Must I finish the project that implements the controls selected for getting ISO 27001 certification?

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Must I finish the project that implements the controls selected for getting ISO 27001 certification? When I am in the process of implementing ISO 27001, I will have to implement several controls that come out of the Risk Analysis. These controls are going to generate some projects that can extend over time. If I want to get an ISO 27001 certification, must I wait until the projects are finished to get the ISO 27001 certification, or isn't it necessary? Thank you for your comments and feedback.
DejanK Jan 12, 2016

The implementation of controls must be planned through the Risk Treatment Plan - yes, you can plan to implement some of the controls after the certification audit, however you must make sure that you implement all the major controls before the certification audit.

This means that you can implement after the certification audit only the less important controls (those that decrease less significant risks); in such a case the management must accept those risks because at the time of the certification those risks will be unacceptable.

See also this article: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
