ISO 27001-2005 Internal Audit Course

1
Information Security
Management System
ISO/IEC 27001:2005
Internal Audit
MANAGEMENT SYSTEM
INTERNAL AUDIT FOR
ISO/IEC 27001:2005
Topics
3
ISO/IEC 27007:2011 and 27008:2011
What is Audit?
Why Audit is Important?
What Makes Meaningful Audit?
What Types of Audit are there?
Outcome of Internal Audit Reports
Auditor Attributes
Auditor Responsibilities
The Audit Planning Process
Initiating the Audit
Topics
4
(Cont.)
Planning Output
Guidance When Conducting an Audit
Conducting Audit
How to Conduct an Audit
Why Checklist?
Questioning Techniques
Audit Evidence
Taking Notes
Topics
5
(Cont.)
Effective Communication
Audit Reporting and Follow-up
Conformity vs. Non-Conformity
What key things to look for and where?
Audit Report
Items shouldnt be included in the report
Following Up
ISO/IEC 19011:2011
ISO/IEC 27007:2011
6
ISO/IEC 27007 is part of a growing family of ISO/IEC Information

Security Management System (ISMS) standards, the 'ISO/IEC 27000
series'.
Its current title is Information technology -- Security techniques -Guidelines for Information security management systems auditing.
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO
standard for auditing quality and environmental management systems management systems of course being the common factor linking it to
the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC 27007:2011
7
ISO/IEC 27007 will provide guidance for those auditing ISMSs for
various purposes other than certified compliance with ISO/IEC 27001
(which is covered by ISO/IEC 27006), purposes such as:
Internal auditing, for example for IT auditors to confirm that an

organization's information security controls adequately mitigate its
information security risks
External auditing, including IT audits conducted as part of financial

audits
ISO/IEC 27007:2011 Structure

8
The standard covers the ISMS-specific aspects of compliance auditing:
Managing the ISMS audit program (determining what to audit, when

and how; assigning appropriate auditors; managing audit risks;
maintaining audit records; continuous process improvement)
Performing an ISMS MS audit (audit process - planning, conduct,

key audit activities including fieldwork, analysis, reporting and
follow-ups)
Managing ISMS auditors (competencies, skills, attributes,

evaluation)
ISO/IEC 27008:2011
9
This standard (actually a technical report) on technical auditing

complements ISO/IEC 27007. It concentrates on auditing the
information security controls, whereas 27007 concentrates on auditing
the management system elements of the ISMS.
Its current title is Information technology Security techniques

Guidelines for auditors on information security management systems
controls
ISO/IEC 27008:2011
10
This standard provides guidance for all auditors regarding information

security management systems controls selected through a risk-based
approach (e.g. as presented in a statement of applicability) for
information security management. It supports the information security
risk management process and internal, external and third-party audits
of an ISMS by explaining the relationship between the ISMS and its
supporting controls. It provides guidance on how to verify the extent to
which required ISMS controls are implemented. Furthermore, it
supports any organization using ISO/IEC 27001 and ISO/IEC 27002 to
satisfy assurance requirements, and as a strategic platform for
information security governance.
ISO/IEC 27008:2011
11
The standard:
Is applicable to all organizations, including public and private

companies, government entities and not-for-profit organizations and
organizations of all sizes regardless of the extent of their reliance on
information
Supports planning and execution of ISMS audits and the information

security risk management process
ISO/IEC 27008:2011
12
(Cont.)
Further adds value and enhances the quality and benefit of the
ISO27k standards by closing the gap between reviewing the ISMS
in theory and, when needed, verifying evidence of implemented
ISMS controls (e.g. in the ISO27k user organizations, assessing
security elements of business processes, IT systems and IT
operating environments)
Provides guidance for auditing information security controls based

on the controls guidance in ISO/IEC 27002
ISO/IEC 27008:2011
13
(Cont.)
Improves ISMS audits by optimizing the relationships between the

