Chandra Mohan Govindarajula
Job Positions
Mr. Chandra Mohan Govindarajula has 16 years of working experience as an Implementer, Lead Auditor, and QA & QC professional. Chandra has worked at large companies, as a Lead Auditor and Technical Expert at TUV India Private Limited, a Team Manager at Splash Tech Labs, and a Process Associate at GE Capital International, among others. Currently, Chandra is working as Lead, Information Security at Value Labs.
Contact Information
+919949673325 cmohang@msn.com
https://in.linkedin.com/in/chandra-mohan-govindarajula-1726ab7
www.valuelabs.com
Internal Audit – ISO 27001 : 2013
Information Security Management System
1. Audit definitions
2. Planning and preparation for the audit
3. Conducting audit
4. Report the audit findings
5. Audit closure
6. Questions
Audit Definitions
Audit – “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines)
Audit Evidence - records, statements of fact or other information which are relevant to the audit criteria and verifiable
NOTE Audit evidence can be qualitative or quantitative
Audit Criteria - set of policies, procedures or requirements used as a reference against which audit evidence is compared
Auditor – Person who is qualified to perform the audit
Auditee – the organization/function that is being audited
Source - ISO/IEC 27000 - Information technology - Security techniques - Information security management systems - Overview and vocabulary; ISO 9000:2005, definition 3.9.4
Objective Evidence : Data supporting the existence or verity of something
NOTE Objective evidence may be obtained through observation, measurement, test, or other means
Observation : A statement of fact made during an audit and substantiated by objective evidence
Non-conformity : Non-fulfilment of a requirement
Audit purpose :
• To collect objective evidence to permit an informed judgment about the status of the Information security management system
• To evaluate the need for improvement or corrective action
• An audit is a fact-finding exercise and not a fault-finding exercise
Audit Objective :
• To verify whether
  • the system is adequately defined (conforms to ISO 27001:2013 ISMS and organization requirements)
  • the defined system is implemented
  • the implemented system is effective
Planning and Preparation for Audit
Responsibilities of Internal Auditor
• Complying with applicable audit requirements
• Communicating and clarifying audit requirements
• Planning and carrying out assigned responsibilities effectively and efficiently
• Documenting the observations and reporting audit results
• Retaining and safeguarding documents pertaining to the audit
• Co-operating with and supporting the lead auditor
• Being open-minded and mature
Responsibilities of Auditee
• Inform relevant employees about the scope of the audit
• Provide access to facilities and evidence as requested by the auditor
• Be prepared for the audit as scheduled
• Attend opening and closing meetings
• Co-operate with the auditor
• Determine and initiate corrective actions based on audit reports
Audit Skills
• Communicating – oral, written
• Tactful / flexible / persistent
• Time management
• Fact finding – listening, observing, questioning, sampling
• Examination / tracing
• Judgement / objectivity
• Integrity
Human aspects in audits
• Show interest with sincerity and friendliness
• Be careful in giving advice
• Recognize that people hear what they want to hear
• Listen to understand
• Be sensitive to feelings, attitudes and motives
• Respond in a neutral manner
• Repeat or rephrase what they said
Auditee reactions
• Volunteered information – leads the audit into a particular line of investigation
• Diversionary tactics
• Arguments
• Active co-operation
• Challenging
Audit Planning
• Objectives and scope of the audit
• Focus areas of the audit
• Audit schedule
• Audit team(s)
• Reference documentation
Audit Preparation
• Auditor
  • Study the audit objectives, scope, and focus areas
  • Study the function/project – current status
  • Study previous audit reports
  • Prepare audit checklist / worksheet
• Auditee
  • Organize for and be prepared to face the scheduled audit
Audit checklist
• Keeps audit objectives clear
• Evidence of planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces work load during the audit
• Reduces audit sample
• “There is no ideal checklist!”
Conducting audit
Opening Meeting
• Company management, Auditee, Lead auditor, and Auditors
• Review the scope of the audit cycle
• Clarify and reconfirm the audit schedule
• Confirm resources and facilities needed for the audit are available
• Explain the audit process
Conducting Audit
Audit Process
• Initiation
• Investigation and Verification
• Identification
• Reporting
Audit Techniques
• Sampling
• Interviewing
• Tracing
Audit Sampling
• Audit is a sampling exercise
• Samples taken need to be representative
• Sample size typically varies (3 – 12)
• Samples have to be selected at random by the auditor
• The result is unbiased, objective, defensible and repeatable
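The sampling rules on this slide (representative, chosen at random by the auditor, defensible and repeatable) can be made mechanical. The following is an added example and not code from the slide deck or its author: it stratifies a constructed population of user-access review records by department, draws a seeded random sample within the 3 to 12 range the slide quotes, and returns the seed together with a SHA-256 fingerprint of the population so the same sample can be regenerated when a finding is challenged. The record IDs, the department field and the proportional stratified allocation are this example's own assumptions, not a requirement of ISO/IEC 27001.

```python
"""Reproducible, representative audit sample selection (added example).

Stratifies a population of records by a grouping attribute, draws a seeded
random sample of 3 to 12 records, and returns a selection record (seed plus
a fingerprint of the population) from which the exact same sample can be
regenerated later.  The population below is constructed for illustration.
"""
import hashlib
import random
from collections import defaultdict

MIN_SAMPLE = 3   # range quoted on the slide: sample size typically 3 - 12
MAX_SAMPLE = 12

# Constructed population: user-access review records, grouped by department.
POPULATION = [
    {"id": f"UAR-{n:03d}", "dept": dept}
    for n, dept in enumerate(
        ["HR"] * 4 + ["Finance"] * 10 + ["Engineering"] * 16, start=1
    )
]


def population_fingerprint(records):
    """SHA-256 over the sorted record IDs: evidences which population was sampled."""
    ids = sorted(r["id"] for r in records)
    return hashlib.sha256("\n".join(ids).encode()).hexdigest()


def allocate(strata, sample_size):
    """Proportional allocation across strata, at least one per stratum where possible."""
    total = sum(len(rs) for rs in strata.values())
    alloc = {s: min(len(rs), max(1, len(rs) * sample_size // total))
             for s, rs in strata.items()}
    by_size = sorted(strata, key=lambda s: len(strata[s]), reverse=True)
    # Flooring usually leaves a shortfall: give extra slots to the largest strata.
    while sum(alloc.values()) < sample_size:
        for s in by_size:
            if alloc[s] < len(strata[s]):
                alloc[s] += 1
                break
        else:
            break  # population is smaller than the requested sample
    # Many tiny strata can overshoot: trim strata holding more than one slot,
    # and only if every stratum holds exactly one, drop the smallest stratum.
    while sum(alloc.values()) > sample_size:
        victim = next((s for s in reversed(by_size) if alloc[s] > 1), None)
        if victim is None:
            victim = next(s for s in reversed(by_size) if alloc[s] == 1)
        alloc[victim] -= 1
    return alloc


def select_sample(records, sample_size, key="dept", seed=None):
    """Draw a stratified random sample and return a record that lets it be reproduced."""
    if not MIN_SAMPLE <= sample_size <= MAX_SAMPLE:
        raise ValueError(f"sample size must be between {MIN_SAMPLE} and {MAX_SAMPLE}")
    if seed is None:
        # Fresh, unpredictable seed so the auditee cannot anticipate the sample;
        # it is recorded in the result so the draw stays repeatable.
        seed = random.SystemRandom().randrange(2 ** 32)
    rng = random.Random(seed)
    grouped = defaultdict(list)
    for r in records:
        grouped[r[key]].append(r)
    # Sort strata and members so the same seed always walks the same order.
    strata = {s: sorted(rs, key=lambda r: r["id"]) for s, rs in sorted(grouped.items())}
    alloc = allocate(strata, sample_size)
    chosen = []
    for s, rs in strata.items():
        chosen.extend(rng.sample(rs, alloc[s]))
    return {
        "seed": seed,
        "stratum_key": key,
        "sample_size": sample_size,
        "population_size": len(records),
        "population_fingerprint": population_fingerprint(records),
        "allocation": alloc,
        "sample": sorted(r["id"] for r in chosen),
    }


def reproduce(selection, records):
    """Re-run the draw from the recorded seed; False if the population or sample differs."""
    if population_fingerprint(records) != selection["population_fingerprint"]:
        return False
    again = select_sample(records, selection["sample_size"],
                          key=selection["stratum_key"], seed=selection["seed"])
    return again["sample"] == selection["sample"]


if __name__ == "__main__":
    sel = select_sample(POPULATION, 8, seed=20240101)
    print(sel)
    print("reproducible:", reproduce(sel, POPULATION))
```

Keep the returned selection record with the audit working papers: reproduce() re-derives the sample from the seed and refuses if the population has changed, which is what makes the sample defensible rather than merely random. When no seed is supplied it is drawn from SystemRandom, so the auditee cannot predict which records will be pulled.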
Interviewing
• Ask the right questions
• Put people at ease – the audit is a constructive exercise
• Explain your purpose
• Find out what the Auditee is doing
• Analyse what the Auditee is doing
• Make tentative conclusions
• Explain the next steps
• Exhibit professionalism
Tracing
• Used to collect evidence during the audit
• Could involve almost every facet of the system
• Results in a well-defined picture of the actual practices
• Mechanisms of tracing
  • Transaction sequence
  • Date sequence
  • Task sequence
Verification
• Examine documents
• Collect all the evidence – documents, records, plans, ….
• Check “actual practices” against the “defined process”
• Make notes of what you see
• Make notes of discrepancies
Taking Notes
• As a reference
• As objective evidence
• Admissible statements
• Document numbers and revisions
• Other information
Identifying problems
• Focus on the factors critical to quality
• Decide whether or not the Auditee is in control
• Consider if there are further symptoms
• Could this minor problem be a symptom of a fatal condition?
• Where in the process could the root cause lie?
• Always verify evidence of non-compliance
Audit Observations
• List problems (possible non-conformities) identified along with objective evidence
• Keep the Auditee informed
Audit Closure
• Thank the Auditee and their team
• De-brief the Auditee (need not say which finding is an NC, but summarize the findings)
• Close the audit
Reporting Audit Findings
Audit findings
• Facts acknowledged by the Auditee at the time they are found, using only objective evidence
• Where was the non-conformity observed?
• Why is it a non-conformity?
• Who was involved (only when the non-conformity is based on admissible spoken evidence)?
Non-conformity (NC)
• Minor
  • An isolated, witnessed incident or failure to comply with a procedure or an Information security management system requirement. A minor problem that warrants attention
• Major
  • A significant non-conformity with the requirements of the ISO 27001 standard
  • A failure of a complete system or the lack of an Information security management system requirement
Non-conformity reporting
• The objective of non-conformity writing is to get effective corrective action
• Complete and accurate non-conformity statements help in causal analysis
• The non-conformity description can be short but should contain all relevant facts
Audit report
• Audit information
• General observations
• Non-conformities
• Improvement opportunities
Example of Non-conformity:
What – What was found?
Where – Where was it found?
Why – Why is it a non-conformity?
What – The disciplinary process is not evidenced
Where – While auditing the Human Resource department of PECB in the conference hall; the Auditee was “Mr Ali”
Why – ISO 27001:2013 – Information security management system requirements – Control A.7.2.3 says “There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach”
Audit closure
Closure of non-conformities
• Closure action – action taken to correct the non-conformity (where possible)
• Closure action to be implemented by the Auditee
• Closure action to be verified by the Auditor
Causal analysis of non-conformity:
• Cause/effect analysis – cause category, control failure
• Corrective action – function/project level, organization level
Audit report preparation
• Summary of the audit planned and conducted
• Analysis of audit coverage and non-conformities
• Recurrence of non-conformities
• Corrective action plan and schedule
Closing Meeting
• Participants – top management, Auditees, auditors and Lead auditor
• Audit report distribution
• Agree on the corrective action plan
THANK YOU
QUESTIONS?

Best Practices to Perform an ISMS Internal Audit based on ISO/IEC 27001

  • 1.
  • 2. Chandra Mohan Govindarajula Job Positions Mr. Chandra Mohan Govindarajula’s record includes 16 years of working experience as an Implementer, Lead Auditor, and QA & QC. Chandra has worked in some big companies such as a Lead Auditor and Technical expert in TUV India Private Limited, a Team Manager in Splash Tech Labs, and a Process Associate in GE Capital International and so on. Currently, Chandra is working as a Lead Information Security at Value Labs. Contact Information +919949673325 cmohang@msn.com https://in.linkedin.com/in/chandra-mohan-govindarajula-1726ab7 www.valuelabs.com
  • 3. Internal Audit – ISO 27001 : 2013 Information Security Management System 1. Audit definitions 2. Planning and preparation for the audit 3. Conducting audit 4. Report the audit findings 5. Audit closure 6. Questions 3
  • 4. “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled” Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party) and it can be combined audit (combining two or more disciplines) Audit Evidence - records, statements of fact or other information which are relevant to the audit criteria and verifiable NOTE Audit evidence can be qualitative or qualitative Audit Criteria - set of policies, procedures or requirements used as a reference against which audit evidence is comparted Auditor – Person who is qualified to perform the audit Auditee – the organization/ function that is being audited Source - ISO/IEC 27000 - Information technology - Security techniques - Information security management systems - Overview and vocabulary; ISO 9000:2005, definition 3.9.4 Audit Definitions 4
  • 5. 5 Objective Evidence : Data supporting the existence or verify of something NOTE Objective evidence may be obtained through observation, measurement, test, or other means Observation : A statement of fact made during an audit and substantiated by objective evidence Non-conformity : Non-fulfilment of a requirement Audit purpose : • To collect objective evidence to permit an information judgment about status of Information security management system • To evaluate the need for improvement or corrective action • Audit action is a fact finding exercise and not a fault finding exercise Audit Objective : • To verify whether • System is adequately defined (Confirms to ISO 27001:2013 ISMs and organization requirements) • Defined system is implemented • Implement system is effective Source - ISO/IEC 27000 - Information technology - Security techniques - Information security management systems - Overview and vocabulary; ISO 9000:2005, definition 3.9.4 Audit Definitions
  • 6. 6 Responsibilities of Internal Auditor • Complying with acceptable audit requirements • Communicating and clarifying audit requirements • Planning and carrying out assigned responsibilities effectively and efficiently • Documenting the observations and reporting audit results • Retaining and safeguarding documents pertaining to audit • Co-operating with and supporting lead auditor • Being open-minded and mature Responsibilities of Auditee • Inform relevant employees about the scope of audit • Provide access to facilities and evidences as requested by auditor • Be prepared to face audit as per schedule • Attend opening and closing meetings • Co-Operate with auditor • Determine and initiate corrective actions based on audit reports Planning and Preparation for Audit
Planning and Preparation for Audit

Audit Skills
• Communicating – oral, written
• Tactful / flexible / persistent
• Time management
• Fact finding – listening, observing, questioning, sampling
• Examination / tracing
• Judgement / objectivity
• Integrity

Human aspects in audits
• Develop interest with sincerity and friendliness
• Be careful in giving advice
• Recognize that people hear what they want to
• Listen to understand
• Be sensitive to feelings, attitudes and motives
• Respond in a neutral manner
• Repeat or rephrase what they said
Planning and Preparation for Audit

Auditee reactions
• Volunteered information – results in a particular line of investigation
• Diversionary tactics
• Arguments
• Active co-operation
• Challenging

Audit Planning
• Objectives and scope of audit
• Focus areas of audit
• Audit schedule
• Audit team(s)
• Reference documentation

Audit Preparation
• Auditor
  • Study the audit objectives, scope, and focus areas
  • Study the function/project – current status
  • Study previous audit reports
  • Prepare audit checklist / worksheet
• Auditee
  • Organize for and be prepared to face the scheduled audit
Planning and Preparation for Audit

Audit checklist
• Keeps audit objectives clear
• Evidence of planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces workload during the audit
• Reduces the audit sample
• “There is no ideal checklist!”

Conducting audit

Opening Meeting
• Company management, Auditee, Lead auditor, and Auditors
• Review the scope of the audit cycle
• Clarify and reconfirm the audit schedule
• Confirm that resources and facilities needed for the audit are available
• Explain the audit process
Conducting Audit

Audit Process
• Initiation
• Investigation and Verification
• Identification
• Reporting

Audit Techniques
• Sampling
• Interviewing
• Tracing

Audit Sampling
• Audit is a sampling exercise
• Samples taken need to be representative
• Sample size typically varies (3 – 12)
• Samples have to be selected at random by the auditor
• The result is unbiased, objective, defensible and repeatable
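The sampling properties listed above (random, defensible, repeatable) are easy to state and easy to get wrong in practice: a sample picked by hand, or drawn with a time-based seed, cannot be reproduced later when the auditee disputes a finding. The following is an added example, not code from the deck or its author, showing one way an auditor can draw the sample so that anyone holding the audit identifier and the same population list regenerates exactly the same selection. The function names, the audit identifier format and the ticket IDs are constructed for illustration.

```python
import hashlib
import random


def audit_seed(audit_id: str) -> int:
    """Derive a fixed integer seed from the audit identifier.

    Hashing the identifier (rather than using the clock) is what makes the
    draw repeatable: the audit ID plus the population list is enough to
    regenerate the sample during closure or a later review.
    """
    digest = hashlib.sha256(audit_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def audit_sample(population, sample_size: int, audit_id: str) -> list:
    """Select a random, repeatable sample of records for the auditor to examine.

    population  - record identifiers handed over by the auditee (any order)
    sample_size - how many records to pull (the deck gives 3 to 12 as typical)
    audit_id    - identifier of this audit (hypothetical format), used only to seed the draw
    """
    if sample_size < 1:
        raise ValueError("sample_size must be at least 1")
    # Canonical ordering: the result must not depend on the order in which the
    # auditee supplied the list, otherwise reshuffling the list would steer
    # which records get picked.
    ordered = sorted(set(population))
    # The population may be smaller than the requested sample; take it all.
    size = min(sample_size, len(ordered))
    rng = random.Random(audit_seed(audit_id))
    return rng.sample(ordered, size)


def sampling_record(population, sample_size: int, audit_id: str) -> dict:
    """Return what the auditor files with the findings so the selection is defensible."""
    chosen = audit_sample(population, sample_size, audit_id)
    return {
        "audit_id": audit_id,
        "population_size": len(set(population)),
        "requested_sample_size": sample_size,
        "selected": chosen,
        "method": "uniform random draw seeded from SHA-256 of the audit ID",
    }


if __name__ == "__main__":
    # Constructed population: change-ticket IDs for one quarter (not real data).
    tickets = [f"CHG-{n}" for n in range(1001, 1041)]
    print(sampling_record(tickets, 5, "IA-2024-Q1-ChangeMgmt"))
```

The sampling record is what makes the result defensible: it names the population the auditee supplied, the size requested, the records actually examined and the method used, so the same draw can be reproduced in the closing meeting without relying on the auditor's memory.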
Conducting Audit

Interviewing
• Ask the right questions
• Put people at ease – the audit is a constructive exercise
• Explain your purpose
• Find out what the Auditee is doing
• Analyse what the Auditee is doing
• Make tentative conclusions
• Explain next steps
• Exhibit professionalism

Tracing
• Used to collect evidence during the audit
• Could involve almost every facet of the system
• Results in a well-defined picture of the actual practices
• Mechanisms of tracing
  • Transaction sequence
  • Date sequence
  • Task sequence

Verification
• Examine documents
• Collect all the evidence – documents, records, plans, ...
• Check “actual practices” against “defined process”
• Make notes of what you see
• Make notes of discrepancies
Conducting Audit

Taking Notes
• As a reference
• As objective evidence
• Admissible statements
• Document numbers and revisions
• Other information

Identifying problems
• Focus on the factors critical to quality
• Decide whether or not the Auditee is in control
• Consider if there are further symptoms
• Could this minor problem be a symptom of a fatal condition?
• Where in the process could the root cause lie?
• Always verify evidence of non-compliance

Audit Observations
• List problems (possible non-conformities) identified along with objective evidence
• Keep the Auditee informed

Audit Closure
• Thank the Auditee and their team
• De-brief the Auditee (need not say which is an NC, but summarize the findings)
• Close the audit
Reporting Audit Findings

Audit findings
• Facts acknowledged by the Auditee at the time they are found, using only objective evidence
• Where was the non-conformity observed?
• Why is it a non-conformity?
• Who was involved (only when the non-conformity is based on admissible spoken evidence)?

Non-conformity (NC)
• Minor
  • An isolated, witnessed incident or failure to comply with a procedure or Information security management system requirements. A minor problem that warrants attention
• Major
  • A significant non-conformity with the requirements of the ISO 27001 standard
  • A failure of a complete system or the lack of Information security management system requirements
Reporting Audit Findings

Non-conformity reporting
• The objective of non-conformity writing is to get effective corrective action
• Complete and accurate non-conformity statements help in causal analysis
• The non-conformity description can be short but should contain all relevant facts

Audit report
• Audit information
• General observations
• Non-conformities
• Improvement opportunities

Example of Non-conformity:
• What – What was found?
• Where – Where was it found?
• Why – Why is it a non-conformity?

What – A disciplinary process is not evidenced
Where – While auditing the Human Resource department of PECB in the conference hall; the Auditee was “Mr Ali”
Why – ISO 27001:2013 – Information security management system requirements – Control A.7.2.3 says “There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach”
Audit closure

Closure of non-conformities
• Closure action – action taken to correct the non-conformity (where possible)
• Closure action to be implemented by the Auditee
• Closure action to be verified by the Auditor

Causal analysis of non-conformity:
• Cause/effect analysis – cause category, control failure
• Corrective action – function/project level, organization level
Audit closure

Audit report preparation
• Summary of audit planned and conducted
• Analysis of audit coverage and non-conformities
• Recurrence of non-conformities
• Corrective action plan and schedule

Closing Meeting
• Participants – top management, Auditees, auditors and Lead auditor
• Audit report distribution
• Agree on the corrective action plan
Thank You. Questions?