How long should a company operate the ISMS before an internal audit takes place?
Answer:
ISO 27001 does not specify this time frame, so basically as soon as you finish the implementation phase you should start your internal audit - this way the gaps in the implementation will be the most visible. You could repeat the internal audit a couple of months after the implementation, once a number of records is created.
You should start your certification audit only after you finish the management review (management review has to be done after the internal audit and before the certification audit), and after you close all the corrective actions. In practice, for smaller companies you could have 2 weeks of difference, while for larger companies you could have e.g. 2 months of difference between internal and certification audit.
Mar 03, 2016