Audit the entire standard?

Guest user Created: Feb 05, 2016 Last commented: Feb 05, 2016


How can audits be planned to cover the entire standard? Is there an accepted way to sample different portions of the standard over cycles? (Ex. how can all 133 controls be audited each time without missing other areas of the Standard?)
Antonio Jose Segovia Feb 05, 2016

Answer:
I suppose that your question is related to the internal audit. In relation to the internal audit (section 9.2 of ISO 27001:2013), the standard says: “The organization shall conduct internal audits at planned intervals….”, so you can perform the internal audit as you want, for example once a year.

There is no global accepted way, but my recommendation is that sections 4 to 10 of ISO 27001:2013 should be reviewed in each internal audit, and all security controls can be reviewed in the life cycle of the certificate (3 years), although you can also review all security controls each year (if you have budget and time the best way for me is to audit everything each year).

For the review of the security controls each company has its own method, but one example can be: first year A.5 Information Security Policies, A.6 Organization of information security, A.7 Human resource security, A.8 Asset management and A.15 Supplier relationships (generally not directly related to IT); second year A.12 Operations security, A.13 Communications security, A.16 Information security incident management and A.17 Information security aspects of business continuity management; and third year A.9 Access control, A.10 Cryptography, A.11 Physical and environmental security, A.14 System acquisition, development and maintenance and A.18 Compliance.

Do you need help to perform the internal audit? This article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

By the way, the new version of ISO 27001:2013 has 114 security controls, while the previous version had 133, so this article can be interesting for you “Main changes in the new ISO 27002” : https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/

Finally, our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
