Expert Advice Community

How long should a company operate the ISMS before an internal audit takes place

Guest user Created:   Mar 03, 2016 Last commented:   Mar 03, 2016

I appreciate if you could assist me with the following question related to the ISO 27001 implementation process. Once the controls (technical, develop policies, etc.) are implemented, any best practice on how long should a company operate the ISMS before an internal audit takes place, and what is the time frame between the internal audit and the certification audit.

Expert
Dejan Kosutic Mar 03, 2016

Answer:

ISO 27001 does not specify this time frame, so basically as soon as you finish the implementation phase you should start your internal audit - this way the gaps in the implementation will be the most visible. You could repeat the internal audit a couple of months after the implementation, once a number of records have been created.

You should start your certification audit only after you finish the management review (the management review has to be done after the internal audit and before the certification audit), and after you close all the corrective actions. In practice, for smaller companies you could have 2 weeks of difference, while for larger companies you could have e.g. 2 months of difference between the internal audit and the certification audit.
