Compliance Glossary

The most important terms in compliance.

Terms in Compliance

Definitions for key terms used in ISO 27001, ISO 9001, NIS2, GDPR, and SOC 2 compliance. Written for practitioners and teams preparing for certification, not for lawyers.

Audit Trail

A chronological, tamper-evident record of system or process activity that allows an event to be traced from origin to conclusion. In compliance, audit trails serve as evidence that controls were operating as intended. Auditors review audit trails to verify access control, change management, and incident response activities.

Control

A measure that modifies or reduces a risk. In ISO 27001, controls are selected from Annex A based on the organization's risk assessment results. A control can be a policy, a technical measure, a process, or a physical safeguard. Each implemented control requires evidence that it is operating effectively.

Corrective Action

A documented action taken to eliminate the root cause of a nonconformity and prevent recurrence. Corrective actions differ from corrections (which fix the immediate problem) by addressing why the problem occurred. Auditors verify that corrective actions are proportionate, completed, and confirmed effective.

DPIA (Data Protection Impact Assessment)

A structured assessment required under GDPR Article 35 when processing is likely to result in high risk to individuals. A DPIA identifies the nature and purpose of the processing, assesses necessity and proportionality, and documents measures to address identified risks. DPIAs are mandatory before processing involving systematic profiling, large-scale sensitive data, or systematic monitoring of public areas.

ISMS (Information Security Management System)

The system of policies, procedures, processes, and controls an organization uses to manage information security risks. An ISMS is not a software product; it is a management framework. ISO 27001 defines what an ISMS must include and how it must operate. ISOPlanner™ provides the structure and tooling to build and maintain an ISMS inside Microsoft 365.

Management Review

A formal, documented review conducted by top management at planned intervals to assess the suitability, adequacy, and effectiveness of the management system. Required inputs include audit results, nonconformity status, risk register updates, and performance metrics. Outputs must include decisions on improvement actions and resource requirements. Auditors verify that management reviews occurred, were documented, and produced actionable outputs.

Nonconformity

A failure to meet a requirement. Nonconformities are identified during internal audits, external audits, or through ongoing monitoring. Each nonconformity requires documentation of what was found, a correction (immediate fix), and a corrective action (root cause elimination). Unresolved nonconformities are a common reason for certification delays.

Risk Treatment

The process of selecting and implementing options to modify an identified information security risk. ISO 27001 defines four treatment options: accept (tolerate the risk), treat (apply controls to reduce it), transfer (shift it to a third party, such as through insurance), or terminate (avoid the activity that creates the risk). Each treatment decision must be documented with rationale and linked to the relevant Annex A controls.

SOA (Statement of Applicability)

A document required by ISO 27001 that lists all 93 Annex A controls, states whether each is implemented, and provides justification for inclusions and exclusions. The SOA is one of the primary documents auditors review. It demonstrates that the organization has considered all controls and made deliberate, documented decisions about each one. A missing or incomplete SOA is a common major nonconformity.
