How do external auditing firms (for ISO27001 certification) view clients who call “Standard Operating Procedures” Policies? We both know there is a clear difference between Policies, Procedures, and Guidelines. However, this firm calls SOPs policies, and in most cases it looks like it.
What’s your perspective?
Provided the documentation fulfills the requirements of the audit criteria, auditing firms consider it irrelevant for audit purposes what organizations call their documentation.
For example, a backup policy can include both the guidelines to plan backup and recovery activities (e.g., periodicity, technology, etc.) and the step-by-step activities to perform backup and recovery.
This article will provide you with a further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Nov 18, 2020