Support regarding ISO 27001:2022
I'm unclear on a few things about the overall ISO process (I have sent a separate email on the auditing process, but having reviewed the rest of the process, I'm still unsure).
Essentially, I get stuck once we get to the point in the project checklist where the procedure for corrective action needs to be written.
Is the idea at this point to roll out the ISMS we have developed and give the process some time to settle, then determine what the nonconformities are, perform the audit, carry out the corrective actions determined as part of the audit, and finally complete the management review?
If so, how much time do you suggest is given to operate the ISMS?
Your understanding of the sequence of implementation is correct.
Please note that nonconformities can be identified either by the personnel performing the activities during daily operations or during internal audits (in fact, in a mature ISMS the majority of identified nonconformities come from operations personnel rather than from internal audit, because at this level the personnel have already understood the value of nonconformities).
Regarding how long to operate the ISMS so as to have enough evidence to assess nonconformities, an operation period between 15 days and 1 month is a good starting point. Please note that security process cycles can vary (e.g., some processes are performed on a daily, weekly, or monthly basis).
For further information see:
- Complete guide to corrective action vs. preventive action https://advisera.com/articles/complete-guide-to-corrective-action-vs-preventive-action/
Feb 10, 2023