#audit
6 articles on this topic
Evidence for access reviews: what to keep and where
A review without evidence is, as far as an auditor is concerned, a review that never happened. Here's what to retain, in what format, and for how long.
Access reviews | Sample-based or full access review: what does the auditor accept?
At larger scale, a full review becomes unworkable. Risk-based sampling is the answer — provided you can clearly explain how you sampled.
Access reviews | Periodic access reviews: process, frequency, and audit evidence
An access review is an audit requirement that nearly every SMB struggles with. Once you set it up properly the first time, the second round won't cost you a whole week.
Compliance | ISO 27001 pre-audit checklist: 2 weeks before Stage 2
Stage 2 is two weeks away. This 22-point checklist covers everything auditors typically ask for — if even one box is missing, fix it now.
Compliance | ISO 27001 Annex A.9: What the Auditor Really Wants to See
Annex A.9 — Access Control — is the most demanding of the 14 sections. Here's a practical breakdown per sub-control: A.9.1 through A.9.4, with what actually works as evidence in an SMB context.
Compliance | ISO 27001 for SMBs without €50k in consultancy fees
ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.