Expert Advice Community

Risk management and the Internal audit

Guest user Created:   Sep 08, 2018 Last commented:   Sep 08, 2018

If, in the previous internal audit report, the risk was low after risk treatment, does the risk management plan report on the next internal audit need to be taken or omitted?

Antonio Jose Segovia Sep 08, 2018

Answer: I am sorry, but the Internal Audit and Risk Management are completely different things in ISO 27001. Risk management is performed to identify and treat risks. The Internal Audit is performed (after the risk management) to check compliance with ISO 27001.

Anyway, if one year you identify a risk and you define a treatment for it, you don't need to include this risk in your assessment of the next year, because at that moment the treatment will be closed, and it won't be a risk for your business.

And remember that no matter what the results of the risk assessment are, internal audit is mandatory - at least once a year.

For more information about risk management you can see this free webinar, "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

And this course can also be interesting for you, "ISO 27001:2013 Internal Auditor Course": https://advisera.com/training/iso-27001-internal-auditor-course/
