ISO 27001 package question
1 - Is an "Inventar der Werte" (inventory of assets) obligatory? As I understand this, it's just a list of all values that appear in the risk analysis. Why is an ID needed?
Please note that ISO 27001 does not prescribe the inventory of assets, but it needs to be written if you mark the control A.8.1.1 as applicable in the Statement of Applicability.
Regarding the need for an ID, this is so because assets need to be identified in a unique manner to make them manageable.
For further information, see:
- How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
2 - Could you tell me the correct order of internal audit, management review and implementation of measures? I understood it like this: first all measures have to be implemented, then there is an internal audit by someone of us or a consultant, then we need to do the management review and implement the recommendations from the internal audit, and then we can ask for an external audit. Is that correct?
Please note that for the implementation and audit of the ISO 27001 Information Security Management System, you need to follow the implementation steps as defined in the toolkit (basically following the documents in the exact order displayed in the toolkit folders).
Jan 22, 2022