Guest
Completing RTP before certification audit
Does all of the RTP need to be completed before certification audit?
Expert
Rhand Leal
May 22, 2023
You can leave some of the activities of the Risk Treatment Plan to be completed after the certification audit under the following conditions:
- That you have implemented before the certification the controls that mitigate the biggest risks - in other words, you can leave for conclusion after the certification audit only activities related to less important controls.
- That you have specified the deadlines for the activities related to the controls that you will be implementing after the certification in your Risk Treatment Plan - of course, those deadlines must be after the certification date.
- That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.
This means that activities related to the most important controls must have "implemented" status at the certification, while the less important controls can have the status "planned" or "partially implemented" at the moment of the certification.
This article will provide you with further explanation: