Hi Guys!!
We are an ISMS 27001:2005 certified BPO company! We are planning to conduct our internal audit soon. I am unsure about how to conduct an internal audit and what an auditor should look for. The entire responsibility falls on me, so please help me, guys. If you have any format for internal audit (even for 9001 or any other standard), that would be great. Otherwise, please guide me on what we should look for in the internal audit.
Thank you,
Krunal
From India, Ahmadabad
Krunal,
If I shared the format, I would be violating the ISO 27001:2005 policies of my own company.
However, these are the main business areas you should be looking at (with the owner to audit for each):
• Physical and Environmental Security – Admin
• Asset Classification & Control, Access Control – Windows
• Compliance, Information Security Incidents – Information Security Head
• Operations Management, Access Control, Information System Acquisition & Maintenance, BCP – Operations Management, IT Security Head, Team Representatives (Wintel, N&S)
• Human Resource Security – HR Head
2.1. Six Phases of Audit
The internal audit would be conducted in six phases:
1. Planning and scheduling the audit.
2. Selecting appropriate audit teams and assigning roles and responsibilities.
3. Conducting the audit.
4. Conducting follow-up audits.
5. Maintaining audit programme records.
6. Monitoring the performance and effectiveness of the audit programme and reporting the non-conformities to top management.
2.2. Planning and Scheduling Audit
ISD will ensure that audits are conducted once every 3 months. The audit plan will be published once a year. Both audit parts (documentation and implementation) would be covered each time the audit is conducted.
ISD will inform the auditors of the audit dates 15 days in advance and will confirm their availability. ISD shall also confirm the presence of top management and the respective process owners for the audit.
Apart from the published audits, ISD shall perform informal audits as and when required to ensure BS7799 compliance.
2.3. Selecting Appropriate Audit teams, assigning roles and responsibilities
The management shall ensure that audit teams are announced and shall also assign proper roles and responsibilities. The audit teams shall be selected based on the following skill set. The auditor cannot audit his own work.
The auditor shall possess these personal attributes.
• Auditor shall be ethical, i.e. faithful, sincere and honest.
• Auditor shall be open-minded, i.e. willing to consider alternative ideas or points of view.
• Auditor shall be diplomatic, i.e. tactful in dealing with people.
• Auditor shall be observant, i.e. actively aware of physical surroundings.
The auditor shall possess these general skills.
• Audit leader shall organize the audit effectively
• Auditor shall collect information through effective interviewing, listening, observing and reviewing documents, records and data.
• Auditor shall maintain confidentiality and security of information.
• Auditor shall prepare the audit report.
The auditor shall possess these technical skills.
• Auditor shall be technically competent enough to assess the implementation part.
2.4. Conducting Audit
2.4.1. Meetings
The audit shall start with an opening meeting and end with a closing meeting. The meetings shall be held with the management representative.
The purpose of the opening meeting is:
• To confirm the audit plan
• To provide a short summary of how the audit activities will be undertaken
• To confirm the communication channels
• To provide an opportunity for the auditee to ask questions
• To introduce the participants
The purpose of the closing meeting is:
• To present the audit findings and conclusions
• To resolve any disputes over the audit findings
• To agree upon the time frame for the corrective and preventive actions
2.4.2. Audit
The audit will be conducted in two parts:
• Documentation audit.
• Implementation audit.
The documentation audit will allow the auditor to gain an understanding of ISMS in the context of the organization's security policy, objectives and approach to risk management. The documentation audit includes documentation review that has to be completed before starting the implementation audit.
The audit team shall review all the documents related to the ISMS, including:
• The security policy statement
• ISMS scope definition
• All procedures and controls supporting the ISMS
• Risk assessment report
• Risk treatment plan
• All procedures regarding planning, operation and effective control of information security processes
• All records confirming conformity and effectiveness of ISMS operation
• Statement of Applicability
The results of the documentation audit will be contained in the report. Based on the findings, the auditor will decide whether to proceed with the implementation audit or to postpone it.
The implementation audit will cover:
• Confirmation of the organization's compliance with its own policies, objectives and procedures.
• Confirmation of the ISMS' compliance with all ISO 27001 requirements and of its attainment of the organization's policy objectives (this includes checking that the organization has a system of processes in place to cover the requirements given in Clauses 4 to 8 inclusive of the ISO 27001 standard).
• Assessment of information security related risks and the resulting design of the ISMS.
• The approach to risk assessment:
o Risk identification
o Risk assessment
o Risk treatment
o The choice of control objectives and controls for risk treatment
o Preparation of a Statement of Applicability
• Performance monitoring, measuring, reporting and reviewing against the objectives and targets. This should include checking that processes are in place and being used for at least the following:
o Clause 4.2.3 Monitor and review the ISMS
o Clause 7 Management review of the ISMS
o Clause 8 ISMS improvement
• Management responsibility for the information security policy.
2.5. Audit Report
The audit team leader shall be responsible for the preparation and contents of the audit report. The audit report shall be provided to the security management forum. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include:
• Identification of audit team leader and members.
• The audit criteria.
• The audit findings.
• The audit conclusions.
• Recommendations for the audit findings (corrective and preventive actions).
2.6. Corrective Actions
The organization shall take action to eliminate the causes of non-compliance resulting from implementation and operations, and so prevent recurrence. The procedure for corrective action shall include the following information:
• Identification of non-compliance in implementation or operations;
• Identification of the causes for non-compliance;
• Determination of the actions required to eliminate re-occurrence;
• Definition and implementation of the required corrective action;
• Results obtained by the corrective action (see record control);
• Review of the corrective action.
Improvement does not happen without implementing changes. This requirement is about ensuring that actions are identified, taken and verified for implementation and effectiveness. If a problem occurs, action needs to be taken to ensure that the problem is corrected and that it does not recur. This involves finding the cause of the problem, recording the results of the action taken and verifying that the action was effective. The intent of this requirement is to have a disciplined approach for making sure that actions happen and are effective.
Make sure each and every process is documented.
Regards,
Roopa
From India, Bangalore
Hi Roopa,
Thank you very much for your kind information. Yes, I understand the consequences of security nonconformance, but I think you did a great job for me even while following your rules.
Thanks again,
KRUNAL
From India, Ahmadabad
In addition to this, the following departments are to be covered:
Finance & Accounts
Purchase
Third-Party Vendors - Payroll, Transport, etc.
Check the training results also, i.e., ask employees all questions about what they have been taught.
Thanks,
Siddharth
The basic principle of any ISO system developed is: Plan - Do - Check - Act. Your audit should also follow the same principle.
The seven friends of auditors (6 Ws and 1 H) are: Who - What - Where - When - Which - Why - How.
Frame your audit checklist with the above.
Keep the standard copy with you, create columns for elements of the standard (Requirement), document reference (manual, procedure, work instructions, etc.), record reference (forms, register, log, etc.), interview reference (who you would like to audit), inspection reference (looking for evidence - location), and special notes or remarks.
With the above paragraph, you might have an idea of how to use the 6 Ws and 1 H. For easy remembering, I call it 6 wives and one husband.
While you are conducting the audit, check for:
Plan - What procedures are available, what forms are used for documenting and recording, resources, who does what when, etc.
Do - Investigate whether the function is being carried out as per procedure. Check relevant records, interview persons, etc.
Check - Check how they evaluate the functional performance, the analysis, outcome, the results - what methods they use to do the same.
Act - Check what corrective and preventive actions are taken for the non-conformities raised or any deviations observed during their evaluation.
This is the simplest way to understand auditing principles. If needed, I can help you with the format.
Email: nandish@wadeadams.com
From United Arab Emirates, Dubai
Hello Ken,
I have recently started my Master's thesis at a leading car company in the ISMS department. I have to develop/enhance their existing internal auditing tool, etc. Can you please send me the said auditing ebook? It will definitely be of huge help for me.
Thank you in advance.
Sohail
MSc. Student
University of Magdeburg
From Germany, Wolfsburg
No one is sending or sharing any ebook, so please stop sending request emails to him (Ken). He doesn't respond at all!
From Germany, Wolfsburg
Please find attached samples of Cause Analysis & Corrective Action. I hope you find them a good sample... Thanks, Deepak 09336154871
From India, Calcutta
The basic principle of any ISO system developed is: Plan - Do - Check - Act. Your audit should also follow the same principle. Additionally, there are seven friends of auditors (5 Ws and 1 H) - Who, What, Where, When, Why, and How.
Rgs
From Vietnam, Ho Chi Minh City