Expert Advice Community


ISO 27001 certification

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

I have a prospect working towards 27001 certification, but they are using the 2013 revision and I am still on the 2005 revision. I have read your blogs on the changes, etc., but have not yet purchased the updated standard. Can you tell me if the 2013 revision still refers to 11 security control clauses, or has that number changed?

DejanK Jan 12, 2016

Answer: The 2013 revision of ISO 27001 has 14 sections in Annex A with 114 controls (it used to be 11 sections with 133 controls in the 2005 revision) - see details here: https://blog.iso27001standard.com/2013/10/08/infogr***************************************************

Also, they tell me that they have only done an 'informal' risk assessment to determine their scope (and their scope does not have definite parameters at this point). Does a certification audit require documented evidence of a formal risk assessment as it pertains to Information Security to pass certification?

Answer: ISO 27001 requires you to document both the methodology for risk assessment and the risk assessment results - if you didn't document these, you will fail the certification. Read also this article: List of mandatory documents required by ISO 27001 (2013 revision) https://blog.iso27001standard.com/2013/09/30/list-of-ma******************************************************
