Guest user Created: Jul 01, 2022 Last commented: Jul 01, 2022

ISO 27001 Toolkit Support

I would like to see if you can provide any advice on how to approach the ISO 27001 toolkit. We had a third-party internal audit that was quite brutal and while I thought I ticked all of the boxes as per the Advisera toolkit, it was clear that these documents were very inadequate for us. We failed the audit miserably, and I am left even more confused than ever before. I have many examples, but I want to start with one in particular. For A.6.5, the 2022 version toolkit says I need to use the Confidentiality Statement (09.22). Yet the guidance in 27002 for 6.5 states requirements that the confidentiality statement does not address. In our audit, I supplied the confidentiality statements as well as a work instruction to remove access upon termination. The auditor's comment was "The leaving procedure of people is only technical; Must be reviewed with HR point of view." Saying nothing about the confidentiality statement. Can you help me understand how the document pack addresses this control? Hopefully we can unlock the mystery of all of the other missing items for me.

0 1

Assign topic to the user

Select user

Expert

Rhand Leal Jul 01, 2022

First is important to note that guidance provided by ISO 27002 is not mandatory to be implemented when implementing ISO 27001, so auditors cannot raise non-conformities based on ISO 27002 when auditing against ISO 27001.

Specifically for control A.6.5 Responsibilities after termination or change of employment, the auditor needs to look for, and only for, responsibilities and duties defined for those that are no longer working for the organization, or that changed activity, how these are enforced, and how these are communicated to relevant personnel and interested parties (the Confidentiality Statement cover these requirements). It does not prescribe the development of a leaving procedure, nor which roles need to develop or review the way the control is implemented.

Considering that, the comment "The leaving procedure of people is only technical; Must be reviewed with HR point of view." Can be at most an opportunity for improvement, not a non-conformity.

As for the other situations you have, a tip for evaluating them is to compare the auditor’s comments considering only what is required by ISO 27001.

This article will provide you with further explanation about nonconformities:

Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

These materials will also help you regarding internal audit:

Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Quote

0 1

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jul 01, 2022

Expert Advice Community