It turns out that most ISO27001 people (consultants, trainers and especially certification auditors) are in one of two tribes when it comes to their view of ISO27001.

The first of these tribes is the “ISO27001 is an Information Security Management Standard” tribe. The second is the “ISO27001 is an Information Security Standard” tribe. Did you spot the difference? The key word here is “Management”.

The people in the first tribe (the “management” tribe) think that ISO27001 is all about the management, i.e. the clauses, and are not so concerned about the actual controls. The people in the second tribe (the “controls” tribe) think ISO27001 is all about the controls and are not so concerned about the clauses.

Imagine that you are an ISO27001 lead auditor undertaking a 4 day Stage 2 certification audit. Try this quiz based on that scenario (Quiz 1):

Your view is that the risk assessment should only reference Annex A controls, and if it doesn’t then something is wrong.

Irrespective of what the risk assessment says, you expect that most of the Annex A controls will be marked as applicable.

You raise non-conformities if you can see that the organisation is operating a control (e.g. CCTV or hard disk encryption) but has not listed it in the Statement of Applicability (SOA) as applicable.