or discussions alone.

This multifaceted approach aligns well with the goals of internal auditing, which are to evaluate the effectiveness of risk management, control, and governance processes. Such thorough methods help in providing a more accurate, objective evaluation of the organization's adherence to ISO 27001 standards and other relevant regulatory requirements.