One Article Review

Source: NoticeBored
Identifier: 440667
Publication date: 2017-11-28 22:34:29 (viewed: 2017-11-28 22:34:29)
Title: ISO27k internal audits for small organizations
Text:

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.

Independence is the overriding factor in auditing of all forms. For internal auditing, it's not just a question of who the auditors report to and their freedom to 'say what needs to be said' (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated, long-term 'cultural' issues that are part of the fabric in any established organization. That's hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same ones!

ISO/IEC 27001 recommends both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both, but (especially without appropriate experience/training, management support and the independent, critical perspective I've mentioned) they may not do as well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.

One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way … and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc.,
Tags: Guideline



