Expert Advice Community

Guest

Incorporating ISO clauses in an internal audit

  Quote
Guest
nemys Created:   Aug 26, 2017 Last commented:   Aug 26, 2017

Incorporating ISO clauses in an internal audit

I'm expected to conduct an internal audit for one of our policies within our isms.. and i wasn't sure how i'm suppose to incorporate iso clauses? Am I expected to check for those clauses when i'm conducting an internal audit. Reading policies and the interviews etc i understand it's how to incorporate or make sure it all links to the standard. but i'm not interested in signing up for anything really just need to figure out the above.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 26, 2017
To properly audit a policy considering ISO 27001 standard, it's only a matter of reading the standard and assess if the policy is compliant with its requirements (e.g., the standard requires a document to be reviewed and approved for suitability and adequacy, so in this case you should check if the policy was reviewed and approved).
In our free online course "ISO 27001:2013 Internal Auditor Course" (https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-internal-auditor-course/) you can find examples of how consider ISO 27001 clauses on an internal audit.
These materials will also help you regarding internal audit:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
Quote
0 0
Guest
nemys Aug 27, 2017
Hi There,

Suppose we are conducting an internal audit on seeing the effectiveness of secure development policy and general knowledge around IS policies within the organisation. Reviewing the secure dev policy and collecting evidence to see if the company is complaint with this shouldn't be hard as we will be interviewing developers and so on. My understanding is that iso consists of two main parts the clauses 4-10 and annex A. The secure dev policy is one of the controls in annex A. I haven't actually been provided with the standard itself but have been on a course. My scope for this audit is primarily development team and their general knowledge around the existing policies. What would be the best way to approach this audit? I am not sure how the clauses will be applicable and i'm not expected to check the overall effectiveness of the whole ISMS so do I need to go through everything?

Thanks
Quote
0 0
Expert
Rhand Leal Aug 30, 2017
First thing is that if you have to verify compliance with ISO 27001 you need to have the standard with you. As best as a course can be, it cannot replace the letter of the standard during an audit.

Considering that, if your audit scope is primarily development team and their general knowledge around the existing policies, then you should focus on clauses 7.2 (competence) and 7.3 (awareness), to verify if the development team has the necessary knowledge, skills or experience to perform their activities and if they are aware about the importance of being compliant with the policies and controls and what is the impact of non compliance.

And even though you do not need to check the overall effectiveness of the whole ISMS, you have to check if the ISMS cycle has been completed in the development process, so you have to go through all clauses from sections 4 to 10, only focusing on the development process (e.g., you have to check the risk assessment of the development process, verify if the existent competence is capable to handle the risks identified as unacceptable, verify if the training activities performed were effective and verify the effectiveness of any non conformity or corrective action taken in the process).

This article will provide you further explanation about how approach a process in an audit:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

Although the article covers certification audit, the same concepts can be applied for internal audit.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 26, 2017

Aug 30, 2017

Suggested Topics