How would I audit a large company that holds its ISMS processes at its head office but has 120 sub-sites that mainly only supply construction work for the company? Head office is in *** and about 60 sub-sites are in ***. My point is, as far as the ISMS is concerned, it is operated from the head office, which holds all the clients’ data.
I’m assuming that:
- the ISMS scope covers only the company’s head office and the sub-sites only interact with the ISMS scope (they are not part of it)
- you are referring to an internal audit, not to a certification audit.
Considering that, when the scope is only the head office, you do not need to audit the sub-sites.
In this case, the sub-sites can be audited as part of the supplier monitoring process, which is a completely separate process.
At most, during the audit of the head office, you can ask for the audit reports from the sub-sites to check whether audits were performed and whether the treatment of raised non-conformities is being followed up, but you do not need to go into further detail.
This article will provide you with further explanation about auditing:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit
These materials will also help you regarding auditing:
Sep 23, 2022