You are on page 1of 146

Internal ISMS Auditor Course

COMS Vantage

Committed to Systems

Learning Objectives
To be able to: Have knowledge of concepts of Information & Information Security Management System

Understand the requirements of ISO 27001 : 2005 in auditing terms Understand of Risk Assessment Methodology Plan and conduct an IMS audit Report the audit Undertake audit follow-up activities
Committed to Systems 2

COMS Vantage

Course Content
DAY 1 Concepts and Philosophy of ISMS Framework ISO 27001:2005 Requirements Concepts and Principles of Auditing Audit Planning (Audit Schedule & Audit Checklist)

DAY 2 Audit Execution Audit Reporting (Identification of Non-conformances & Preparing Non-conformance Report) Audit Closing (Verification of Corrective Actions) Examination

COMS Vantage
3

Committed to Systems

Course Structure

Tutorial sessions Practical exercises Quiz Examination

COMS Vantage

Committed to Systems

Concepts and Philosophy of ISMS Framework

COMS Vantage

Committed to Systems

Exercise 1 : ISMS Definition

Complete Exercise 1 on definition of ISMS related terms

COMS Vantage

Committed to Systems

Information
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.

COMS Vantage

Committed to Systems

Types of Information
Internal Information that you would not want your competitors to know Customer/client Information that they would not wish you to divulge Shared Information that may be shared with other trading partners/persons

COMS Vantage

Committed to Systems

Types of Information

Company financial data (business performance) Company business plan & strategies Employee data Credit card and bank account numbers Passwords Designs, patents, technical research Bids for contracts, market research, competitive analysis Intelligence (on criminals, hostile nations, etc) Security information (risk assessment, network diagram, facilities plans)

COMS Vantage

Committed to Systems

Information Lifecycle

Create Store Distribute (to authorized persons) Modify (by authorized persons) Archive Delete (electronic) or Dispose (paper, disk, etc) Information may need protection through its entire lifecycle including deletion or disposal

COMS Vantage

10

Committed to Systems

Information Security
Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation, and reliability may also be managed.

COMS Vantage

11

Committed to Systems

Information Security - a Definition


Information security is preservation of; Confidentiality ensuring that information is available only to those with authorised access Integrity safeguarding the accuracy and completeness of

information and information processing methods & facilities


Availability ensuring authorised users have access to information when required In some organizations integrity and/or availability may be more important than confidentiality COMS Vantage Committed to Systems

Information Security Why?


In todays fast-paced, global business environment, access to information is critical to an organisations success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.

COMS Vantage

Committed to Systems

Information Security Risks


Some categories of risk : Loss Corruption Theft Unauthorized disclosure Accidental disclosure Unauthorized modification Unavailability or denial of service Lack of integrity Intrusion and subversion of system resources

COMS Vantage

14

Committed to Systems

Non IT Information Security Risks

Paper documents: on desks, in waste bins, left on photocopiers Whiteboards and flipcharts Telephone conversations overheard Conversations on public transport Social engineering

COMS Vantage

Committed to Systems

Information Security - Aim


Information Security aims to : To minimize business damage by preventing and minimizing the impact of security incidents Reduce the likelihood of a security incident occurring Prevent information security incident from occurring Detect an incident occurring, or its effect Respond to an event to minimize business damage Ensure Business Continuity Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

COMS Vantage

Committed to Systems

Business Effects of Information Security

Maintain stakeholder confidence in the organization Preserve business position

Ensure business continuity

COMS Vantage

Committed to Systems

Why Are We Here?


Information security management: the key to confidence and trust for business

Customer Requirements

Business Requirements

Government Laws and Regulations

COMS Vantage

Committed to Systems

Interested Parties

IT department Line managers Senior managers Company Boards Government Business and Trading Partners Customers

COMS Vantage

Committed to Systems

Managers Must Understand

Poor information security outcomes are commonly the


result of poor management and not poor technical controls

COMS Vantage

Committed to Systems

Information Security is Not all about Technology


IT Dependent 80% 50% 20% IT Independent 20% Business Service 1 50% Business Service 2 80% Business Service 3

(Source: Office of E-Government. (2002). PowerPoint presentation)

COMS Vantage

Committed to Systems

Information Security Management System


Information Security Management System (ISMS) is : That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security

A management process Not a technological process

COMS Vantage

Committed to Systems

What is an ISMS
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks) Implementation must cover Requirements and policies Planning implementation Implementation and operations Monitoring and reviewing Improving the management system

COMS Vantage

Committed to Systems

Information Security Framework

(Source: Government of Western Australia: Department of Industry and Technology. (2002).


