ISO 27001 - LEAD - S
Uploaded by Iulia Ibor
Libero Assurance
PART B: ISO 27001:2013 Information Security Management System Lead Auditor

Welcome to Part B: ISO 27001:2013 ISMS Lead Auditor!

Contents: Lead Auditor ISO 27001:2013

1. Audit Overview
1.1 What is an audit?
1.2 Why audit?
1.3 Audit Types

2. Audit Steps
2.1 Performing audit activities
2.2 Audit Plan
2.3 Developing Checklists
2.4 Opening Meeting
2.5 Conducting the Audit
2.6 Recording Results
2.7 Non-Conformities & Non-Compliances
2.8 Closing Meeting(s)
2.9 Audit Report
2.10 Audit follow-up

3. Audit Programme
3.1 Establishing the audit programme objectives
3.2 Identifying and evaluating audit programme risks and opportunities
3.3 Process flow for the management of an audit programme
3.4 Managing an audit programme
3.5 Audit programme implementation
3.6 Monitoring the audit programme
3.7 Improving the audit programme

4. Accreditation & Certification
4.1 Accreditation & Certification Bodies
4.2 Certification Process

5. Auditor's Performance
5.1 Auditor's Quality
5.2 The Auditor's conduct
5.3 Auditor's Code of Conduct
5.4 Auditor Characteristics
5.5 Auditor's personal behavior
5.6 Auditee's conduct
5.7 Selecting the audit team members
5.8 Skills of audit team leaders
5.9 How to evaluate an Auditor
5.10 Maintaining and improving auditor competence

6. Psychological factors during an audit
6.1 Attitudes and relations
6.2 Obstacles
6.3 Space
6.4 Body language
6.5 Cultural factors
6.6 Principles of Listening
6.7 Questions & Questioning

7. Audit tips & techniques
7.1 Tips to trained auditor
7.2 Question Technique
7.3 Competence of the audit programme manager

© Libero Assurance

1. Audit Overview

This section is to introduce you to:
1.1 What is an audit?
1.2 Why audit?
1.3 Audit Types

1.1 What is an Audit?

+ As defined in ISO 9000 Fundamentals & Vocabulary, an audit is: "a systematic, independent and documented process for obtaining objective audit evidence [records, statements of fact or other information which are relevant to the audit criteria and verifiable] and evaluating it objectively to determine the extent to which the audit criteria [set of policies, procedures or requirements] are fulfilled."
+ It can be conducted by someone within the organisation or by someone from outside.
+ The auditor is an employee of the company who is responsible for providing independent and objective evaluations of the company's financial and operational business activities.
+ An auditor may focus on particular types of audits based on the audit purpose, such as verifying compliance, conformance or performance.
+ Remember: the auditor is attempting to prove the system by establishing the facts and finding the proof.
+ Does it comply with the standard you have chosen to follow (in this case the updated version of ISO 27001)?
+ The aim is not to set out to fail the system!

1.2 Why Audit?

+ Is the Information Security Management System implemented exactly as intended?
+ To investigate a problem:
  - why did it occur?
  - how can it be resolved?
  - how can it be prevented in future?
+ To identify opportunities for improvement
+ To see if the ISMS meets the requirements of the standard (ISO 27001)

1.3 Audit Types

+ System audit: an audit conducted on a management system. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented and implemented in accordance and in conjunction with specified requirements.
+ Examples: a quality management system audit evaluates an existing quality program to determine its conformance to company policies, contract commitments and regulatory requirements. Similarly, an information security system audit examines an information security management system, a food safety system audit examines a food safety management system, and a safety system audit examines the safety management system.

