Lack of statement of applicability
Assign topic to the user
First of all you should understand that if this organization is planning to be certified against ISO 27001, the lack of the statement of applicability is a major non conformity that can prevent the certification audit to proceed until an approved statement is available. So, if this internal audit you mentioned is related to an ISMS implementation aiming for certification, you should solve this question as soon as possible to ensure this issue will not compromise the certification audit. For more information about the Statement of Applicability, please read this article: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Regarding internal audits, an organization can decide to proceed with the audit even with the lack of the statement. In practical terms, the lack of the statement of applicability only will make your audit work harder. You should look for the approved risk assessment report and risk treatment plan to identify which risks are to be treated a nd how the organization proposes to treat them. These information will not be sufficient to cover the requirements of the statement of applicability (this lack of documentation will be your first non conformity), but you at least will have some information to audit the controls the organization has decided to implement. In the case you do not have either the approved risk assessment report nor the risk treatment plan then you cannot proceed with the audit, because you will not have enough information to know which controls to audit.
These articles will provide you further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
Comment as guest or Sign in
Nov 08, 2017