
Expert Advice Community

Certification Process

Guest user | Created: Jun 23, 2021 | Last commented: Jun 23, 2021

Hi, just following on from the webinar last week regarding the Certification Process - which was very good, thank you – I’ve a couple of questions if that’s OK:

1 - Training / Awareness

Prior to the webinar we had been led to believe that our planned approach – namely:

Publish the IS policy & notify everyone it is available – but not actually record who has read it
Publish a number of awareness bulletins and encourage people to discuss them at team meetings
Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security are presented. The attendee list for these events would be retained

would be sufficient. Would you agree with that or, as I think you implied, would the auditor expect that we had a more formal approach to training with people being recorded against the training sessions they have completed?

2 - Internal Auditor

Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff that’s been trained or a 3rd party retained for the audits)? One thought was that following the first initial audit, where we would use a qualified third party, we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time – though they would not necessarily be accredited.

Any information you can give would be greatly appreciated.

Thanks
Expert: Rhand Leal, Jun 23, 2021

Hi, just following on from the webinar last week regarding the Certification Process - which was very good, thank you – I’ve a couple of questions if that’s OK:

1 - Training / Awareness

Prior to the webinar we had been led to believe that our planned approach – namely:

Publish the IS policy & notify everyone it is available – but not actually record who has read it
Publish a number of awareness bulletins and encourage people to discuss them at team meetings
Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security are presented. The attendee list for these events would be retained
would be sufficient. Would you agree with that or, as I think you implied, would the auditor expect that we had a more formal approach to training with people being recorded against the training sessions they have completed?

Please note that while your proposed approaches cover the communication from organization to employees, you are not considering an approach to ensure employees have understood your message, i.e., that they understand the importance of information security, the impacts in case it is compromised, and what they can do to protect information.

So, you should also consider the application of small quizzes or other methods to evaluate employees' understanding.

For further information, see:

2 - Internal Auditor

Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff that’s been trained or a 3rd party retained for the audits)? One thought was that following the first initial audit, where we would use a qualified third party, we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time – though they would not necessarily be accredited.

Any information you can give would be greatly appreciated.

Thanks

You do not need a certified auditor to perform an internal audit, provided that you can evidence their audit competencies by other means, like previous experience or formal education in auditing.

These articles will provide you with a further explanation about the internal auditor:

These materials will also help you regarding internal audit:
