If I were to share the format, I would be violating my company's own ISO 27001:2005 policies.
However, these are the main business areas you should be looking at:
Physical and Environmental Security - Admin
Asset Classification & Control, Access Control – Windows
Compliance, Information Security Incidents – Information Security Head
Operations Management, Access Control, Information System acquisition & maintenance, BCP – Operations Management, IT Security Head, Team Representatives (Wintel, N&S)
Human Resource Security – HR Head
2.1. Six Phases of audit
The internal audit would be conducted in six phases.
• Planning and scheduling the audit
• Selecting appropriate audit teams, assigning roles and responsibilities
• Conducting follow-up audits
• Maintaining audit programme records
• Monitoring performance and effectiveness of the audit programme and reporting non-conformities to top management
2.2. Planning and Scheduling Audit
ISD will ensure that audits are conducted once every 3 months. The audit plan will be published once a year. Both audit parts (documentation and implementation) will be covered each time the audit is conducted.
ISD will inform auditors of the audit dates 15 days in advance and confirm their availability. ISD shall also confirm the presence of top management and the respective process owners for the audit.
Apart from the published audits, ISD shall perform informal audits as and when required to ensure BS7799 compliance.
2.3. Selecting Appropriate Audit teams, assigning roles and responsibilities
The management shall ensure that audit teams are announced and shall also assign proper roles and responsibilities. The audit teams shall be selected based on the following skill set. An auditor cannot audit his own work.
The auditor shall possess these personal attributes.
• Auditor shall be ethical, i.e. faithful, sincere and honest.
• Auditor shall be open-minded, i.e. willing to consider alternative ideas or points of view.
• Auditor shall be diplomatic, i.e. tactful in dealing with people.
• Auditor shall be observant, i.e. actively aware of physical surroundings.
The auditor shall possess these general skills.
• Audit leader shall organize the audit effectively
• Auditor shall collect information through effective interviewing, listening, observing and reviewing documents, records and data.
• Auditor shall maintain confidentiality and security of information.
• Auditor shall prepare the audit report.
The auditor shall possess these technical skills.
• Auditor shall be technically competent to assess the implementation part.
2.4. Conducting Audit
The audit shall start with an opening meeting and end with a closing meeting. The meetings shall be held with the management representative.
The purpose of the opening meeting is
• To Confirm the audit plan
• To provide a short summary of how the audit activities will be undertaken
• To confirm the communication channels
• To provide opportunity for the auditee to ask questions.
• To introduce the participants.
The purpose of the closing meeting is
• To Present the audit findings and conclusions
• To resolve disputes over the audit findings
• To agree upon the time frame for the corrective and preventive actions
The audit will be conducted in two parts
• Documentation audit.
• Implementation audit.
The documentation audit will allow the auditor to gain an understanding of ISMS in the context of the organization’s security policy, objectives and approach to risk management. The documentation audit includes documentation review that has to be completed before starting the implementation audit.
The audit team shall review all the documents related to the ISMS, including:
• The security policy statement
• ISMS scope definition
• All procedures and controls supporting the ISMS
• Risk assessment report
• Risk treatment plan
• All procedures regarding planning, operations and effective control of information security processes
• All records confirming conformity and effectiveness of ISMS operation
• Statement of Applicability
The results of the documentation audit will be contained in the report. Based on the findings, the auditor will decide whether to proceed with the implementation audit or to postpone it.
The implementation audit will cover:
• Confirmation of the organization's compliance with its own policies, objectives and procedures.
• Confirmation of the ISMS' compliance with all ISO 27001 requirements and of its attainment of the organization's policy objectives (includes checking that the organization has a system of processes in place to cover the requirements given in Clauses 4 to 8 inclusive of the ISO 27001 standard).
• Assessment of information security related risks and the resulting design of the ISMS.
• The approach to risk assessment:
o Risk identification
o Risk assessment
o Risk treatment
o The choice of control objectives and controls for risk treatment
o Preparation of a Statement of Applicability.
• Performance monitoring, measuring, reporting and reviewing against the objectives and targets. This should include checking that processes are in place and being used for at least the following:
o Clause 4.2.3 Monitor and review the ISMS
o Clause 7 Management review of the ISMS
o Clause 8 ISMS improvement.
• Management responsibility for the information security policy.
