BSI training pathway (diagram; recoverable labels only):
• ISEB / IOSH / NEBOSH Qualifications
• BSI Registered Auditor / Lead Auditor
• BSI Lean Six-Sigma Green Belt, Black Belt and Yellow Belt
• BSI Lead Implementer; Management Representative / Project Leaders; Advanced auditing skills
• Conferences and Webinars
• BSI Distance Learning Qualifications
• Understanding Course; Lead Auditor Course; BSI Implementing Course; Lean Practitioner Course
• All Employees: Awareness Briefing or E-Learning Module
Copyright © 2013 BSI. All rights reserved.
Benefits to you!
Welcome!
Activity 1
• Delegate Introductions
10 minutes
Course Aim
Learning Objectives
Course Structure
Materials
• Delegate workbook
• Loan copy of ISO/IEC 27001:2013
Course Format
• Individual assignments
• Group activities
• Classroom discussions
Information Security
• What’s an ISMS?
Information?
Information asset
Storing and communicating information
What is information security?
• Confidentiality
• Integrity
• Availability
Need for internal audit
ISO 27007
• Managing an ISMS
• Managing IS audit programmes
• Conducting ISMS internal and external audits
• Competence of ISMS auditors
Activity 2
10 minutes
Management System Auditing
What is an audit?
• Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (Clause 3.1, BS EN ISO 19011)
Activity 3
• Definition of an audit
10 minutes
Plan, Execute, Report, Close-out/down
PLAN
REPORT
Independent and Documented?
• Independent?
• Can you audit your own work?
• Documented?
• What is a document or ‘documented information’?
• What is a record?
Process?
PROCEDURE (Specified way to safely carry out an activity or process – may be documented or not)
Resources (to enable transformation to occur)
Activity 4
• Process
10 minutes
Audit Process
Audit Criteria (Requirements)
Audit Evidence (Objective)
EVALUATION
Audit Findings
Audit objectives
• Determine
• Evaluate
• Evaluate
• Identify
Activity 5
• Principles of Auditing
10 minutes
Activity 6
15 minutes
Auditor Responsibilities
1. Arrive on time
2. Maintain confidentiality
3. Be objective and ethical
4. Support the audit team and team leader
5. Plan and prepare work documents
6. Inform auditee of the audit process
7. Document and support all findings
8. Keep auditee informed
9. Safeguard all documents
10. Prepare the audit report
The Audit Triangle
Objective Evidence
• By Sight
• By Sound
• Documents and Records
Activity 7
• Audit Process
15 minutes
First, Second & Third-party Certification audits
Audit Process
• Similarities
• 1st, 2nd and 3rd party certification audit
ISO 19011 – Figure 2: Typical Audit Activities
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
• Audit plan
20 minutes
Check Lists
Activity 9
• Check Lists
30 minutes
Effective Communication
Words: 7%
Activity 10
• Opening meeting
15 minutes
The opening meeting
Activity 11
• Conduct an Audit
60 minutes
Evening Work
ISMS Internal Auditor
(ISO 27001:2013)
Day 2
30 minutes
Activity 13
• Work documents
30 minutes
Activity 14
• Conduct an Audit
60 minutes
Nonconformities
“Non-fulfilment of a requirement”
• A non-fulfilment of a specified requirement in …
• The security policy
• The ISO 27001 information security management standard
• The ISMS processes or procedures
• Performance targets for processes or controls (effectiveness)
• Legal or regulatory requirements
Nonconformity (Knowledge)
• Minor
• Major
Activity 15
• Nonconformities
40 minutes
Example nonconformity – good
Nonconformity
(Good Report Example)
Requirement:
Nonconformity finding:
The organisation outsources software development to a 3rd party, but in the SoA (document number ABC 99 version 1.5) the justification for the exclusion of Control A.14.2.7 “Outsourced Development” is missing.
Closing meeting
Audit Report
• Contents
Activity 16
• Audit report
60 minutes
Audit Report
AUDIT REPORT RELEASE
DATE:
REVIEW:
APPROVAL:
Activity 17
• Audit follow-up
10 minutes
Course Review and Final Questions
• Knowledge
• Skills
Contact Information
Address: BSI
Kitemark Court
Davy Avenue, Knowlhill
Milton Keynes, MK5 8PP
United Kingdom