Documentation and audit
Answer: For certification purposes, you should wait until all mandatory policies and procedures have been implemented, and at least a couple of mandatory records have been generated, so you have enough evidence to verify whether the ISMS is properly implemented and working. The precise time frame will depend on the duration of the cycles of the processes included in the ISMS scope.
2. I have documented the policy. Am I eligible to perform an internal audit? I am pursuing my MBA in information security.
Answer: The main criteria for performing an internal audit are competence, by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). Considering that, if you can demonstrate that you have the necessary competence, and you do not audit your own work, you can perform the internal audit.
This article will provide further information:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
3. Do I need to document the Access Control Policy separately from the ISMS policy (A.9.1.1), or do I just need to mention it in the ISMS policy itself? What are the mandatory operating procedures apart from incident management and change management?
Answer: Although ISO 27001 allows merging documents, the ISMS Policy is a high-level document (to be used by the whole organization), while the remaining policies, like the Access Control Policy, are considered operational policies (to be used by specific areas or processes), so we do not recommend merging them into a single document, because this document would become unnecessarily big and difficult to read and manage.
The same applies to procedures that have different purposes (if they would become too big, they should be created as separate documents).
These articles will provide you with further explanation about developing policies:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
Apr 25, 2019