An ISMS audit schedule contains all the scheduled and prospective audits for the entire year related to the information security management system. It includes the internal audits, supplier audits, third-party audits and audits to be carried out as appropriate.
The ISMS audits should be carried out as the need arises and only by carried out by proficient personnel who are independent of the subject area being audited. Every member of the audit team would be appointed by the Information Security Management Representative (ISMR) and the lead auditor supervises the activities of the ISMS audit team.
The ISMS lead auditor prepares a yearly audit programme which is authorized by the CEO of the organization or assigned management representative. This program should be flexible to suit any alteration in the schedule or changing priorities during the year. The lead auditor prepares the corresponding audit plans based on the ISMS audit programme which is then communicated to every auditee and the auditor. The audit plan has to be able to accommodate changes during the audit based information collected while it is conducted.
The plan should include;
Several checklists are to be used by the auditors to perform the ISMS audit. Below are some of the checklists;
Findings of ISMS audits are gathered by going through of documents, observations of the actions and conditions in the concerned areas and also through interviews. All these findings would be written on the checklists mentioned above.
All significant evidence that suggests non-conformities has to be noted, even if the checklist doesn’t cover it. Other observations or evidence that might have a positive or negative reflection on the ISMS must also be noted on the appropriate checklist.
It is important to highlight audit checklists are to be used as guides, as a given finding may lead you down another audit trail to investigate an issue further.
After the ISMS audit has been concluded, all the auditors then have a meeting. The purpose of the meeting is to;
Assessment is then made on whether findings should be reported as observations or as non-conformities. However, the ISMS audit findings have to be backed by concrete objective evidence. The lead auditor then consolidates all the findings to prepare the audit report. Below are the various classifications of audit findings;
Major non-conformity: This regards to a huge deficiency in the Information Security Management System. It also means that some elements of ISO 27001 are not implemented. Non-conformities directly affects the ISMS particularly the preservation of integrity, confidentiality and the accessibility of information assets.
Minor non-conformity: This regards to a minor deficiency in the ISMS. This means that some elements of the ISMS are only partially compliant. This conformity indirectly affects the information security.
Note that minor and major non-conformities require proper corrective measures to be acknowledged and implemented.
As the auditors are in charge of recognizing non-conformities, the auditees are in charge of resolving the non-conformities. Authorized corrective measures should be as arranged with the auditors based on time scale. The lead auditor has to follow up on implemented corrective meassures. Usually, ISMS audit follow-ups involve checking the conclusion and efficiency of the approved preventive or corrective measures according to the arranged timeline.
An efficient ISMS audit is not finished until all corrective measures have been effectively implemented.
If you are interested in implementing an internal audit program for your information security management system, feel free to contact us for a free consultation on how we can support and add value to your organisation.
Contact us to discuss your needs and see how we can support to reach your goal.
In the current days and age, organisations are always looking ways to more efficient ways to manage their environmental impact and reduce their carbon footprint. With a robust HSEQ (Health,...
Calibration is the process of verifying and adjusting the accuracy of a measurement instrument to ensure that it provides consistent and reliable results. In many industries, calibration is critical to...
Introduction ISO 45001 is the global standard for occupational health and safety management. It was published in March 2018 and replaced OHSAS 18001. ISO 45001 is a framework that provides...