Stage 2 Audit and ISMS completion status and Assets listing

1. I have a situation where the Assets listing is very light on i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be a concerned with the absence of an Inherent risk perspective.

ISO 27001 does not prescribe the content of an asset list, so organizations are free to define the data they want to record (usually minimal data to be considered are asset name, asset category, and asset owner).

For further information, see:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

 Regarding risk management, it is highly improbable to have a risk assessment with only residual risks (i.e., risks with controls already applied to reduce them to acceptable levels), so you should review your assessment to confirm inf any relevant risk has not been missed (including people which works directly with the situation being assessed is a good way to check that). In the case of risk treatment, the objective is to have all listed risks as residual, i.e., by defining a treatment to them.

 For further information, see:

• Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be.

I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion.

My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

For certification purposes you need to fulfill all requirements from clauses 4 to 10, i.e., they need to be implemented and audited. The auditor will expect a fully implemented ISMS according to the standard's requirements.

What can be postponed is the implementation of controls related to less relevant risks, and to support this decision you can use management review and work plans to evidence the situation.

This article will provide you a further explanation about certification audit:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

These materials will also help you regarding ISO 27001 certification:

• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/