ISO 27001 Audit
Hi - I have a question regarding the ISO 27001 audit.
My company is going through this audit process.
We are currently going through a restructure in our People team and have 2 junior people in the department. We are in the process of recruiting an HR manager but will have the junior staff in the interim so no senior HR person within the business.
Would we fail on an audit because of this?
The absence of an HR manager would be a problem in an audit only if this absence negatively impacts information security in an unacceptable way (e.g., the relevant information is lost or information security processes are interrupted), and you do not have a planned treatment for this situation.
If there are no negative impacts to information security due to the HR manager's absence, or if devised actions, like formally designating a temporary substitute (that could be one of the junior employees or a manager from another area), have reduced the risks to acceptable levels, this absence wouldn't be a problem in the audit.
The best way to handle this situation is to include some kind of risk like “Loss of key personnel” in your information security risk management process and use the process to define if the risk is relevant or not, and in case it is relevant, define proper actions to treat the risk.
These articles will provide you with further explanation:
Aug 22, 2022