In such cases, to decide whether this is a finding or not, you need to check whether the events that trigger the procedure to be performed have occurred.
For example, if the trigger is something like “every 6 months” or “6 months of the last occurrence”, and such a period has not been completed yet by the time of the audit, then it is acceptable that the procedure has not been carried out yet, and it is not a finding. Otherwise, it should be considered a finding.
An example of a document that may not be activated when an audit takes place is the Disaster Recovery Plan or an incident treatment for a specific incident.
For further information, see:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
Jan 26, 2022