Pamphlet - Managing Risks in the Internet Economy - An Executives Guide. p.5).

COMS Vantage

Committed to Systems

Benefits of an ISMS

An operational framework for operation - Focus on outcomes - Outcomes are predictable Basis for stakeholder trust - The general public - Clients and customers - Business partners, suppliers, service providers & outsources - Line management & senior management
Committed to Systems

COMS Vantage

ISO 27001:2005 Requirements

COMS Vantage

Committed to Systems

26

ISO/IEC 27001:2005
Information Technology Security Techniques Information Security Management Systems Requirements

Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS

Information security is a Management process, more than just IT


ISO 27001 can be used for assessment and certification

COMS Vantage

27

Committed to Systems

ISO/IEC 27002:2005
Information Technology Security Techniques Code of practice for information security management Provides guidance on good practice for Information Security Management Prime objectives A common basis for organisations Confidence in inter-organisational dealings Defines a set of control objectives, controls and implementation guidance It cannot be used for assessment and certification

COMS Vantage

28

Committed to Systems

PDCA model & ISMS Processes


Plan Establish ISMS Do Interested Parties Implement and operate the ISMS Monitor and review the ISMS Check Maintain and improve the ISMS Act Interested Parties

Information security requirements and expectations

Managed Information Security

COMS Vantage

Committed to Systems 29

Clauses within ISO 27001:2005


ISO 27001:2005
0 1 2 3 Introduction Scope Normative references Terms & definitions

Clauses 4 to 8

Annex A Control objectives & controls A.5 to A.15


Annex B OECD principles Annex C Correspondence between standards

COMS Vantage

30

Committed to Systems

Plan - Do - Check - Act Cycle

PDCA model used in the ISO/IEC 27001: 2005


Process approach for Establish ISMS (Plan) Implement and operate ISMS (Do) Monitor and review ISMS (Check) Maintain and improve ISMS (Act)

COMS Vantage

31

Committed to Systems

ISO 27001:2005, Clauses 4 to 8

Clause 4 : Information Security Management System

Clause 5 : Management Responsibility


Clause 6 : Internal ISMS Audits Clause 7 : Management Review of the ISMS Clause 8 : ISMS Improvement Annex A Controls (A.5 to A.15)
32
Committed to Systems

COMS Vantage

Clause 4 - Information Security Management System


4.1 General Requirements
4.2.1 4.2.2
4.2.3 4.2.4

4.2 Establish & Manage ISMS


Establish ISMS Implement & operate ISMS Monitor & review ISMS Maintain & improve ISMS

4.3 Documentation Requirements


4.3.1 General 4.3.2 Document control 4.3.3 Record control

COMS Vantage

33

Committed to Systems

Clause 4.2.1 Establish the ISMS (Plan)

Scope and boundaries Policy - objectives, business and legal or regulatory requirements, strategy, criteria, approved by management

COMS Vantage

34

Committed to Systems

Scope and Boundaries of ISMS


Scope to be described in terms of Characteristics of the business Organization Location Information Assets Technology Boundaries to include interface with Other organisations Third party suppliers Partners Other IT systems COMS Vantage Committed to Systems
35

ISMS Policy
Statement of management commitment & set out organisations approach to managing information security Definition of information security, objectives & scope Statement of management intent, supporting goals & principles Include framework for setting control objectives & controls Brief explanation of security policies, principles and standards Compliance with legislative, regulatory & contractual requirements Security education, training & awareness requirements Business continuity management Consequences of information security policy violations Definition of general & specific responsibilities References to documentation supporting policy Communicated throughout the organisation

COMS Vantage

36

Committed to Systems

Clause 4.2.1 Establish the ISMS (Plan) (cont)


Define the risk assessment approach of the organization Identify risks (assets and owners, threats, vulnerabilities, impacts) Analyse and evaluate the risks Identify and evaluate options for treatment of risks Select control objectives & controls for the treatment of risks (select from Annex A) Obtain management approval of proposed residual risks Obtain management authorization to implement and operate the ISMS Prepare a Statement of Applicability
37
Committed to Systems

