Expert Advice Community

Audit, acceptance and compliance questions

aduffield Created:   Apr 23, 2019 Last commented:   Apr 24, 2019

Hi, I have 4 questions regarding our current ISO 27001 project:

1. Regarding the first on-site Audit, are we, as a company, obliged to have carried out an internal audit ourselves before we engage an official auditor?
2. In relation to controls in Annex A such as the Acceptable Use Policy, are we required to get every employee to read and sign the document in order for us to be compliant?
3. In relation to the Risk Assessment, Risk Treatment, and Statement of Applicability, are we required to have a control in place for all unacceptable risks before we can be certified, or can we be certified if we have a plan in place to treat outstanding risks in the coming months?
4. When we are audited, will an auditor need to see the Risk Assessment Table, Risk Treatment Table, Statement of Applicability and Risk Treatment report, or just the latter?

Kind regards, Andy
Expert
Rhand Leal Apr 24, 2019
>1. Regarding the first on-site Audit, are we, as a company, obliged to have carried out an internal audit ourselves before we engage an official auditor?

Documented information about internal audit program(s) and the internal audit results are an ISO 27001 requirement, so internal audits must be performed on the whole ISMS scope before the certification audit.

For additional information see:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

>2. In relation to controls in Annex A such as the Acceptable Use Policy, are we required to get every employee to read and sign the document in order for us to be compliant?

Every person in the ISMS scope must be aware of information security policies and procedures, and you can evidence that by means of physical signatures on each document, physical signatures on a single document listing all related information security policies and procedures the employees must be aware of, or any electronic way you use to evidence employee consent.

>3. In relation to the Risk Assessment, Risk Treatment, and Statement of Applicability, are we required to have a control in place for all unacceptable risks before we can be certified, or can we be certified if we have a plan in place to treat outstanding risks in the coming months?

The implementation of some controls can be concluded after the certification audit; however, you must make sure that you implement all the major controls before the certification audit.

This means that you can implement after the certification audit only the less important controls (those that decrease less significant risks). In such cases the management must accept those risks because at the time of the certification audit those risks will be unacceptable.

For further information see:
- Why is residual risk so important? https://blog.iso27001standard.com/2012/02/13/why-is-residual-risk-so-important/

>4. When we are audited, will an auditor need to see the Risk Assessment Table, Risk Treatment Table, Statement of Applicability and Risk Treatment report, or just the latter?

All these documents are evidence of the risk assessment and treatment process, so the certification auditor can ask for any of these during the certification audit to better understand how your organization performs the process.