Expert Advice Community

How often should the controls be audited

Guest user | Created: Jan 18, 2017 | Last commented: Jan 18, 2017

I have a few questions after watching the video.
Expert
Dejan Kosutic Jan 18, 2017

1. Do we need to annually test every control that is in scope in the SoA? Or do we do this over a 3 year period?

Answer: If your question is about internal audit, then it would be better if you audit all controls each year, but you can also do it over a 3-year period. If your question was about control A.14.2.8 System security testing or A.12.6.1 Management of technical vulnerabilities (which could also include e.g. pen tests), those activities should be performed continuously or at least periodically, but certainly not only once in 3 years.

2. How should we best structure our audit plan? Should the audit scope reflect the department or the control objectives being reviewed? For example I could see it would make sense for the audit scope in the plan to be 8 Asset management and then using the checklist provided we can assign the specific tests and responsibilities to the auditors. I could then make up an annual checklist for each control area. What do you think?

Answer: You can do it both ways - by controls or by departments. If the auditor has more experience, it is probably better to do it by department; if he/she has less experience, then it will be easier by controls.

By the way, this free online training will teach you everything about performing an internal audit: ISO 27001 Internal Auditor Course: https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-internal-auditor-course/