Different types of audits:
+ First-party audit: Internal audit
+ Second-party audit: External provider audit; Other external interested party audit
+ Third-party audit: Certification and/or accreditation audit; Statutory, regulatory and similar audit

2. Audit Steps

This section is to introduce you to:
2.1 Performing audit activities
2.2 Audit Plan
2.3 Developing Checklists
2.4 Opening Meeting
2.5 Conducting the Audit
2.6 Recording Results
2.7 Non-Conformities & Non-Compliances
2.8 Closing Meeting(s)
2.9 Audit Report
2.10 Audit follow-up

2.1 Performing audit activities

Initiating the audit
+ Establishing initial contact with the auditee
+ Determining the feasibility of the audit

Preparing audit activities
+ Performing document review in preparation for the audit
+ Preparing the audit plan
+ Assigning work to the audit team
+ Preparing work documents

Conducting the audit activities
+ Conducting the opening meeting
+ Performing document review while conducting the audit
+ Communicating during the audit
+ Assigning roles and responsibilities of guides and observers
+ Collecting and verifying information
+ Generating audit findings
+ Preparing audit conclusions
+ Conducting the closing meeting

Preparing and distributing the audit report
+ Preparing the audit report
+ Distributing the audit report

Completing the audit

Conducting audit follow-up

Audit Steps (summary):
+ Audit plan
+ Develop checklists
+ Opening meeting
+ Gather evidence
+ Record results
+ Closing meeting
+ Audit report

2.2 Audit Plan

+ Objectives & scope
+ Collect documents
  - standard, documented information, forms
  - desktop review
+ History: previous audit reports
+ Guidelines
  - Review documents
  - Identify important aspects of the activity
  - List in logical order
  - Set of questions to ensure critical information is covered for the required standard or statutory requirement (e.g. ISO 27001:2013)

The audit plan may cover the following, as appropriate:
+ Identification of the auditee's representative for the audit
+ The working and reporting language of the audit, where this is different from the language of the auditor or the auditee or both
+ The audit report topics
+ Logistics and communications arrangements, including specific arrangements for the locations to be audited
+ Any specific measures to be taken to address the effect of uncertainty on achieving the audit objectives
+ Any follow-up actions from a previous audit
+ Any follow-up activities to the planned audit
+ Coordination with other audit activities, in the case of a joint audit

2.3 Developing Checklists

Scope of a checklist
+ A checklist is made to establish objective evidence. The auditor tries to establish:
  - That authorized documented information is in use
  - That superseded documents have been removed
  - That good housekeeping is practiced
  - That facilities are adequate
  - That supervision is adequate

Audit checklist
+ A planned audit of an Information Security Management System (ISMS) requires a checklist which can serve as an aide-memoire for the auditor. The audit need not be limited to the questions given in the checklist.
+ The questionnaire is to be designed to assess whether the spirit of the standard has been captured by the application of ISO 27001:2013.
+ The aim is that the ISMS should add value to the organization and drive it towards achievement of organizational objectives and continual improvement.
+ The questions help the organization in deeper analysis of its processes, establishing a robust ISMS for better control over business processes.

Evaluating responses to the questionnaire / audit checklist
+ While responding to questions, the person responsible for the activity has to demonstrate that the requirement written in the question is being complied with. The respondent does not always have to show a document or records as evidence.
+ Where a procedure or instruction is not documented, the auditor may seek responses from two or three persons involved in the activity to assess that a standardized process has been established and is being operated satisfactorily.
+ The effectiveness of a current process can also be assessed while auditing the next process, which receives the output of the process just audited. Generic questions are given in the following slides.

2.4 Opening Meeting

Who?
+ Auditor/audit team
+ The auditor must be trained
+ Any staff from the area to be audited that may be interviewed
+ Must be independent of the area being audited

What?
+ Scope
+ Expected duration
+ The purpose of the opening meeting is to:
  a) confirm the agreement of all parties (e.g. auditee, audit team) to the audit plan;
  b) introduce the audit team;
  c) ensure that all planned audit activities can be performed.

List of points to be discussed in the opening meeting:
+ Introduction of the participants, including observers and guides, and an outline of their roles;
+ Confirmation of the audit objectives, scope and criteria;
+ Confirmation of the audit plan and other relevant arrangements with the auditee, such as the date and time for the closing meeting and any interim meetings;
+ Presentation of the methods to be used to conduct the audit;
+ Introduction of the methods to manage risks to the organization which may result from the presence of the audit team members;
+ Confirmation of formal communication channels between the audit team and the auditee;
+ Confirmation of the language to be used during the audit;
+ Confirmation that, during the audit, the auditee will be kept informed of the audit progress;
+ Confirmation that the resources and facilities required by the audit team are available;
+ Information about the method of reporting audit findings, including grading, if any;
+ Information about the conditions under which the audit may be terminated;
+ Information about the closing meeting;
+ Information about how to deal with possible findings during the audit;
+ Information about any system for feedback from the auditee on the findings or conclusions of the audit, including complaints or appeals.

