Internal Audits Specifically for Your ISMS

Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 7.2
00:04
Internal Audits Specifically for the ISMS.
00:11
In this video, we will cover what the internal audit for your ISMS is,
00:16
what the audit should cover,
00:19
considerations for selecting an auditor,
00:21
as well as the required documentation.
00:25
This lesson is focused on Clause 9.2, Internal audit.
00:32
So one of my very first misunderstandings with regards to ISO 27001 was related to this clause.
00:40
I'm not too sure what brought about the misunderstanding, potentially previous work history,
00:45
but nonetheless take note of this point, whether it seems obvious or not:
00:49
simply having internal audits performed within your organization
00:53
will not fulfill this clause's requirement.
00:57
What the ISO 27001 standard wants here
01:00
is for your organization to have an ISO 27001 audit performed on your ISMS
01:07
prior to having your external certification or surveillance audit take place,
01:12
as well as while your ISMS is operating normally. Even if you're not going for a certification audit, that is one of the requirements.
01:22
These internal audits can be performed by an external service provider,
01:26
by a supplier or partner with whom you have a reciprocal agreement,
01:30
basically anyone that is independent from the ISMS but also has knowledge of ISO 27001 and auditing an ISMS.
01:41
During this audit, you want to check the performance of the ISMS
01:45
and whether or not it is conforming to its requirements.
01:49
Because this is an internal audit,
01:52
it is generally friendlier than a certification audit,
01:56
as the auditors are acting from an internal support perspective
02:00
to help identify issues so that these can be rectified prior to the certification audit.
02:07
Some of the principles that would govern an internal audit
02:09
include integrity,
02:12
fair presentation,
02:14
due professional care,
02:15
confidentiality,
02:17
independence
02:20
and an evidence-based approach.
02:23
That comes from ISO
02:25
19011, Guidelines for auditing management systems.
02:37
So what should the internal audit cover?
02:39
If we look at ISO 27003, it gives us a bit of guidance.
02:46
The internal audit should cover the adequacy and effectiveness of your processes and controls,
02:53
the fulfillment of information security objectives,
02:58
compliance with Clauses 4 to 10,
03:01
compliance with the organization's own information security requirements,
03:07
the statement of applicability relative to the information security risk assessment,
03:15
your risk treatment and its alignment with risks and acceptance criteria,
03:21
as well as the management review, its effectiveness and derived improvements.
03:27
So the second point here talks about compliance with the organization's own information security requirements.
03:34
These requirements can include the following
03:37
requirements that have been stated in the information security policies and procedures,
03:43
requirements for setting information, security objectives
03:46
and outputs of risk assessments,
03:50
any legal and contractual requirements which are present,
03:54
as well as how the documented information is being managed.
04:05
So how do you go about selecting an internal auditor?
04:12
There are a couple of factors that your organization should consider.
04:15
It is important that the selected auditor meets the organization's requirements
04:20
for its ISO 27001 internal auditor,
04:25
as you want an effective audit and value to assist you in obtaining and maintaining your ISO 27001 certification, or
04:32
if you are just remaining compliant.
04:36
If you're implementing an ISMS for the first time,
04:41
I would recommend getting most of the ISMS in place and operating for a couple of months before having an internal audit.
04:48
I would also ensure I leave a couple of months between your internal audits
04:54
and going through the external certification audit.
04:58
This will allow you enough time
05:00
to raise the appropriate nonconformity documents
05:02
and remediate these appropriately prior to the external audit taking place.
05:09
This is especially important if major nonconformities that could affect the outcome of the external audit are discovered.
05:17
If your organization has an existing internal audit team
05:21
and wants to leverage them for the internal audit,
05:25
it is important that they are independent from any design or implementation activities of the ISMS
05:30
and that they have sufficient knowledge of ISO 27001
05:35
as well as information security and how to audit an ISMS.
05:41
If this skill is not available within your organization,
05:44
it is possible to contract external personnel to perform the internal audits,
05:48
This ensures independence
05:51
and would provide a way to demonstrate their skill set in this area.
05:57
External personnel would probably require a bit more time to understand the organizational context, so factor that in.
06:04
The third option is, if your organization has a partner or supplier or something similar along those lines
06:12
that is also going through the process of implementing their own ISMS,
06:15
you can enter a reciprocal agreement to perform the internal audits of each other's ISMSs.
06:21
So your organization's most capable personnel involved in the ISMS
06:27
would audit your partner's ISMS
06:30
and vice versa.
06:31
This is often a cost-effective method
06:33
and ensures independence.
06:38
So the four points to remember when selecting an internal auditor
06:42
are to identify the competence requirements for the internal auditors,
06:46
select the internal auditors that meet these competence requirements,
06:51
establish a process and a responsible person to monitor and manage the internal audit teams,
06:59
and ensure that the internal audit team is appropriately skilled in ISO 27001,
07:04
as well as information security and auditing ISMSs.
07:16
The internal audit is a great dry run for the certification audits.
07:20
Having an independent set of eyes will add a lot of value to the process and can show areas of improvement that were overlooked.
07:29
Another great aspect of these audits
07:31
is that it shows you how to be prepared for the actual certification audits,
07:35
which evidence to prepare
07:39
and how to organize it so that it's ready for the certification audit.
07:43
The awkward feeling of knowing you have a piece of evidence but not being able to find it during the certification audit
07:49
is best avoided, if at all possible.
07:51
You will learn a lot during these audits, especially if you haven't experienced an ISO 27001 ISMS auditor,
07:59
as these auditors often share tips and tricks from the hundreds of different ISMSs and organizations that they have been exposed to.
08:09
So the required documentation for Clause 9.2 would be an audit plan,
08:13
which should specify the interval in which internal audits will be performed.
08:18
It would also be beneficial to include any other planned audits, including your certification audits, on this plan.
08:28
Once the internal audit has been completed,
08:30
you will be left with an audit report that contains the findings and recommendations from the audit.
08:37
You will end up creating your own nonconformity and corrective action reports and trackers
08:43
from the audit report.
08:46
You will also have evidence of the audit being procured or scheduled,
08:50
such as the contract in place with the auditor and the scheduled time.
08:58
There is also a possibility that your certification auditors would want to speak to the internal auditors about their audit and results,
09:05
so bear that in mind.
09:13
In this lesson we covered what is required with regards to the internal audit of your ISMS,
09:18
especially that this is specific to an ISMS internal audit, and that simply having internal audits of security controls or something else within your organization does not suffice.
09:31
We also examined some factors to consider when selecting your internal auditor
09:35
and covered the required documentation for Clause 9.2.