Delay in implementing the controls
Answer: If you already passed the certification audit and got certified, you should definitely try to implement all the planned controls until the next (surveillance) audit because otherwise the auditor might raise a major nonconformity.
You should implement all the controls that are marked as applicable in the Statement of Applicability, and you should plan this implementation through the Risk Treatment Plan. These articles will help you:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
In most cases, you will implement the controls by writing various policies and procedures. These materials will help you:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- ISO 27001 Documentation Toolkit with all the required templates for policies and procedures: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Is it acceptable to shift the dates for risk treatment forward during risk review and provide justification for that?
Yes, it is acceptable, but you need to have a really good reason; shifting the dates without any justification will bring you trouble with the certification auditor.
Aug 04, 2016