Describes CS Risk\'s approach to providing a managed ISO 27001 internal audit service.

1. ISO 27001 Audit Services Effortless Assurance October 2010

2. The ISMS internal audit ISO 27001 Clause 6 sets out the requirement for ISMS internal audits at planned intervals to: Identify and address non-conformances in the design of the ISMS against ISO 27001 (e.g. as a result of People/Process/Technology/Regulatory change since certification or last audit) Identify and address non-conformances in the operation of the ISMS against the documented policies, processes, procedures and controls Identify opportunities for improvement in efficiency and effectiveness of ISMS operation To form an integral part of the “Plan-Do-Check-Act” continuous improvement cycle required by ISO 27001 Feed into the Management Review process (ISO 27001 Clause 7)

4. Internal ISMS audit skills shortage and dependency on key individuals

5. Valuable audit resources tied up in planning, performing and managing ‘routine’ ISMS auditsUnnecessary and unsustainable management overhead, hassle and worry Objectivity of internal staff may be questionable, especially if security department audit themselves (despite ‘Chinese walls’ approach) Impacts on the overall effectiveness of the assurance function, as focus shifted away from high-risk audit areas Results in ISMS being a burden rather than a business enabler and risk management instrument

6. Our approach Our engagement model is flexible to suit your specific ISMS assurance requirements You can engage us on an audit by audit basis (co-sourcing), or to manage and resource the end-to-end ISMS assurance programme (managed assurance service). Co-sourcing example: You decide whether to use internal, CS Risk or mixed resources for your audits. We operate under your direction in terms of scope and audit process. Charged on an agreed day-rate for the number of CS Risk resources used. Managed Assurance Service example: You set the objectives of the assurance programme. We develop and run your ISMS audit programme on your behalf, tailored to your ISMS, aligned with your security objectives and ISMS scope. Fixed fee for agreed audit plan plus time and materials for ad-hoc audit work.

9. Department/Section and responsible individuals in charge.

10. Audit team members. The number of auditors depends on the audit area size.

11. Type of management system to be audited

12. Date, place, time of the audit and distribution date of the audit report

13. Ensure the availability of all the resources needed and other logistics that may be required by the auditor.

14. Verify the scope of the audit

15. Audit findings collected through interviews, examination of documents and observation of activities and conditions

16. Non-conformance evidence noted along with other objective evidence and observations reflecting the effectiveness of the information security management system

17. Review and analysis of findings

18. Consolidation of findings including grouping and initial classification

19. Interim agreement and clarification of findings with key stakeholders

20. Final classification of findings

21. Preparation of recommendations and audit report

22. Formal report issued to audit sponsor

23. Closing meeting attended by the audit team and the auditees

24. Auditors report their findings, observations and recommendations

27. IT control testing

29. Business impact assessments

30. BC strategy and planning support

31. BS25999 compliance

33. Managed IT audit services