ISO - Training - Day - 3

What is an Audit ?

• systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Why Audit ?

• Promote continuous improvement of the management system

• Monitor and measure the management system

• Requirement of ISO 27001

Terms & Definition related to Auditing

• Audit Criteria: The set of standards, policies, or regulations against which the audit is conducted.

• Audit Evidence: The information or data collected during the audit process to support audit findings and conclusions.

• Audit Findings: The results or observations made by the auditor during the audit, indicating conformity or non-conformity with the criteria.

• Audit Conclusion: The final assessment or judgment made by the auditor based on the audit findings, reflecting whether the ISMS is compliant with the set criteria.

• Audit Scope: The boundaries and extent of the audit, including what areas of the ISMS will be assessed.

• Audit Client (Auditee): The organization or entity being audited, responsible for providing access and information.

• Auditor: A qualified individual responsible for conducting the audit and assessing the ISMS against established criteria.

• Audit Team: A group of auditors with different expertise working together to conduct the audit.

• Technical Expert: An individual with specialized knowledge or skills who may assist the audit team in assessing specific technical aspects of the ISMS.

• Observer: An individual who observes the audit process but does not actively participate in the audit activities.

• Guide: A reference document or person providing advice and direction during the audit process.

• Risk: The potential for loss or harm arising from a security vulnerability or threat that may affect the ISMS.

• Competence: The necessary knowledge, skills, and abilities required by an auditor or audit team to effectively perform the audit.

Types of Audit

Stages of Third party Audit

1. Pre-Assessment / Gap Assessment: An initial review to identify gaps between current practices and the required standards before the formal audit process begins.

2. Certification Audit: The comprehensive evaluation process conducted by a third party to assess whether an organization meets the required standards for certification.

   1. Stage 1: The first phase of the certification audit where the auditor reviews the organization's ISMS documentation, policies, and readiness for Stage 2.

   2. Stage 2: The second phase of the certification audit, where the auditor conducts a thorough on-site assessment to verify the implementation and effectiveness of the ISMS.

3. Surveillance Audit: Periodic audits conducted after certification to ensure that the organization continues to comply with the standards and maintain its ISMS.

4. Recertification Audit: A comprehensive audit conducted at the end of the certification cycle to evaluate whether the organization still meets the standards for continued certification.

5. Follow-up Audit: A subsequent audit performed to verify that corrective actions have been taken and non-conformities identified in previous audits have been addressed.

Dimensions of Auditing

Process Approach to Auditing

In the process approach to auditing auditors ensure that the auditee:

• Has defined the objectives, inputs, outputs, activities, and resources for its processesn

• Analyzes, monitors, measures, and improves its processesn

• Understands the sequence and interaction of its processesn

The Audit Process - PERC

ISO 19011 provides guidance on:

• Principles of Auditing (Clause 4): The fundamental principles that guide the auditing process, including integrity, objectivity, confidentiality, and evidence-based assessments.

  • Integrity: the foundation of professionalism

  • Fair presentation: the obligation to report truthfully and accurately

  • Due professional care: the application of diligence and judgment in auditing

  • Confidentiality: security of information

  • Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions

  • Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence should be verifiable.

  • Risk-based approach: an audit approach that considers risks and opportunities

• Managing Audit Programs (Clause 5): The process of planning, establishing, and overseeing audit activities to ensure audits are effective and aligned with organizational objectives.

• Conducting Internal and External Audits (Clause 6): The procedures for performing both internal and external audits to assess the effectiveness of an ISMS and its compliance with relevant standards.

• Competence & Evaluation of Auditors (Clause 7): Ensuring that auditors possess the necessary skills, knowledge, and experience to effectively perform audits, and evaluating their performance to maintain high audit quality.

Audit Program

Audit program includes:

• One or more audits depending on, size, nature and complexity of the auditee

• All activities necessary for planning, organizing, and providing resources to conduct audits

• Audit program processes should include:

  • Planning and scheduling audits

  • Assuring competence of auditors and audit teams

  • Conducting audits and audit follow-up

  • Monitoring the performance of the audit program

• Top management should authorize responsibility for program management

• Those assigned responsibility should:

  • Establish, implement, monitor, review, and improve the audit program

  • Identify the necessary resources and ensure they are provided

• An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits Commonly known as risk–based auditing

Audit Program (3rd Party)

• An audit programme for the full certification cycle shall be developed to clearly identify the audit activity(ies) required to demonstrate that the client's management system fulfils the requirements for certification to the ISO 27001

• Includes:

  • a two-stage initial audit,

  • surveillance audits in the first and second years, and

  • a recertification audit in the third year prior to expiration of certification.

Managing an Audit Program

Audit Record

Audit Plans/Schedules

Audit Team Selection

Audit Checklist

Non-conformance Report

Corrective and Preventive Action Reports

Audit Report

Auditor competencies and performance evaluation

Maintenance & Improvement of competence

Hacker's Mantra: I wasn't a hacker for the money, and it wasn't to cause damage. -- Kevin Mitnick