ISMS processes and required controls
Supports an ISMS-based assurance and information security

governance approach and audit thereof
Ensures effective and efficient use of audit resources.
ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

14
Whereas ISO/IEC 27007 focuses on auditing the management system

elements of an ISMS as described in ISO/IEC 27001, ISO/IEC 27008
focuses on checking some of the information security controls
themselves, such as (for example) those as described in ISO/IEC
27002 and outlined in Annex A of ISO/IEC 27001.
ISO/IEC 27008 focuses on reviews of information security controls,
including checking of technical compliance, against an information
security implementation standard, which is established by the
organization. It does not intend to provide any specific guidance on
compliance checking regarding measurement, risk assessment or audit
of an ISMS as specified in ISO/IEC 27004, 27005 or 27007
respectively.
ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

15
Technical compliance checking/auditing is explained as a process of

examining technical security controls, interviewing those associated
with the controls (managers, technicians, users etc.), and testing the
controls. The methods should be familiar to experienced IT auditors.
Technical controls, while not explicitly defined in the standard, appear

to be what are commonly known as IT security controls, in other words
a subset of the information security controls described in ISO/IEC
27001 and especially 27002.
What is Audit?
16
Definition:
A Systematic, independent and documented process for obtaining

audit evidence and evaluating it to determine the extent to which the
management system audit criteria set by the organization are fulfilled."
Why Audit is Important?

17
To ensure conformance with requirements
To determine the effectiveness of Management System
To detect and correct non-conformities
To identify training needs
To highlight strengths as well as weaknesses
What Makes Meaningful Audit?

18
Good planning.
Cooperation and honest answers.
Full report of auditing.
Competence of the auditor.
Communicational skills.
Time management.
Follow up.

19
First party audit
Second party audit

3
Third party/external audit

20
First Party: An audit by the organization of its own systems and

procedures. (Internal Audit/Self inspection)
Second Party: An audit conducted by its supplier/customer or an

audit/consultant agency.
Third Party/External: An audit by a certification body which is

commercially and contractually independent of the organization, its
suppliers and customers.
Outcome of Internal Audit Reports

21
Non conformity :
Non fulfillment of a
requirement
Corrective action:
Action to eliminate the cause of
detected nonconformity
Preventive action:
Action to eliminate the cause of
potential nonconformity
22
Audit Criteria :
Set of policies, procedures or

requirements used as a reference
against which audit evidence is
compared.
Audit Evidence :
Records, statements of fact or other

information, which are relevant to the
audit criteria and verifiable.
Audit findings :
results of the evaluation of the

collected audit evidence against
audit criteria
Auditor :
23
person with competence to conduct an

audit
Audit Scope :
extent and boundaries of an audit; generally
includes a description of the physical locations,
organizational units, activities and processes, as well
as the time period covered.
Audit Plan:
description of the activities and
arrangements for an audit
Auditee:
organization being audited
Auditor Attributes
24
Open minded.
Diplomacy.
Decisive.
Firm.
Fair.
Patient.
Cooperating.
Able to analyze complex situations.
Auditor Attributes
25
Auditor should remain polite, calm and professional at all time.
Familiar with the purpose/scope
Listen to others
Speak clearly and carefully
Stay within the audit scope.
Communicate the audit requirements.
Collect evidence (for and against)
Document non-compliances.
Verify the corrective actions/compliances
Give compliments/Appreciate for good things
Auditor Responsibilities
26
Complying with the audit requirement (e.g. remaining in scope, time

management).
Planning and performing audit activities.
Reporting audit findings.
Verifying the effectiveness of corrective action .
Auditee Responsibilities
27
Informing employees about the objectives and scope of the audit.
Providing facilities needed by the audit team.
Appointing responsible staff to accompany members of the audit

team to act as guides.
Co-operating with the auditor.
Ensuring auditors are aware of health and safety requirement.
28
The Audit Planning Process

