
Expert Advice Community

Internal audit checklist questions

Guest user Created:   Aug 25, 2016 Last commented:   Aug 25, 2016

I had some questions regarding a few of the internal audit checklist items.
Expert
Dejan Kosutic Aug 25, 2016

9.1 - "Is it defined what needs to be measured, by which method, who is responsible, who will analyze and evaluate the results?" Does this refer to the objectives? Also, does there need to be a document that shows each objective, what needs to be measured and who is responsible?

Answer: Setting the objectives is only one part of measurement - once you set the objectives, then you have to measure whether they are fulfilled. You can document objectives in one or several documents, see the details here: https://community.advisera.com/topic/monitoring-and-measurement-and-the-process-approach/

A6.1.2 - "Are duties and responsibilities defined in such a way to avoid conflict of interest, particularly with the information and systems where high risks are involved?" Do these duties include those beyond just IT?

Answer: Information security is not only about IT, it concerns all the functions in your company - therefore, A.6.1.2 is not for IT only - e.g. you can avoid conflict of interest in your finance department by asking for a double signature for signing payments in your bank account.

A16.1.7 - "Do procedures exist which define how to collect evidence that will be acceptable during the legal process?" How detailed does this need to be? Would saying we use a 3rd party to handle these procedures suffice?

Answer: The level of detail depends on what your local courts would find acceptable - therefore, asking someone with experience (e.g. a consultant with legal experience, or a lawyer with information security experience) would certainly help you with this. It is not enough to say that a 3rd party is in charge of something - you need to check whether they are really performing the activities they are hired for.

This free online training will also help you: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
