Overview: I have been through several ISO and security audits over the years for various companies offering SaaS products. This post outlines some of my notes around the latest ISO 27001 audit I was involved in.
ISO 27001 covers Information Security Management Systems (ISMS), which is about protecting and managing your business's information assets to reduce your business risks.
Parts of an ISO 27001 audit:
- Part 1 - Checks that you have the correct documentation.
- Part 2 - Checks that you as a business are complying with and working to that documentation. This is essentially evidence-based reporting, based on visual confirmation and interviews with staff to verify compliance (sample-based auditing). Findings are normally grouped into three types:
  1) Opportunity for improvement = suggestions; review these before the next audit to see whether they are worth implementing.
  2) Non-conformance - Minor = you can have a few of these; look to fix them.
  3) Non-conformance - Major = you won't get certification with a major. There is a period to address/fix the major issue(s). Always complete the phase 2 audit, as the auditors may discover other majors.
- Certification.
- Yearly: the audit is repeated and you need to show you are improving based on the previous findings; the audit will generally go into specific areas in more detail.
More info:
Data Protection and Regulation note - see the bottom of that post for the ISO 27001 section.