29
Initiate
Research
Prepare
plan
Communicate
Initiating the Audit

30
Define the audit objectives, scope and criteria.
Determine the time scale for the audit.
Initial contact with the auditee- establish communication, timing,

request access to any documentation, confirm plan.
Research, particularly if the site has not been visited before.
Review the processes associated with the site .
Planning Output
31
Information about auditee.
Checklist.
Audit Plan.
Understanding of the audit criteria.
Guidance When Conducting an Audit

32
Auditing should be seen as a positive process not a fault finding.
Audits need to be documented.
Prior to the audit date, an auditor needs to review the system

documentation, corrective and preventive actions, and develop a
checklist.
During an audit, an auditor need to see evidence that the processes

are being done in accordance to procedures and policies.
Conducting Audit
33
Obtaining Information by:
Interviewing people
Examining documents and records
Observing activities and conditions
How to Conduct an Audit

34
Refer to
check list
Ask open
ended
question
(how,
when,
where,
what,
who).
Take
notes.
Examine
evidence.
Why Checklist?
35
Focus the auditor.
Ensure issues are not forgotten.
Assist with reporting.
Help with time keeping.
Now prepare a checklist as an exercise!
Questioning Techniques
36
The funnel technique:

i.
Open Questions
ii.
Probing Questions
iii.
Closed Questions
Audit Evidence
37
Record or Document
Physical Entity
Condition
Verbal Statement
Taking Notes
38
Record objective evidence for reporting. All necessary facts should

be recorded.
If there is a need to follow-up an another issue later during the audit.
To record the details of the samples taken, including references to

procedures.
To record that an area has been covered.
39
Effective communication is vital in an audit scenario. Verbal and

non-verbal communication must be considered
(it is not logical- it is psychological- it is what we do to give and get
understanding)
Rapport:
Voice, language, appearance/clothing, gesture, posture and
expression
40
(Cont.)
Active listening (means showing you are listening)
Keep eye-contact, show open body language (the impact of the

spoken message is 7% verbal, 30% vocal and 55% facial)
Use commenting words
Audit Reporting and Follow-up

41
Audit findings:
Observations:
Nonconformities
Potential problem, ineffectiveness, inefficiencies
Noteworthy efforts:
High level of commitment and motivation
Adoption of best practice.
What is Non-Conformity?
42
Non-Conformity is the non-fulfilment of a requirement
Conditions of a contract
ISMS Standard
ISMS Control
Legal or regulatory requirement
Non-Conformity explained
43
There will be a non-conformity for one three reasons:

a)
the process does not comply with the requirements of the standard;
b)
the process has not been put into practice is the way the procedure
describes;
c)
the practice (what is actually being done) is not effective, i.e. the
required objective is not achieved.
Magnitude of Non-Conformity
44
Conformity:
What exists, is what should be.
(Major) Non-Conformity:
What exists, is significantly different than what should be.
Minor Non-Conformity:
There are minor differences between what exists and what should
be.
Major vs. Minor Non-Conformity

45
Major and minor nonconformities (as separate categories) are

generally used only in certification audits (not so often in internal
audits), and the main purpose is the following: if the auditor raises a
major nonconformity, a company cannot get certified.
What is considered to be a major nonconformity?
If a company completely failed to fulfill a certain requirement

e.g., it didnt perform management review at all, although this
was required by the standard.

46
If your process has completely fallen apart e.g., your

procedure required you to perform backup once a day, whereas
the backup was performed only a couple of times per month,
randomly.
If a certification mark is misused e.g., you claim to your

customers that your product is ISO certified (certification of ISO
management standards covers only the processes and
management systems, not the products themselves).

47
If a minor nonconformity, raised during the previous audit, has

not been resolved within the deadline such a small
nonconformity automatically becomes a major one.
If you have several minor nonconformities that are related to the

same process or to the same element of your management
system e.g., you have several minor nonconformities related
to your Human resources department: some of the training
records are missing, not all employees are trained as they
should be, some of the employment records are missing, etc.
this becomes a major nonconformity because there is obviously
something very wrong with this department.
Nonconformity exists only if there is
Requirem
ent
48
Failure
Evidence
NC=R+F+E
What key things to look for and where?