2.5 Conducting the Audit

+ Assign the auditors to their areas
+ Sample the system and witness some testing by technicians
+ Collect objective evidence of system effectiveness
+ Compare findings from the checklist with requirements
+ Decide compliance or non-compliance
+ Audit team daily meeting

Gather evidence about compliance: interviews
+ Ask questions about the system and its implementation
+ Other questions:
  1. direct
  2. hypothetical
  3. clarifying

Gather evidence about compliance: examine documented information
+ Procedures, SOPs, forms
+ ISMS manual: copies controlled? available? correct issue status? used in the manner intended?
+ ISMS records: stored correctly? used as objective evidence? (many forms)
+ Compliance obligations

Gather evidence about compliance: observe activities
+ What is said or written may not reflect reality
+ "Show me" instead

Gather evidence about compliance: examine facilities
+ While visiting the operation areas/offices, examine:
  - equipment
  - standard of housekeeping
  - size and layout of the working area
  - environment
  - overall compliance with required standards or statutory requirements

Objective evidence: try to establish
+ That authorized documents are in use
+ That superseded documents have been removed
+ That good housekeeping is practiced
+ That facilities are adequate
+ That supervision is adequate
+ That orderly records are kept
+ That staff are adequately trained
Well prepared checklists will assist when answering these questions.

Questioning techniques
+ Keep the conversation going: repeat the last word or phrase; say something nice
+ Avoid double questions (two questions in one): only a one-word answer is likely to result
+ Yes/No questions: often elicit dead answers; you cannot gain much information
+ How? What? Why? When? Where? Who?: direct questions will achieve more detailed answers
+ Explanation questions: useful for comparing interfaces

2.6 Recording Results

Record on checklists
+ Activities which do not adhere to the ISMS may be classified as:
  - major non-conformance
  - minor non-conformance
+ Areas for improvement

Audit records should include the following:
a) Records related to the audit programme, such as:
  + Documented audit programme;
  + Those addressing the audit programme risks;
  + Reviews of the audit programme effectiveness and actual audit details;
b) Records related to each individual audit, such as:
  + Audit plans and audit reports;
  + Non-conformity reports;
  + Corrective and preventive action reports;
  + Audit follow-up reports, if applicable;
c) Records related to audit personnel, covering topics such as:
  + Competence and performance evaluation of the audit team members;
  + Selection of audit teams and team members;
  + Maintenance and improvement of competence.
The form and level of detail of the records should demonstrate that the objectives of the audit programme have been achieved.

2.7 Non-Conformities & Non-Compliances

Non-conformity report
+ Used to report non-conformity audit findings.
+ Must be factual.
+ Must be understandable and traceable.
+ Raise formal notification of any issues at the time of finding.
+ Must allow the auditee to implement corrective action prior to the closing meeting.
+ The auditee is required to sign a document of understanding and acceptance of the non-compliance.

Categorizing non-compliances
+ Major:
  - A single major system, product or service non-compliance.
  - A lack of documented information needed to satisfy an agreed requirement.
  - Non-implementation of documented information and arrangements.
  - A series of minor non-compliances in a particular area or activity which collectively have an adverse effect on the qualification of the product or service.
+ Minor:
  - There is a defined system of documented procedures and arrangements which satisfy agreed requirements, against which the organization being assessed can demonstrate an acceptable level of implementation overall, but there are minor discrepancies or lapses in discipline, or such mistakes are found in only one area.

Non-compliance reporting
+ What is the problem? Describe clearly, concisely and factually.
+ Why is it a non-compliance? i.e. against which requirement?
+ Where or when did it occur? i.e. in which department or activity, or when?

