Expert Advice Community

Guest

Stage 2 Audit and ISMS completion status and Assets listing

  Quote
Guest
Guest user Created:   Jun 16, 2021 Last commented:   Jun 16, 2021

Stage 2 Audit and ISMS completion status and Assets listing

1. I have a situation where the Assets listing is very light on i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be a concerned with the absence of an Inherent risk perspective.

2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be. I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion. My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

1 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 16, 2021

1. I have a situation where the Assets listing is very light on i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be a concerned with the absence of an Inherent risk perspective.

ISO 27001 does not prescribe the content of an asset list, so organizations are free to define the data they want to record (usually minimal data to be considered are asset name, asset category, and asset owner).

For further information, see:

 Regarding risk management, it is highly improbable to have a risk assessment with only residual risks (i.e., risks with controls already applied to reduce them to acceptable levels), so you should review your assessment to confirm inf any relevant risk has not been missed (including people which works directly with the situation being assessed is a good way to check that). In the case of risk treatment, the objective is to have all listed risks as residual, i.e., by defining a treatment to them.

 For further information, see:

2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be.

I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion.

My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

For certification purposes you need to fulfill all requirements from clauses 4 to 10, i.e., they need to be implemented and audited. The auditor will expect a fully implemented ISMS according to the standard's requirements.

What can be postponed is the implementation of controls related to less relevant risks, and to support this decision you can use management review and work plans to evidence the situation.

This article will provide you a further explanation about certification audit:

These materials will also help you regarding ISO 27001 certification:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 16, 2021

Jun 16, 2021

Suggested Topics