Including WFH or teleworking in audit plan
Problem statement: an external auditor company did not include WFH or teleworking in its audit plan, but the company had already implemented "ad hoc" WFH during this pandemic without consulting employees and without government regulatory approval.
1 - Can an external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?
2 - Is there such a thing as partial certification?
1 - Can an external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?
Even if WFH or teleworking is not included in the audit plan, if the auditor identifies that this practice affects the stated ISMS scope, he can include it in the audit (because it may compromise the security of the information the ISMS is intended to protect), checking whether the relevant requirements were identified, whether risk assessment and treatment were performed, and, where controls are required, whether they are implemented and working properly.
If such items are not properly fulfilled, this could mean a non-conformity that can prevent the certification from being awarded.
2 - Is there such a thing as partial certification?
What is possible is that you limit the scope of your ISMS, and therefore limit the scope of certification - see this article for more information:
- How to set the ISMS scope according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Oct 09, 2020