An ISO 27001 audit – whether the actual certification audit or an internal audit – can be quite intimidating, especially if it’s the first time that your ISMS (information security management system) has been audited.
The best way to succeed at your audit is to be doubly prepared. This blog provides a few pointers on what you should do to ensure you meet the auditor’s demands.
Reports that will impress your auditors
Being able to produce a set of accurate, concise and updated reports is sure to impress even the most critical of auditors.
Your auditor will pay particular attention to the information security risks you have identified during your risk assessment and the controls that have been applied to treat, tolerate, transfer or terminate these risks.
He/she will also want to see that your Statement of Applicability is clear about how you have justified the controls you have included, and why you have excluded any controls from Annex A of ISO 27001:2013.
Let’s take a look at some of the important reports you should produce based on your risk assessment findings. Some of them are mandatory; others will help you gain valuable audit brownie points.
1. The Statement of Applicability (SoA)
A crucial, mandatory report for the audit, the SoA is essential for the proper management and control of an ISMS. The SoA identifies the controls relevant to your business and explains why those controls have been selected (or not selected) to treat the identified risks. Read more about the SoA here >>
2. The risk treatment plan (RTP)
Another mandatory report for audit purposes, the RTP provides a summary of each of the identified risks, the responses that have been designed for each risk, the parties responsible for those risks and the target date for applying the risk treatment. This document essentially outlines how the organisation intends to manage information security. Read more about this report here >>
3. The risk assessment report
The risk assessment report provides a detailed overview of the risk assessment in brief. It lists the relevant assets, the treatment applied, impact/likelihood values of the risk affecting the confidentiality, integrity and availability of each asset before and after treatment, any comments related to the justification for the treatment, the owner of the risk, the order of priority of treating the risks, the control applied, and the target date for applying the treatment.
4. The risk summary report
The risk summary report provides full information about the residual risks, as determined by the risk assessment. This can be useful because it provides information about assets that remain moderately vulnerable, and can help the organisation prepare responses and continuity plans based on the likelihood or severity of the residual risks. It is also useful for providing information regarding the residual risks to the board or other stakeholders, ensuring that this is accepted by the appropriate authority. Below is another example produced by vsRisk.
5. Comments report
Comments attached to your risk assessment are most useful if they relate to varying applications of controls, or those controls you have chosen not to implement. For instance, some assets may not need all features of a specific control in order to be effective. Including comments to this end within the risk assessment ensures not only that the organisation applies controls more effectively and efficiently, it also provides a log that can be presented to an auditor to explain any variations. Another one of the reports produced by vsRisk.
6. Controls usage report
vsRisk™ produces this report, which is automatically populated with all of the controls you have applied in your risk assessment. Unlike the Statement of Applicability, it does not include controls that you have not selected. This report is useful to show all of the controls in place, as well as indicating which controls from Annex A have been selected.
vsRisk provides all of these reports at the click of a button. Easy to export to Excel, PDF or in a CSV format, reporting to auditors has never been easier, or more accurate. To find out how vsRisk can help you improve your risk assessments, visit the website or email firstname.lastname@example.org.