18/6/23, 15:50   Why do ISO27001 auditors audit the controls? | LinkedIn
https://www.linkedin.com/pulse/why-do-iso27001-auditors-audit-controls-chris-hall

Why do ISO27001 auditors audit the controls?

Chris Hall, ISO27001 Expert and Thought Leader
18 June 2023

I suppose you are saying to yourself "It's obvious". Well, it is not. Most of the ISO27001 people I know do not understand this. I urge you to read on.

It is actually a good question, given that the controls are not part of the requirements of ISO27001, which are only the 9 pages of clauses 4 to 10. So why audit them?

The answer is simple. In order to check that the requirements of clauses 4 to 10 have been met, the auditors need to sample check some of the controls. To give some examples:

- In 6.1.3 d) each control in the Statement of Applicability (SOA) needs to be annotated with a statement about whether it is implemented or not. In order to check that the SOA is correct, the auditor will need to undertake some sampling of the controls to confirm whether the control is implemented or not. Perversely, if the SOA says a control is not implemented but it is, then strictly speaking that is a nonconformity against 6.1.3 d).

- In 8.1 the requirement is to plan, implement and control the processes needed to meet the information security requirements. This is an extremely important clause, and in order to check that this has been achieved the auditor will need to undertake some sampling of the controls to confirm that the controls are implemented and operating effectively.

- In 8.3 the requirement is to implement the risk treatment plan, and this includes implementation of the controls. In order to check that this has happened the auditor will need to undertake some sampling of the controls to confirm that they have been implemented. If not, then that is a nonconformity against clause 8.3.

- In 9.1 the requirement is to monitor and measure in some way the operation of the ISMS and the controls, and in order to check that this is being done correctly the auditor will need to look at some of the controls. If the performance management approach says control X is working but the auditor finds that it is not, then that is a nonconformity against 9.1.

- In 9.2 the requirement is to undertake internal audit(s) of the ISMS and the controls. In order to check that this is being done correctly the auditor may need to look at some of the controls. If the last internal audit said that control X was working but the auditor finds that it is not, then, depending on when the internal audit took place, that is a nonconformity against 9.2.

- In clause 5.1 the organisation has to demonstrate leadership and commitment, and if the controls are not implemented or are not operating effectively then this could demonstrate a lack of leadership and commitment. A nonconformity against 5.1 would normally be accompanied by a number of other nonconformities against other clauses.

A few more points on this:

- This means that in theory an agenda for an ISO27001 audit should simply list only the clauses 4 to 10. When the auditor then gets to one of the clauses above, they spend some time sampling some of the controls to check that the clause is OK. There should not be a separate list of controls to be tested. But of course auditors never ever do it this way. They audit clauses 4 to 10 and then audit the controls. It's what I do, and I think it is reasonable to do it this way as long as the auditor fully understands why they are auditing the controls and that they are only sampling. There is also some guidance on what an audit agenda should look like in https://www.linkedin.com/pulse/what-should-iso27001-audit-planagenda-contain-chris-hall/

- A certification auditor does not need to test all the controls. They need to sample enough of them to get reasonable, but not absolute, assurance that the requirements of clauses 4 to 10 are being met.

- You can never get a nonconformity raised against a control. It must be raised against a clause.

- If you have serious issues with a single control, this should not lead to a major nonconformity, as it is just one control out of all of your controls. This is covered in some detail in this article: https://www.linkedin.com/pulse/why-you-should-never-get-major-minor-non-conformity-against-hall/

Examples of how such NCs could be worded

There are some examples of how to word such NCs in this article: https://www.linkedin.com/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/

Chris

An index of all my articles is here: https://btrp.co.uk/Articles2

Comments (19)

Koenraad Béroudiaux:
What do you mean by auditing controls? 27006 #3122: "To do this, the audit shall focus on the client's implementation of controls (see Annex D), taking into account the external and internal context and related risks, the organization's monitoring, measurement and analysis of information security processes and ..." (see more)

Chris Hall:
Koenraad Béroudiaux I think that ISO27006 could be viewed as being slightly inconsistent about this. On the one hand it states [...] that the audit criteria should be ISO27001, but on the other hand it says the audit ... (see more)

Koenraad Béroudiaux:
[...] Chris Hall indeed it is Steve holding the pen. As I already mentioned in some previous discussion, I rather see controls as objectives that can be audited as 6.2/8. Now it's a semantic thing with double plurals "controls" and "meet the stated information security objectives" ... (see more)

Hilary Estall (2 weeks ago):
An important point well made. Following on from this, the question: do ISO 27001 auditors need to have extensive IS technical knowledge to audit this management system standard? Those who do have a habit of going down rabbit holes of technical jargon and exploratory questions (and ... consultancy) and risk missing the point of what a management system ... (see more)
3 replies

Chris Hall:
Hilary Estall It is the case that most ISO27001 certification auditors I see think their job is to assess information security rather than conformance to requirements. However, this is not helped by the fact that ... (see more)