How do you perform an ISMS audit, with efficient suggestions to the consultant and client, to ease the gap between the risks and controls in the standard?
I’m assuming you are referring to an ISMS certification audit.
Considering that, to ease the gap between assessed risks and implemented controls, you should consider including in the risk management process the personnel involved in the processes included in the ISMS scope, because these are the people most familiar with the most expected information compromise events and their consequences, which will make the identification of the relevant risks (i.e., those to be treated) easier.
Additionally, their familiarity with the processes in the ISMS scope will help define the most adequate controls and how to implement them.
For example, if the sales process is included in the ISMS scope, then by including the sales manager and key users of the sales department to help the information security team identify risks, the gap between relevant risks and implemented controls will be smaller.
For further information see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
Feb 02, 2023