The ISMS internal audit :
ISO 27001 Clause 6 sets out the requirement for ISMS internal audits at planned intervals to:
Identify and address non-conformances in the design of the ISMS against ISO 27001 (e.g. as a result of People/Process/Technology/Regulatory change since certification or last audit)
Identify and address non-conformances in the operation of the ISMS against the documented policies, processes, procedures and controls
Identify opportunities for improvement in efficiency and effectiveness of ISMS operation
Form an integral part of the “Plan-Do-Check-Act” continuous improvement cycle required by ISO 27001
Feed into the Management Review process (ISO 27001 Clause 7)
In-house audit challenges :
Unnecessary and unsustainable management overhead, hassle and worry
Objectivity of internal staff may be questionable, especially if the security department audits itself (despite a ‘Chinese walls’ approach)
Impact on the overall effectiveness of the assurance function, as focus is shifted away from high-risk audit areas
Results in the ISMS being a burden rather than a business enabler and risk management instrument
Scheduling and resourcing nightmare – both the business assurance plan and the ISMS audit requirement must be met, often with the same resources
Internal ISMS audit skills shortage and dependency on key individuals
Valuable audit resources tied up in planning, performing and managing ‘routine’ ISMS audits
Our approach :
Our engagement model is flexible to suit your specific ISMS assurance requirements.
You can engage us on an audit-by-audit basis (co-sourcing), or to manage and resource the end-to-end ISMS assurance programme (managed assurance service).
Co-sourcing example:
You decide whether to use internal, CS Risk or mixed resources for your audits.
We operate under your direction in terms of scope and audit process.
Charged at an agreed day rate for the number of CS Risk resources used.
Managed Assurance Service example:
You set the objectives of the assurance programme.
We develop and run your ISMS audit programme on your behalf, tailored to your ISMS, aligned with your security objectives and ISMS scope.
Fixed fee for agreed audit plan plus time and materials for ad-hoc audit work.
The audit approach :
Annual ISMS Audit Plan
  Contains all scheduled and potential audits for the whole calendar year
  Includes internal audits, audits of suppliers, audits to be performed by clients and 3rd-party audits
Audit objective and scope
  Department/section and responsible individuals in charge
  Audit team members; the number of auditors depends on the size of the audit area
  Type of management system to be audited
  Date, place and time of the audit, and distribution date of the audit report
  Ensure the availability of all the resources and other logistics that may be required by the auditor
  Verify the scope of the audit
Audit findings
  Collected through interviews, examination of documents and observation of activities and conditions
  Non-conformance evidence noted along with other objective evidence and observations reflecting the effectiveness of the information security management system
Review and analysis of findings
  Consolidation of findings, including grouping and initial classification
  Interim agreement and clarification of findings with key stakeholders
  Final classification of findings
  Preparation of recommendations and audit report
  Formal report issued to the audit sponsor
Closing meeting attended by the audit team and the auditees
  Auditors report their findings, observations and recommendations
  Resolution of outstanding queries and clarifications
Improvement Plan & Management Review
Why us :
We have the credentials – CISSP, CISM, CISA, ISO27001 Lead Implementer, ISO27001 Lead Auditor
We have a broad background in security, IT, business, audit, compliance and risk management
We have a broad industry background
We are looking to establish our consultancy as a market leader in Information Security compliance – so we will pull out all the stops to deliver compliance
We are committed to high-quality delivery and to providing you with value-for-money services
As a smaller-sized consultancy, we are able to provide very competitive rates and give your business the focus it demands
Our services :
Information security management
Security health checks and risk assessments
ISO27001/ISO27002 compliance
Virtual Information Security Officer (VISO)
Technical security reviews
Penetration testing and vulnerability scanning
Vulnerability management
Employee security awareness training programmes
Data protection
Health checks and risk assessments
Data protection solutions
Employee awareness training programmes
PCI payment card industry compliance
PCI DSS compliance gap analyses
Compliance solutions
Vulnerability scanning (PCI ASV)
Sarbanes-Oxley IT compliance
IT control assessment and design
IT control testing
Compliance programme management
Business continuity management
BCP effectiveness reviews
Business impact assessments
BC strategy and planning support
BS25999 compliance
Outsourced business continuity management (BCM-in-a-box)
IT Audit
Co-sourced IT auditors
Managed IT audit services