The three reports needed for your ISO 27001 audit

Conducting an audit is an essential step towards achieving ISO 27001 accreditation. The audit process can take anywhere from several months to more than a year, depending on the size of the organization and resources at its disposal. It can be an intimidating process, especially if this is the first time you are auditing your organization’s information security management system (ISMS).

The reports that you prepare and deliver to the certification body need to be concise, accurate, comprehensive and up to date. This will be necessary to demonstrate that your organisation has a functional, active ISMS in place.

Statement of Applicability (SoA)

The SoA is one of the most crucial ISO 27001 documents you will produce. It is necessary for the management and control of an ISMS, and mandatory for your ISO 27001 audit.

The SoA is a list of the controls the organization has selected, with justifications, and any controls from ISO 27001 that it decided not to chose, also with justifications. Depending on the number of risks identified, and whether or not the organization chooses to use additional control sets, The SoA can be a lengthy document. The SoA also provides justification for each of the controls it has put in place.

Risk treatment plan (RTP)

The RTP is also a mandatory document to include in the ISO 27001 audit. It is created after your organization conducts a risk assessment and summarises the:

  • Identified risks
  • Responses designed to address each risk
  • Parties responsible for managing risks and
  • Target date to apply risk treatment

The RTP is essentially a detailed schedule that identifies specific actions in order to mitigate risks.

Risk assessment report

The risk assessment report contains information about residual risks identified by the risk assessment. The report provides useful information about assets that remain moderately vulnerable and can help your organization apply measures in case of an incident or business continuity threat.

Simplify the risk assessment

Take adequate steps to reduce risk assessment error. vsRisk also provides users with the ability to automatically produce the:

  • SoA
  • Risk assessment report
  • Risk comments report and
  • Control usage report

Find out more about vsRisk software >>