Annual auditing of controls
Answer: After the certification, both the internal audits and the surveillance audits (from the certification body) are mandatory; therefore, you cannot avoid any of them.
2- The other question is: what do you see as the benefit of having a minimal annual system penetration test performed as part of the internal audit?
Answer: Penetration testing, by effectively trying to breach the system, offers the benefit of increasing the assurance that operational systems are well developed, configured and up to date regarding vulnerability patching, something that simple documentation review cannot offer.
This article will provide you further explanation about auditing of controls:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
These materials will also help you regarding auditing of controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 20, 2017