Question - Justification Clause in ISO27001

Hi Guys,

I am getting ready for our first ISO27001 audit and looking for advice on how other people have managed with the justification clause.

Are people using the description field for the justification for inclusion or exclusion? At the moment I have been using it for describing in more detail how we comply but the auditors feel that is not correct. Looking at some other systems the justification would be “Risk Assessment”, “Contractual Liability” or “Legal Liability”.

Whilst I can say there is a liability in Eramba, I can only select one of the liabilities. There may be a control that has multiple liabilities, i.e. multiple contractual and legal liabilities.

How are others dealing with this?

I have used the description field for both issues: the reason for the control being included as well as a bit about the implementation. I also used at least one of the compliance drivers (asset risks, …) to show the need for the control.
In the last audits, the auditor was satisfied with the implementation.


Yep, I used “Compliance Exceptions” in the past, and in the end it was more stuff to maintain on the system. Now I have switched to a description field on compliance analysis too.

The “nice” part of using “Compliance Exceptions” (when doing compliance against contractual or customer obligations) is that I would create two notifications:

  • Warning (when the exception due date was about to come)
  • Awareness (every 60 days I would send an email to the owner of the exception to remind him or her that, because of his / her decision, we are not compliant with something).

Again, in ISO I think it is not worth the effort either.

my2p