Internal audit checklist questions
Assign topic to the user
9.1 - "Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?" Does this refer to the objectives? Also, does there need to be a document that shows each objective, what needs to be measured and who is responsible?
Answer: Setting the objectives is only one part of measurement - once you set the objectives, then you have to measure whether they are fulfilled. You can document objectives in one or several documents, see the details here: https://community.advisera.com/topic/monitoring-and-measurement-and-the-process-approach/
A6.1.2 - "Are duties and responsibilities defined in such a way to avoid conflict of interest, particularly with the information and systems where high risks are involved?" Do these duties include those beyond just IT?
Answer: Information security is not only about IT, it concerns all the functions in your company - therefore, A.6.1.2 is not for IT only - e.g. you can avoid conflict of interest in your finance department by asking for a double signature for signing payments in your bank account.
A16.1.7 - "Do procedures exist which define how to collect evidence that will be acceptable during the legal process?" How detailed does this need to be? Would saying we use a 3rd party to handle these procedures suffice?
Answer: The level of detail depends on what your local courts would find as acceptable - therefore, asking for someone with experience (e.g. consultant with legal experience, or a lawyer with information security experience) would certainly help you with this. It is not enough to say that 3rd party is in charge of something - you need to check whether they are really performing the activities they are hired for.
This free online training will also help you: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Comment as guest or Sign in
Aug 24, 2016