Looking for some guidance or feedback based on previous experience regarding the implementation of controls under ISO27001 Annex A.
There are 114 controls here, which need to be considered with respect to their inclusion or exclusion on the SOA as a result of the risk assessment and treatment process.
So here's my question: during a Stage 2 audit, is it typically expected by the CB auditor that all controls have been implemented (as captured on the SOA)? Or is it sufficient to be able to simply demonstrate that a risk assessment and treatment process has been documented and implemented, even with the controls only partially implemented?
I'd imagine that the full implementation of controls for many organisations could take a very long time, so it would be common to undergo a certification audit having addressed the highest risk (therefore highest priority) risks.
Thanks in anticipation. I've implemented many HSEQ management systems through to certification over the years, but this is my first ISMS.