I've watched several of your webinars, which I have found very helpful, and I have a question for you. I'm working on doing an assessment of our current ISMS and I'm trying to find what questions to ask and what types of evidence are normally obtained for each of the controls. Some of the controls are very straightforward but some of them are somewhat vague, so I'm looking to find some guidance. For example, control A.12.1.1 regarding documented operating procedures I feel could be interpreted several different ways. I looked on your website and could not locate any guidance on performing an assessment of these controls. Do you have any suggestions on where you think I could find this guidance?
Usually 3 types of evidence are obtained: documentation/records, personal observation of an auditor, and interviews with the employees.
Regarding your question on how to audit controls which seem to be vague, you should actually study more carefully what the controls say. So for instance, the control you refer to (A.12.1.1) requires that the operating procedures are documented and that they are available to all users who need them - so you have to check (1) if they are documented, and (2) if they are available to users - there is nothing vague about that.
> What is vague to me is what operating procedures are in the control A.12.1.1. I work at a very large company and we have many different operating segments and thousands of people that work in operations so that is why I was unsure on how much detail is needed.
The objective of section A.12.1 is "To ensure correct and secure operations of information processing facilities" - therefore, the operating procedures here refer to IT operations. In other words, for control A.12.1.1 you need to check only your IT procedures.
Regarding the question of detail - I would say that each of the controls that you select as applicable from the section A.12 should be covered with some document - they can all be covered in a single document, or each could have a separate document; the documents could be more or less detailed - all this doesn't matter as long as you have all these controls documented.
But if you are a larger organization, chances are that you already do have all of these documents.