49
Tasks: work methods defined, efficiency
People:
Equipment, Work Environment:
training, skills, competence and motivation
identification, capability, condition, safety, sanitation
Documents / Records:
identification, issue, content, correctness and distribution
retention, preservation, legibility, accessibility
Audit Report
50
Objectives
Audit scope
Identification of audit team
Date and place where the on-site audit activities were conducted
Audit criteria as findings
Reference documents against which the audit performed
Conclusions
Items shouldnt be included in the report

51
Politically sensitive issues that bear no relevance to conclusions of

the audit
Items not in the scope of the audit
Items not mentioned or discussed during the audit
Following Up
52
FOLLOW UP is the term given to the actions of verifying and

assessing the effectiveness of corrective and preventive actions
resulting from an audit.
53
ISO/IEC 19011:2011
GUIDELINES FOR AUDITING
MANAGEMENT SYSTEMS
ISO 19011:2011
54
Is a management system auditing standard.
To carry out first or second party audits.
Can be used to:
establish an audit program.
to enhance the effectiveness of an existing program
to improve auditing practices and processes
Primarily proposed for auditing management systems based on

ISO/IEC 9000 and ISO/IEC 14000 group of standards, but later
expanded to all management systems like ISO/IEC 27000
ISO 19011:2011 Explained: Audit Principles

55
A. Have integrity and be professional.

Comply with all applicable legal requirements.
Withstand the pressures that may be exerted and the
influences that may affect your professional judgment.
B. Present fair and truthful results.
Make sure that audit results are fairly presented.
Make sure that important concerns are reported.
C. Exercise due professional care.
Perform auditing tasks with due care and diligence.
Make reasoned judgments in all audit situations.
ISO 19011:2011 Explained: Audit Principles

56
D. Care about confidentiality.

Care about confidentiality and information security.
Handle information with due care and discretion.
Protect information that is sensitive or confidential.
E. Be independent and impartial.
Be independent of the activities being audited.
Be impartial and always be free of bias.
F. Use an evidence-based approach.
Use an evidence-based approach to reach reliable and
reproducible audit conclusions.
ISO 19011:2011 Explained: Audit Program

57
5.1. Create your audit program.

Establish a management system audit program.
Use your audit program to evaluate the overall effectiveness of your
auditees management systems.
Monitor and measure the implementation of your management
system audit program.
Review your management system audit program in order to identify
possible improvements.

58
5.2. Set your program objectives.

Ensure that audit program objectives are established.
Make sure that your audit program objectives support and are
consistent with management system objectives.
Consider all relevant information when you establish your audit
program objectives.
Use program objectives to ensure that your audit program is
implemented and applied effectively.
Use program objectives to direct audit planning.
Use program objectives to direct audit activities.

59
5.3. Establish your audit program.

5.3.1. Perform audit program management tasks.
Clarify the extent of your audit program.

Define auditors roles and responsibilities.
Develop procedures to manage audit program.
Determine the resources that the program needs.
Implement and apply your audit program.
Establish records for your audit program.
Monitor your management system audit program.
Review your management system audit program.
Improve your management system audit program.
Discuss your audit program with top management.

60

5.3.2. Clarify managers competence requirements.
Make sure that your audit manager is competent.
Make sure that audit manager has the competence to manage the
program efficiently and effectively.
Make sure that your audit manager has the appropriate specialized
knowledge and skills.
Ensure that audit manager continues to be competent.
Ensure that audit manager continues to carry out appropriate
professional development activities.

61

5.3.3. Specify the extent of your audit program.
Establish the extent of your management system audit program (its
focus and reach).
Consider the nature of your audits.
Consider the nature of your audit criteria.
Consider the nature of the auditee organization.
Consider the nature of the systems being audited.
Consider the nature and results of previous reviews.

