Expert Advice Community


Evidences for audit

Guest user. Created: May 24, 2019. Last commented: May 24, 2019.


1. My organization is 2 months old, and I have implemented an ISMS for ISO certification and have been operating it for the past 10 days. We have documented standard procedures for incident and change management. For the certification audit, do we need to give any kind of evidence if no incident or normal change has happened yet in our organization?

Expert
Rhand Leal May 24, 2019

Answer: ISO 27001 does not prescribe the need to evidence what did not happen (i.e., if there was no incident or no change), but it could make sense during the measurement and monitoring process to create a record that says that none of these things have happened.

2. As a part of the implementation process, we have installed a firewall in our organization for log generation. Can we conduct an internal audit based on logs of 10 days?

Answer: A good reference you can use to define the time you need a process or control to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.
