
Expert Advice Community

Guest user Created: Apr 30, 2020 Last commented: Apr 30, 2020

Integrated Management System

My company has taken an integrated approach to ISO 27001, 9001 and 22301. I have 2 questions:

1. We have integrated the 3 risk registers and have been having monthly risk meetings, but we would like to find out how often the SOA would change from the ISO 27001 perspective. Would it be after each risk meeting? What happens if a control has been implemented and another risk is identified for the same control?

2. We are approaching our surveillance audit soon and would like to find out what an auditor would typically look out for during the surveillance audit.


Expert
Rhand Leal Apr 30, 2020

1. We have integrated the 3 risk registers and have been having monthly risk meetings, but we would like to find out how often the SOA would change from the ISO 27001 perspective. Would it be after each risk meeting? What happens if a control has been implemented and another risk is identified for the same control?

ISO 27001 does not prescribe how often the SoA should change, but you should consider updating the SoA every time there is a need for significant change in applicable controls (e.g., a new control is included, a control is excluded from the SoA, an implementation method is changed, etc.). This need can come not only from risk meetings but also from management review, non-conformity treatment, etc.

In case a control has been implemented and another risk is identified for the same control, you have to evaluate the impact of not treating this risk until the next planned review of the implemented control, to decide if an early change is needed.

For further information:

2. We are approaching our surveillance audit soon and would like to find out what an auditor would typically look out for during the surveillance audit.

The surveillance audit is performed the same way as a certification audit. The difference is that it covers only part of the ISMS scope (evidence of the fulfillment of the mandatory requirements and of part of the applicable controls in a sample of the process in the ISMS scope).

These materials will provide you with a further explanation about surveillance audits:
