Audit report finding
Could you please let me know what type of document I should deliver to auditors? Should it be a checklist which compares the ISO 27001 controls with our policy, or some other type of document?
Answer: I will assume that, even though your organization is not ISO 27001 certified, it considers it relevant to follow the standard's practices. Considering this, since ISO 27001 was updated in 2013 and your organizational practices are based on the 2005 version, your organization should present:
1) a management decision on whether it is still relevant to be aligned with ISO 27001 practices after the standard's update (this can be part of the management review content);
2) if management has decided to maintain alignment, you should also provide a gap analysis between the organization's practices and the 2013 version of ISO 27001, the management decision about how to proceed considering the gap analysis findings (e.g., which practices to update, which to keep and which to discontinue), and the action plans regarding the changes deemed relevant.
These articles will provide you further explanation about handling this audit finding:
- How to make a transition from ISO 27001 2005 revision to 2013 revision https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
- Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
These materials will also help you regarding handling audit findings:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- Free ISO 27001 Gap Analysis Tool https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
May 03, 2017