Expert Advice Community

Mandatory processes

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

In ISO 27001 there are mandatory procedures, such as the audit process, but is that the same in ISO 27002? If so, what are the mandatory procedures and references?
Guest
Guest post Jan 12, 2016

There is a crucial difference between ISO 27001 and ISO 27002. The first one is a set of requirements for an information security management system. The second one is a ‘code of practice’ with a list of controls to operate and manage information security, and can be used without relation to ISO 27001.

ISO 27001 requires an audit and a system of audits. This is a mandatory procedure to make sure the ISMS still complies with the documentation and, if certified, with the certificate.

This is not the case for ISO 27002, where the controls are to be selected through a risk management process. None is, initially, a mandatory procedure.

ISO 27002:2013 control 12.7.1 covers the risk that an audit would disturb the business process and the operation. So the intention is completely different to the requirement in ISO 27001 and there is no reason to worry about it.

The following references may help you further:
- ISO 27001 vs. ISO 27002 (103): https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- MANDATORY DOCUMENTED PROCEDURES REQUIRED BY ISO 27001 (108): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- How to maintain the ISMS after the certification (3): https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/
