Expert Advice Community

Documentation and audit

Guest user Created:   Apr 25, 2019 Last commented:   Apr 25, 2019

1. I have a documented ISMS policy for a small organization. How long should I wait to perform an internal audit for the organization?

Expert
Rhand Leal Apr 25, 2019

Answer: For certification purposes, you should wait until all mandatory policies and procedures have been implemented, and at least a couple of mandatory records have been generated, so you can have enough evidence to verify whether the ISMS is properly implemented and working. The precise time frame will depend on the duration of the cycles of the processes included in the ISMS scope.

2. I have documented the policy. Am I eligible to perform the internal audit? I am pursuing my MBA in information security.

Answer: The main criteria to perform an internal audit are competence, by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). Considering that, if you can demonstrate that you have the necessary competence, and you do not audit your own work, you can perform the internal audit.

This article will provide further information:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

3. Do I need to document the Access Control Policy separately from the ISMS policy (A.9.1.1), or do I just need to mention it in the ISMS itself? What are the mandatory operating procedures apart from incident management and change management?

Answer: Although ISO 27001 allows merging documents, the ISMS Policy is a high-level document (to be used by the whole organization), while the remaining policies, like the Access Control Policy, are considered operational policies (to be used by specific areas or processes), so we do not recommend merging them into a single document, because this document would become unnecessarily big and difficult to read and manage.

The same applies to procedures that have different purposes (if they would become too big, they should be created as separate documents).

These articles will provide you with further explanation about developing policies:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/