Where does it say we have to audit the scope?

Question
Where does it say in ISO/IEC 27001 we have to audit the scope before we engage with a certification auditor?

Answer
To answer this question, we first must look at ISO/IEC 27006 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.

Clause 9.1.3.4 - IS 9.1.3 Review periods

The certification body shall not certify an ISMS unless it has been operated through at least one management review and one internal ISMS audit covering the scope of certification.

Commentary
Whether you are seeking certification for the scope for the first time or expanding the scope to other offices and facilities, always make sure that a management review and an internal audit have been conducted.

Top management can use the management review to sign off the management system as operational, which gives the certification auditor evidence that they understand their responsibilities.
