Internal and external issues, requirements of interested parties
Answer:
ISO 27001 does not require you to document internal and external issues; you only have to take them into account (doing this through the process of risk assessment is fine). Very often the auditors do not understand this, so in your case I would challenge this auditor. This article can also help you: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Regarding requirements of interested parties, you should develop a list of all their requirements (which is also required by control A.18.1.1). This article will help you: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Jan 13, 2016