Expert Advice Community

ISO 27001 questions

Guest user Created: Mar 19, 2021 Last commented: Mar 24, 2021
Dear Sirs at Advisera,

I would appreciate your support with the following questions:

1. In a previous question about whether it was correct for the CISO to perform internal audits, your answer was that someone else should be sought because the CISO cannot audit himself or herself. This leads me to the following question: should only the CISO participate in the audits, that is, is the audit directed only at this role, or do other company personnel who must be audited also participate?

2. Are the procedures developed by an area of the company (for example human resources area) also audited or only those that the standard indicates as mandatory?

3. Is it mandatory for each area of the company to prepare its documents or procedures for how they operate?

4. Section 7.1 of the standard talks about financial budgeting. How should this document be presented in an audit?

5. Regarding the risks, it has been decided to review them after the audit has been approved (at least once a year). In this second review, if a risk has already been controlled with a control from "Annex A", should it be considered again in the new assessment, or are only the newly identified risks considered? Does the new list of risks replace the old one or just add the new ones?

6. In a follow-up audit (or maintenance) can we remove the certification?

Expert
Rhand Leal Mar 19, 2021

1. In a previous question about whether it was correct for the CISO to perform internal audits, your answer was that someone else should be sought because the CISO cannot audit itself. This leads me to the following question, should only the CISO participate in the audits, that is, is it directed only to this role or does other company personnel participate that must be audited?

Answer: During the audit of other areas or processes, the main audit focus will be the persons who work on them (e.g., for an IT process, the IT manager, system admin, technical staff, etc.), and the number of people involved will depend upon how many people the auditor needs to talk to in order to be sure about a specific situation. The CISO's role in the audit of those areas is more that of a liaison, facilitating communication between the auditor and the auditees.

For more information, see:
- 7 ways to improve the internal audits of your ISO 27001 ISMS https://advisera.com/27001academy/blog/2017/08/28/7-ways-to-improve-the-internal-audits-of-your-iso-27001-isms/

2. Are the procedures developed by an area of the company (for example human resources area) also audited or only those that the standard indicates as mandatory?

Answer: Please note that besides the documents prescribed by the standard as mandatory, the auditor also needs to audit the documents the organization has defined as necessary for information security. The best source to identify such documents is the Statement of Applicability, because this document presents an overview of how information security is implemented.

For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

3. Is it mandatory for each area of the company to prepare its documents or procedures for how they operate?

Answer: Besides the mandatory documents required by the main clauses of the standard (clauses 4 to 10), other documents should be written only if applicable controls or legal requirements (e.g., laws, regulations, or contracts) require them, or if there is a top management decision to write them (usually because they are considered good practice).

For further information, see:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

4. Section 7.1 of the standard talks about financial budgeting. How should this document be presented in an audit?

Answer: First, it is important to note that clause 7.1 is about resources, not only budgeting (it may involve equipment, personnel, facilities, etc.).

Considering that, there is no need to present a specific form as evidence of budgeting. You can use the normal way your organization presents that to, let's say, top management. You only need to ensure that information security resources are clearly indicated.

For further information, see:
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/

5. Regarding the risks, it is decided to review them after having approved the audit (at least once a year), in this second review if a risk has already been controlled with a control in “Annex A”, should it be considered again in the new assessment or are only new risks that are identified considered? Does the new list of risks replace the old one or just add the new ones?

Answer: Please note that already identified and treated risks need to be considered in the new assessment, so you can check whether they have changed since the last assessment. Newly identified risks need to be included with the old ones (you need to keep the old ones as evidence of previously performed assessments).

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

6. In a follow-up audit (or maintenance) can we remove the certification?

Answer: To stop being certified, you need to communicate this decision to the certification body prior to or during the next follow-up audit. The certification body will then inform you of the date until which your certificate will remain valid.
Guest
Guest user Mar 19, 2021

Thanks for your reply. Question six was apparently not understood. I wanted to ask the following:

In a maintenance audit (follow-up), what would be the maximum sanction that our company can receive? Can they (auditor) remove or cancel the certification obtained?

Expert
Rhand Leal Mar 24, 2021

First of all, sorry about this misunderstanding.

Based on the auditor's findings, the certification body can remove or cancel your certificate.

In the situation where the auditor identifies nonconformities, the organization will have a defined time to resolve them. In case the nonconformities are not resolved within the defined time, the certification will be suspended, and after an additional period has passed without a solution, the certification will be canceled.