Guest user Created: Jan 27, 2017 Last commented: Jan 27, 2017

Schedule for testing controls under ISO 27001

Do you provide any guidance documents or recommendations with regard to ISO 27001, 27002 as to the 'schedule or frequency' recommended for testing of required and recommended controls? I have not found any specific requirement beyond assuring presence and functioning either in what I have seen of ISO27001, NIST 800, OWASP or SANS? If you offer a template that suggests how frequently specific server logs should be examined as well as other controls that should be looked at I would recommend it to a client.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jan 27, 2017

Answer: Specific guidance for control testing is difficult to provide since each organization context and risks are unique, but you can use some of the criteria applied to planning internal audits to help define a proper test schedule, like:
- Criticality of the assets under protection of the control: the more critical the asset, the more frequent should be controls testing.
- Frequency of changes: the more frequent changes in assets or in the environment where the asset operates, the more frequent should be controls testing.
- Results of previous test: previous tests pointing corrections or improvement to be made, should be considered to reduce interval between tests.

It is important to note that testing of controls should not be confused with internal audit; in smaller companies, internal audit is usually performed once a year by people independent of the audited process, while testing generally is performed by people involved in the process.

Regarding documentation, unfortunately we do not have a template that covers controls testing, but I suggest you to take a look at the following templates, since I believe that with some adaptations you can make them more general and use them to help you testing a wider range of controls :

- Annual Internal Audit Program https://advisera.com/27001academy/documentation/annual-internal-audit-program/
- Exercising and Testing Plan https://advisera.com/27001academy/documentation/exercising-and-testing-plan/
- Form – Exercising and Testing Report https://advisera.com/27001academy/documentation/form-exercising-and-testing-report/

This article will provide you further explanation about scheduling controls testing:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

These materials will also help you regarding scheduling controls testing:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 27, 2017

Expert Advice Community