2.5. Audit Report
The audit team leader shall be responsible for the preparation and contents of the audit report. The audit report shall be provided to the security management forum. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include:
• Identification of audit team leader and members.
• The audit criteria.
• The audit findings.
• The audit conclusions.
• Recommendations for the audit findings. (corrective and preventive actions)
2.6. Corrective Actions
The organization shall take action to eliminate the causes of non-compliance resulting from implementation and operations, and so prevent recurrence. The procedure for corrective action shall include the following information:
• Identification of non-compliance in implementation or operations;
• Identification of the causes for non-compliance;
• Determination of the actions required to eliminate re-occurrence;
• Definition and implementation of the required corrective action;
• Results obtained by the corrective action (see record control);
• Review of the corrective action.
Improvement does not happen without implementing changes. This requirement is related to ensuring that actions are identified, taken and verified for implementation/effectiveness. If a problem occurs, action needs to be taken to ensure that the problem is corrected and that it does not re-occur. This involves finding the cause of the problem, recording the results of the action taken and verifying that the action was effective. The intent of this requirement is to have a disciplined approach for making sure that actions happen and are effective.
Make sure each and every process is documented.
Thought this part might help you:
13.4.1 You Cannot Fail
It is impossible to fail certification (unless you quit). The worst thing that can
happen is that it might take a little longer and cost a little more.
The final point that we wish to make in our discussion of the direct
sequence manual is that you cannot fail an initial assessment, unless you simply
quit. The worst thing that can happen is that it might take longer and cost
more. This is an established fact for the initial systems assessment (certification
assessment). One does not fail a third-party assessment; it is a part of the ISO
mythology. One does get nonconformances that need to be corrected. The
worst case is a major finding that could delay the certification process by up
to three months and cost some more to pay the registrar's lead assessor to
come back and clear the nonconformance. But that is it. This is the primary
reason that so many consulting groups will agree to guarantee certification.
The steward’s task is to make sure that there are no major findings possible.
This is accomplished via in-depth internal audits by well-trained auditors.
The audits should be evenly distributed throughout the creation process and
not left to the last moment prior to the document review. The audits not only
increase the probability of a major nonconformance-free certification assessment,
but they form the base of a dynamic corrective and preventive action
Inevitably there will be minor findings at the initial systems assessment,
the first surveillance, the second surveillance, the recertification assessment,
and the re-recertification assessment. That is what continuous improvement is
all about. I still come up with nonconformances with clients that I have
audited for over 8 years.
Organizations undergo all manner of change over 3 years (e.g., top management
changes; mergers; acquisitions; moves to new facilities; market ups
and downs; national and international tragedies, including war, floods, and
fires). Without sufficient audits, the documentation falls behind reality and
even the act of auditing begins to evaporate. It is equivalent to firing the sales
staff because sales are down. Find the root causes, make the necessary
changes to match the changed scenario, and move forward.
There, of course, can be major findings. By major findings we mean, for
example, an ineffectual management review, a poorly managed training program,
a lack of internal quality audits, a corrective and preventive action program
that is uncertain and loosely managed. The stewards must pay close
attention to these areas. One of the traps in the management review process is
for the top manager to use the management review as a “rah rah” session
instead of focusing on the enterprise’s deviations from its planned goals based
on firm and quantitative metrics. You say, “Never happens”? It does.
Another danger area is the loss of internal auditors due to downsizing,
burnout, disinterest, and promotion. It is important to maintain a constantly
trained group of auditors to cover such contingencies. A safe level of auditors
depends on the organization’s size in both people and square footage and the
degree of outsourcing. Today, we have situations where the organization consists
of one person in the site and everything else is outsourced. Your registrar
will work with you to cover this event. It does happen and people get certified.
13.4.2 Audit Focus
An experienced assessor pays special attention to the requirements in the
◗ Section 4: Quality Management System—In this set lies the superstructure of
the QMS and where change is controlled, especially with regard to
processes and continual improvement.
◗ Section 5.4: Planning—This determines how closely quality objectives are
planned and measured.
◗ Section 5.6: Management Review—This somewhat prescriptive set of paragraphs
contains the review of continual improvement drivers of internal
audits, customer feedback, process performance, product conformity,
preventive and corrective actions taken, and the manner in which
top management responds to required change and opportunities for
◗ Section 7.3: Design and Development—Special attention is to be directed to
the design review, verification, and validation functions.
