Tag Archives: iso 27001

Understanding ISMS: Scope and Key Clauses Explained

Scope and Applicability It is applicable to all organisations whether commercial, government or Non profit. It covers and specify the requirements for the following: PDCA Cycle Clauses: Clause 4: Context of Organization Clause 5: Leadership Clause 6: Planning Clause 7: Support Clause 8: Operation Clause 9: Performance evaluation Clause 10: Improvement

Stage 2 audit

Objectives of Stage 2 Audit Step 1 Conducting the opening meeting ISO 19011, Clause 6.4.3 The purpose of the opening is to: Step 2 Collecting Information Information can be collected in the form of: and many more… Audit Procedure – Interview Ask employees and other interested persons (third parties) questions (verbal or written) to gatherContinue reading “Stage 2 audit”

Phases of Audit

Below is the diagram to demonstrate steps involved in an audit: The following documents can be used as reference: Audit Checklist Audit Plan Sample Policy Format Audit Report Template Risk Register Statement of Applicability (SOA)

The Audit (ISO 19011)

What is an Audit? Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Auditing means asking the auditee what he does, and checking to see if he does it. Types of Audit Actors in audit Auditing Principles

A.8 Technological Controls (34 Controls)

A.8.1 User end point devices Information stored on, processed by or accessible via user end point devices shall be protected. A.8.2 Privileged access rights The allocation and use of privileged access rights shall be restricted and managed. A.8.3 Information access restriction Access to information and other associated assets shall be restricted in accordance with theContinue reading “A.8 Technological Controls (34 Controls)”

A.6 People Controls (8 Controls)

A.6.1 Screening Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. A.6.2 Terms andContinue reading “A.6 People Controls (8 Controls)”

A.5 Organizational Controls (37 Controls)

A.5.1 Policies for information security Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. A.5.2 Information security roles and responsibilities Information security roles and responsibilities shall be defined and allocatedContinue reading “A.5 Organizational Controls (37 Controls)”