The auditor will first perform the Stage 1 audit, also referred to as the document review. In this audit, the auditor will look for the defined ISMS scope, the ISMS policy and objectives, a description of the risk assessment methodology, the Risk Assessment Report, the Statement of Applicability, the Risk Treatment Plan, and the procedures for document control, corrective and preventive actions and internal audit. You will also have to document a few of the controls from Annex A (only if you found them applicable in the Statement of Applicability): inventory of assets (A.7.1.1), acceptable use of assets (A.7.1.3), roles and responsibilities of employees, contractors and third party users (A.8.1.1), terms and conditions of employment (A.8.1.3), documented operating procedures (A.10.1.1), access control policy (A.11.1.1) and identification of applicable legislation (A.15.1.1). You will also need records of at least one internal audit and one management review. (The clause and control numbers here follow ISO/IEC 27001:2005.)
If any of these elements are missing, you are not ready for the Stage 2 audit. Needless to say, you may have many more documents than these if you find them necessary. In the Stage 2 audit the auditor assesses whether your ISMS is a dead letter or has actually taken root in your business. The auditor will do this partly through observation, but mainly by examining records. The mandatory records are those of education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), and corrective (8.2) and preventive (8.3) actions; beyond these, however, the auditor will expect to see many more records produced as a by-product of carrying out your processes.
Be careful here: an experienced auditor will notice straight away if any part of your ISMS is artificial and has been created only for the purpose of the audit. The process goes like this: the auditor states the findings (for example a major non-conformity) in the audit report and gives you a deadline by which the non-conformity has to be resolved (usually 90 days). Your task is to take appropriate action, but note that this action must address the root cause of the non-conformity; otherwise the auditor may not accept what you have done. As soon as you are certain the action has been taken, inform the auditor and send him or her the evidence of what you have done. In the vast majority of cases, if you have done your work, your actions will be accepted by the auditor and this will trigger the procedure for issuing the certificate.