Expert Advice Community


Including WFH or teleworking in audit plan

Guest
Guest user Created:   Oct 09, 2020 Last commented:   Oct 09, 2020


Problem statement: an external auditor company did not include WFH or teleworking in their audit plan, but the company had already implemented "ad hoc" WFH during this pandemic, without consultation with employees and without government regulatory approval.

1 - Can the external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?

2 - Is there such a thing as partial certification?


Expert
Rhand Leal Oct 09, 2020

1 - Can the external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?

Even if WFH or teleworking is not included in the audit plan, if the auditor identifies that this practice affects the stated ISMS scope, he can include it in the audit (because it may compromise the security of the information the ISMS is intended to protect), checking whether the relevant requirements were identified, whether risk assessment and treatment were performed, and, in case there are required controls, whether they are implemented and working properly.

In case such items are not properly fulfilled, this could mean a non-conformity that can prevent the certification from being awarded.

2 - Is there such a thing as partial certification?

What is possible is that you limit the scope of your ISMS, and therefore limit the scope of certification - see this article for more information:
