ISO Training - Day 3
What is an Audit?
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Why Audit?
Promote continuous improvement of the management system
Monitor and measure the management system
Requirement of ISO 27001
Terms & Definitions related to Auditing
Audit Criteria: The set of standards, policies, or regulations against which the audit is conducted.
Audit Evidence: The information or data collected during the audit process to support audit findings and conclusions.
Audit Findings: The results or observations made by the auditor during the audit, indicating conformity or non-conformity with the criteria.
Audit Conclusion: The final assessment or judgment made by the auditor based on the audit findings, reflecting whether the ISMS is compliant with the set criteria.
Audit Scope: The boundaries and extent of the audit, including what areas of the ISMS will be assessed.
Audit Client (Auditee): The organization or entity being audited, responsible for providing access and information.
Auditor: A qualified individual responsible for conducting the audit and assessing the ISMS against established criteria.
Audit Team: A group of auditors with different expertise working together to conduct the audit.
Technical Expert: An individual with specialized knowledge or skills who may assist the audit team in assessing specific technical aspects of the ISMS.
Observer: An individual who observes the audit process but does not actively participate in the audit activities.
Guide: A reference document or person providing advice and direction during the audit process.
Risk: The potential for loss or harm arising from a security vulnerability or threat that may affect the ISMS.
Competence: The necessary knowledge, skills, and abilities required by an auditor or audit team to effectively perform the audit.
Types of Audit
Stages of Third-party Audit
Pre-Assessment / Gap Assessment: An initial review to identify gaps between current practices and the required standards before the formal audit process begins.
Certification Audit: The comprehensive evaluation process conducted by a third party to assess whether an organization meets the required standards for certification.
Stage 1: The first phase of the certification audit where the auditor reviews the organization's ISMS documentation, policies, and readiness for Stage 2.
Stage 2: The second phase of the certification audit, where the auditor conducts a thorough on-site assessment to verify the implementation and effectiveness of the ISMS.
Surveillance Audit: Periodic audits conducted after certification to ensure that the organization continues to comply with the standards and maintain its ISMS.
Recertification Audit: A comprehensive audit conducted at the end of the certification cycle to evaluate whether the organization still meets the standards for continued certification.
Follow-up Audit: A subsequent audit performed to verify that corrective actions have been taken and non-conformities identified in previous audits have been addressed.
Dimensions of Auditing
Process Approach to Auditing
In the process approach to auditing, auditors ensure that the auditee:
Has defined the objectives, inputs, outputs, activities, and resources for its processes
Analyzes, monitors, measures, and improves its processes
Understands the sequence and interaction of its processes
The Audit Process - PERC
ISO 19011 provides guidance on:
Principles of Auditing (Clause 4): The fundamental principles that guide the auditing process, including integrity, objectivity, confidentiality, and evidence-based assessments.
Integrity: the foundation of professionalism
Fair presentation: the obligation to report truthfully and accurately
Due professional care: the application of diligence and judgment in auditing
Confidentiality: security of information
Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence should be verifiable.
Risk-based approach: an audit approach that considers risks and opportunities
Managing Audit Programs (Clause 5): The process of planning, establishing, and overseeing audit activities to ensure audits are effective and aligned with organizational objectives.
Conducting Internal and External Audits (Clause 6): The procedures for performing both internal and external audits to assess the effectiveness of an ISMS and its compliance with relevant standards.
Competence & Evaluation of Auditors (Clause 7): Ensuring that auditors possess the necessary skills, knowledge, and experience to effectively perform audits, and evaluating their performance to maintain high audit quality.
Audit Program
Audit program includes:
One or more audits, depending on the size, nature and complexity of the auditee
All activities necessary for planning, organizing, and providing resources to conduct audits
Audit program processes should include:
Planning and scheduling audits
Assuring competence of auditors and audit teams
Conducting audits and audit follow-up
Monitoring the performance of the audit program
Top management should authorize responsibility for program management
Those assigned responsibility should:
Establish, implement, monitor, review, and improve the audit program
Identify the necessary resources and ensure they are provided
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. This is commonly known as risk-based auditing.
Audit Program (3rd Party)
An audit programme for the full certification cycle shall be developed to clearly identify the audit activity(ies) required to demonstrate that the client's management system fulfils the requirements for certification to ISO 27001.
Includes:
a two-stage initial audit,
surveillance audits in the first and second years, and
a recertification audit in the third year prior to expiration of certification.
Managing an Audit Program
Audit Record
Audit Plans/Schedules
Audit Team Selection
Audit Checklist
Non-conformance Report
Corrective and Preventive Action Reports
Audit Report
Auditor competencies and performance evaluation
Maintenance & Improvement of competence
Hacker's Mantra:
I wasn't a hacker for the money, and it wasn't to cause damage. -- Kevin Mitnick