Wording of NCRs
+ It is important when preparing NCRs to take care and ensure each one is justified. Failure to achieve clear, factual information will invite challenge of the findings at the closing meeting. This will be particularly important in areas where the emphasis is placed on the following:
  - Management commitment
  - Competence
  - Communication
  - Continual improvement

2.8 Closing Meeting(s)

+ Audit team meeting: discuss audit results
+ Closing meeting: discuss corrective actions; determine resolution dates
+ Identify corrective actions: use corrective action forms

Contents of the closing meeting
+ As appropriate, the following should be explained in the closing meeting:
  - Advising that the audit evidence collected was based on a sample of the information available;
  - The method of reporting;
  - The process of handling audit findings and possible consequences;
  - Presentation of the audit findings and conclusions in such a manner that they are understood and acknowledged by management;
  - Any related post-audit activities, e.g. implementation of corrective actions, audit complaint handling.

2.9 Audit Report

Audit report
+ Audit details
+ Summary of findings
  - corrective actions numbered
  - objective evidence
  - reference the document
  - observations

Observations
+ Notes made by an auditor during the assessment may lead to non-compliances being raised or provide information for the audit report. Notes provide objective evidence back-up.

2.10 Audit Follow-up

Audit follow-up activities
+ It may be necessary for a follow-up audit to be performed to verify the effectiveness of any corrective action carried out. Corrective action, and subsequent follow-up audits, should be completed within a time period agreed to by the auditee, in consultation with the auditor.
+ The Safety Manager / Management Appointee should schedule the follow-up audit and enter details on the Audit Schedule and the Audit Status Log.

3. Audit Programme

Contents of an audit programme
+ Objectives for the audit programme and individual audits;
+ Extent/number/types/duration/locations/schedule of the audits;
+ Audit programme procedures;
+ Audit criteria;
+ Audit methods;
+ Selection of audit teams;
+ Necessary resources, including travel and accommodation;
+ Processes for handling confidentiality, environmental and other similar matters.

3.1 Establishing the audit programme objectives

The audit programme objectives can be based on consideration of the following:
a) Management priorities;
b) Commercial and other business intentions;
c) Characteristics of processes, products and projects, and any changes to them;
d) Information Security Management System requirements;
e) Legal and contractual requirements and other requirements to which the organization is committed;
f) Need for supplier evaluation;
g) Needs and expectations of interested parties, including customers;
h) Auditee's level of performance, as reflected in the occurrence of failures or incidents or customer complaints;
i) Risks to the auditee;
j) Results of previous audits;
k) Level of maturity of the Information Security Management System being audited.

Examples of audit programme objectives include the following:
+ To contribute to the improvement of an Information Security Management System and its performance;
+ To fulfill external requirements, e.g. certification to an Information Security Management System standard;
+ To verify conformity with contractual requirements;
+ To obtain and maintain confidence in the capability of a supplier;
+ To determine the effectiveness of the food safety management system;
+ To evaluate the compatibility and alignment of the Information Security Management System objectives with the Information Security Management System policy and the overall organizational objectives.

3.2 Identifying and evaluating audit programme risks and opportunities

There are many different risks associated with establishing, implementing, monitoring, reviewing and improving an audit programme. These risks may be associated with the following:
+ Planning, e.g. failure to set relevant audit objectives and determine the extent of the audit programme;
+ Resources, e.g. allowing insufficient time for developing the audit programme or conducting an audit;
+ Selection of the audit team, e.g. the team does not have the collective competence to conduct audits effectively;
+ Implementation, e.g. ineffective communication of the audit programme;
+ Records and their controls, e.g. failure to adequately protect audit records to demonstrate audit programme effectiveness;
+ Monitoring, reviewing and improving the audit programme, e.g. ineffective monitoring of audit programme outcomes.

Opportunities for improving the audit programme can include:
+ allowing multiple audits to be conducted in a single visit;
+ minimizing time and distances travelling to site;
+ matching the level of competence of the audit team to the level of competence needed to achieve the audit objectives;
+ aligning audit dates with the availability of the auditee's key staff.

