Scribd Logo
Upload

Welcome to Scribd!

  • 18 views

    Audit at 3 Pragmatic Levels

    Uploaded by

    Ketan
    This document outlines three levels of internal auditing for an information security management system (ISMS). Level 1 involves reviewing policies to ensure they remain relevant. Level 2 includes developing an internal audit plan to assess required controls. Level 3 promotes a holistic approach, such as auditing a department, to demonstrate ISMS effectiveness beyond just controls.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Audit at 3 Pragmatic Levels

    Uploaded by

    Ketan
    18 views1 page
    This document outlines three levels of internal auditing for an information security management system (ISMS). Level 1 involves reviewing policies to ensure they remain relevant. Level 2 includes developing an internal audit plan to assess required controls. Level 3 promotes a holistic approach, such as auditing a department, to demonstrate ISMS effectiveness beyond just controls.

    Original Description:

    Conducting IT Audit at 3 Pragmatic Levels

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines three levels of internal auditing for an information security management system (ISMS). Level 1 involves reviewing policies to ensure they remain relevant. Level 2 includes developing an internal audit plan to assess required controls. Level 3 promotes a holistic approach, such as auditing a department, to demonstrate ISMS effectiveness beyond just controls.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    18 views1 page

    Audit at 3 Pragmatic Levels

    Uploaded by

    Ketan
    This document outlines three levels of internal auditing for an information security management system (ISMS). Level 1 involves reviewing policies to ensure they remain relevant. Level 2 includes developing an internal audit plan to assess required controls. Level 3 promotes a holistic approach, such as auditing a department, to demonstrate ISMS effectiveness beyond just controls.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 1

    How to audit at 3 pragmatic and simple levels

    Level 1 – Review of policies in line with A.5.1.2 and A.8.1.2 for independent
    reviews
    This level is a simple review of how you ‘describe’ your policies and controls, and
    ensure they remain relevant for the organisation given 4.1 – 3 and in line with the above
    issues, parties, scope, information assets, risks etc.
    In ISMS.online we’ve included the policy for A.5.1.2 and developed the platform with
    that in mind so it’s easy for you to adopt our policy and really ‘live’ it in practice.
    This is clearly not internal auditing for Sect. 9.2 in itself, but is an important part of your
    ISMS management along with other aspects like management reviews, incident
    tracking etc. and will help to ensure that when you come to conduct your formal internal
    audit you are doing so against a solid set of policies and controls that are appropriate
    for your organisation.

    Level 2 – internal audit plan covering the requirements and controls


    This is the required, more traditional approach and will need to be carried out over the
    course of the certification cycle at a minimum and it may be worth considering covering
    this annually.
    Our audit project can be used to set the objectives and scope of each audit and record
    your findings. Any non-conformances that are identified can then be addressed in
    the Improvement Track.
    For those organisations wishing to follow a three-year audit programme of all controls,
    we’ve included a framework to follow in ISMS.online too.

    Level 3 – a holistic approach to demonstrating the effectiveness


    We also encourage a more holistic approach to internal audits and have built a
    programme in the platform that focuses an audit around ‘demonstrating’ a specific part
    of your ISMS scope is compliant, e.g. a department, a location, a product, system or a
    process.
    This gives you the opportunity to look at how the business works in practice,
    beyond InfoSec per se, and see opportunities for improvement or, indeed, uncover risks
    that might not be easily seen from looking through a control lens.
    This also enables an organisation to audit a larger number of controls in one go, in a
    joined-up fashion.
    In our ISO 27001 Virtual Coach, we include an example to give a flavour of what you
    could be doing that would illustrate part of your ISMS scope is working well and meeting
    its objectives, with the controls working (or not).

    You might also like