Independent review
Can this requirement for 'Independent Review' be satisfied internally? That is, review of the ISMS policies and procedures by an in-house team that is not directly attached to the ISO 27001 effort?
Can this requirement be satisfied through the ISO 27001 Certification process, citing the 2 minor audits between major certification as our Independent Review?
Otherwise, what is the best course of action to meet this requirement, and could we gain and keep certification without using this control?
Can this requirement for 'Independent Review' be satisfied internally? That is, review of the ISMS policies and procedures by an in-house team that is not directly attached to the ISO 27001 effort?
Answer: Your understanding is correct. The ISMS review by anyone with proper competence (i.e., knowledge, education or experience on ISO 27001 requirements) who is not related to the ISMS scope, or does not review his/her own work, is a way to fulfill this requirement.
Can this requirement be satisfied through the ISO 27001 Certification process, citing the 2 minor audits between major certification as our Independent Review?
Answer: Your assumption is correct; it is possible to achieve compliance with A.18.2.1 by means of the certification / surveillance audit.
Otherwise, what is the best course of action to meet this requirement, and could we gain and keep certification without using this control?
Answer: The certification / surveillance audit is the best course of action because internal audits are mandatory.
This article will provide you with further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
For further information about internal audit, please see:
- ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
Aug 31, 2019