Controls effectiveness review
Answer: First, it is important to understand that ISO 27001 does not require procedures to check the effectiveness, only that activities are performed (it is not mandatory to document them, but in some cases documentation is a best practice).
Considering that, regarding technical measures, you should consider activities for penetration tests and vulnerability assessments. For organizational measures, you should consider audit activities.
These articles will provide you with further explanation about penetration tests and internal audit:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
Jul 10, 2018