isms internal auditor course.ppt
Post on 29-Nov-2015
COMS Vantage Committed to Systems
Internal ISMS Auditor Course
Learning Objectives
To be able to:
Have knowledge of the concepts of Information and Information Security Management Systems
Understand the requirements of ISO 27001:2005 in auditing terms
Understand the Risk Assessment Methodology
Plan and conduct an IMS audit
Report the audit
Undertake audit follow-up activities
Course Content
DAY 1
Concepts and Philosophy of ISMS Framework
ISO 27001:2005 Requirements
Concepts and Principles of Auditing
Audit Planning (Audit Schedule & Audit Checklist)
DAY 2
Audit Execution
Audit Reporting (Identification of Non-conformances & Preparing Non-conformance Report)
Audit Closing (Verification of Corrective Actions)
Examination
Course Structure
Tutorial sessions
Practical exercises
Quiz
Examination
Concepts and Philosophy of ISMS Framework
Exercise 1 : ISMS Definition
Complete Exercise 1 on definition of ISMS related terms
Information
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.
Types of Information
Internal: Information that you would not want your competitors to know
Customer/client: Information that they would not wish you to divulge
Shared: Information that may be shared with other trading partners/persons
Types of Information
Company financial data (business performance)
Company business plan & strategies
Employee data
Credit card and bank account numbers
Passwords
Designs, patents, technical research
Bids for contracts, market research, competitive analysis
Intelligence (on criminals, hostile nations, etc)
Security information (risk assessment, network diagram, facilities plans)
Information Lifecycle
Create
Store
Distribute (to authorized persons)
Modify (by authorized persons)
Archive
Delete (electronic) or Dispose (paper, disk, etc)
Information may need protection through its entire lifecycle, including deletion or disposal
Information Security
Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation and reliability, may also be managed.
Information Security - a Definition
Information security is preservation of:
Confidentiality – ensuring that information is available only to those with authorised access
Integrity – safeguarding the accuracy and completeness of information and information processing methods & facilities
Availability – ensuring authorised users have access to information when required
In some organizations integrity and/or availability may be more important than confidentiality
Information Security – Why?
In today’s fast-paced, global business environment, access to information is critical to an organisation’s success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.
Information Security Risks
Some categories of risk:
Loss
Corruption
Theft
Unauthorized disclosure
Accidental disclosure
Unauthorized modification
Unavailability or denial of service
Lack of integrity
Intrusion and subversion of system resources
Non-IT Information Security Risks
Paper documents: on desks, in waste bins, left on photocopiers
Whiteboards and flipcharts
Telephone conversations overheard
Conversations on public transport
Social engineering
Information Security - Aim
Information Security aims to:
Minimize business damage by preventing and minimizing the impact of security incidents
Reduce the likelihood of a security incident occurring
Prevent information security incidents from occurring
Detect an incident occurring, or its effect
Respond to an event to minimize business damage
Ensure Business Continuity
Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
Business Effects of Information Security
Maintain stakeholder confidence in the organization
Preserve business position
Ensure business continuity
Why Are We Here?
Information security management: the key to confidence and trust for business
Customer Requirements
Business Requirements
Government Laws and Regulations
Interested Parties
IT department
Line managers
Senior managers
Company Boards
Government
Business and Trading Partners
Customers
Managers Must Understand
Poor information security outcomes are commonly the
result of poor management and not poor technical
controls
Information Security is Not all about Technology
[Figure: three business services compared by the share of each that is IT dependent versus IT independent; one service is 80% IT dependent / 20% IT independent, one is 50% / 50%, and one is 20% / 80%]
(Source: Office of E-Government. (2002). PowerPoint presentation)
Information Security Management System
Information Security Management System (ISMS) is:
That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
A management process
Not a technological process
What is an ISMS
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks)
Implementation must cover:
Requirements and policies
Planning implementation
Implementation and operations
Monitoring and reviewing
Improving the management system
Information Security Framework
(Source: Government of Western Australia: Department of Industry and Technology. (2002). Pamphlet - Managing Risks in the Internet Economy - An Executive’s Guide. p.5).
Benefits of an ISMS
An operational framework
- Focus on outcomes
- Outcomes are predictable
Basis for stakeholder trust
- The general public
- Clients and customers
- Business partners, suppliers, service providers & outsourcers
- Line management & senior management
ISO 27001:2005 Requirements
ISO/IEC 27001:2005
Information Technology – Security Techniques – Information Security Management Systems – Requirements
Requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving an ISMS
Information security is a Management process, more than just IT
ISO 27001 can be used for assessment and certification
ISO/IEC 27002:2005
Information Technology – Security Techniques – Code of practice for information security management
Provides guidance on good practice for Information Security Management
Prime objectives:
A common basis for organisations
Confidence in inter-organisational dealings
Defines a set of control objectives, controls and implementation guidance
It cannot be used for assessment and certification
PDCA model & ISMS Processes
[Figure: the PDCA model applied to the ISMS processes. Interested parties' information security requirements and expectations feed into Establish ISMS (Plan), Implement and operate the ISMS (Do), Monitor and review the ISMS (Check) and Maintain and improve the ISMS (Act); the output to the interested parties is managed information security.]
Clauses within ISO 27001:2005
0 Introduction
1 Scope
2 Normative references
3 Terms & definitions
Clauses 4 to 8
Annex A Control objectives & controls (A.5 to A.15)
Annex B OECD principles
Annex C Correspondence between standards
Plan - Do - Check - Act Cycle
PDCA model used in ISO/IEC 27001:2005
Process approach for:
Establish ISMS (Plan)
Implement and operate ISMS (Do)
Monitor and review ISMS (Check)
Maintain and improve ISMS (Act)
ISO 27001:2005, Clauses 4 to 8
Clause 4 : Information Security Management System
Clause 5 : Management Responsibility
Clause 6 : Internal ISMS Audits
Clause 7 : Management Review of the ISMS
Clause 8 : ISMS Improvement
Annex A – Controls (A.5 to A.15)
Clause 4 - Information Security Management System
4.1 General Requirements
4.2 Establish & Manage ISMS
4.2.1 Establish ISMS
4.2.2 Implement & operate ISMS
4.2.3 Monitor & review ISMS
4.2.4 Maintain & improve ISMS
4.3 Documentation Requirements
4.3.1 General
4.3.2 Document control
4.3.3 Record control
Clause 4.2.1 Establish the ISMS (Plan)
Scope and boundaries
Policy - objectives, business and legal or regulatory requirements, strategy, criteria, approved by management
Scope and Boundaries of ISMS
Scope to be described in terms of:
Characteristics of the business
Organization
Location
Information Assets
Technology
Boundaries to include interface with:
Other organisations
Third party suppliers
Partners
Other IT systems
ISMS Policy
Statement of management commitment, setting out the organisation’s approach to managing information security
Definition of information security, objectives & scope
Statement of management intent, supporting goals & principles
Include framework for setting control objectives & controls
Brief explanation of security policies, principles and standards
Compliance with legislative, regulatory & contractual requirements
Security education, training & awareness requirements
Business continuity management
Consequences of information security policy violations
Definition of general & specific responsibilities
References to documentation supporting policy
Communicated throughout the organisation
Clause 4.2.1 Establish the ISMS (Plan) (cont)
Define the risk assessment approach of the organization
Identify risks (assets and owners, threats, vulnerabilities, impacts)
Analyse and evaluate the risks
Identify and evaluate options for treatment of risks
Select control objectives & controls for the treatment of risks (select from Annex A)
Obtain management approval of proposed residual risks
Obtain management authorization to implement and operate the ISMS
Prepare a Statement of Applicability
Risk Assessment Approach
Identify a suitable risk assessment methodology
Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
Ensure that risk assessments produce comparable and reproducible results
The method is decided by the organization and audited against its information security scope, boundaries and policy
Risk Assessment
Risk (and the decision on which risks to mitigate with controls) depends on:
Asset value
Threat
Vulnerability
Likelihood and frequency of threat exploiting vulnerability
Impact on organization of successful exploitation
Asset Identification & Classification
Identify:
Assets within the scope of the ISMS (Primary Assets & Supporting Assets)
- Documents / Data
- Physical / Hardware
- Software
- People
- Services (e.g. Lighting, Airconditioning, DG etc)
Classification – V. Confidential, Confidential, Internal & Public
Asset owners & Users
Asset Value
Asset Value : Confidentiality X Integrity X Availability
Ranking of Assets done based on Asset Value:
Low
Medium
High
Critical
Identification of Threats and Vulnerabilities
Threat
A potential cause of an unwanted incident which may result in harm to a system or organization.
e.g. Network failure
Vulnerability
A weakness of an asset or group of assets, which can be exploited by a threat.
A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset.
e.g. No system monitoring
Assessment of Threats and Vulnerabilities
Assess the likelihood that a combination of threats and vulnerabilities occurs
Threats and vulnerabilities may be assessed:
Separately
Together
Security Risk – Calculations
Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value
*Impact Value is the impact that losses of confidentiality, integrity or availability may have on the assets
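As an added worked example (not part of the course slides), the two formulas from the Asset Value and Security Risk slides, Asset Value = Confidentiality x Integrity x Availability and Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value, applied in Python to a small constructed asset register. The 1-3 rating scale, the Low/Medium/High/Critical band edges, the risk-acceptance threshold and the sample assets and scenarios are all assumptions made for illustration; the course does not fix any of them, and an organisation's own risk assessment procedure would.

```python
"""Worked example of the course's asset-value and risk formulas.

Added here for illustration; not from the course material. The 1-3 rating
scale, the asset-value rank thresholds, the risk-acceptance threshold and the
sample assets/scenarios are all assumptions (constructed, not real data).
"""
from dataclasses import dataclass

# Constructed 1-3 rating scale (assumption: the course does not fix a scale).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # value of preserving confidentiality, 1-3
    integrity: int        # value of preserving integrity, 1-3
    availability: int     # value of preserving availability, 1-3


@dataclass(frozen=True)
class RiskScenario:
    """One threat / vulnerability pair assessed against one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    threat_value: int
    vulnerability_value: int
    probability: int      # likelihood of the threat exploiting the vulnerability
    impact_value: int     # impact of the loss of C, I or A on the asset


def asset_value(asset: Asset) -> int:
    """Asset Value = Confidentiality x Integrity x Availability (the slide's formula)."""
    return asset.confidentiality * asset.integrity * asset.availability


def asset_rank(value: int) -> str:
    """Rank an asset Low / Medium / High / Critical from its asset value.
    On a 1-3 scale the product ranges 1..27; these band edges are an assumption."""
    if value >= 18:
        return "Critical"
    if value >= 10:
        return "High"
    if value >= 5:
        return "Medium"
    return "Low"


def risk_value(s: RiskScenario) -> int:
    """Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value."""
    return (asset_value(s.asset) * s.threat_value * s.vulnerability_value
            * s.probability * s.impact_value)


def assess(scenarios, acceptance_threshold: int):
    """Score every scenario and flag those above the organisation's risk
    acceptance criterion as needing treatment (apply controls, avoid or
    transfer); the rest may be accepted. Returns rows, highest risk first."""
    rows = []
    for s in scenarios:
        av = asset_value(s.asset)
        risk = risk_value(s)
        rows.append({
            "asset": s.asset.name,
            "asset_value": av,
            "asset_rank": asset_rank(av),
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "risk": risk,
            "treatment_required": risk > acceptance_threshold,
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample assets and scenarios (assumptions, not course data).
CUSTOMER_DB = Asset("Customer database", HIGH, HIGH, MEDIUM)   # AV = 18
PUBLIC_WEBSITE = Asset("Public website", LOW, MEDIUM, HIGH)    # AV = 6
CANTEEN_MENU = Asset("Canteen menu", LOW, LOW, LOW)            # AV = 1

SCENARIOS = [
    RiskScenario(CUSTOMER_DB, "Unauthorised disclosure", "No system monitoring",
                 threat_value=HIGH, vulnerability_value=MEDIUM,
                 probability=MEDIUM, impact_value=HIGH),        # 18*3*2*2*3 = 648
    RiskScenario(PUBLIC_WEBSITE, "Network failure", "Single network link",
                 threat_value=MEDIUM, vulnerability_value=MEDIUM,
                 probability=MEDIUM, impact_value=MEDIUM),      # 6*2*2*2*2 = 96
    RiskScenario(CANTEEN_MENU, "Loss", "No backup copy",
                 threat_value=LOW, vulnerability_value=LOW,
                 probability=LOW, impact_value=LOW),            # 1*1*1*1*1 = 1
]

# Assumed acceptance criterion: risks scoring above 100 must be treated.
ACCEPTANCE_THRESHOLD = 100

if __name__ == "__main__":
    for row in assess(SCENARIOS, ACCEPTANCE_THRESHOLD):
        print(f"{row['asset']:<18} AV={row['asset_value']:>2} ({row['asset_rank']:<8}) "
              f"risk={row['risk']:>4}  treat={row['treatment_required']}")
```

Because every factor is multiplied, a single high rating does not by itself produce a high risk; the monitoring gap on the high-value customer database is what pushes that scenario over the acceptance line, which is exactly the kind of reproducible, comparable result the Risk Assessment Approach slide asks the methodology to deliver.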
Identify and Evaluate options for the Treatment of Risks
Manage and treat risks appropriately within business context:
Apply appropriate controls
Accept risks
Avoid risk
Transfer risk
Exercise 2 : Information Risk Assessment
Complete Exercise 2 to test understanding of Information Risk Methodology.
Control Objectives and Controls (Annexure A of ISO 27001:2005)
11 Control Objectives
39 Sub-Control Objectives
133 Controls
Control Objectives & Controls (Annexure A of ISO 27001:2005 Standard)
A.5 Security Policy
A.5.1 Information Security Policy
A.6 Organization of Information Security
A.6.1 Internal organization
A.6.2 External parties
A.7 Asset Management
A.7.1 Responsibility for assets
A.7.2 Information classification
A.8 Human Resources Security
A.8.1 Prior to employment
A.8.2 During employment
A.8.3 Termination or change of employment
Annexure A of ISO 27001:2005 Standard
A.9 Physical and Environmental Security
A.9.1 Secure areas
A.9.2 Equipment security
A.10 Communications and operations management
A.10.1 Operational procedures and responsibilities
A.10.2 Third party service delivery management
A.10.3 System planning and acceptance
A.10.4 Protection against malicious and mobile code
A.10.5 Back-up
A.10.6 Network security management
A.10.7 Media handling
A.10.8 Exchange of information
A.10.9 Electronic commerce services
A.10.10 Monitoring
Annexure A of ISO 27001:2005 Standard
A.11 Access Control
A.11.1 Business requirement for access control
A.11.2 User access management
A.11.3 User responsibility
A.11.4 Network access control
A.11.5 Operating system access control
A.11.6 Application and information access control
A.11.7 Mobile computing and teleworking
A.12 Information systems acquisition, Development and Maintenance
A.12.1 Security requirements of information systems
A.12.2 Correct processing in applications
A.12.3 Cryptographic controls
A.12.4 Security of system files
A.12.5 Security in development and support processes
A.12.6 Technical vulnerability management
Annexure A of ISO 27001:2005 Standard
A.13 Information Security Incident Management
A.13.1 Reporting information security events and weaknesses
A.13.2 Management of information security incidents and improvements
A.14 Business Continuity Management
A.14.1 Information security aspects of business continuity management
A.15 Compliance
A.15.1 Compliance with legal requirements
A.15.2 Compliance with security policies and standards, and technical compliance
A.15.3 Information system audit considerations
Selection of Security Controls
An organisation might consider that additional control objectives and controls are necessary
Not all the controls will be relevant to every situation
Consider local environmental or technological constraints
In a form that suits every potential user in an organisation
Review controls already in place:
- Remove
- Improve
Implement additional controls
Residual risk
The risk remaining after risk treatment
Assess how much controls will reduce risk
Reduced residual risk:
Acceptable or unacceptable
Implement more controls
May have to accept
Obtain Management Approval of proposed residual risk
Statement of Applicability
Definition
Documented statement describing the control objectives and controls that are relevant and applicable to the organisation’s ISMS.
Contents of Statement of Applicability:
Control objectives and controls selected
Reasons for selection
Control objectives and controls currently implemented
Exclusion of any control objectives and controls listed in Annex A, and the justification for their exclusion
The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
Statement of Applicability
Why a control has not been fully implemented:
Risk – not justified by risk exposure
Budget – financial constraints
Environment – influence on safeguards, climate, space etc
Technology – some measures are not technically feasible
Culture – sociological constraints
Time – some requirements cannot be implemented now
N/A – not applicable
Others – ?
Select Control Objectives and Controls for the Treatment of Risks
Select and implement Control Objectives and Controls:
To meet requirements identified by the risk assessment and risk treatment process
Take into account the criteria for accepting risks (4.2.1c)
Legal, regulatory and contractual requirements
Control objectives & controls selected from Annex A of ISO 27001:2005
Clause 4.2.2 Implement and operate the ISMS (Do)
Formulate and implement risk treatment plan
Implement controls
Training and awareness (also covered in clause 5.2.2)
Manage operations & resources
Implement procedures
Clause 4.2.3 Monitor and review the ISMS (Check)
Execute monitoring and review procedures and other controls
Undertake regular reviews of the effectiveness of the ISMS
Measure effectiveness of controls
Review risk assessments at planned intervals
Review level of residual risk and identified acceptable risk
Conduct Internal ISMS Audits at planned intervals (Clause 6)
Undertake Management Review of the ISMS (Clause 7)
Update security plans
Record actions and events
Clause 4.2.4 Maintain and improve the ISMS (Act)
Also covered in Clause 8
Implement the identified improvements in the ISMS
Appropriate corrective and preventive action
Communicate actions and improvements
Ensure improvements achieve their intended objectives
Clause 5 - Management Responsibility
5.1 Management commitment
Management shall provide evidence of commitment
5.2 Resource management
5.2.1 Provision of resources
5.2.2 Training, awareness and competency
- employees, people (outside scope) interfacing with company, customers, suppliers / third party service providers
Training and Awareness
Training is to be provided for:
Understanding and complying with the information security policy and objectives
Understanding security responsibilities
What to do regarding:
- Reporting security incidents, weaknesses
- Applying virus protection
- Doing backups
- Complying with relevant Local and International legislation
- Correct use of company equipment
- Correct use of e-mail and the internet and others
Monitoring of ISMS
Execute monitoring procedures and other controls:
Promptly detect errors
Promptly identify attempted and successful security breaches and incidents
Security activities delegated to people or implemented by information technology are performing as expected
Help detect security events
Prevent security incidents
Determine whether actions taken to resolve a breach of security were effective
Monitoring of ISMS
Undertake regular reviews of effectiveness of ISMS:
ISMS policy and objectives
Security controls
Take into account:
Security audits
Incidents
Effective measurements
Suggestions and feedback from interested parties
Measure the effectiveness of controls
Verify security requirements are met
Clause 6 – Internal ISMS Audits
Conduct internal audits at planned intervals
Audit programme planned taking into consideration the status and importance of the processes to be audited as well as the results of previous audits
Responsibilities for audit planning, conducting and reporting are defined in a procedure
Auditee is responsible for taking timely corrective action
Clause 7 - Management Review
Undertake planned reviews of effectiveness of ISMS (at least once a year)
Review inputs:
ISMS policy and objectives
Audit results
Suggestions and feedback from interested parties
Threats and vulnerabilities not adequately addressed
Results from effectiveness measurements
Review outputs:
Improvement of effectiveness of ISMS
Update Risk Assessment & Risk Treatment Plan
Modification of procedures & controls
Resource needs
Improvements in measuring effectiveness of controls
Clause 8 – ISMS Improvements
Continual Improvement
Corrective Action
Preventive Action
Exercise 3: Quiz on ISO 27001:2005
Complete the Quiz on ISO 27001 to test your understanding of the standard.
ISMS Documentation
Documentation Structure
[Figure: four-level documentation pyramid, Level I at the apex down to Level IV at the base]
Level I: IMS MANUAL (Apex Document)
Level II: STANDARD OPERATING PROCEDURES, POLICIES
Lower levels: CHECKLISTS, GUIDELINES ETC.; FORMATS, Log-Books, Registers (maintained per department, Dep1 to Dep6)
ISMS Documentation
The ISMS Documentation includes:
Documented statements of an ISMS policy and ISMS objectives
Information Security Manual
Information Security Risk Assessment
Statement of Applicability
Information Security Policies
Procedures
Formats / Logs / Records
Concepts & Principles of Auditing
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled.
ISO 9000:2005
Objective Evidence
Data supporting the existence or verity of something – ISO 9000:2005
May be obtained through
- Records
- Observation
- Measurement or test
- Stated or verbal
Can be verified
Specified Requirements
Organization system requirements
- Manuals
- Policies & Procedures
ISO 27001 standard requirements
Legal requirements - statutory, regulatory or industry body
Audit Purpose
To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.
Principles of Auditing
Ethical Conduct
• Trust, integrity, confidentiality, discretion
Fair Presentation
• Audit findings and conclusions are accurate and truthful
Due Professional Care
• Exercise care according to the confidence placed in them by their clients
• Competence is essential
Independence
• Auditors are independent of the activities being audited and are free from bias or conflict of interest
• Conclusions will be objective and based only on audit evidence
Evidence-Based Approach
• Audit evidence is based on samples of information
• Conclusions are verifiable
Conformity vs. Compliance
Conformity:
• Fulfillment of a requirement
• Nonconformity can lead to suspension or revocation of registration
• Voluntary
Compliance:
• Fulfillment of legal/statutory requirements
• Noncompliance can lead to fines/incarceration
• Mandatory
Types of Audit
Internal
1st Party: Audit of one’s own company (QMS)
External
2nd Party: Audit of a supplier by a customer
3rd Party: Audit by an independent body
Other Types of Audit
Pre-assessment
Certification
Surveillance
Process
Product
Reasons for Internal Audits
Requirement of all management system standards
Source of information for use by management
Powerful tool for continual improvement through:
Employee involvement
Communication
Employee awareness, etc.
Benefits of Auditing
Verifies conformity to requirements
Increases awareness and understanding
Provides a measurement of effectiveness of the system to management
Reduces risk of system failure
Identifies improvement opportunities
Precipitates the corrective action cycle
Precipitates the preventive action cycle
Audit Process - Overview
Key Stages in the Internal Auditing process (PERC):
Planning
Execution
Reporting
Closing
Audit Planning & Preparation
Audit Planning
Audit Schedule
Audit Checklist
Audit Schedule
Audit Schedule is based on:
Frequency of audit (as mentioned in procedure)
Processes / area to be audited
Duration of audit
Qualified internal auditors
Audit Team to have applicable technical expertise
Independence of audit team (cross-functional audit)
Audit Schedule-1
P = Planned   A = Additional
[Table: annual audit schedule with processes (including Marketing, IT Technology, System Administration, HR and Administration) as rows and the months J F M A M J J A S O N D as columns; each cell holds P for a planned audit or A for an additional audit]
Audit Schedule - 2
Day 1
Time          Processes            Auditors
1000 – 1300   Software Dev         A & B
1000 – 1300   Real Estate Dev      C & D
1400 - 1700   BPO                  E & F
1400 - 1700   Educational Portal   G & H
Day 2
Time          Processes            Auditors
1000 – 1300   Executive Search     I & J
1000 – 1300   IT                   K & L
1400 - 1700   HR                   M & N
1400 - 1700   Administration       O & P
cc : To all Department Heads and Auditors
Checklists
A Checklist or Aide Memoir is a systematic set of questions / prompts about the auditee’s IMS system, which enable the auditor to maintain a consistent approach, and to ensure that no important points are missed.
A checklist should not be a list of questions to ask the auditee. It is simply a “prompt” for aspects of the system which require review.
Checklists
Checklists may be:
Generic
or
Tailored
Checklists - Benefits
A well constructed aide memoir will help to:
Keep audit objectives clear
Provide evidence of audit planning
Maintain audit pace and continuity
Reduce auditor bias
Reduce workload during audit
Checklist Drawbacks
Checklists tend to lose value if they are:
Tick (√) lists
Questionnaires
Too focused
Inflexible
Prepare them as aides-memoir
Checklists Preparation - Inputs
Company Policies and Procedures
Process information
Customer requirements
Applicable legal requirements
Codes of practice
Management priorities
Previous incidents and accidents
Previous audit reports
Known problems
Sample Checklist Format
Process/Deptt:   Auditee:
Auditor/s:   Date:
S.No. | Requirements | Standard Clause No. | Objective Evidence
Exercise 4 : Audit Checklist
In your teams, prepare checklist for an ISMS audit.
Checklist may be prepared for your department.
Audit Execution
Audit System
Various roles of an auditor:
A catalyst
Management instrument
An interface with suppliers, customers, colleagues
A ‘consultant’ (NOT 3rd Party)
Some Attributes of a Good Auditor
Open minded
Diplomatic
Decisive
Perceptive
Observant
Tenacious
Self-reliant
Ethical
Any More?
Auditor Qualification
Auditors must be competent in –
Reasoning of nonconformities
Evaluating effectiveness of corrective action
Managing Communications
Put auditee at ease
Ask questions and listen
Have the appropriate body language
Smile and show eye contact
Avoid interruptions
Avoid sarcastic & condescending remarks
Give praise and feedback
Acknowledge and show interest
Be tactful and polite
Show patience and understanding
Thank the auditee on completing the audit
Personality Types
The Everything is Absolutely Fine
Stick to the Bare Facts
Detail, Detail, Detail
I Always Have the Right and Best Answer
Managing Communications
Effective communication
Questioning
Listening
Body Language
Resolving Differences
Types of conflict
Dealing with conflict
Conduct of the Audit
Meet the auditee
Explain what you want to see
Sampling audit
Investigate to the depth necessary
No problems found, move on
Don’t keep on auditing until problems are found
Sampling
Why? Reduces time and costs
Sample / sample frame
Representative
Random
Chosen by the auditor
Permission sought
Audit Execution
The Audit Process
Gathering information
Validating the findings
Evaluating the findings
Procedure for Gathering Evidence
Question
Observe
Check
Collecting & Verifying Information
[Figure: flow of audit evidence] Sources of information -> Collecting by appropriate sampling and verifying -> Audit Evidence -> Evaluating against audit criteria -> Audit Findings -> Reviewing -> Audit conclusions
Sources of Information
Interviews
Documents (procedures, instructions, specifications, etc)
Records
Data Summaries (analysis and performance)
Reports (customer feedback, supplier ratings)
Databases
Observations (of activities and conditions)
Conducting Interviews
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed
May start with asking the auditee to describe the work
Avoid misleading questions
Listen carefully & make notes
Summarize the results of the interview & discuss with auditee
Questions
Open questions
- Encourage auditee to speak
Probing questions
Closed questions
Questions should be asked like a funnel – starting with open questions and ending with closed questions
Questioning Techniques
Hypothetical
Obvious
Answered
Repetitive
Non-verbal
Open Questions
Six friends (to gather information):
Who (does it)
What (is done)
Where (is it done)
Why (is it done)
When (does it get done)
How (is it done; how often is it done)
And a seventh friend (for verification):
Show me
7 Tips for Interviewing
Use appropriate types of question
Adopt a logical approach
Follow a natural sequence
Actively listen to what is being said
Use silence appropriately
Seek clarification, where necessary
Verify responses, where necessary
COMS Vantage Committed to Systems
Documents
Policy & objectives
Plans
Policies and procedures / instructions
Specifications / drawings
Contracts / orders
Licenses / permits
Review documents which describe activities, plans, controls, strategies and tests.
Records
Records are evidence of an activity performed:
Test records
Training records
Performance monitoring records
Audit reports
Management review minutes of meetings
Non-conformance records
Customer satisfaction records
Vendor performance evaluation records
and …
Observations
Observations of:
Activities being performed
Housekeeping
Condition of infrastructure and hardware
Work environment
Control of the Audit
The checklist is a servant, not a master
Audit the complete scope
If potential audit trails appear, decide whether to: disregard; note for later; follow up immediately
Might affect the sample size
Might affect the audit programme
Notes
Recording the objective evidence:
Admissible statements (quotes and statements)
Document / record numbers and issue / revision levels
Identifiers (product identification)
Surroundings
Name of auditee or, preferably, job title
Issues which may impact other functions
Mental Notes
Workload
Employee behaviour
Management approach
Organization culture
Reactions
Notes
Notes are evidence of the professionalism of the auditor
Evidence of sample size and observation
Should be legible & retrievable
Shall be an input to the audit report
May be used for further investigation & subsequent audits
Verify Facts
Discuss concerns with the auditee
The auditee may provide correct information
Record all the evidence in detail
Establish why it is a nonconformity or otherwise, and who is responsible (preferably by job title)
Audit focus must be on conformity and effectiveness, not on finding nonconformities
Therefore, auditors must be competent in:
- Reasoning of nonconformities
- Evaluating effectiveness of corrective action
Good Practices
Ask the right person: the person with the responsibility for what it is you are auditing
Don't talk down or be rude / sarcastic
Ensure questions are clear and understood: avoid jargon, use plain and simple language, rephrase the question if not understood
Do not confuse; ask one question at a time
Allow time for the auditee to answer any questions you ask
Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence
Be polite at all times, regardless of any provocation you may encounter
Handling Difficult Situations
Time Wasting
Discrimination
Hostility
Avoidance
Finger - pointing
Undermining
Deception
Obstruction
Usurping Control
Flattery
Audit Reporting
Nonconformity
Non-fulfilment of a requirement
Specified requirements:
- Company policies and procedures
- ISO 27001 standard requirements
- Legal requirements
Nonconformity
The objective of internal audit is to assess the status of the system from the point of view of adequacy of documents (intent), compliance and effectiveness.
Nonconformities can arise from two causes:
- System deficiencies
- Human slip-ups
Internal audits should be aimed at identifying system deficiencies.
Reporting Categories
Categories such as Non-conformance or Non-compliance represent a "non-fulfilment of a specified requirement", and for many organisations are given the highest priority when determining corrective actions.
A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.
Minor Non-conformance
Violation or failure to meet a requirement of the standard
Any minor lapse in the system
Examples
- Training not planned for two employees from the Customer Care Department
- Background verification not done for employees x, y & z prior to hiring
Major Non-conformity
Complete absence or total breakdown of any clause of the standard(s)
Complete non-compliance with company policy or procedure
Non-compliance with a legislative requirement
A number of nonconformities leading to system breakdown
Examples
- Management Review has not been conducted for more than a year
- Information Security Policy not defined
Consider the Seriousness
Three questions to be answered
1. What could go wrong if the nonconformity remains uncorrected?
2. What is the likelihood of such a thing going wrong?
3. How likely is it to be detected if it did go wrong?
A nonconformity with moderate consequences but high probability could be a Major.
A nonconformity with serious consequences but negligible probability could be a Minor.
Observation
An Observation or Opportunity for Improvement (OFI) is a situation where a weakness exists for which there is not enough evidence to raise a nonconformity / issue, but which, if allowed to remain, could result in a nonconformity / issue.
Exercise 5 : Identifying Non-conformances
Ten statements were presented by an audit team.
Identify whether there is a non-conformance. If yes, identify the ISO 27001:2005 clause / control objective number.
If no, state what further action should be taken by the auditor.
Writing Statements of Nonconformity
Use auditee’s terminology
Make it retrievable
Must be factual
Make it complete
Make it concise
Nonconformity Statement (1)
Procedure KCL-Pl-15 requires that access to the server room is restricted to 2 System Administrators and the IT Head. If required, others may access it along with the 3 persons with authorised access, and they are to be entered in the Entry Log Register.
The auditor entered the server room with the System Administrator; however, no entry was made in the Entry Log Register.
Nonconformity to Procedure KCL-15 and ISO 27001:2005 clause A.9.1.5
Nonconformity Statement (2)
The Policy for Compliance states that no software, unless provided by corporate IT, may be loaded onto the network without the prior permission of the IT manager.
The SW department was currently using a new data analysis tool which was sent to them directly by the developers after their agreement to take part in the testing of the new tool in return for a free copy of the finished product.
Nonconformity to Policy for Compliance and ISO 27001, Control 15.1
Ethos of Auditing
Positive approach
Aim to help improve system
Don’t look for blame
Aid identification of solutions
Audit Report
Date
Process / area of audit
Auditor(s)
Auditee
NCR
Root cause
Proposed corrective action
Corrective action taken
Verification of effectiveness of corrective action
Review
Reporting
After the Audit Report is generated, the auditor:
Submits the report to the auditee
Gets the auditee to agree on the nonconformance
Agrees dates for corrective action
Ensures that action is taken effectively
Exercise 6 : Nonconformance Report
Write the nonconformance report for any nonconformance in Exercise 5
Audit Closing
Conducting Audit Follow-up
The auditor is responsible for :
Identifying the nonconformance
and
Closing the nonconformance
Conducting Audit Follow-Up
At the conclusion of the follow-up audit, the auditor must make a conclusion as to the completion and effectiveness of the previously proposed corrective actions:
Has the action been taken and has it been effective?
Has the action not been taken or is it incomplete?
Has the action been taken but is ineffective?
Follow-up Action
Step                                         Responsible
Receive NCR                                  Auditee
Identify root cause                          Auditee
Corrective action plan prepared              Auditee
Evaluates response                           Auditor
Implements plan                              Auditee
Evaluates effectiveness                      Auditee
Revises plan if necessary                    Auditee
Documents the changes                        Auditee
Verifies implementation & effectiveness      Auditor
Records made of all actions taken
Exercise 7 : Corrective Action
Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.
Thank You
Working Together For Better Environment.