COMS Vantage

Risk Assessment Approach

Identify a suitable risk assessment methodology Develop criteria for accepting risks and identify acceptable levels of risk (5.1f) Ensure that risk assessments produce comparable and reproducible results Method is decided by organization and audited against its information security scope, boundaries and policy

COMS Vantage

38

Committed to Systems

Risk Assessment
Risk (and decision on which risks to mitigate with controls) depends on : Asset value Threat Vulnerability Likelihood and frequency of threat exploiting vulnerability Impact on organization of successful exploitation

COMS Vantage

39

Committed to Systems

Asset Identification & Classification


Identify: Assets within the scope of the ISMS (Primary Assets & Supporting Assets) - Documents /Data - Physical/ Hardware - Software - People - Services ( e.g. Lighting, Airconditioning, DG etc) Classification V. Confidential, Confidential, Internal & Public Asset owners & Users

COMS Vantage

40

Committed to Systems

Asset Value
Asset Value : Confidentiality X Integrity X Availability Ranking of Assets done based on Asset Value : Low Medium High Critical

COMS Vantage

41

Committed to Systems

Identification of Threats and Vulnerabilities


Threat Vulnerability A potential cause of an A weakness of an asset or unwanted incident which group of assets, which can may result in harm to a be exploited by a threat. system or organization. e.g. Network failure

A vulnerability in itself does not cause harm, it is merely a condition or set of conditions that may allow a threat to affect an asset . e.g. No system monitoring

Committed to Systems

COMS Vantage

42

Assessment of Threats and Vulnerabilities

Assess the likelihood that combination of threats and vulnerabilities occur

Threats and vulnerabilities may be assessed Separately Together

COMS Vantage

43

Committed to Systems

Security Risk Calculations


Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value

*Impact Value is Impacts that losses of confidentiality, integrity or availability may have on the assets

COMS Vantage

44

Committed to Systems

Identify and Evaluate options for the Treatment of Risks


Manage and treat risks appropriately within business context :

Apply appropriate controls Accept risks Avoid risk Transfer risk

COMS Vantage

45

Committed to Systems

Exercise 2 : Information Risk Assessment

Complete Exercise 2 to test understanding of Information Risk Methodology.

COMS Vantage

Committed to Systems

46

Control Objectives and Controls (Annexure A of ISO 27001:2005)


11 Control Objectives
A.15
Compliance

A.5
Security Policy

A.6
Organisation of Information Security

39 Sub-Control Objectives

A.14
Business Continuity Management Information Security Incident Management Information Systems Acquisition, Development and Maintenance

A.7
Asset Management

133 Controls
Control Objectives and Controls

A.13

Human Resources Security

A.8

Physical and Environmental Security Access Control Communications and Operations Management

A.12

A.9

A.11

A.10
Committed to Systems 47

COMS Vantage

Control Objectives & Controls


(Annexure A of ISO 27001:2005 Standard)
A.5 Security Policy A.5.1 Information Security Policy

A.6 Organization of Information Security A.6.1 Internal organization A.6.2 External parties
A.7 Asset Management A.7.1 Responsibility for assets A.7.2 Information classification A.8 Human Resources Security A.8.1 Prior to employment A.8.2 During employment A.8.3 Termination or change of employment

COMS Vantage

Committed to Systems

Annexure A of ISO 27001:2005 Standard


A.9 Physical and Environmental Security A.9.1 Secure areas A.9.2 Equipment security A.10 Communications and operations management A.10.1 Operational procedures and responsibilities A.10.2 Third party service delivery management A.10.3 System planning and acceptance A.10.4 Protection against malicious and mobile code A.10.5 Back-up A.10.6 Network security management A.10.7 Media handling A.10.8 Exchange of information A.10.9 Electronic commerce services A.10.10 Monitoring

COMS Vantage

Committed to Systems

Annexure A of ISO 27001:2005 Standard


A.11 Access Control A.11.1 Business requirement for access control A.11.2 User access management A.11.3 User responsibility A.11.4 Network access control A.11.5 Operating system access control A.11.6 Application and information access control A.11.7 Mobile computing and teleworking A.12 A.12.1 A.12.2 A.12.3 A.12.4 A.12.5 A.12.6 Information systems acquisition, Development and Maintenance Security requirements of information systems Correct processing in applications Cryptographic controls Security of system files Security in development and support processes Technical vulnerability management
Committed to Systems

