Audit practices
1.1) Your screen/computer should be locked out if you fail to log in 5 times consecutively.
1.2) Your password should expire after 45 days, and the system should ask you to change the password.
Answer: Typically the auditor will focus on whether the activities performed in a company are compliant with the standard and with internal policies, procedures and plans - in your example, the auditor will check the behaviour of the screen lock feature, and the settings of the password expiry.
Testing is usually not done by ISO 27001 auditors - the auditor should check whether the responsible person in the company has performed any tests if this was required by the internal documentation; however, ISO 27001 does not prevent internal auditors from performing tests so this is also a possibility.
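As an added example (not part of the forum answer above) of how an internal auditor could collect evidence for the two settings in the question, the script below compares a host's lockout threshold and password-expiry setting against the stated policy. It assumes a Linux host that uses pam_faillock (`/etc/security/faillock.conf`, `key = value` syntax) and shadow-utils (`/etc/login.defs`, `KEY value` syntax); the two configuration texts are constructed samples, not captured from any real system.

```python
"""Audit helper: compare account-lockout and password-expiry settings
against a written policy (lockout after 5 failed logins, 45-day expiry).

Assumption: Linux host using pam_faillock and shadow-utils. The config
texts below are constructed samples for illustration.
"""
import re

# Policy values taken from the question (1.1 and 1.2).
POLICY = {"deny": 5, "PASS_MAX_DAYS": 45}

# Constructed sample of /etc/security/faillock.conf (key = value syntax)
FAILLOCK_CONF = """\
# constructed sample, deliberately non-compliant
deny = 10
unlock_time = 600
"""

# Constructed sample of /etc/login.defs (KEY<whitespace>value syntax)
LOGIN_DEFS = """\
# constructed sample, deliberately non-compliant
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""


def parse_faillock(text):
    """Return {key: value} from pam_faillock-style 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_login_defs(text):
    """Return {KEY: value} from login.defs-style 'KEY value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def _as_int(value):
    """Convert a setting to int, or None when absent or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


def check_lockout_policy(faillock_text, login_defs_text, policy=POLICY):
    """Return a list of (setting, expected, actual) findings; [] means compliant.

    A missing setting is reported with actual=None: the auditor records
    'not set' as a finding rather than assuming the module default.
    A stricter value (fewer attempts, shorter expiry) is accepted.
    """
    findings = []
    deny = _as_int(parse_faillock(faillock_text).get("deny"))
    if deny is None or deny > policy["deny"]:
        findings.append(("faillock deny", policy["deny"], deny))

    max_days = _as_int(parse_login_defs(login_defs_text).get("PASS_MAX_DAYS"))
    if max_days is None or max_days > policy["PASS_MAX_DAYS"]:
        findings.append(("login.defs PASS_MAX_DAYS", policy["PASS_MAX_DAYS"], max_days))
    return findings


if __name__ == "__main__":
    for setting, expected, actual in check_lockout_policy(FAILLOCK_CONF, LOGIN_DEFS):
        print(f"FINDING: {setting}: policy {expected}, configured {actual}")
```

The output of such a script is only evidence about the configuration file; to audit the behaviour the question describes, the auditor would still want to see the responsible person's own test records (or observe a failed-login test) as the answer above notes.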
2) In one of the cases, we were checking whether the IT team had configured their systems/servers to send alerts on meeting certain conditions (say, if memory (RAM) use is more than 80%, etc.), since these servers were performing critical operations.
2.1) In this case, there were more than 70 systems/servers. So, should we just check some servers randomly (the important ones), or should we check all servers even if there are 100+?
Here, if we sample, let's say 10 servers -
2.1.1) Chances are that for these 10 servers the configuration is proper but for the remaining ones it is not.
2.1.2) Chances are that for some of the selected servers the configuration has not been done. And actually, when we did this for some servers, we found that some of them were not configured.
Answer: For deciding between 100% checking and verifying a smaller sample, you should evaluate the associated risk assessment results, the previous history of related incidents regarding the potential impacts of an incident occurring, and the available time and resources you have.
If the decision is to audit a sample, to maximize the reliability that your sample represents your entire scenario, you should use statistical concepts to help you define the size of your sample, which servers will be part of the sample, and the number of acceptable failures among the sample you can have and still maintain the degree of confidence.
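As an added example (not part of the answer above), the script below applies one standard form of the statistical approach the answer mentions: attribute (acceptance) sampling with the hypergeometric distribution. The auditor states a tolerable number of misconfigured servers `D_max`, an acceptance number `c` (failures allowed in the sample), and a confidence level, and the code finds the smallest sample size `n` of `N` servers such that a population that actually has `D_max` misconfigured servers would slip through with probability at most `1 - confidence`. The server IDs, the seed, and the numbers 70, 7 (10% tolerable) and 95% are constructed for the illustration.

```python
"""Attribute sampling for an audit of alerting configuration across N servers.

Added example. Sampling n servers without replacement from N, of which D are
misconfigured, the number of misconfigured servers found follows a
hypergeometric distribution. Values used in __main__ are constructed.
"""
from math import comb
import random


def prob_at_most(N, D, n, c):
    """P(at most c misconfigured servers appear in a random sample of n)
    when D of the N servers are misconfigured (hypergeometric CDF)."""
    if n > N or D > N:
        raise ValueError("sample and defect counts must not exceed the population")
    total = comb(N, n)
    return sum(comb(D, k) * comb(N - D, n - k)
               for k in range(0, min(c, D, n) + 1)) / total


def min_sample_size(N, D_max, c, confidence):
    """Smallest n for which a population with D_max misconfigured servers
    would be accepted (<= c failures found) with probability <= 1 - confidence."""
    alpha = 1.0 - confidence
    for n in range(c + 1, N + 1):
        if prob_at_most(N, D_max, n, c) <= alpha:
            return n
    return N  # only a 100% check reaches the required confidence


def select_sample(server_ids, n, seed):
    """Pick n servers without replacement. The seed is recorded as audit
    evidence so the selection can be reproduced and shown to be random."""
    rng = random.Random(seed)
    return sorted(rng.sample(list(server_ids), n))


def evaluate_sample(failures_found, c):
    """Audit conclusion for the sampled servers: within the acceptance
    number the population is accepted; otherwise the result cannot support
    the intended confidence and the check should be extended."""
    if failures_found <= c:
        return "accept"
    return "reject: extend the check (up to 100%) or raise a nonconformity"


if __name__ == "__main__":
    N = 70                                           # servers in scope (constructed)
    servers = [f"srv-{i:03d}" for i in range(1, N + 1)]  # constructed IDs
    n = min_sample_size(N, D_max=7, c=0, confidence=0.95)
    sample = select_sample(servers, n, seed=20170626)   # seed recorded in workpapers
    print(f"check {n} of {N} servers: {sample}")
    # 2.1.2 in the question: some sampled servers were not configured.
    print(evaluate_sample(failures_found=2, c=0))
```

With `c = 0`, finding even one unconfigured server among the sampled ones (the situation in 2.1.2) means the sample no longer supports the 95% claim; the honest conclusions are either to extend the check towards 100% or to record the gap as a nonconformity, rather than to treat the sampled failures as isolated.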
Jun 26, 2017