Expert Advice Community

CONTROLS A.18.2.1 AND A.18.2.2

Adalnei Gomide, Created: Dec 15, 2021, Last commented: Dec 17, 2021


How do we implement this control when the company is very small, that is, it has 6 employees? Critical analyses are usually carried out by the entire company team. In this situation, would it always be necessary to hire a specialized external organization, as suggested by the ISO 27002 standard?

Expert: Rhand Leal, Dec 17, 2021

For control A.18.2.1 Independent review of information security, please note that this control is usually implemented in the form of an internal audit or a certification audit.

In very small companies like yours, the common approach for the internal audit is to hire an external party for the task, because the organization would not have enough work to justify contracting a full-time auditor, and a part-time internal auditor would have difficulty keeping their independence over all of the organization's processes while performing the task.

As for certification audits, they are conducted by accredited organizations (the certification bodies) to provide evidence that an organization complies with all requirements of the ISO 27001 standard.

For further information, see:

Regarding control A.18.2.2 Compliance with security policies and standards, it does not require independence from the reviewed area. In fact, it is quite the opposite (management is the focus of this control; they have to do the review). So, your current implementation of critical analysis is acceptable to fulfill the control.

This article will provide you with a further explanation about management review:
