Audit the entire standard?
Answer:
I suppose that your question is related to the internal audit. In relation to the internal audit (section 9.2 of ISO 27001:2013), the standard says: “The organization shall conduct internal audits at planned intervals….”, so you can perform the internal audit as you want, for example once a year.
There is no globally accepted way, but my recommendation is that sections 4 to 10 of ISO 27001:2013 should be reviewed in each internal audit, and all security controls can be reviewed in the life cycle of the certificate (3 years), although you can also review all security controls each year (if you have the budget and time, the best way for me is to audit everything each year).
For the review of the security controls each company has its own method, but one example can be: first year A.5 Information Security Policies, A.6 Organization of information security, A.7 Human resource security, A.8 Asset management and A.15 Supplier relationships (generally not directly related to IT); second year A.12 Operations security, A.13 Communications security, A.16 Information security incident management and A.17 Information security aspects of business continuity management; and third year A.9 Access control, A.10 Cryptography, A.11 Physical and environmental security, A.14 System acquisition, development and maintenance and A.18 Compliance.
Do you need help to perform the internal audit? This article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
By the way, the new version ISO 27001:2013 has 114 security controls, whereas the previous version had 133, so this article can be interesting for you “Main changes in the new ISO 27002” : https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
Finally, our online course can also be interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
Feb 05, 2016