1. Is it a requirement for policy & procedure for the SOA to be approved?
Answer:
It is not a requirement, but it is a best practice, to avoid rework, to approve policies and procedures only after the SoA has been approved, because any changes in the applicability status of controls in the SoA can impact the development or review of policies and procedures.
These articles will provide you with further explanation about the steps for implementation and the SoA:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2. Another question: is it a requirement to have 3 months of ISMS evidence/records before the ISMS external audit?
Answer:
It is not mandatory by the standard to have 3 months of ISMS evidence/records before the ISMS external audit; however, some certification bodies, as part of their own processes, require the management system to be 3 months in operation before going for the certification (you should verify this situation with your own certification body).
This article will provide you with further explanation about the certification process:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
These materials will also help you regarding the certification process:
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
Aug 27, 2019