COMS Vantage

Annexure A of ISO 27001:2005 Standard


A.13 Information Security Incident Management A.13.1 Reporting information security events and weaknesses A.13.2 Management of information security incidents and improvements A.14 Business Continuity Management A.14.1 Information security aspects of business continuity management A.15 Compliance A.15.1 Compliance with legal requirements A.15.2 Compliance with security policies and standards, and technical compliance A.15.3 Information system audit considerations

COMS Vantage

Committed to Systems

Selection of Security Controls

Additional control objectives and controls organisation might consider that additional control objectives and controls are necessary
Not all the controls will be relevant to every situation Consider local environmental or technological constraints In a form that suits every potential user in an organisation Review controls already in place Remove Improve Implement additional controls

COMS Vantage

52

Committed to Systems

Residual risk
The risk remaining after risk treatment Assess how much controls will reduce risk Reduced residual risk Acceptable or unacceptable Implement more controls May have to accept Obtain Management Approval of proposed residual risk

COMS Vantage

53

Committed to Systems

Statement of Applicability
Definition Documented statement describing the control objectives and controls that are relevant and applicable to the organisations ISMS.
Contents of Statement of Applicability Control objectives and controls selected Reasons for selection Control objectives and controls currently implemented Exclusion of any control objectives and controls to be listed in Annex A and the justification for their exclusion The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.

COMS Vantage

54

Committed to Systems

Statement of Applicability
Why a control has not been fully implemented Risk not justified by risk exposure Budget financial constraints Environment influence on safeguards, climate, space etc Technology some measures are not technically feasible Culture sociological constraints Time some requirements cannot be implemented now. N/A not applicable Others ?

COMS Vantage

55

Committed to Systems

Select Control Objectives and Controls for the Treatment of Risks

Select and implement Control Objectives and Controls To meet requirements identified by risk assessment and risk treatment process Take into account of criteria for accepting risks (4.2.1c) Legal, regulatory and contractual requirements

Control objectives & controls selected from Annex A of ISO 27001:2005


56
Committed to Systems

COMS Vantage

Clause 4.2.2 Implement and operate the ISMS (Do)


Formulate and implement risk treatment plan Implement controls Training and awareness (Also covered in clause 5.2.2) Manage operations & resources Implement procedures

COMS Vantage

57

Committed to Systems

Clause 4.2.3 Monitor and review the ISMS (Check)

Execute monitoring and review procedures and other controls Undertake regular reviews of the effectiveness of the ISMS Measure effectiveness of controls Review risk assessments at planned intervals Review level of residual risk and identified acceptable risk Conduct Internal ISMS Audits at planned intervals (Clause 6) Undertake Management Review of the ISMS (Clause 7) Update security plans Record actions and events
58
Committed to Systems

COMS Vantage

Clause 4.2.4 Maintain and improve the ISMS (Act)

Also covered in Clause 8 Implement the identified improvements in the ISMS Appropriate corrective and preventive action Communicate actions and improvements Ensure improvements achieve their intended objectives

COMS Vantage

59

Committed to Systems

Clause 5 - Management Responsibility


5.1 Management commitment
Management

shall provide evidence of commitment

5.2 Resource management 5.2.1 Provision of resources 5.2.2 Training awareness and competency - employees, people (outside scope) interfacing with company, customers, suppliers/ third party service providers

COMS Vantage

60

Committed to Systems

Training and Awareness


Training is to be provided for : Understanding and complying with the information security policy and objectives Understanding security responsibilities What to do regarding: Reporting security incidents, weaknesses Applying virus protection Doing backups Complying with relevant Local and International legislation Correct use of company equipment Correct use of e-mail and the internet and others COMS Vantage Committed to Systems
61

Monitoring of ISMS
Execute monitoring procedures and other controls: Promptly detect errors Promptly identify attempted and successful security breaches and incidents Security activities delegated to people or implemented by information technology are performing as expected Help detect security events Prevent security incidents Determine whether actions taken to resolve a breach of security were effective

COMS Vantage

62

Committed to Systems

Monitoring of ISMS

Undertake regular reviews of effectiveness of ISMS ISMS policy and objectives Security controls Take into account Security audits Incidents Effective measurements Suggestions and feedback from interested parties Measure the effectiveness of controls Verify security requirements are met
63
Committed to Systems

COMS Vantage

Clause 6 Internal ISM Audits

Conduct internal audits at planned intervals Audit programme planned taking into consideration the status and importance of processes to be audited as well as the result of previous audits Responsibilities for audit planning, conducting and reporting is defined in procedure Auditee is responsible for taking timely corrective action
Committed to Systems

