We have a defined and certified scope. If we have a business event that impacts

Question

We have a defined and certified scope. If we have a business event that impacts the services or a building that is "in" scope and we have to shut that building down and recover services to another site that does not have an equitable set of physical and logical security controls how does that impact the validity of the certification?

Do we need to notify the auditor? Can we simply work on corrective actions to ensure that at the next audit we are aligned with the standard and control operation? Is there anything else we need to do?

Thanks.

Explanation / Answer

27001 certification is about your ISMS, not your controls. If a control stops working, it doesn't impact your certification.

Of course, if a control stops working, and your ISMS doesn't detect and fix that problem, then that impacts your certification....

Related Questions

Navigate

• Browse (All)
• Browse W
• Subjects