Expert Advice Community

Query Regarding Internal Audit

Guest user Created:   Jun 29, 2021 Last commented:   Jun 29, 2021

We have been working on the ISO 27001 project using Advisera templates.

With regards to the Internal Audit, we plan to conduct the audit based on "ISMS policies" as scope instead of "Departments" as scope as indicated in Advisera vimeo video and templates.

This approach led to some doubts around the scope & criteria content in the templates, which we want to clarify with the Advisera ISO 27001 experts.

1 - Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the Internal Audit?

2 - Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria - BS7858 as per regulatory requirements?

Internal Audit Program (Scope & Criteria):

- Scope (what, when, who) - HR Security Policy
- Criteria (what) - BS7858 (mentioned in the HR Security Policy)

and so on for the other policies in our ISMS, to be used as scope and criteria.

Internal Audit Procedure template (Section 3.2) is proposed to be updated as follows:

Scope of the audit (departments, processes, clauses of the standard, etc.) ==>> plan to add "ISMS Policies" (to cover the HR Security Policy, Access Control Policy, etc.), as our approach to the audit is based on auditing policies instead of departments.

Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) ==>> BS7858 is a regulatory & contractual obligation from the regulator for the HR Security Policy.

Expert
Rhand Leal Jun 29, 2021

1 - Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the Internal Audit?

The internal audit can be performed in terms of implemented ISMS policies. You only need to ensure that all mandatory clauses and applicable controls are audited before the next certification/surveillance audit.

For further information, see:

2 - Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria - BS7858 as per regulatory requirements?

First, it is important to note that audit criteria need to be something against which ISMS policies are compared, not something within the ISMS policies, so you should think about requirements "applied" to ISMS policies, not "within" them.

Considering that, requirements used to develop ISMS policies can be used as audit criteria. In your example, BS7858 requirements are the criteria against which you evaluate your HR screening policy.
