ISO 27001 is an international standard that specifies the requirements for an organization's information security management system (ISMS). When planning interviews to assess an organization's compliance with ISO 27001, you should consider interviewing a range of people within the organization, including:
- Senior management: Interview members of senior management to understand the organization's commitment to information security, how it resources and oversees the ISMS, and its approach to implementing it.
- Information security personnel: Interviewing the people who run the ISMS day to day will show you how it is implemented and maintained in practice, not just how it is written down.
- Employees: Interview employees at all levels of the organization to gauge their awareness of, and compliance with, the organization's information security policies and procedures.
- Third-party service providers: If the organization uses third-party service providers to handle sensitive information, interview those providers to understand their information security practices and how they protect the organization's information.
It is also important to review documentation related to the organization's information security management, including policies, procedures, the risk assessment and Statement of Applicability, internal audit and management review records, and records of information security incidents and their resolutions. Compare what interviewees say with what the records show; gaps between the two are often the most useful findings.