Since the standard is licensed, how can we appropriately reference/include ISO27001 Annex A controls and clause requirements in an internal audit report to show which control/clause is not being met?
The easiest way is for you to refer only to the standard's clause or Annex A control numbers, describing them in your own way (normally a negative form of the requirement/control). For example:
- Clause 4.2 a) not met: interested parties relevant to the ISMS not determined
- Control A.8.1.1 not met: asset inventory outdated
This way the text is different enough to not be considered a violation of intellectual property.
For further information, see:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course
Oct 05, 2020