
ISO27001

Intro

ISO stands for International Organization for Standardization. An ISMS (Information Security Management System) is the set of policies, processes and controls an organization puts in place to protect its information assets. ISO 27001 specifies the requirements for an ISMS and is a certifiable standard, i.e., an organization can be audited against it. ISO 28000 covers security management for the supply chain.

On what type of assessment and what acceptance level (appetite) is ISO 27001 based?

Risk: the ISMS is driven by a risk assessment, and the controls selected depend on the organization's risk appetite.

ISO 19011

ISO 19011 gives guidelines for auditing management systems. It distinguishes three types of audit:

  • A first-party audit, or internal audit, is typically performed inside a company to measure its strengths and weaknesses relative to its own business objectives. This ISO audit is essentially a conformity assessment to find compliance gaps and prepare the organization for an external ISO certification audit, i.e., a third-party audit.

  • A second-party audit, or external audit, is usually performed at the request of a customer (or a company contracted to act on the customer’s behalf) on a supplier of products or services.

  • The third-party audit is the certification audit. An organization typically undertakes a third-party audit when it wants to achieve an ISO certification. During the certification audit, a certification body auditor assesses whether an enterprise complies with the appropriate ISO standard.

There are also two kinds of audit methods:

  • Onsite Audit: This is face-to-face; the auditor goes to the physical site and checks all the documentation.

  • Remote Audit: This is done from a distance, using the internet as the tool to achieve the audit objectives. This method can apply to first- and second-party audits.

Info

Since the pandemic, remote audits have become more common, and there is now official documentation on how to conduct one. See the IAF mandatory documents here: https://www.iaf.nu/articles/Mandatory_Documents_/38