62

5.3.4. Consider potential audit program risks.
Consider the risks that could potentially affect the achievement of
your audit program objectives.
Identify and evaluate program planning risks.
Identify and evaluate program resource risks.
Identify and evaluate program staffing risks.
Identify and evaluate program implementation risks.
Identify and evaluate program record keeping risks.
Identify and evaluate program monitoring risks.
Identify and evaluate program review risks.

63

5.3.5. Develop procedures to manage program.
Establish procedures to manage and control your management
system audit program.
Use procedures to manage and control your management system
audit program.

64

5.3.6. Identify program resource requirements.
Identify financial resource requirements.

Identify methodological resource requirements.
Identify technological resource requirements.
Identify human resource requirements.

65
5.4. Implement your audit program.

5.4.1. Apply your unique audit program.
Communicate and share pertinent information about the audit
program with all relevant parties.
Define objectives for each individual audit.
Coordinate and control audit program activities.
Appoint competent audit team members.
Provide needed resources to audit teams.

66

5.4.2. Define the focus of each individual audit.
Define and document the objectives that each individual audit
should achieve.
Define and document the scope of each audit.
Define and document the criteria that individual audits use to assess
conformity.

67

5.4.3. Select methods for each individual audit.
Select and determine the methods that should be used to conduct
audits.
Make sure that all audit managers agree on audit methods
whenever two or more auditing organizations need to conduct a joint
audit of the same auditee.

68

5.4.4. Appoint personnel for each individual audit.
Appoint audit team members for each separate audit.
Appoint an audit team leader for each separate audit.
Appoint technical experts for each separate audit.

69

5.4.5. Assign responsibility for individual audits.
Assign responsibility for an individual audit to a specific audit team
leader.
Give the audit team leader enough time to plan the audit whenever
audit assignments are allocated.
Give the audit team leader the information that he or she needs in
order to carry out the audit.

70

5.4.6. Manage your audit program outcomes.
Ensure that audit program outcomes are managed efficiently and
effectively.
Ensure that audit findings are evaluated.
Ensure that root cause analyses are reviewed.
Ensure that remedial actions are reviewed.
Ensure that audit reports are reviewed.

71

5.4.7. Establish and maintain audit records.
Ensure that audit program records are established and maintained.
Ensure that a record of each individual audit is established and
maintained.
Ensure that audit personnel records are established and
maintained.

72
5.5. Monitor and modify your program.

Monitor the implementation of your program.
Modify your audit program whenever evidence indicates that change
is required.

73
5.6. Review and improve your program.

Review your management system audit program.
Summarize your results and report to top management.
Improve your management system audit program.
ISO 19011:2011 Explained: Audit Activities

74
6.1. Manage your audit activities.

Perform audit activities that comply with your management system
audit program.
6.2. Initiate your audit activities.
6.2.1. Conduct and control audit activities.
Make sure that an audit team leader is appointed for each individual
audit.
Make sure that audit team leaders initiate management system
audits.

75
6.2. Initiate your audit activities.

6.2.2. Establish initial contact with auditee.
Establish communications with the auditee.

Confirm your agreement with the auditee.
Share information with the auditee.
Gather information about the auditee.
Request access to documents and records.
Make arrangements to conduct the audit.

76
6.3. Get ready for your audit.

6.3.1. Perform document review.
Select management system documentation for review.

Review auditees management system documents.
Gather information to prepare for audit activities.
Establish an overview of system documentation.

77

6.3.2. Develop your audit plan.
6.3.2.1 Study source documents.
Allocate audit planning responsibility to team leader.
Consider how you plan to conduct your audit.
Think about how you intend to use your audit plan.
6.3.2.2 Prepare official audit plan.
Prepare your management system audit plan.
Discuss your audit plan with the audit client.
Present your audit plan to the auditee.

78

6.3.3. Assign work to audit team members.
Consult with audit team members before assigning roles and
responsibilities.
Assign roles and responsibilities to each auditor.
Hold team meetings or briefings whenever work assignments need
to be changed or reallocated.

79

6.3.4. Prepare audit working papers.
Prepare appropriate audit working papers.

Use working papers to collect audit information.
Control your audit working papers and records.
Review your audit working papers and records.

