I would like to see if you can provide any advice on how to approach the ISO 27001 toolkit. We had a third-party internal audit that was quite brutal and while I thought I ticked all of the boxes as per the Advisera toolkit, it was clear that these documents were very inadequate for us. We failed the audit miserably, and I am left even more confused than ever before. I have many examples, but I want to start with one in particular.
For A.6.5, the 2022 version toolkit says I need to use the Confidentiality Statement (09.22). Yet the guidance in 27002 for 6.5 states requirements that the confidentiality statement does not address. In our audit, I supplied the confidentiality statements as well as a work instruction to remove access upon termination. The auditor's comment was "The leaving procedure of people is only technical; Must be reviewed with HR point of view." Saying nothing about the confidentiality statement.
Can you help me understand how the document pack addresses this control? Hopefully we can unlock the mystery of all of the other missing items for me.
First, it is important to note that the guidance provided by ISO 27002 is not mandatory when implementing ISO 27001, so auditors cannot raise non-conformities based on ISO 27002 when auditing against ISO 27001.
Specifically for control A.6.5 Responsibilities after termination or change of employment, the auditor needs to look for, and only for, responsibilities and duties defined for those that are no longer working for the organization, or that changed activity, how these are enforced, and how these are communicated to relevant personnel and interested parties (the Confidentiality Statement covers these requirements). It does not prescribe the development of a leaving procedure, nor which roles need to develop or review the way the control is implemented.
Considering that, the comment "The leaving procedure of people is only technical; Must be reviewed with HR point of view." can be at most an opportunity for improvement, not a non-conformity.
As for the other situations you have, a tip for evaluating them is to compare the auditor’s comments considering only what is required by ISO 27001.
This article will provide you with further explanation about nonconformities: