1. I have a situation where the Assets listing is very light on i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be a concerned with the absence of an Inherent risk perspective.
2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be. I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion.
My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.