Must I finish the project that implements the controls selected for getting ISO
The implementation of controls must be planned through the Risk Treatment Plan. Yes, you can plan to implement some of the controls after the certification audit; however, you must make sure that you implement all the major controls before the certification audit.
This means that you can implement after the certification audit only the less important controls (those that decrease less significant risks); in such a case the management must accept those risks, because at the time of the certification those risks will be unacceptable.
See also this article: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Jan 12, 2016