Expert Advice Community

Internal and external issues, requirements of interested parties

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

We are a BPO organization and the external auditor marked us with the following NC: "Internal and External Issues are addressed in Risk Assessments which can be more clearly established. Also the requirements of Interested parties can be further elaborated." How can we overcome the above-mentioned NC?
DejanK Jan 13, 2016

Answer:

ISO 27001 does not require you to document internal and external issues, you only have to take them into account (doing this through the process of risk assessment is fine) - very often the auditors do not understand this so in your case I would challenge this auditor. This article can also help you: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

Regarding requirements of interested parties, you should develop a list of all their requirements (which is also required by control A.18.1.1) - this article will help you: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//