COMS Vantage

64

Clause 7 - Management Review


Undertake planned reviews of effectiveness of ISMS (atleast once a year) Review inputs

ISMS policy and objectives Audit results Suggestions and feedback from interested parties Threats and vulnerabilities not adequately addressed Result from effective measurements Improvement of effectiveness of ISMS Update Risk Assessment & Risk Treatment Plan Modification of procedures & controls Resource needs Improvements in measuring effectiveness of controls
65
Committed to Systems

Review outputs

COMS Vantage

Clause 8 ISMS Improvements


Continual Improvement Corrective Action Preventive Action

COMS Vantage

66

Committed to Systems

Exercise 3: Quiz on ISO 27001:2005

Complete the Quiz on ISO 27001 to test your understanding of the standard.

COMS Vantage

Committed to Systems

67

ISMS Documentation

COMS Vantage

Committed to Systems

68

Documentation Structure
IMS MANUAL (Apex Document) Level - I STANDARD OPERATING PROCEDURE POLICIES CHECKLISTS, GUIDELINES ETC, Level - III FORMATS, Log-Books, Registers Level - IV Dep1 Dep2 Dep3 Dep4 Dep5
Dep6

Level - II

COMS Vantage 10/31/2013

Committed to Systems

ISMS Documentation
The ISMS Documentation includes: Documented statements of a ISMS policy and ISMS objectives Information Security Manual Information Security Risk Assessment Statement of Applicability Information Security Policies Procedures Formats/ Logs/ Records

COMS Vantage
70

Committed to Systems

Concepts & Principles of Auditing

COMS Vantage

Committed to Systems

71

Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled. ISO 9000:2005

COMS Vantage

Committed to Systems

72

Objective Evidence

Data supporting the existence or verity of something ISO 9000:2005 May be obtained through - Records - Observation - Measurement or test - Stated or verbal Can be verified
Committed to Systems

COMS Vantage

73

Specified Requirements

Organization system requirements Manuals Policies & Procedures ISO 27001 standard requirements Legal requirements-statutory, regulatory or industry body

COMS Vantage

Committed to Systems

74

Audit Purpose
To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.

COMS Vantage

Committed to Systems

75

Principles of Auditing
Ethical Conduct Fair Presentation Due Professional Care Independence Trust, integrity, confidentiality, discretion Audit findings and conclusions are accurate and truthful Exercise care according to the confidence placed in them by their clients Competence is essential Auditors are independent of the activities being audited and are free from bias or conflict of interest

Evidence-Based Approach

Conclusions will be objective and based only on audit evidence


Audit evidence is based on samples of information Conclusions are verifiable

COMS Vantage

Committed to Systems COMS

76

Conformity vs. Compliance


Conformity:
Fulfillment of a requirement

Compliance:
Fulfillment of legal/statutory requirements Noncompliance can lead to fines/incarceration Mandatory

Nonconformity can lead to suspension or revocation of registration


Voluntary

COMS Vantage CORPOR ADV


MANAGEMENT

Committed to Systems COMS

77

Types of Audit
Internal External

1st Party

Audit ones own company QMS Audit of a supplier by a customer Audit by an Independent body
Committed to Systems

2nd Party

3rd Party

COMS Vantage

Other Types of Audit

Pre-assessment Certification Surveillance Process Product

COMS Vantage

Committed to Systems

Reasons for Internal Audits

Requirement of all management system standards Source of information for use by management Powerful tool for continual improvement through: Employee involvement Communication Employee awareness, etc.

COMS Vantage

Committed to Systems COMS

80

Benefits of Auditing

Verifies conformity to requirements Increases awareness and understanding Provides a measurement of effectiveness of the system to management Reduces risk of system failure Identifies improvement opportunities Precipitates the corrective action cycle Precipitates the preventive action cycle

COMS Vantage

Committed to Systems

81

Audit Process - Overview


Key Stages in the Internal Auditing process PERC

Planning Execution Reporting

Closing

COMS Vantage

Committed to Systems

82

Audit Planning & Preparation

COMS Vantage

Committed to Systems

83

Audit Planning

Audit Schedule Audit Checklist

COMS Vantage

Committed to Systems

84

Audit Schedule
Audit Schedule is based on : Frequency of audit (as mentioned in procedure) Processes/ area to be audited Duration of audit Qualified internal auditors Audit Team to have applicable technical expertise Independence of audit team (Cross functional audit)

