How and what should be audited in your Information Security Management System (ISMS)? ISO 27001

Your audit programme and philosophy should be derived from the issues you face and from the scope of the ISMS (locations, departments, processes, products and so on), while also taking into account the Statement of Applicability, the risk assessment and similar inputs. However, you will have to demonstrate that you have audited against the entire standard, both the management system requirements and the Annex A controls, at least once during the three-year ISO 27001 certification cycle, and that you can provide sample evidence of the controls operating as your own requirements specify. We've built on that approach in the standard audit programme to ensure that audits reflect what the business actually needs. In AECISO's view, audits must be business-led and 'real' for people to buy into them as a valid investment and for the audit itself to be meaningful.
