Why do ISO27001 auditors audit the controls? | LinkedIn

Chris Hall
ISO27001 Expert and Thought Leader
Published: 18 [month illegible] 2023
I suppose you are saying to yourself "It's obvious". Well, it is not. Most of the ISO27001 people I know do not understand this. I urge you to read on.

Actually, this is a good question given that the controls are not part of the requirements of ISO27001, which are just the 9 pages of clauses 4 to 10. So why audit them?
The answer is simple. In order to check that the requirements of clauses 4 to 10 have been met the auditors need to sample check some of the controls. To give some examples:

* In 6.1.3 d) in the Statement of Applicability (SoA) each control needs to be annotated with a statement about whether it is implemented or not. In order to check that the SoA is correct the auditor will need to undertake some sampling of the controls to confirm whether the control is implemented or not. Perversely, if the SoA says a control is not implemented but it is, then strictly speaking that is a nonconformity against 6.1.3 d).
* In 8.1 the requirement is to plan, implement and control the processes needed to meet the information security requirements. This is an extremely important clause and in order to check that this has been achieved the auditor will need to undertake some sampling of the controls to confirm that the controls are implemented and operating effectively.
* In 8.3 the requirement is to implement the risk treatment plan and this includes implementation of the controls. In order to check that this has happened the auditor will need to undertake some sampling of the controls to confirm that they have been implemented. If not then that is a nonconformity against clause 8.3.
* In 9.1 the requirement is to monitor and measure in some way the operation of the ISMS and the controls, and in order to check that this is being done correctly the auditor will need to look at some of the controls. If the performance management approach says control X is working but the auditor finds that it is not then that is a nonconformity against 9.1.
* In 9.2 the requirement is to undertake internal audit(s) of the ISMS and the controls. In order to check that this is being done correctly the auditor may need to look at some of the controls. If the last internal audit said that control X was working but the auditor finds that it is not then, depending on when the internal audit took place, that is a nonconformity against 9.2.
* In Clause 5.1 the organisation has to demonstrate leadership and commitment, and if the controls are not implemented or are not operating effectively then this could demonstrate a lack of leadership and commitment. A nonconformity against 5.1 would normally be accompanied by a number of other nonconformities against other clauses.
A few more points on this

* This means that in theory an agenda for an ISO27001 audit should simply list only the clauses 4 to 10. When the auditor then gets to one of the clauses above they then spend some time sampling some of the controls to check that the clause is OK. There should not be a separate list of controls to be tested. But of course auditors never ever do it this way. They audit clauses 4 to 10 and then audit the controls. It's what I do and I think it is reasonable to do it this way as long as the auditor fully understands why they are auditing the controls and that they are only sampling. There is also some guidance on what an audit agenda should look like in https://www.linkedin.com/pulse/what-should-iso27001-audit-planagenda-contain-chris-hall/
* A certification auditor does not need to test all the controls. They need to sample enough of them to get reasonable but not absolute assurance that the requirements of clauses 4 to 10 are being met.
* You can never get a nonconformity raised against a control. It must be raised against a clause.
* If you have serious issues with a single control this should not lead to a major nonconformity as it is just one control out of all of your controls. This is covered in some detail in this article: https://www.linkedin.com/pulse/why-you-should-never-get-major-minor-non-conformity-against-hall/
Examples of how such NCs could be worded

There are some examples of how to word such NCs in this article: https://www.linkedin.com/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/

Chris

An index of all my articles is here: https://btrp.co.uk/Articles2
Posted by Chris Hall

Why do ISO27001 auditors audit the controls? I suppose you are saying to yourself "it is obvious". Well it isn't. Most of the ISO27001 people I meet do not understand this. I urge you to read on #iso27001 #iso27001auditing

19 comments
Koenraad Béroudiaux:
What do you mean by auditing controls? 27006 #3122 "To do this the audit shall focus on the client's implementation of controls (see Annex D), taking into account the external and internal context and related risks, the organization's monitoring, measurement and analysis of information security processes and …

Koenraad Béroudiaux:
I think that ISO27006 could be viewed as being slightly inconsistent about this. On the one hand it states that the audit criteria should be ISO27001 but on the other hand it says the audit …

Koenraad Béroudiaux:
Chris Hall indeed it is Steve holding the pen. As I already mentioned in some previous discussion I rather see controls as objectives that can be audited as 6.2/8. Now it's a semantic thing with double plurals: "controls" and "met the stated information security objectives" …

Hilary Estall (2 weeks ago):
An important point well made. Following on from this, the question: do ISO 27001 auditors need to have extensive IS technical knowledge to audit this management system standard? Those who do have a habit of going down rabbit holes of technical jargon and exploratory questions (and dare I say consultancy) and risk missing the point of what a management system …

Chris Hall:
Hilary Estall It is the case that most ISO27001 certification auditors I see think their job is to assess information security rather than conformance to requirements. However this is not helped by the fact that …