2. The ISMS internal audit
ISO 27001 Clause 6 sets out the requirement for ISMS internal audits at planned intervals to:
Identify and address non-conformances in the design of the ISMS against ISO 27001 (e.g. as a result of People/Process/Technology/Regulatory change since certification or the last audit)
Identify and address non-conformances in the operation of the ISMS against the documented policies, processes, procedures and controls
Identify opportunities for improvement in the efficiency and effectiveness of ISMS operation
Form an integral part of the “Plan-Do-Check-Act” continuous improvement cycle required by ISO 27001
Feed into the Management Review process (ISO 27001 Clause 7)
5. Valuable audit resources tied up in planning, performing and managing ‘routine’ ISMS audits
Unnecessary and unsustainable management overhead, hassle and worry
Objectivity of internal staff may be questionable, especially if the security department audits itself (despite the ‘Chinese walls’ approach)
Impacts on the overall effectiveness of the assurance function, as focus is shifted away from high-risk audit areas
Results in the ISMS being a burden rather than a business enabler and risk management instrument
6. Our approach
Our engagement model is flexible to suit your specific ISMS assurance requirements.
You can engage us on an audit-by-audit basis (co-sourcing), or to manage and resource the end-to-end ISMS assurance programme (managed assurance service).
Co-sourcing example:
You decide whether to use internal, CS Risk or mixed resources for your audits.
We operate under your direction in terms of scope and audit process.
Charged on an agreed day-rate for the number of CS Risk resources used.
Managed Assurance Service example:
You set the objectives of the assurance programme.
We develop and run your ISMS audit programme on your behalf, tailored to your ISMS and aligned with your security objectives and ISMS scope.
Fixed fee for the agreed audit plan, plus time and materials for ad-hoc audit work.
15. Audit findings are collected through interviews, examination of documents, and observation of activities and conditions.
16. Non-conformance evidence is noted along with other objective evidence and observations reflecting the effectiveness of the information security management system.