80
6.4. Carry out your audit.

6.4.1. Establish audit sequence.
Conduct your opening audit meeting.

Review auditees documents during your audit.
Communicate with participants during the audit.
Assign responsibilities to guides and observers.
Collect and verify information during the audit.
Develop and document your audit findings.
Discuss and prepare audit conclusions.
Present audit findings and conclusions.

81

6.4.2. Conduct opening meeting.
Plan your opening meeting.
Hold your opening meeting.
Introduce all participants.
Discuss communication channels.
Describe how the audit will be conducted.
Clarify your approach to risk management.
Explain how audit findings will be reported.
Confirm that support services will be available.
Specify the conditions that could cause the premature termination of
the audit.
Identify feedback systems that the auditee could use to file a
complaint or issue an appeal.

82

6.4.3. Perform document review.
Review relevant documents provided by the auditee.

Decide whether or not documents are adequate.
Use document review to gather relevant information.
Consider reviewing documents throughout the audit.
6.4.4. Communicate during audit.

Consider establishing formal communication arrangements that can
be used during the audit.
Communicate with audit team members.
Communicate with the auditee and the audit client.
Communicate with external agencies (as required).

83

6.4.5. Assign guides and observers.
Consider asking or allowing guides and observers to accompany
your audit team.
Assign roles and responsibilities to your audit guides and observers.
6.4.6. Collect and verify information.
Select your information gathering methods.

Collect information to support your audit findings.
Record evidence used to establish audit findings.
Address unusual evidence discovered during audit.

84

6.4.7. Generate your audit findings.
Establish audit findings by evaluating your audit evidence and
comparing it with your audit criteria.
Discuss your audit findings with audit team members whenever
necessary or appropriate.
6.4.8. Prepare your audit conclusions.
Review audit findings and other related information.

Discuss and consider your audit conclusions.
Formulate and document your audit conclusions.
Prepare recommendations (if audit plan requires it).
Consider audit follow-up (whenever this is applicable).

85

6.4.9. Present findings and conclusions.
Plan your closing meeting.

Hold your closing meeting.
Explain your audit methods.
Present your audit findings.
Describe your audit conclusions.
Make your recommendations (if appropriate).
Discuss diverging opinions (if any).
Develop a post-audit action plan.

86
6.5. Report your audit results.

6.5.1. Prepare your audit report.
Consider reporting options and plan your audit report.

Prepare your management system audit report.
Include or refer to your audit objectives.
Specify or refer to the scope of your audit.
Identify or refer to sponsors and participants.
Mention or refer to your audit agenda.
Discuss or reference your audit criteria.
Present or refer to your audit findings.
Document or refer to your audit conclusions.

87
6.5. Report your audit results.

6.5.2. Distribute your audit report.
Finalize your management system audit report in accordance with
your audit program procedures.
Distribute your management system audit report in accordance with
your audit procedures or audit plan.
6.6. Complete your audit.
Verify that your audit has been completed.
Protect all audit documents and related information.
Keep a record of lessons learned during the audit.

88
6.7. Follow-up on your audit.

Consider whether remedial actions should be taken.
Ask auditee to provide remedial action status reports.
Verify that remedial actions were actually taken.
ISO 19011:2011 Exp.: Auditor Competence

89
7.1. Establish an auditor evaluation process.
Develop a process to evaluate audit team members.

Plan the evaluation of your audit team members.
Evaluate the competence of audit team members.
Maintain the competence of audit team members.
Improve the competence of audit team members.

90
7.2. Define auditor competence requirements.

7.2.1. Consider the work that auditors need to do.
Consider the work your auditors are expected to do when you think
about the knowledge and skill they should have.
Consider the nature of your audit program.
Consider the organizations to be audited
Consider the management systems to be audited.
Consider the requirements that must be met.

91
7.2.2. Be a professional and have good character.

