Expert Advice Community

ISMS system

Guest user Created:   Jun 24, 2020 Last commented:   Jun 24, 2020

Thanks, Dejan. This is useful. Usually, most companies would have their best people in front of the customers. Sadly, when it comes to implementation, they are not around and the entire activity is left to inexperienced folks who usually go by the book.

1. We have put in place an ISMS. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time (prior to gap assessment and then certification) to assess how much of what we have written is applicable, i.e. of relevance in the context of changing business requirements and the organization's appetite for investment, and then amend the ISMS to appear more practical.

Is the above-mentioned relevant?

2. What ISMS documents do the auditors look at? Or, to put it another way, which document is critical to ISO certification?


Expert
Rhand Leal Jun 24, 2020

1. We have put in place an ISMS. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time (prior to gap assessment and then certification) to assess how much of what we have written is applicable, i.e. of relevance in the context of changing business requirements and the organization's appetite for investment, and then amend the ISMS to appear more practical.
Is the above-mentioned relevant?

Considering your stated status, I think you are referring to internal audit instead of gap assessment (these are different things):

  • gap analysis is not mandatory in ISO 27001, while the internal audit is.
  • gap analysis is performed at the beginning of the project, while the internal audit is performed at the end.
  • gap analysis helps you understand what you have already implemented regarding the standard, while the internal audit provides evidence that requirements are implemented and working, and that the ISMS is relevant to the organization and is achieving its intended outcomes.

2. What ISMS documents do the auditors look at? Or, to put it another way, which document is critical to ISO certification?

The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).

In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Records of training, skills, experience, and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
