Risk management and the Internal audit
Answer: I am sorry, but the Internal Audit and Risk management are completely different things in ISO 27001. Risk management is performed to identify and treat risks. The Internal Audit is performed (after the risk management) to check compliance with ISO 27001.
Anyway, if one year you identify a risk and define a treatment for it, you don’t need to include this risk in your assessment of the next year, because at that moment the treatment will be closed, and it won’t be a risk for your business.
And remember that no matter what the results of the risk assessment are, the internal audit is mandatory - at least once a year.
For more information about risk management you can see this free webinar “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
And this course can also be interesting for you: “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
Sep 08, 2018