◗ Paragraph 8.2.2: Internal Audit—This looks especially at whether all areas
of the organization have been audited against all appropriate paragraphs
and the audits have included all pertinent regulatory requirements.
◗ Paragraph 8.5.2: Corrective Action—This applies especially the management
of customer complaints.
◗ Paragraph 8.5.3: Preventive Action—This requirement indicates clearly the
degree to which the organization is either reactive to nonconformances
(e.g., performs root-cause analysis on a set of nonconformances
reported during corrective action) or takes a proactive perspective (e.g.,
performs risk analysis and designs in safety and introduces best practices
to all operating groups based on improvements in one group to prevent
nonconformities ) not only during the initial assessment but at every
subsequent surveillance assessment. It is customary for registrars to
require management review, design and development, internal audits,
review of customer complaints, and review of QMS document changes
to be mandatory for some percentage of the surveillance audits (e.g.,
every 6 months for internal audits and every 12 months for the design
Special attention to these requirements ensures that the continuous
improvement cycle is maintained throughout the life of the ISO 9000 program.
When the Shewhart cycle is enforced, the odds are very high that the
supplier will derive the benefits inherent in an effective QMS.
13.4.3 Assessor Role
Indeed, the role of the assessor is to teach and clarify. If this goal is met, the
assessor feels fulfilled at the end of a long and intense audit, and the client feels
that the effort was worth it. Alternately, if the assessor feels that the goal is to
catch the client, both parties will end up with a feeling of uselessness, and the
client will begin to seek out other registrars. That the audit findings must be
substantive, and of value to the client, is the foundation upon which the ISO
third-party schema will either continue to expand or eventually decline.
In the search for added value, my most effective rule is to ask the gut-oriented
question: does the method sound stupid? If it sounds stupid, it is; try
another approach. This works every time. I always consider whether my finding
will be of economic value to the enterprise. There is a fine line between
conformance to the Standard and worth to the client. No system is perfect to
start with, and no system becomes perfect in the process. Organizations are in
constant change through new products, new technologies, acquisitions, mergers,
the vagaries of markets, and the potential horrors of nationalistic power
It is vital that the organization continually stretch its processes for
improvement but not stretch beyond its economic boundaries. The auditor
can play an important role in this scenario. It is best to try to get inside the
mind of the top executive and see what makes sense within the strategic
parameters of the operation. Auditors with this perspective will find themselves
welcomed back more times than not.
13.4.4 Structure of the Audit
To carry out an effective audit of the Standard requires that we apply the pertinent
clauses of the Standard against every enterprise process. This also
means that we also ensure that each subprocess is covered in detail. Table 13.5
uses the same core competencies as shown in Figure 1.2.
Our example, shown in Table 13.5, is based on a small organization hierarchy.
We have assumed that the departmental processes contain the following
1. Executive: business plan, management review, and steering committee;
2. Marketing and sales: servicing, product managers, marketing, sales, and
3. RDT&E: research and development, design, product support, engineering
change, and document and engineering records control.
4. Operations: QA&RA, manufacturing, production control, purchasing,
inventory control, and shipping and receiving;
5. QA&RA: ISO management representative, document and record control,
metrology, corrective and preventive action, audits, quality
control inspection, reliability, and data analysis and trending;
6. Finance: human resources, management information systems, financial
control and analysis, and cost of quality support;
7. Human resources: hiring, training, and employee development;
8. Servicing: customer service, repair, and installation.
The chart suggests which clauses to apply to which process and thereby suggests
which employees are to be interviewed. The planned date of the audit and
auditors could also be placed in the box instead the star. Other usual audit
activities are also implied, such as auditing the distribution of documents
throughout the facility, auditing records in various file cabinets, asking employees
what they believe the quality policy means and who they think is the ISO
9000 management representative, and examining the status of training.
Unfortunately, there is no end of concern with regard to the manner
in which we are to audit either (1) the requirement that no procedure is
required for many clauses, or (2) the sometimes extremely descriptive language
of some clauses (e.g., Clause 7.5.5: Preservation of Product). This clause
is about as short and sweet as you can get with regard to a most complex and
extensive issue that includes electrostatic discharge protection, shelf-life control,
and a number of different types of preservation coatings as well as packaging
and delivery. Fortunately, the topic of audit management has received
wide recognition and many authors offer sensible ideas on how to approach
the subject.
