The correct answer is A, because ISO/IEC 27001 and ISO 19011 require internal audits to be objective and impartial, but they do not impose an absolute prohibition on individuals holding both operational and audit roles. What is required is that auditors do not audit their own work and that conflicts of interest are avoided.
In smaller organizations, it is common for staff to perform multiple roles. ISO 19011 recognizes this reality and allows auditors to conduct internal audits provided they are independent of the activities being audited. Clearly documented job descriptions, role separation, and audit assignment controls help ensure impartiality.
Option B is incorrect because ISO standards do not mandate a fixed “cooling-off” period such as one year. The key consideration is whether the auditor is independent of the audited activities, not the passage of time. Option C is incorrect because it imposes an unrealistic and unnecessary restriction, especially for small or medium-sized organizations.
Objectivity is achieved through planning, role separation, competence, and management oversight, not by rigid role exclusion rules. Therefore, allowing auditors to perform unrelated operational roles with proper safeguards is acceptable and standards-compliant.