Behave in a professional manner and exhibit good character
whenever you're acting as an auditor.
Be ethical (be truthful and honest).
Be versatile (be adaptable and flexible).
Be perceptive (be attentive and watchful).
Be receptive (be willing to learn and improve).
Be observant (be aware of your surroundings).
Be collaborative (be capable of working with others).
Be open-minded (be willing to consider alternatives).
Be decisive (be able to draw timely conclusions).
Be tenacious (be persistent and focused).
Be self-reliant (be able to act independently).
Be diplomatic (be tactful and try to be discreet).
Be respectful (be sensitive to the auditee's culture).

92

7.2.3. Possess appropriate knowledge and skills.
7.2.3.1 Possess knowledge needed to achieve results.
Possess the knowledge and skill that you need in order to be able to
achieve intended audit results.
Possess the knowledge and skill that you need in order to provide
leadership to your audit team.

93

7.2.3.2 Possess necessary generic knowledge and skills.
A. Have generic auditing knowledge and skills.
Possess the knowledge and skill that you need in order to ensure
that your audits are conducted in a systematic and consistent
manner.
Be able to plan audits and organize work.
Be able to collect appropriate information.
Be able to prioritize and focus on important matters.

94
(Cont.)
Be able to understand and use auditing knowledge.

Be able to understand and consider expert opinion.
Be able to verify accuracy of information collected.
Be able to use working papers to record activities.
Be able to evaluate the adequacy of audit evidence.
Be able to meet confidentiality and security needs.
Be able to document findings and conclusions.
Be able to communicate clearly and effectively.
Be able to stay on schedule and finish on time.
Be able to prepare appropriate audit reports.
Be able to comprehend auditing risks.

95

B. Have management system knowledge and skills.
Possess the knowledge and skill that will ensure that you
comprehend your audit scope and apply your audit criteria.
Understand and know how to use audit criteria.
Understand how management system standards have been applied
by organizations in general.
Understand management system components and how they interact
with one another.
Understand all relevant reference documents.

96

C. Have organizational knowledge and skills.
Possess the knowledge and skill that will ensure that you
comprehend the auditee organization's structure, business, and
management practices.
Understand organizational types and functions.
Understand general business concepts and terms.
Understand cultural and social characteristics.

97

D. Have relevant legal knowledge and skills.
Possess the knowledge and skill that will ensure that you are aware
of, and will comply with, the auditee organization's legal and
contractual requirements.
Understand relevant legal jurisdictions.
Understand relevant governing agencies.
Understand relevant legal concepts.
Understand relevant laws and regulations.

98

7.2.3.3 Possess specialized auditing knowledge and skills.
Possess the discipline-specific and sector-specific knowledge and
skill that you need in order to be able to audit specialized
management systems and sectors, to evaluate auditees' activities,
processes, and products, and to generate appropriate audit findings
and reach valid conclusions.
Understand management system concepts.
Understand legal requirements and obligations.
Understand the expectations of interested parties.
Understand discipline-specific fundamentals.
Understand risk management methodologies.

99

7.2.3.4 Possess team leadership knowledge and skills.
Possess the additional management and leadership knowledge and
skill that is needed in order to be able to ensure that audit teams are
efficient and effective.
Understand how to manage the audit process.
Understand how to communicate with people.
Understand how to balance the strengths and weaknesses of
individual audit team members.

100
(Cont.)
Understand how to develop harmonious working relationships
amongst audit team members.
Understand how to help audit team members reach reliable audit
conclusions.
Understand how to prepare and complete accurate, clear, and
concise audit reports.

101

7.2.3.5 Possess multidisciplinary knowledge and skills.
Possess the discipline-specific competence that you need in order
to be able to audit multiple management systems that involve
multiple disciplines.
Possess the competence needed to audit at least one of the
management systems and understand how the various
management systems interact.

102

7.2.4. Get appropriate auditing knowledge and skills.
Use formal education to acquire needed sector-specific and
discipline-specific management system knowledge and skill.
Use practical training services to acquire the appropriate auditing
knowledge and skill.
Use work experience to acquire general technical, managerial, and
professional knowledge and skill.

