We are an IT service provider in the healthcare industry and have different internal IT teams: an IT Field Engineering team, Data Centre, Directory Services, Networks and Telecoms, IT Server team, Project Management Office (PMO) teams, etc. These are all specialist teams and their members are SMEs in their field. They know the benefits of ISO 27001 and are committed to helping us, the Compliance Team; however, auditing these technical experts against clauses 4–10 is a challenge.
So, to audit these internal teams against the controls of Annex A, we created a template around these controls. Each team is audited around these controls, for example:
A6.1.2 Segregation of Duties
A9 User Access Management
A11 Physical & Environment Security
A16 Information Security Incidents, etc.
However, during the recent surveillance audit, the external auditor issued a non-conformity saying:
“Audits conducted to date have covered service delivery: to date, there has been no audit to conformity with ISO27001 clauses 4-10”
My question is: these technical people don’t know what is in clauses 4–10 of ISO 27001. How should we audit them against the clauses of the standard? For example, they don’t know the basic questions:
Are relevant internal and external issues that can affect an organization's ISMS identified?
Are all relevant interested parties identified, together with their requirements?
Is top-level Information security policy documented?
Are management reviews performed as planned?
Is the Risk Assessment and Risk Treatment Methodology reviewed before the regular review of existing risk assessment?
The only option we can see is for someone independent within the organization to audit us, the Compliance Team, against clauses 4–10, while we continue auditing the technical teams against the Annex A controls. Please advise whether this approach is sufficient to improve our auditing process. Many thanks, Ash