
The 2002 version of BS 7799-2 introduced the Plan-Do-Check-Act (PDCA) cycle, aligning it with quality standards such as ISO 9000. ISO/IEC 27001:2005 applied this cycle to all the processes in the ISMS:

Plan (establishing the ISMS): Establish the policy, the ISMS objectives, and the processes and procedures related to risk management and the improvement of information security, so as to provide results in line with the organization's overall policies and objectives.

Do (implementing and operating the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.

Check (monitoring and reviewing the ISMS): Assess and, where applicable, measure the performance of the processes against the policy, the objectives and practical experience, and report the results to management for review.

Act (maintaining and improving the ISMS): Take corrective and preventive actions, based on the results of the ISMS internal audit and management review or other relevant information, to continually improve the system.

ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021 and ISO/IEC 27006 standards:

Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.

Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

Ongoing maintenance involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.