
Expert Advice Community


What types of evidence is normally obtained for each of the controls

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016

I’ve watched several of your webinars, which I have found very helpful, and I have a question for you. I’m working on doing an assessment of our current ISMS and I’m trying to find what questions to ask and what types of evidence are normally obtained for each of the controls. Some of the controls are very straightforward but some of them are somewhat vague, so I’m looking to find some guidance. For example, control A.12.1.1 regarding documented operating procedures I feel could be interpreted several different ways. I looked on your website and could not locate any guidance on performing an assessment of these controls. Do you have any suggestions on where you think I could find this guidance?
DejanK Jan 12, 2016

I assume you are asking me which techniques to use during the internal audit? Basically, you should develop an audit checklist, this article will help you with it: How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

Usually 3 types of evidence are obtained: documentation/records, personal observation by the auditor, and interviews with the employees.

Regarding your question on how to audit controls which seem to be vague, you should actually study more carefully what the controls say. So for instance, the control you refer to (A.12.1.1) requires you to document the operating procedures and that they are available to all users who need them - so you have to check (1) if they are documented, and (2) if they are available to users - there is nothing vague about that.

DejanK Jan 12, 2016

Further question:

> What is vague to me is what ‘operating procedures’ are in the control A.12.1.1. I work at a very large company and we have many different operating segments and thousands of people that work in operations so that is why I was unsure on how much detail is needed.

The objective of section A.12.1 is "To ensure correct and secure operations of information processing facilities" - therefore, the operating procedures here refer to IT operations. In other words, for control A.12.1.1 you need to check only your IT procedures.

Regarding the question of detail - I would say that each of the controls that you select as applicable from the section A.12 should be covered with some document - they can all be covered in a single document, or each could have a separate document; the documents could be more or less detailed - all this doesn't matter as long as you have all these controls documented.

But if you are a larger organization, chances are that you already do have all of these documents.