To formulate such an audit structure, it is important to realize that this
process-oriented scenario has an intrinsic hierarchal structure of the type
If you want more material, the ebook:
Send me your mail ID and I'll send it to you.
Seven friends of auditors (6 W and 1 H): Who, What, Where, When, Which, Why, How.
Frame your audit checklist with the above.
Keep the standard copy with you; make columns for elements of the standard (requirement), document reference (manual, procedure, work instructions, etc.), record reference (forms, register, log, etc.), interview reference (who are all those you would like to audit), inspection reference (looking for evidence: location), and special notes or remarks.
With the above paragraph, you might have got the idea to use 6 W and 1 H. For easy remembering, I call it 6 wives and one husband.
While you are doing the audit, check for:
Plan: what procedures are available, what forms are used for documenting and recording, resources, who does what and when, etc.
Do: investigate whether the function is being carried out as per procedure. Check relevant records, interview persons, etc.
Check: check how they evaluate the functional performance, the analysis, outcome and results, and what methods they use to do the same.
Act: check what corrective and preventive actions are taken for the non-conformities raised or any deviations observed during their evaluation.
This is the simplest way of understanding the auditing principles. Still, if you need, I can help you with the format.
I have recently started my master's thesis at a leading car company, in the ISMS department. I have to develop/enhance their existing internal auditing tool etc. Can you please send me the said auditing ebook? It will definitely be of huge help to me.
Thanking you in advance.
University of Magdeburg
VSDi (VSD - Home) offers a complete range of IT services to our customers. VSDi focuses on delivery, technology and process excellence in providing top-notch infrastructure management and information security services.
We have developed an ISMS implementation toolkit called EIRA (Enterprise Information Risk-Mitigation Automator), which is the result of research and feedback from Lead Auditors, ISMS Lead Auditor Trainers and some senior-level executives of companies in the process of implementing an ISMS under ISO/IEC 27001. EIRA is a software tool to help organizations (commercial enterprises, government agencies, non-profit organizations) implement an ISMS.
- Organizations that are planning or have just completed the training of their team and are ready to implement.
- Organizations practicing ISMS and ISMS Auditors
- Organizations who want to upgrade from BS7799 to ISO/IEC27001:2
Services Offerings in Information Security Management:
VSDi offers a broad range of services related to Information Security Management. Have a look at the following illustrative list:
o High level network security architecture review
o Network Security Review
o Vulnerability Assessment of critical server & network devices
o Remote penetration testing of systems connected to the internet
o Consultancy and guidance in system hardening
o Stage 1 Auditing of IT infrastructure identifying security weaknesses against industry
o Development of security policies and procedures
o Review of security policy
o Information Security Risk assessment using automated test tools (EIRA)
o Guidance for implementation of IT Security best practices
o Vendor Site Compliance Certificate (VSCC)
- Gap analysis
- Build controls, procedures and documents as per the standard
- Application Site testing
- Website testing
- Includiting using accredited certifying bodies
We do not stop with that. Together, You and VSDi can explore further avenues to promote Information security culture.
VSDi believes that human resources- employees and clients are the first line of defence to fortify information security. At the same time, they are the weakest link in information security chain. So what do we do? Empowerment, motivation and driving for ethical values is the only option. Therefore, we are planning to render the training services in Information Security in conjunction with STQC through corporate alliance.
VSDi is endowed with senior and experienced faculty who have decades of exposure to a wide range of industries such as Manufacturing, Software, Finance, Insurance, Research & Development, Hospitality Management, Health Care services, Academics, etc.
o Information Security Management - Best Practices - 3 days
This workshop aims at training junior and middle management to adopt ISMS standards and best practices in their day-to-day operations.
o Information Security Risk Management Workshop - 2 days
This workshop aims at guiding senior management, in collaboration with the CISO / CIO, of an organisation which has embarked upon the ISO 27000 certification process.
o IT Service Management Foundation (based on ITIL®) - 5 days
This program aims at imparting knowledge of ITIL® terminology, structure and basic concepts to IT professionals, business managers and business process owners. Training enables participants to comprehend the key principles of ITIL® practices for Service Management.
o Information Security Awareness Training - 2 days
The focus is on users / employees, as well as vendor / service provider staff, gaining awareness of various security issues and following security policies, procedures and guidelines so that they do not fall victim to external threats or become perpetrators of cyber crime.