COMS Vantage

Committed to Systems COMS

85

Audit Schedule-1
Processes Marketing J P P P P A F M A M J J A S P P P P O N D

IT Technology
System Administration HR Administration
P = Planned A = Additional

P
P A P P

COMS Vantage

Committed to Systems

86

Audit Schedule - 2
Day 1
Time 1000 1300 1400 - 1700 Processes Software Dev Real Estate Dev BPO Educational Portal Auditors A& B C&D E&F G&H

Day 2
1000 1300 1400 - 1700 Executive Search IT HR Administration I&J K&L M&N O&P

cc : To all Department Heads and Auditors

COMS Vantage

Committed to Systems COMS

87

Checklists
Checklist or Aide Memoir s a systematic set of questions/ prompts about the auditees IMS system, which enable the auditor to maintain a consistent approach, and to ensure that no important points are missed.

A checklist should not be a list of questions to ask the auditee. It is simply a prompt for aspects of the system which require review

COMS Vantage

Committed to Systems

88

Checklists
Checklists may be :

Generic Or

Tailored

COMS Vantage

Committed to Systems

89

Checklists- Benefits
A well constructed aide memoir will help to:

Keep audit objectives clear Provide evidence of audit planning Maintain audit pace and continuity Reduce auditor bias Reduce workload during audit

COMS Vantage

Committed to Systems

90

Checklist Drawbacks
Checklists tend to lose value if they are:

Tick () lists Questionnaires Too focused Inflexible

Prepare them as aides-memoir

COMS Vantage

Committed to Systems

91

Checklists Preparation - Inputs


Company Policies and Procedures Process information Customer requirements Applicable legal requirements Codes of practice Management priorities Previous incidents and accidents Previous audits reports Known problems

COMS Vantage

Committed to Systems

92

Sample Checklist Format


Process/Deptt: Auditor/s: S.No. Auditee: Date: Objective Evidence

Requirements Standard Clause No.

COMS Vantage

Committed to Systems

Exercise 4 : Audit Checklist

In your teams, prepare checklist for an ISMS audit. Checklist may be prepared for your department.

COMS Vantage

Committed to Systems

94

Audit Execution

COMS Vantage

Committed to Systems

95

Audit System

Various roles of an auditor: A catalyst Management instrument An interface with suppliers customers colleagues A consultant (NOT 3rd Party)

COMS Vantage

Committed to Systems

96

Some Attributes of a Good Auditor


Ethical Open minded Diplomatic

Observant Perceptive Selfreliant Tenacious Decisive

Any More?

COMS Vantage

Committed to Systems

97

Auditor Qualification
Auditors must be competent in

Reasoning of nonconformities

Evaluating effectiveness of corrective action

COMS Vantage

Committed to Systems

98

Managing Communications

Put auditee at ease Ask questions and listen Have the appropriate body language Smile and show eye contact Avoid interruptions Avoid sarcastic & condescending remarks Give praise and feedback Acknowledge and show interest Be tactful and polite Show patience and understanding Thank the auditee on completing the audit
Committed to Systems

COMS Vantage

Personality Types

The Everything is Absolutely Fine

Stick to the Bare Facts


Detail, Detail, Detail I Always Have the Right and Best Answer

COMS Vantage

Committed to Systems

Managing Communications

Effective communication Questioning

Listening
Body Language

COMS Vantage

Committed to Systems

101

Resolving Differences

Types of conflict Dealing with conflict

COMS Vantage

Committed to Systems

102

Conduct of the Audit

Meet the auditee

Explain what you want to see


Sampling audit Investigate to the depth necessary No problems found, move on Dont keep on auditing until problems are found
Committed to Systems

COMS Vantage

Sampling
Why ?..............Reduces time and costs

Sample/ sample frame Representative Random Chosen by the auditor Permission sought
Committed to Systems

COMS Vantage

Audit Execution
The Audit Process Gathering information

Validating the findings

Evaluating the findings

COMS Vantage

Committed to Systems

105

Procedure for Gathering Evidence


Question

Check

Observe
Committed to Systems

COMS Vantage

Collecting & Verifying information


Sources of information

Collecting by appropriate sampling and verifying Audit Evidence Evaluating against audit criteria Audit Findings Reviewing