3.3 Process flow for the management of an audit programme (Ref. ISO 19011)

Plan
+ Establishing the audit programme objectives
+ Establishing the audit programme:
  - Roles and responsibilities of the person managing the audit programme
  - Competence of the person managing the audit programme
  - Establishing the extent of the audit programme
  - Identifying and evaluating audit programme risks
  - Establishing procedures for the audit programme
  - Identifying audit programme resources
Do
+ Implementing the audit programme:
  - General
  - Defining the objectives, scope and criteria for an individual audit
  - Selecting the audit methods
  - Selecting the audit team members
  - Assigning responsibility for an individual audit to the audit team leader
  - Managing the audit programme outcome
  - Managing and maintaining audit programme records
+ Related activities: Competence and evaluation of auditors; Performing an audit
Check
+ Monitoring the audit programme
Act
+ Reviewing and improving the audit programme

3.4 Managing an audit programme

1. General
2. Establishing the audit programme objectives
3. Establishing the audit programme
  + Roles and responsibilities of the person managing the audit programme
  + Competence of the person managing the audit programme
  + Establishing the extent of the audit programme
  + Identifying and evaluating audit programme risks
  + Establishing procedures for the audit programme
  + Identifying audit programme resources
4. Implementing the audit programme
  + General
  + Defining the objectives, scope and criteria for an individual audit
  + Selecting the audit methods
  + Selecting the audit team members
  + Assigning responsibility for an individual audit to the audit team leader
  + Managing the audit programme outcome
  + Managing and maintaining audit programme records
5. Monitoring the audit programme
6. Reviewing and improving the audit programme

3.5 Audit programme implementation

Implement the audit programme by means of the following:
+ Communicating the pertinent parts of the audit programme to relevant parties and informing them periodically of its progress;
+ Defining objectives, scope and criteria for each individual audit and the audit method;
+ Coordinating and scheduling audits and other activities relevant to the audit programme;
+ Ensuring the selection of audit teams with the necessary competence;
+ Providing necessary resources to the audit teams;
+ Ensuring the conduct of audits in accordance with the audit programme and within the agreed time frame;
+ Ensuring that audit activities are recorded and records are properly managed and maintained;
+ Defining and implementing the operational controls necessary for audit programme monitoring;
+ Reviewing the audit programme in order to identify opportunities for its improvement.

3.6 Monitoring the audit programme

The individual(s) managing the audit programme should ensure the evaluation of:
a) whether schedules are being met and audit programme objectives are being achieved;
b) the performance of the audit team members, including the audit team leader and the technical experts;
c) the ability of the audit teams to implement the audit plan;
d) feedback from audit clients, auditees, auditors, technical experts and other relevant parties;
e) sufficiency and adequacy of documented information in the whole audit process.

3.7 Improving the audit programme

The individual(s) managing the audit programme and the audit client should review the audit programme to assess whether its objectives have been achieved. Lessons learned from the audit programme review should be used as inputs for the improvement of the programme.

The audit programme review should consider the following:
+ results and trends from audit programme monitoring;
+ conformity with audit programme processes and relevant documented information;
+ evolving needs and expectations of relevant interested parties;
+ audit programme records;
+ alternative or new auditing methods;
+ alternative or new methods to evaluate auditors;
+ effectiveness of the actions to address the risks and opportunities, and internal and external issues associated with the audit programme;
+ confidentiality and information security issues relating to the audit programme.

4. Accreditation & Certification

This section introduces you to:
4.1 Accreditation & Certification bodies
4.2 Certification process

4.1 Accreditation & Certification bodies

Function
+ Organizations that issue credentials or certify third parties against official standards are themselves formally accredited by accreditation bodies.
+ A certification body assesses whether the system, product or personnel fulfil the requirements stated in the certification requirements.
+ Certification bodies must be free from bias. Their auditors cannot offer advice!

Organizations can be certified to ISO 27001:2013
+ ISO 9000 definition of an organization: "person or group of people that has its own function with responsibilities, authorities and relationships to achieve its objectives. Note: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, association, charity or institution, or part or combination thereof, whether incorporated or not, public or private."
+ Organizations have the option to get certified as a whole (i.e. company-wide) or in parts (i.e. site-by-site).

4.2 Certification process

Certification process (figure; only the legible labels are kept): Application; Time-scale; Audit Team.

Optional pre-audit
+ A pre-audit is a preparation for the certification audit
+ A voluntary initiative by the client before the certification audit, to review compliance with a standard or to review updated standards that require transition
+ Clarifies the steps to be taken for a smoother transition
+ Helps the organization to familiarize itself with the certification audit approach
+ Identifies "gaps"
+ Covers all ISO 27001:2013 requirements

Stage One (initial) audit
+ Basis for planning the stage two audit
+ Assess readiness for the complete system audit
+ Validate the scope of the ISMS
+ Familiarize with the facility
+ Plan and allocate resources
+ Check requirements for team competence
+ Feedback to the client
+ Items reviewed: Risk Assessment; Legal & other requirements; Evaluation of compliance; Internal Audit; Management Review; ISMS Documentation

Stage Two (main) audit: objectives
+ Assess suitability of the organization's policy
+ Verify conformity with the standard and internal procedures
+ Evaluate the system's effectiveness in:
  - delivering the policy promise (i.e. compliance, meeting legal requirements, continual improvement, etc.)
  - achieving objectives

Audit Stage Two: complete system audit
+ EVERY clause of ISO 27001:2013 for: intent, implementation, effectiveness
+ Key questions: Is the system complete? Is the system working?

Surveillance audits
+ Monitor the continuing implementation of the ISMS
+ Conducted at least once per year
+ Cover all functions/processes over a 3-year period
+ Audit plan based upon the results of previous audits and ISMS importance
+ Internal audits may be taken into account
+ Key considerations include:
  - Is the policy promise being delivered?
  - Compliance management (legal & other requirements)
  - Continual improvement
  - Effectiveness of the internal audit program
  - Continuing management commitment?

5. Auditor's Performance

This section is a description of:
5.1 Auditor's Quality
5.2 The Auditor's conduct
5.3 Auditor's Code of Conduct
5.4 Auditor Characteristics
5.5 Auditor's personal behavior
5.6 Auditee's conduct
5.7 Selecting the audit team members
5.8 Skills of audit team leaders
5.9 How to evaluate an Auditor
5.10 Maintaining and improving auditor competence

Main aspects to consider are:
+ Auditor's quality
+ Auditor's conduct
+ Code of conduct
+ Auditor's personal characteristics
+ Auditor's behaviour
+ Audit team members
+ Auditee's conduct

5.1 Auditor's Quality

1. Wise & alert; ability to adapt to different people & situations.
2. Appropriate industrial experience.
3. Ability to question; to ascertain facts.
4. Ability to listen; does not prepare the next question while listening to an answer.
5. Interested in the explanation.
6. Knowledge of Information Security Management System standards & of assessment & audit techniques.
7. Analytical brain.
8. Sensitive to feelings, attitudes & motives, so as to understand what people mean when they say something.
9. Maintains eye contact.
10. Ability to discuss without arguing.
11. Neither approves nor disapproves.

5.2 The Auditor's conduct

Some traits of an auditor are given below. The list is extensive but not final. An auditor needs a lot of common sense in addition to the conduct listed here.
+ Look the part: dress smart
+ Be calm & courteous
+ Be punctual
+ Be precise
+ Be prepared
+ Do time management
+ Have sense: neglect human errors
+ Be human
+ Be decisive, determined & direct
+ Get on the job
+ Be fair
+ Be independent; not guided or controlled by the auditee
+ Use your power of deduction & inference
+ Know who's who, for effective & proper communication
+ Be sure from all corners: sufficient evidence
+ Discuss problems on the spot
+ Record non-conformities / non-compliances & evidence; summarise daily
+ Good guy / bad guy approach (two-auditor team): one for the task & the other for a mild approach
+ Key trait: be a good listener

5.3 Auditor's Code of Conduct

+ Do not accept any inducement, commission, gift or any other benefit from auditee organizations, their employees or any interested party, or knowingly allow colleagues to do so.
+ Do not intentionally communicate false or misleading information that may compromise the integrity of any audit or the auditor certification process.
+ Do not act in any way that would prejudice the reputation of the auditor certification body or the auditor certification process, and do co-operate fully with an enquiry in the event of any alleged breach of this code.
+ Do act professionally, accurately and in an unbiased manner.

