HI, just following on from the webinar last week regarding the Certification Process - which was very good thank you – I’ve a couple of questions if that’s OK:
1 - Training / Awareness
Prior to the webinar we had been led to believe that our planned approach – namely:
Publish the IS policy & notify everyone it is available – but not actually record who has read it
Publish a number of awareness bulletins and encourage people to discuss them at team meetings
Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security are presented. The attendee list for these events would be retained
would be sufficient. Would you agree with that or, as I think you implied would the auditor expect that we had a more formal approach to training with people being recorded against the training sessions they have completed?
2 - Internal Auditor
Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff that’s been trained or a 3rd party retained for the audits)? One thought was that following the first initial audit where we would use a qualified third party we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time – though they would not necessarily be accredited.
Any information you can give would be greatly appreciated.