103

7.2.5. Encourage team leaders to get experience.
Acquire additional audit experience by working under the direction
and guidance of other knowledgeable audit team leaders.

104
7.3. Develop auditor evaluation criteria.
Select qualitative auditor evaluation criteria.

Select behavioral and character based criteria.
Select knowledge and skill based criteria.
Select quantitative auditor evaluation criteria.

105
7.4. Select auditor evaluation methods.
Select two or more auditor evaluation methods.

Consider using record reviews to evaluate auditors.
Consider using feedback to evaluate auditors.
Consider using interviews to evaluate auditors.
Consider using observation to evaluate auditors.
Consider using audit reviews to evaluate auditors.
Consider using testing to evaluate auditors.

106
7.5. Evaluate the competence of auditors.

Evaluate your management system auditors.
Compare the information collected about the auditor against your
particular auditor evaluation criteria.
Help auditors to improve whenever they fail to meet your audit
program's evaluation criteria.
Encourage auditors to get more training.
Encourage auditors to get more experience.

107
7.6. Maintain and improve auditor competence.

Maintain and continually improve the competence of both auditors
and audit team leaders.
Update your professional development activities whenever relevant
requirements change.
Establish suitable evaluation mechanisms that you can use to
continually evaluate the performance of both auditors and audit
team leaders.
Any questions?
109

ISO 27001-2005 Internal Audit Course

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

ISO 27001-2005 Internal Audit Course

Hochgeladen von

Copyright:

Verfügbare Formate

1

ISO/IEC 27007:2011 and 27008:2011

Why Audit is Important?

What Makes Meaningful Audit?

What Types of Audit are there?

Outcome of Internal Audit Reports

The Audit Planning Process

Initiating the Audit

Guidance When Conducting an Audit

How to Conduct an Audit

Audit Reporting and Follow-up

Conformity vs. Non-Conformity

What key things to look for and where?

Items shouldnt be included in the report

ISO/IEC 27007 is part of a growing family of ISO/IEC Information

Internal auditing, for example for IT auditors to confirm that an

External auditing, including IT audits conducted as part of financial

ISO/IEC 27007:2011 Structure

The standard covers the ISMS-specific aspects of compliance auditing:

Managing the ISMS audit program (determining what to audit, when

Performing an ISMS MS audit (audit process - planning, conduct,

Managing ISMS auditors (competencies, skills, attributes,

This standard (actually a technical report) on technical auditing

Its current title is Information technology Security techniques

This standard provides guidance for all auditors regarding information

Is applicable to all organizations, including public and private

Supports planning and execution of ISMS audits and the information

Provides guidance for auditing information security controls based

Improves ISMS audits by optimizing the relationships between the

Supports an ISMS-based assurance and information security

Ensures effective and efficient use of audit resources.

ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

Whereas ISO/IEC 27007 focuses on auditing the management system

ISO/IEC 27008:2011 vs. ISO/IEC 27007:2011

Technical compliance checking/auditing is explained as a process of

Technical controls, while not explicitly defined in the standard, appear

A Systematic, independent and documented process for obtaining

Why Audit is Important?

To ensure conformance with requirements

To determine the effectiveness of Management System

To detect and correct non-conformities

To identify training needs

To highlight strengths as well as weaknesses

What Makes Meaningful Audit?

Cooperation and honest answers.

Full report of auditing.

Competence of the auditor.

What Types of Audit are there?

First party audit

Second party audit

Third party/external audit

What Types of Audit are there?

First Party: An audit by the organization of its own systems and

Second Party: An audit conducted by its supplier/customer or an

Third Party/External: An audit by a certification body which is

Outcome of Internal Audit Reports

Set of policies, procedures or

Records, statements of fact or other

results of the evaluation of the

person with competence to conduct an

organization being audited

Able to analyze complex situations.

Auditor should remain polite, calm and professional at all time.

Familiar with the purpose/scope