Over the past 6 months, I have been reading a number of articles and publications on the ISO27000 subset of guidance documents:
ISO 19011:2011 clearly states: 'An organization needing to conduct audits should establish an audit programme that contributes to the determination of the effectiveness of the auditee's management system.'
It is seldom possible or practical to completely eliminate a risk to information in terms of confidentiality, integrity or availability.
The main thrust of Clauses 4.1 and 4.2 in a management system is for the organization to take a higher-level overview of the business.
New clients have told us: "Management reviews have been a problem area in the past; we have had several non-conformances, but we want to maintain ISO 27001 or ISO 22301 certification. What are the common issues you see?"
Our pre-assessment (gap analysis) audit is designed to let an organisation fully evaluate the scope of compliance or certification and decide what to focus on, and how, in the work ahead.