Audit conclusions

COMS Vantage

Committed to Systems

Sources of Information

Interviews Documents (procedures, instructions, specifications, etc) Records Data Summaries (analysis and performance) Reports (customer feedback, supplier ratings) Databases Observations (of activities and conditions)

COMS Vantage

Committed to Systems

Conducting Interviews
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed

May start with asking the auditee to describe the work Avoid misleading questions Listen carefully & make notes Summarize the results of interview & discuss with auditee
Committed to Systems

COMS Vantage

Questions

Open questions - Encourage auditee to speak Probing questions Closed questions Questions should be asked like a funnel starting with open questions and ending with closed questions

COMS Vantage

Committed to Systems

Questioning Techniques

Hypothetical
Obvious Answered Repetitive Non-verbal

COMS Vantage

Committed to Systems

Open Questions
Six friends (To gather information) Who (does it) What (is done) Where (is it done) Why (is it done) When (does it get done) How (is it done; often is it done) And seventh friend (For verification) Show me

COMS Vantage

Committed to Systems

7 Tips for Interviewing

Use appropriate types of question Adopt a logical approach Follow a natural sequence Actively listen to what is being said Use silence appropriately Seek clarification, where necessary Verify responses, where necessary

COMS Vantage

Committed to Systems

Documents

Policy & Objectives Plans Policies and procedures / instructions Specifications/ drawings Contracts/ Orders Licenses/ permits

Review documents which describe activities, plans, controls, Strategies and tests

COMS Vantage

Committed to Systems

Records
Records are evidence of an activity performed Test records Training records Performance monitoring records Audit Report Management Review Minutes of Meetings Non-conformance records Customer Satisfaction records Vendor performance evaluation records and COMS Vantage
Committed to Systems

Observations
Observations of : Activities being performed Housekeeping Condition of infrastructure and hardware Work environment

COMS Vantage

Committed to Systems

Control of the Audit

Checklist is a servant not a master Audit the complete scope If potential audit trails appear, decide: disregard note for later follow up immediately

Might affect the sample size

Might affect the audit programme COMS Vantage Committed to Systems

Notes
Recording the objective evidence: Admissible statements (Quotes and statements) Document / Record numbers and issue/revision levels Identifiers (Product identification) Surroundings Name of auditee or preferably job titles Issues which may impact other functions

COMS Vantage

Committed to Systems

Mental Notes

Workload Employee behaviour Management approach Organization culture Reactions

COMS Vantage

Committed to Systems

Notes

Notes is an evidence of the professionalism of the auditor Evidence of sample size and observation Should be legible & retrievable Shall be an input to the audit report May be used for further investigation & subsequent audits

COMS Vantage

Committed to Systems

Verify Facts

Discuss concerns with auditee Auditee may provide correct information Record all the evidence in detail Establish why a nonconformity or otherwise & who (preferably by job title) Audit focus must be on conformity and effectiveness, not on finding nonconformities

Therefore, auditors must be competent in Reasoning of nonconformities Evaluating effectiveness of corrective action

COMS Vantage

Committed to Systems

Good Practices
Ask the right person - the person with the responsibility for what it is you are auditing Dont talk down or be rude/ sacarstic Ensure questions are clear and understood - avoid jargon, use plain and simple language, rephrase the question if not understood. Do not confuse, ask one question at a time. Allow time for auditee to answer any questions you ask Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence Be polite at all times, regardless of any provocation you may encounter COMS Vantage Committed to Systems

122

Handling Difficult Situations

Time Wasting Descrimination Hostility Avoidance

Undermining Deception Obstruction Usurping Control

Finger - pointing

Flattery

COMS Vantage

Committed to Systems

Audit Reporting

COMS Vantage

Committed to Systems

124

Nonconformity

Non fulfilment of a requirement Specified requirements: Company policies and procedures ISO 27001 standard requirements legal requirements

COMS Vantage

Committed to Systems COMS

125

Nonconformity

The objective of internal audit is to assess the status of the System from the point of view of adequacy of documents (Intent), compliance and effectiveness. Non conformities could arise out of two reasons: - System deficiencies - Human slip ups

Internal audits should be aimed at identifying system deficiencies COMS Vantage


Committed to Systems COMS

126

Reporting Categories
Categories such as Non-conformance or Noncompliance represent a non-fulfilment of a specified requirement, and for many organisations are given the highest priority when determining corrective actions.

A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.

