It turns out that most ISO27001 people (consultants, trainers and especially certification auditors) are in one of two tribes when it comes to their view of ISO27001. The first of these tribes is the "ISO27001 is an Information Security Management Standard" tribe. The second of these tribes is the "ISO27001 is an Information Security Standard" tribe. Did you spot the difference? The key word here is "Management". The people in the first tribe (the "management" tribe) think that ISO27001 is all about the management, i.e. the clauses, and are not so concerned about the actual controls. The people in the second tribe (the "controls" tribe) think ISO27001 is all about the controls and are not so concerned about the clauses.

Imagine that you are an ISO27001 lead auditor undertaking a 4 day Stage 2 certification audit. Try this quiz based on that scenario (Quiz 1):

1. For a sample of the risks you check that they all meet the requirements in terms of the risk acceptance criteria and risk tolerance.
2. You ask for explanations of how the risks were identified and how the likelihood and impacts were assessed, and challenge if they do not seem right to you.
3. You check the risk assessment against the objectives, the external and internal issues and the list of interested parties and their requirements, and then challenge where you think that there may be risks missing from the risk assessment.
4. You check the risk assessment against the scope, and challenge where you think that there may be risks missing from the risk assessment.
5. You check that the risk assessment only contains business risks that, if they happened, would lead to the loss of confidentiality, availability or integrity of information in the scope of the ISMS.
6. You assess if the risk process, risk acceptance criteria and risk tolerance are reasonable for the organisation.

If you are still not sure which tribe you are in, then given the same scenario of you being a certification auditor on a 4 day audit, how about these more detailed questions (Quiz 2)? If you answer no then you are probably in the "management" tribe. If you answer yes to most of these then you are in the "controls" tribe.

1. Your view is that the risk assessment should only reference Annex A controls, and if it doesn't then something is wrong.
2. Irrespective of what the risk assessment says, you expect that most of the Annex A controls will be marked as applicable.
3. You raise non-conformities if you can see that the organisation is operating a control (e.g. CCTV or hard disk encryption) but has not listed it in the Statement of Applicability (SOA) as applicable.
4. You do not spend much time looking at the risk assessment, apart from perhaps checking that all the risks have owners and all the columns/attributes are filled in.
5. You do not know what a "custom" control is, or if you do, your view is that they must only exist in addition to Annex A controls.
6. You are only happy with the SOA if it gives a detailed justification of why a control is included or excluded. You do not accept the justification of "It is referred to in the risk assessment" or "This control is not applicable because it is not helping to manage one or more of my identified risks".
7. If the SOA contains controls that are not included in the risk assessment then that is OK with you.
8. You raise non-conformities if there are any controls that are marked in the SOA as "not implemented", even if there is a detailed risk treatment plan in place that will implement them in a defined and reasonable timescale.
9. You raise non-conformities if there are any controls that have existing but known problems/non-conformities, even if there is a detailed risk treatment plan in place that will fix the problems in a defined and reasonable timescale.
10. During the 4 day Stage 2 certification audit you spend about half a day auditing clauses 4 to 10 and the remaining 3 and a half days testing the controls.