Internal Audit Process: Ensuring Compliance and Finding Nonconformities

Image: TechTarget

The purpose of an internal audit is to check that the ISMS conforms to the organization's own documented requirements and to ISO 27001, and that it is effectively implemented and maintained. Internal auditing is a key component of ISO 27001 compliance, so audits need to be carried out regularly and effectively at planned intervals. Internal audits help identify and rectify issues with the ISMS before the external certification audit, and they surface nonconformities and opportunities for improvement. Conducting internal audits reassures the organization and the external auditor that the ISMS is under continuous review. It also reminds employees of their responsibility to comply with ISMS requirements for the protection of organizational information assets.

An internal audit is a systematic and planned process that reviews the controls of Annex A (114 controls in ISO/IEC 27001:2013, the version this post follows; the 2022 revision restructures Annex A into 93 controls) as they are selected and justified in the Statement of Applicability. For controls the SoA excludes, the auditor checks only that the justification for exclusion still holds. Internal auditing is a time-consuming process that requires a thorough review of policies, procedures, existing processes, and practices. It is a team effort: the security controls are shared out according to the skills and experience of the auditors.


For instance, an auditor with an IT background will focus on:  

  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operational security
  • A.13 Communications security
  • A.14 System acquisition, development, and maintenance

An auditor with a business and management background will focus on: 

  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resources security
  • A.8 Asset management
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

Many controls straddle business and technology (supplier relationships, incident management, and access control, for example), so the auditors need to collaborate on them. The audit team must prepare well before conducting the audit. The Statement of Applicability (SoA) is the central document for conducting the internal audit. The audit team must ensure that all information is available, including previous audit findings, organization procedures, and policies.

The internal audit procedure should define who is responsible for performing the audit, the audit process, and the main rules for performing it, including that auditors must be independent of the area they audit (ISO 27001 requires auditor selection to ensure objectivity and impartiality).

The following documents are needed to handle internal audits:

  • Internal audit procedure
  • Audit program
  • Internal Audit Plan

The audit program defines the series of individual audits; the activities within one audit are defined by the audit plan. The audit program is typically made for one to three years and should state the audit methods used (document review, interviews, observation, testing).

The audit plan should define the details of each audit: scope, dates, auditors, auditees, and the controls covered.

The options to organize the internal audit are:

  • Department by department
  • Clause by clause of the standard
  • Process by process

Prepare an audit checklist and an audit plan based on the documentation review. The plan should include time allocations for each department and the locations you will visit, and should cover meeting auditees, document verification, observation, testing, compiling the report, and follow-up meetings. Develop an in-depth understanding of the requirements in the Statement of Applicability, then communicate the audit plan and objectives to auditees in advance to avoid misunderstandings. The internal audit needs to involve all departments and employees with information security responsibilities, and to check whether staff understand the ISMS security requirements that apply to their work.

Example

The Human Resources department needs to ensure employee confidentiality and follow the ISMS procedures for recruitment screening, contracting, training, disciplinary action, and termination.

The IT teams need to perform backups, apply security measures, and patch systems at the intervals and in the manner the ISMS defines.

Customer services need to maintain customer confidentiality and follow service procedures.

The auditors need to verify that employees clearly understand the purpose of the ISMS and why a task has to be done according to the defined procedure to ensure information security. The audit also needs to find out whether employees need additional training.

Auditing is not a disciplinary process. It must provide constructive feedback to auditees to improve the ISMS. Feedback can be given during or after the meetings, or after compiling the report. Share your findings with the auditees and answer any queries they have about the audit.

Agree on corrective actions, follow-up, and time frames after the audit, and log them so that their effectiveness can be verified later.

For an internal audit of an ISMS seeking ISO 27001 certification, ensure the audit process covers the following activities.

Document review:

Conduct an in-depth document review of your ISMS and become acquainted with the business and security processes. Find out whether the documentation itself has nonconformities against ISO 27001 (for example, a required document that is missing or out of date, or a policy that contradicts the standard).

Create a checklist :

Build the checklist as you conduct the document review. Make sure you understand the organization's policies and procedures, and note specific requirements such as backup intervals and backup responsibilities, because these are what you will later verify against evidence. The compliance audit then follows this checklist.

Your checklist should include:

1. Reference: the policy, standard, or control being checked.

2. What to look for in the verification.

3. How to audit: which locations, which equipment, whom to speak to, questions to ask, records to look for, which process to observe, what records to check, etc.

4. Compliance: yes or no.

5. Findings: names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.

Planning the main audit:

Create a plan to visit departments. Allocate time for meetings and for the focus areas of business functions that have security requirements. List the security controls from the Statement of Applicability that you will audit in each.

Meeting people:

The audit requires you to meet people, observe processes, test them, and verify security controls and records for compliance with ISMS requirements. Ask questions to ensure clarity and understanding. When interviewing employees, speak to a couple of people from the same process to see whether they all perform it the same way. Open-ended questions work better than closed ones. Avoid jargon; use plain language. When selecting record samples, select them yourself, at random, and across different areas, rather than accepting whatever the auditee offers. Make detailed notes of your findings to support a precise report.
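The checklist above and the sampling advice in this section can both be carried into a small script, so that a specific requirement noted during the document review (here, a backup interval) is checked against the evidence record rather than against an interview answer, and so that the records you examine are drawn at random across departments. The following is an added example and not code from the original post: the backup policy section number, the backup job log, and the access request records are constructed for illustration; A.12.3.1 is the ISO 27001:2013 Annex A control for information backup.

```python
"""Turning checklist requirements into evidence checks.

Added example, not code from the original post. The backup policy clause,
the backup job log, and the access request records are constructed here.
"""
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass
class ChecklistItem:
    """One row of the audit checklist: reference, what to look for, how to
    audit, compliance verdict, and the findings that support the verdict."""
    reference: str
    look_for: str
    how: str
    compliant: Optional[bool] = None
    findings: List[str] = field(default_factory=list)


# Constructed backup job log: (job name, completion time, status).
# Assumed policy requirement: a successful backup of every in-scope
# system at least every 24 hours.
BACKUP_LOG: List[Tuple[str, str, str]] = [
    ("fileserver", "2023-03-01T01:05:00", "success"),
    ("fileserver", "2023-03-02T01:04:00", "success"),
    ("fileserver", "2023-03-04T01:07:00", "success"),  # 3 March missing
    ("fileserver", "2023-03-05T01:03:00", "success"),
    ("hr-db", "2023-03-01T02:00:00", "success"),
    ("hr-db", "2023-03-02T02:00:00", "failed"),        # failed, never re-run
    ("hr-db", "2023-03-03T02:00:00", "success"),
    ("hr-db", "2023-03-04T02:00:00", "success"),
    ("hr-db", "2023-03-05T02:00:00", "success"),
]


def check_backup_interval(log, max_gap=timedelta(hours=24),
                          tolerance=timedelta(minutes=30)):
    """Return one finding per failed run and one per gap between successful
    backups of the same job that exceeds max_gap plus a scheduling tolerance."""
    findings = []
    successes = {}
    for job, stamp, status in log:
        when = datetime.fromisoformat(stamp)
        if status != "success":
            findings.append(f"{job}: run at {stamp} ended with status '{status}'")
            continue
        successes.setdefault(job, []).append(when)
    for job in sorted(successes):
        times = sorted(successes[job])
        for earlier, later in zip(times, times[1:]):
            gap = later - earlier
            if gap > max_gap + tolerance:
                findings.append(
                    f"{job}: {gap} between successful backups at "
                    f"{earlier.isoformat()} and {later.isoformat()} exceeds {max_gap}")
    return findings


def audit_backup_item(log):
    """Fill in the checklist row for the backup requirement from the log."""
    item = ChecklistItem(
        reference="Backup policy section 4.2 (assumed) / ISO 27001:2013 A.12.3.1",
        look_for="Successful backup of each in-scope system at least every 24 hours",
        how="Inspect the backup job log for the audited period; interview the operator",
    )
    item.findings = check_backup_interval(log)
    item.compliant = not item.findings
    return item


# Constructed access request records: (record ID, requesting department).
ACCESS_REQUESTS = [
    ("AR-101", "HR"), ("AR-102", "HR"), ("AR-103", "HR"),
    ("AR-104", "IT"), ("AR-105", "IT"),
    ("AR-106", "Finance"),
]


def sample_records(records, group_key: Callable, per_group: int = 2, seed=None):
    """Stratified random sample: draw per_group records from every group, so the
    sample is chosen by the auditor, is random, and covers different areas."""
    rng = random.Random(seed)
    groups = {}
    for record in records:
        groups.setdefault(group_key(record), []).append(record)
    sample = []
    for key in sorted(groups):
        pool = groups[key]
        sample.extend(rng.sample(pool, min(per_group, len(pool))))
    return sample


if __name__ == "__main__":
    item = audit_backup_item(BACKUP_LOG)
    print(f"{item.reference}: compliant={item.compliant}")
    for finding in item.findings:
        print("  -", finding)
    chosen = sample_records(ACCESS_REQUESTS, lambda r: r[1], seed=1)
    print("Records to examine:", [rid for rid, _ in chosen])
```

On the constructed log the backup row comes out non-compliant with three findings (one failed run and two 48-hour gaps), each of which names the job and timestamps so it can be copied straight into the findings column of the checklist. The tolerance parameter exists because a job scheduled daily will drift by minutes; without it, every such run would be flagged and the real gaps would be lost in noise. Pass a fixed seed only when you want to reproduce a sample in the report; for the audit itself leave it unset.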

Audit report:

Your report is the basis for corrective actions to the ISMS. Agree on corrective actions and time frames, which you will follow up on later. Corrective actions must be initiated for every nonconformity identified during the internal audit. The audit results are documented information that ISO 27001 (clause 9.2) requires you to retain as evidence of the audit program and its results.

Follow-up work: 

This involves checking that the corrective actions were implemented and are effective after the audit is completed. A nonconformity is closed only when the auditor has verified the corrective action, and the audit is complete only when all nonconformities are closed.

Corrective Actions:

Before the full solution is implemented, take a correction that contains the problem immediately (for example, running a missed backup manually). A permanent fix requires identifying the root cause of the problem after reviewing all of the symptoms; ISO 27001 distinguishes this corrective action from the immediate correction. Eliminate the root cause to prevent the problem from recurring, and review the effectiveness of the corrective action afterwards.

Niranjan Meegammana 
