Professional Documents
Culture Documents
14 Clauses
35 Control objectives
114 Controls
2. Certification Schema
The certification process involves the following parties:
Accreditation authorities (responsible for the assessment and the accreditation of certification organizations): ANAB & ANSI, SCC, UKAS, COFRAC, etc.
Certification bodies (responsible for managing the certification activities of their customers and performing audits on their customers' management systems): BSI, SGS, Bureau Veritas, DNV, TUV, etc.
Organizations certifying persons, like PECB, which certify not only auditors but also training organizations and trainers.
Organizations whose management system is subject to certification and which are customers of certification bodies.
4. Information Security
Here is a list of several potential impacts (see ISO 27005, Annex B.2) that can affect availability, integrity, confidentiality, or any combination of these:
01. Financial losses;
02. Loss of assets or of their value;
03. Loss of customers, loss of suppliers;
04. Lawsuits and penalties;
05. Loss of competitive advantage;
06. Loss of technological advantage;
07. Loss of efficiency or effectiveness;
08. Violation of the privacy of users or customers;
09. Service interruption;
10. Inability to provide service;
11. Loss of branding or reputation;
12. Disruption of operations;
13. Disruption of third party operations (suppliers, customers…);
14. Inability to fulfill legal obligations;
15. Inability to fulfill contractual obligations;
16. Endangering the safety of staff or users.
4.3 Relationships
5.1 Organization
5.1.3 Documentation
6. Auditing (Day 2)
1. Scope;
2. Informative references;
3. Terms and definitions;
4. Principles of auditing;
5. Managing an audit programme;
6. Performing an audit;
7. Competence and evaluation of auditors;
8. Annex A: Guidance and illustrative examples of discipline-specific knowledge and skills of auditors;
9. Annex B: Additional guidance for auditors for planning and conducting audits.
1. Scope;
2. Normative references;
3. Terms and definitions;
4. Principles;
5. General requirements;
6. Structural requirements;
7. Resource requirements;
8. Information requirements;
9. Process requirements;
10. Management system requirements for certification bodies;
11. Annex A: Analysis of a client organization's complexity and sector-specific aspects;
12. Annex B: Example areas of auditor competence;
13. Annex C: Audit time;
14. Annex D: Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls.
7. Auditing (Day 3)
8. Evidence Collection
At the action plans submission step, the auditee does not have to submit detailed action plans with information on the systems to be installed, the costs, the firms selected, the project plan, etc. Only a general statement of the actions that will be taken is required.