
Expert Advice Community

Annual auditing of controls

Guest user | Created: Feb 20, 2017 | Last commented: Feb 20, 2017

1- Once a company has secured its ISO 27001 certification and is performing annual internal audits of the controls, is there any reason for it to pay for an annual external audit, versus providing the internal audit results to the firm that provided the certification?

Expert: Rhand Leal, Feb 20, 2017

Answer: After the certification, both the internal audits and the surveillance audits (from the certification body) are mandatory; therefore, you cannot avoid either of them.

2- The other question is: what do you see as the benefit of having minimal annual system penetration testing performed as part of the internal audit?

Answer: Penetration testing, by actually attempting to breach the system, offers the benefit of increasing the assurance that operational systems are well developed, configured and up to date with regard to vulnerability patching, something that a simple documentation review cannot offer.

These articles will provide you with further explanation about auditing of controls:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/

These materials will also help you regarding auditing of controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/