Evaluation of ISMS risk assessment and risk treatment (ISO/IEC 27001:2013 & ISO/IEC 27001:2022)

Dear colleagues,

When conducting ISMS audits (including Stage 2 and recertification audits), it is crucial to record detailed evidence in the auditor notes section of the project file with respect to the design, methodology and effective implementation of the client’s system. This is particularly important for evidence relating to information security risk assessment (Cl. 6.2.2 and 8.2) and information security risk treatment (Cl. 6.2.3 and 8.3).

Ensure that your evaluation evidence covers the following as a minimum:

  • Whether the criteria of the management system for the respective clause are suitable and conform to the standard
  • Whether the methodology for analysing and assessing risk is suitable and conforms to the standard
  • Whether the identified controls are suitable and conform to the standard
  • Evidence of effective implementation

Please also refer to work instruction WI05 Objective Evidence.