ISO - Training - Day - 4
Audit Prepare Work Documents
Checklists
Audit sampling plans
Use as a reference and for recording audit proceedings
Keep checklists flexible to allow changes resulting from information collected during the audit
Safeguard any confidential and proprietary information
Retain work documents and records
Audit Work Documents – Benefits & Potential Drawbacks
Benefits
Keep audit scope and objectives clearn
Serve as aide-memoir
Provide evidence of audit planning
Maintain audit pace and continuity
Reduce auditor bias
Reduce workload during audit
Provide space for auditor notes
Identify expected evidencen
Potential Drawbacks
Work documents tend to lose value if they are:
Tick lists
Questionnaires
Too focussed
Inflexible
Checklists may lead to rigid adherence to pre-planned questions
Prepare them as aide-memoir
Nonconformity
Non-fulfillment of a specified requirement:
Not doing it
Partially doing it
Doing it the wrong way
Specified requirements:
Conditions of customer contract
ISMS standard (ISO 27001)
Implemented information security management system
Statutory or regulatory requirements related to ISMS
Nonconformity – Minor
Nonconformity that does not affect the capability of the management system to achieve the intended results
Single observed lapse or isolated incident
Minimal risk of nonconforming product or service
A human error
Examples:
A previous corrective action as a result of an audit has not been assessed for its effectiveness
A record is not available or is incomplete
Nonconformity – Major
Nonconformity that affects the capability of the management system to achieve the intended results
Absence or total breakdown of a systems’ ability to meet a requirement
A number of minor nonconformities related to the same clause or requirement that shows there is a breakdown of the system
The complete failure of a process
Examples:
No evaluation of training or records of competence
Changes to the system made without authorization
No future planned internal audits
Classifying the Nonconformity
Consider the Seriousness:
What could go wrong if the nonconformity remains uncorrected?
What is the likelihood of such a thing going wrong?
Is it likely the system would detect it before the customer is affected?
If you are not certain it is a nonconformity, it is not. You must have:
A requirement that has been broken
Proof and evidence that it has been broken
Nonconformity – Poor Finding Examples
The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
Customer meeting minutes are not adequate
The change management process does not meet the requirements of the standard
Up-to-date information on known errors was not available during the audit.
Internal audits have not been carried out
Checkpoint Form for Point 7: Support
Commitment from Top Management
What to Check:
Ensure top management is actively involved in the ISMS and provides clear direction and support for its implementation.
Evidence:
Minutes from management review meetings.
ISMS policy signed by top management.
Documentation of top management’s roles and responsibilities regarding ISMS.
Interviews or statements from senior management demonstrating commitment.
Information Security Roles and Responsibilities
What to Check:
Confirm that roles and responsibilities related to information security are clearly defined and assigned.
Evidence:
Organizational chart showing roles for information security.
Job descriptions or roles related to ISMS.
Assigned roles and responsibilities documented in ISMS procedures.
Resources for Implementing the ISMS
What to Check:
Verify that sufficient resources (financial, human, technical) are allocated to support the ISMS.
Evidence:
Resource allocation plan.
Budgetary allocation for information security initiatives.
Records showing training and staff development for ISMS implementation.
Competence and Awareness of Staff
What to Check:
Ensure that all relevant staff are competent and aware of information security policies, controls, and their responsibilities.
Evidence:
Training records or certificates.
Awareness programs or workshops conducted.
Evidence of regular communication (emails, intranet posts) about security awareness.
Interviews with employees regarding their awareness of ISMS requirements.
Internal and External Communication
What to Check:
Check that there are proper channels for communication related to ISMS both internally (within the organization) and externally (with stakeholders).
Evidence:
Internal communication protocols for ISMS.
Documentation of communication with external parties (e.g., auditors, regulators, third-party suppliers).
Evidence of feedback mechanisms.
Documented Information and Records Management
What to Check:
Ensure that information related to ISMS, such as policies, procedures, records, etc., are documented and properly maintained.
Evidence:
Document control records (e.g., version control, approval process).
List of all ISMS-related documents and records.
Audit logs or reports showing document review and updates.
Management Reviews and Audits
What to Check:
Verify that regular management reviews and internal audits are conducted to assess the effectiveness of the ISMS.
Evidence:
Management review meeting minutes.
Audit reports and corrective action records.
Follow-up actions and evidence of continuous improvement.
Corrective and Preventive Actions
What to Check:
Ensure that any identified issues (nonconformities, incidents, etc.) are addressed through corrective and preventive actions.
Evidence:
Records of corrective and preventive actions.
Root cause analysis documentation.
Evidence that corrective actions have been implemented and are effective.
Hacker's Mantra: Growth hacking is the future of marketing. It has to be. -- Ryan Holiday
Last updated
Was this helpful?