Below are the reasons why numerous incidents need to be removed:
- We created just for testing.
- We recently changed our incident management procedure in a way that incidents which are already put-in are not really relevant.
Since currently incidents from the Incident Register cannot be removed, What are we supposed to be doing now with respect to external auditing? We are quite concerned that numerous incidents contradict the incident procedure and can be marked as non-conformity which will cause a failure. ( Client wants to remove incidents under the incident register in Conformio, but for now, we do not have the possibility to delete)
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that the incident registers are records, and as such, they should not be deleted and should be evaluated in the context when they were created.
Considering that, for the first case, you need to document which incidents were created only for testing purposes and store this document as a management decision.
For the second case, you need to show to the auditor the incident procedure that was valid at the time the incidents were recorded. The auditor needs to evaluate the processes at that time considering that procedure, not the current one.
Comment as guest or Sign in
Aug 03, 2022