When auditing the necessary controls, it is better to audit against the risk treatment plan(s)
Auditing and certification
ISO 17021 (Conformity assessment — Requirements for bodies providing audit and certification of management systems) is the ISO standard that places requirements upon certification bodies, and ISO 19011 (Guidelines for auditing management systems) is the ISO standard that provides guidance for certification body auditors. These standards are interpreted in the context of ISO/IEC 27001 by ISO/IEC 27006 and ISO/IEC 27007 respectively. Whilst these standards are primarily aimed at certification bodies, some knowledge of their content is of benefit to organisations that are certified (or are considering certification) to ISO/IEC 27001. This article explains why.
What is in ISO/IEC 27007?
We start with ISO/IEC 27007 as its content is the most useful for ISMS organisations. In particular, it contains an annex which takes each of the major clauses of ISO/IEC 27001 and gives advice on how to audit against them.
Layout of ISO/IEC 27007, Annex A
It cautions auditors to take care when requesting documented information as evidence of conformity. This is because ISO/IEC 27001 contains only sixteen explicit requirements for documented information, the Statement of Applicability being one of them. Whilst there are many requirements for which it would be reasonable to expect evidence of conformance to be found in such documented information, there are requirements where this is not the case. For example:
What else is in ISO/IEC 27007?
The main body of ISO/IEC 27007 provides an interpretation of ISO 19011. There are many cross-references to ISO 19011 and, indeed, the main body of ISO/IEC 27007 cannot be readily understood without a copy of ISO 19011 to hand. Nevertheless, the following are some of the main points:
What does ISO/IEC 27007 say about the Statement of Applicability?
ISO/IEC 27007 points out that the Statement of Applicability (SOA) is another area where the auditor should take care. It stresses:
What about ISO/IEC 27006?
The main body of ISO/IEC 27006 provides an interpretation of ISO 17021. There are many cross-references to ISO 17021 and, indeed, the main body of ISO/IEC 27006 cannot be readily understood without a copy of ISO 17021 to hand. Nevertheless there are two key annexes, and there is an important new development:
|© IMS-Smart Limited, 2021|
|Page last updated: April 28, 2021|