An ISMS audit schedule contains all the scheduled and prospective audits for the entire year related to the information security management system. It includes the internal audits, supplier audits, third-party audits and audits to be carried out as appropriate.
The ISMS audits should be carried out as the need arises and only by carried out by proficient personnel who are independent of the subject area being audited. Every member of the audit team would be appointed by the Information Security Management Representative (ISMR) and the lead auditor supervises the activities of the ISMS audit team.
Planning an ISMS Audit
The ISMS lead auditor prepares a yearly audit programme which is authorized by the CEO of the organization or assigned management representative. This program should be flexible to suit any alteration in the schedule or changing priorities during the year. The lead auditor prepares the corresponding audit plans based on the ISMS audit programme which is then communicated to every auditee and the auditor. The audit plan has to be able to accommodate changes during the audit based information collected while it is conducted.
The plan should include;
- The audit scope and objectives.
- Sections and people in charge.
- The team members.
- Type of system to be audited.
- The time, date and place of audit as well as the distribution date of audit report.
ISMS Audit Execution
Several checklists are to be used by the auditors to perform the ISMS audit. Below are some of the checklists;
- Audit Checklist: This checklist contains particular items which are specific to the organizational department to be audited. The auditors assigned for the audit are in charge of using this form to generate question.
- Systemic Requirements Checklist: This checklist contains items concerning the requirements of ISO/IEC 27001.
- Control Requirements Checklist: This contains items relating to the controls of ISO/IEC 27001.
Findings of ISMS audits are gathered by going through of documents, observations of the actions and conditions in the concerned areas and also through interviews. All these findings would be written on the checklists mentioned above.
All significant evidence that suggests non-conformities has to be noted, even if the checklist doesn’t cover it. Other observations or evidence that might have a positive or negative reflection on the ISMS must also be noted on the appropriate checklist.
It is important to highlight audit checklists are to be used as guides, as a given finding may lead you down another audit trail to investigate an issue further.
After the ISMS audit has been concluded, all the auditors then have a meeting. The purpose of the meeting is to;
- Review and analyse findings.
- Combine all findings including tabulations and groupings.
- Classify the findings.
- Prepare the audit reports and recommendations.
Assessment is then made on whether findings should be reported as observations or as non-conformities. However, the ISMS audit findings have to be backed by concrete objective evidence. The lead auditor then consolidates all the findings to prepare the audit report. Below are the various classifications of audit findings;
Major non-conformity: This regards to a huge deficiency in the Information Security Management System. It also means that some elements of ISO 27001 are not implemented. Non-conformities directly affects the ISMS particularly the preservation of integrity, confidentiality and the accessibility of information assets.
Minor non-conformity: This regards to a minor deficiency in the ISMS. This means that some elements of the ISMS are only partially compliant. This conformity indirectly affects the information security.
Note that minor and major non-conformities require proper corrective measures to be acknowledged and implemented.
Audit Follow-up and Closure
As the auditors are in charge of recognizing non-conformities, the auditees are in charge of resolving the non-conformities. Authorized corrective measures should be as arranged with the auditors based on time scale. The lead auditor has to follow up on implemented corrective meassures. Usually, ISMS audit follow-ups involve checking the conclusion and efficiency of the approved preventive or corrective measures according to the arranged timeline.
An efficient ISMS audit is not finished until all corrective measures have been effectively implemented.
If you are interested in implementing an internal audit program for your information security management system, feel free to contact us for a free consultation on how we can support and add value to your organisation.