You are performing an ISMS audit at a residential nursing home that provides healthcare services.

 According to ISO/IEC 27001:2022 clause 6.1, the organization must establish, implement and maintain an information security risk management process that includes the following activities:

establishing and maintaining information security risk criteria;

ensuring that repeated information security risk assessments produce consistent, valid and comparable results;

identifying the information security risks;

analyzing the information security risks;

evaluating the information security risks;

treating the information security risks;

accepting the information security risks and the residual information security risks;

communicating and consulting with stakeholders throughout the process;

monitoring and reviewing the information security risks and the risk treatment plan.

According to control A.5.29, the organization must establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during a disruptive situation. The organization must also:

determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster;

establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation;

verify the availability of information processing facilities.

Therefore, the following options will not be in your audit trail, as they are not relevant to the information security risk management process or the information security continuity process:

E. Collect more evidence on how the organisation makes sure all staff periodically conduct a positive Covid test (Relevant to control A.7.2). This is not relevant to the information security aspects of business continuity management, as it is related to the health and safety of the staff, not the protection of information assets. Control A.7.2 is about screening of personnel prior to employment, not during employment.

G. Collect more evidence on how the organisation performs a business risk assessment to evaluate how fast the existing residents can be discharged from the nursing home. (Relevant to clause 6). This is not relevant to the information security aspects of business continuity management, as it is related to the operational and financial aspects of the business, not the identification and treatment of information security risks. Clause 6 is about the information security risk management process, not the business risk management process.

H. Collect more evidence on what resources the organisation provides to support the staff working from home. (Relevant to clause 7.1). This is not relevant to the information security aspects of business continuity management, as it is related to the general provision of resources for the ISMS, not the specific processes, procedures and controls to ensure the continuity of information security during a disruptive situation. Clause 7.1 is about determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS, not the resources needed for the staff working from home.

References:

ISO/IEC 27001:2022, clauses 6.1, 7.1, and Annex A control A.5.29

[PECB Candidate Handbook ISO/IEC 27001 Lead Auditor], pages 14-15, 17, 22-23

ISO 27001:2022 Annex A Control 5.29 - What’s New?

ISO 22301 Business Continuity Management System