
ADEQUACY AUDIT IN ISMS

What is it
How to benefit from it

01-March-2011

By:
Ros Yusoff

Copyright ARTIO SDN BHD 2011. No part of this document may be reproduced, republished or transmitted without the prior written permission from ARTIO SDN BHD.
Topics for Today (slide 2)

1 What Is It

2 How Do You Benefit From It


Where is Audit Within the PDCA Cycle? (slide 3)

PLAN: Establish ISMS policy, objectives, processes & procedures relevant to managing risk & improving information security (4.2.1)

DO: Implement & operate the ISMS policy, controls, processes & procedures (4.2.2)

CHECK: Assess & measure process performance against ISMS policy, objectives & practical experience & report the results to management for review (4.2.3)

ACT: Take corrective & preventive actions, based on the results of the internal ISMS audit & management review or other relevant information, to achieve continual improvement (4.2.4)

Embedding into the culture (centre of the cycle)


Process Involved (slide 4)

Establish Procedure (slide 5)

Establish and document the procedure

Include purpose & scope

Define the various roles involved

Define the process step by step

Determine the audit reporting method & frequency

Detail the minimum qualifications for the auditors

List the records associated with the procedure

Plan the Audit (slide 6)

Plan your activities

Figure out how and when audits should be done

Select the auditors

Draft / review your detailed checklists

Schedule your audits with the auditees

Clarify scope & method

Document the audit program



Conduct the Audit (slide 7)

Carry out regular internal / adequacy audits

Review the relevant ISMS documents. Below are the documents generally audited:
• Framework & scope documents
• Policy documents
• Risk assessment procedure
• Risk assessment report
• Mapping threats to assets
• Risk treatment and action plan
• Statement of applicability
• BCP, BCP testing procedure & test results
• Metrics
• Procedure & guideline documents



Conduct the Audit, continued (slide 8)

Perform implementation audit
• Audit your organization's ISMS practices against all relevant policies, processes and procedures (Clauses 4 to 8 of ISO 27001)
• Audit your organization's ISMS controls and their objectives (controls within ISO 27002)
• Audit your organization's ISMS practices against all relevant regulations
• Perform user awareness audit
• Perform on-floor audit for physical security
• A technical security assessment is one of the fastest ways to get an overview of gaps (findings) from the technical control point of view

You can re-use the results from your annual independent security assessment



Take Actions (slide 9)

Take remedial actions

Auditees are to eliminate non-conformities and their causes by taking follow-up actions

Auditors are to verify that remedial actions have actually been taken

Auditors are to report the results of verification activities

When is the Best Time to Audit? (slide 10)

The internal ISMS audit (adequacy audit) should be performed at least 2 months before the certification audit by a CB (certification body)

This allows ample time to perform corrective & preventive actions



Risk Based Audit (slide 12)

Since the main aim of internal auditing is to assist the organization in achieving its objectives, a risk-based audit would be beneficial

The simplest way to think about risk-based audit conceptually is to audit the things that really matter to your organization

Results of the audit can then be prioritized based on the criticality & importance of the assets to your organization



Benefits of Audit (slide 13)

We all have to start looking at audit as one of the ways to identify relevant areas that need improvement

Audit is also designed to allow the review of operations or programs to ascertain whether practices are consistent with established objectives and goals, and whether the operations or programs are being carried out as planned
"Unless we learn from history,
we are doomed to repeat it."

THANK YOU!
