Guest user Created: Feb 20, 2017 Last commented: Feb 20, 2017

Annual auditing of controls

1- Once a company has secured their ISO27K certification and are performing annual internal audits of the controls is there any reason for them to pay for an annual exterior audit versus providing the internal audit results to the firm that provided the certification?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Feb 20, 2017

Answer: After the certification, both the internal audits and the surveillance audits (from the certification body) are mandatory - therefore, you cannot avoid any of them.

2- The other question is what you do see as the benefit of having a minimal annual system penetration testing performed as part of the internal audit?

Answer: Penetration testing, by effectively trying to breach the system, offers the benefit of increasing the assurance that operational systems are well developed, configured and up to date regarding vulnerabilities patching, something that simple documentation review cannot offer.

This article will provide you further explanation about auditing of controls:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/ surveillance-visits-vs-certification-audits/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

These materials will also help you regarding auditing of controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Feb 20, 2017

Expert Advice Community