Expert Advice Community

27001 certification audit

Guest
lina6 Created:   Jun 17, 2019 Last commented:   Jun 17, 2019

Guest
lina6 Jun 17, 2019

Hello. If the company has established the BCP but has not yet tested it prior to the Stage 2 audit (they do have the date for conducting the test), would it be a minor NC or an observation?

Expert
Rhand Leal Jun 18, 2019

Answer: I'm assuming that by BCP establishment and testing you are referring to implementation of controls A.17.1.2 Implementing information security continuity and A.17.1.3 Verify, review and evaluate information security continuity.

Considering that, the implementation of some controls can be concluded after the certification audit; however, you must make sure that you implement all the major controls before the certification audit.

This means that you can implement after the certification audit only the less important controls (those that decrease less significant risks). In such cases the management must accept those risks because at the time of the certification audit those risks will be unacceptable.

In short, if the BCP test is not a major control, and your organization accepts the related risks associated with this control, you can go for certification audit Stage 2.

This article will provide you with further explanation about the certification audit:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

Guest
lina6 Jun 18, 2019

Thank you very much Rhand.