COMS Vantage

Committed to Systems

Minor Non-conformance

Violation or failure to meet a requirement of the standard Any minor lapse in the system Examples - Training not planned for two employees from Customer Care Department - Background verification not done for x,y & z employee prior to hiring

COMS Vantage

Committed to Systems

Major Non-conformity

Complete absence or total breakdown of any clause of the standard(s) Complete non-compliance of company policy or procedure Non-compliance of legislative requirement A number of nonconformities leading to system breakdown Examples - Management Review has not been conducted since more than a year. - Information Security Policy not defined

COMS Vantage

Committed to Systems

Consider the Seriousness


Three questions to be answered 1. What could go wrong if the nonconformity remains uncorrected? 2. What is the likelihood of such a thing going wrong? 3. How likely is it to be detected if it did go wrong? A nonconformity with moderate consequences but High probability could be a Major

A nonconformity with serious consequences but with negligible probability could be a Minor COMS Vantage
Committed to Systems 130

Observation
Observation or Opportunity for Improvement (OFI) is a situation where there is a weakness where there is not enough evidence for a nonconformity/issue, but if allowed to remain, could result in a nonconformity/issue

COMS Vantage

131

Committed to Systems

Exercise 5 : Identifying Non-conformances


10 statement were presented by an audit team. Identify if there is a non-conformance. If yes, identify the ISO 27001:2005 Clause / Control Objective Number . If no, then state what further action should be taken by the auditor

COMS Vantage

Committed to Systems

132

Writing Statements of Nonconformity

Objective Evidence

Deficiency Statement

Reference

Explanation

COMS Vantage

Committed to Systems

Writing Statements of Nonconformity

Use auditees terminology Make it retrievable Must be factual Make it complete

Make it concise

COMS Vantage

Committed to Systems

134

Nonconformity Statement (1)


Procedure KCL-Pl-15 requires that access to server room is only to 2 System Administrators and the IT Head. If required others could access along with the 3 persons with authorised access and they were to enter in the Entry Log Register. The auditor entered the server room with the System Administrator, however no entry was made in the Entry Log Register. Nonconformity to Procedure KCL-15 and ISO 27001:2005 clause A.9.1.5

COMS Vantage

Committed to Systems

135

Nonconformity Statement (2)


Policy for Compliance states that that no software, unless provided by corporate IT, must be loaded onto the network without the prior permission of the IT manager SW department were currently using a new data analysis tool which was sent to them direct from the developers after their agreement to take part in the testing of the new tool in return for a free copy of the finished product. Nonconformity to Policy for Compliance and ISO 27001, Control 15.1

COMS Vantage

Committed to Systems

136

Ethos of Auditing

Positive approach Aim to help improve system

Dont look for blame


Aid identification of solutions

COMS Vantage

Committed to Systems

137

Audit Report

Date Process/Area of Audit Auditor(s) Auditee NCR Root cause Proposed Corrective Action Corrective Action taken Verification of effectiveness of corrective action Review

COMS Vantage

Committed to Systems

Reporting
After Audit Report is generated , Auditor Submits report to auditee Gets auditee to agree on nonconformance Agrees dates for corrective action Ensures that action is taken effectively

COMS Vantage

139

Committed to Systems

Exercise 6 : Nonconformance Report

Write the nonconformance report for any nonconformance in Exercise 5

COMS Vantage

Committed to Systems

140

Audit Closing

COMS Vantage

Committed to Systems

141

Conducting Audit Follow-up


The auditor is responsible for : Identifying the nonconformance and Closing the nonconformance

COMS Vantage

Committed to Systems

142

Conducting Audit Follow-Up


At the conclusion of the follow up audit, the auditor must make a conclusion as to the completion and effectiveness of the previously proposed corrective actions :

Has the action been taken and has it been effective?


Has the action not been taken or is it incomplete? Has the action been taken but is ineffective?

COMS Vantage

Committed to Systems

143

Follow-up Action
Receive NCR

Auditee Auditee Auditee Auditor Auditee Auditee Auditee Auditee Auditor

Records made of all actions taken

Identify Root Cause Corrective action plan prepared Evaluates response Implements plan Evaluates effectiveness Revises plan if necessary Documents the changes Verifies implementation & effectiveness

COMS Vantage

Committed to Systems

Exercise 7 : Corrective Action

Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.

COMS Vantage

Committed to Systems

145

Thank You
Working Together For Better Environment.

COMS Vantage

Committed to Systems

146