Internal Audits Specifically for Your ISMS

00:01

Lesson 7.2

00:04

internal orders specifically for the ice mess.

00:11

In this video, we will cover what the internal order for your SMS is.

00:16

What the order should cover

00:19

considerations for selecting an auditor

00:21

as well as the required documentation.

00:25

This lesson is focused on Clause 9.2 internal audit.

00:32

So one of my very first misunderstandings with regards to the eye So 27,001 was related to this close.

00:40

I'm not too sure what brought about the misunderstanding potentially previous work history,

00:45

but nonetheless take note of this point. Whether it seems obvious or not,

00:49

simply having internal order to performed within your organization

00:53

will not fulfill this close requirement.

00:57

What the I so 27,001 standard once year

01:00

is for your organization to have an ice 0 27,001 ordered performed on your eyes miss

01:07

prior to having your external certification or surveillance order to take place

01:12

as well as during your ice. Smith Operating normally, even if you're not going for a certification audit, that is one of the requirements

01:22

These internal audits can be performed by an external service provider

01:26

by a supplier or partner with whom you have a reciprocal agreement,

01:30

basically anyone that is independent from the ice mess but also has knowledge of ice or 27,001 and auditing and ice mess

01:41

during this order, Do you want to check the performance of the ice mess

01:45

and whether or not it is conforming to its requirements?

01:49

Because this is an internal audit

01:52

is generally friendlier than a certification ordered,

01:56

as the auditors are acting from an internal support perspective

02:00

to help identify issues so that these can be rectified prior to the certification ordered.

02:07

Some of the principles that would govern an internal audit

02:09

include integrity,

02:12

fair presentation,

02:14

do you Professional care,

02:15

confidentiality,

02:17

independence

02:20

and an evidence based approach

02:23

that comes from is er

02:25

19 0 Double one guidelines for auditing management systems.

02:37

So what should the internal order cover?

02:39

If we look at ISO 27,003, it gives us a bit of guidance.

02:46

The internal order should cover the adequacy and effectiveness off your processes and controls

02:53

the fulfillment of information security objectives.

02:58

The compliance with clauses 4 to 10

03:01

compliance with the organization's own information security requirements,

03:07

the statement of applicability relative to the information security risk assessment,

03:15

your risk treatment. And it's alignment with risks and acceptance criteria,

03:21

as well as the management review, effectiveness and derived improvements.

03:27

So the second point here talks about compliance with the organization's own information security requirements.

03:34

These requirements can include the following

03:37

requirements that have been stated in the information security policies and procedures,

03:43

requirements for setting information, security objectives

03:46

and outputs of risk assessments,

03:50

any legal and contractor requirements which are present,

03:54

as well as how the documented information is being managed.

04:05

So how do you go about selecting an internal water?

04:12

There are a couple of factors that your organization should consider.

04:15

It is important that the selected order to meet the organization's requirements

04:20

for its ESO 27,001 internal auditor

04:25

as you want an effective audit and value to assist you in obtaining and maintaining your eye. So 27,001 certification, or

04:32

if you are just remaining compliant

04:36

if you're implementing and ice maze for the first time,

04:41

I would recommend getting most of the is mess in place and operating for a couple of months before having an intern ordered.

04:48

I would also ensure I leave a couple of months between your intern orders

04:54

and going through the externals location ordered.

04:58

This will allow you enough time

05:00

to raise the appropriate nonconformity documents

05:02

and remediate thes appropriately prior to the external order taking place.

05:09

This is especially important if major nonconformity is that could affect the outcome of the extra ordered are discovered.

05:17

If your organization has an existing internal order team

05:21

and wants to leverage them for intern audit,

05:25

it is important that they are independent from any design or implementation activities off the ice mess

05:30

and that they have sufficient knowledge off is a 27,001

05:35

a swell as information security and how to order it a nice miss.

05:41

If this skill is not available within your organization,

05:44

it is possible to contract external personnel to perform the internal audits,

05:48

listen shires independence

05:51

and would provide a way to demonstrate their skill set in this area.

05:57

External personnel would probably require a bit more time to understand the organizational context, so factor that in

06:04

the third option is if your organization has a partner or supplier or something similar along those lines

06:12

that is also going through the process of implementing their own ice mess,

06:15

you can enter reciprocal agreement to perform the internal orders of each other's ice messes.

06:21

So your organization's most capable personal involved in Nice Miss

06:27

would order your partner's ice miss

06:30

and vice versa.

06:31

This is often a cost effective method

06:33

and inches independence.

06:38

So the four points to remember when selecting an into an auditor

06:42

is to identify the competence requirements for the intern. Auditors,

06:46

select the internal auditors that meet thes competence requirements,

06:51

establish a process and a responsible person to monitor and manage the internal order teams

06:59

and ensure that the Internal Order Team is appropriately skilled in ISO 27,001,

07:04

as well as information security and auditing. Isom S Systems.

07:16

The internal order is a great dry run for the certification orders.

07:20

Having an independent set of eyes will add a lot of value to the process and can show areas of improvement that were overlooked.

07:29

Another great aspect off these audits

07:31

is that it shows you how to be prepared for the actual certification orders,

07:35

which evidence to prepare

07:39

and how to organize it so that it's ready for the certification ordered.

07:43

The awkward feeling of knowing you have a piece of evidence but not being able to find it during the certification or audit

07:49

is best avoided, if at all possible.

07:51

You will learn a lot during these audits, especially if you haven't experienced I so 27,001 ice, Miss Auditor

07:59

as these auditors often share tips and tricks from the hundreds of different ice messes and organizations that they have been exposed to.

08:09

So the required documentation for Clause 9.2 would be in order plan,

08:13

which should specify the interval in which internal audits will be performed.

08:18

It would also be beneficial to include any other planned audits, including your certification audits on this plan.

08:28

Once the internal order has been complete,

08:30

you will be left with an order to report that contains the findings and recommendations. From the orders,

08:37

you will end up creating your own nonconformity and corrective action reports and trackers

08:43

from the ordered report.

08:46

You will also have evidence off the order being procured or scheduled.

08:50

Such is the contract in place with the auditor and the scheduled time.

08:58

There is also a possibility that your certification auditors would want to speak to the internal auditors about their audit and results,

09:05

so bear that in mind

09:13

in this lesson recovered what is required with regards to the internal order of your ice mess,

09:18

especially that this is specific to an SMS intern. Order it, and thats simply having intern orders of security controls or something else within your organization does not suffice.

09:31

We also examined some factors to consider when selecting your intern auditor