5.4 Auditor Characteristics

Skills an auditor needs to develop, being:
+ Diplomatic
+ Patient
+ Honest
+ Fair minded
+ Impartial
+ Articulate
+ Communicative
+ Analytical
+ Helpful
+ Co-operative
+ Persistent
+ Observant
+ Ethical
+ Professional
+ Conscientious
+ Assertive

5.5 Auditor's personal behavior

Auditors should exhibit professional behavior during the performance of audit activities, including being:
+ Ethical, i.e. fair, truthful, sincere, honest and discreet;
+ Open-minded, i.e. willing to consider alternative ideas or points of view;
+ Diplomatic, i.e. tactful in dealing with people;
+ Observant, i.e. actively observing physical surroundings and activities;
+ Perceptive, i.e. aware of and able to understand situations;
+ Versatile, i.e. able to readily adapt to different situations;
+ Tenacious, i.e. persistent and focused on achieving objectives;
+ Decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis;
+ Self-reliant, i.e. able to act and function independently whilst interacting effectively with others;
+ Acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation;
+ Open to improvement, i.e. willing to learn from situations, and striving for better audit results;
+ Culturally sensitive, i.e. observant and respectful of the culture of the auditee;
+ Collaborative, i.e. effectively interacting with others, including audit team members and the auditee's personnel.

5.6 The Auditee's conduct

An auditor needs to be vigilant and on guard against the tactics which auditees quite often use in order to hide weaknesses:
+ Time wasters
+ Fixed ballot or loaded dice
+ The trial of strength by argument on competence
+ Insincerity: kill him with kindness
+ The absentee
+ Amnesia: let the auditor forget it
+ Language barrier
+ Desperation

5.7 Selecting the audit team members

In deciding the size and composition of the audit team for the specific audit, consideration should be given to the following:
a) The overall competence of the audit team needed to achieve the audit objectives, taking into account the audit scope and criteria;
b) The complexity of the audit, and whether the audit is a combined or joint audit;
c) The audit methods that have been selected;
d) Legal and contractual requirements and other requirements to which the organization is committed;
e) The need to ensure the independence of the audit team members from the activities to be audited and to avoid any conflict of interest;
f) The ability of the audit team members to interact effectively with the representatives of the auditee and to work together;
g) The language of the audit, and the auditee's social and cultural characteristics. These issues may be addressed either by the auditor's own skills or through the support of a technical expert.

To assure the overall competence of the audit team, the following steps should be performed:
+ Identification of the knowledge & skills needed to achieve the objectives of the audit;
+ Selection of the audit team members so that all of the necessary knowledge and skills are present in the audit team.

5.8 Skills of audit team leaders

Audit team leaders should have additional knowledge and skills to manage and provide leadership to the audit team, in order to facilitate the efficient and effective conduct of the audit. An audit team leader should have the necessary knowledge and skills to do the following:
a. Balance the strengths and weaknesses of the individual audit team members;
b.
Develop a harmonious working relationship among the audit team members; Manage the audit process, including: Planning the audit and making effective use of resources during the audit; Managing the uncertainty of achieving audit objectives; Protecting the health and safety of the audit team members during the audit, including ensuring compliance of the auditors with the relevant health, safety and security requirements; Organizing and directing the audit team members; Providing direction and guidance to auditors-in-training; Preventing and resolving conflicts, as necessary; © LreeroAssurance 5.8 Skills of audit team leaders *» Audit team leaders should have additional knowledge and skills to manage and provide leadership to the audit team, in order to facilitate the efficient and effective conduct of the audit. An audit team leader should have the necessary knowledge and skills to do the following: d. Represent the audit team when communicating with the person managing the audit programme, audit client and auditee; e. Lead the audit team to reach the audit conclusions; £. 
Prepare and complete the audit report © LreeroAssurance 5.9 How to evaluate an Auditor Evaluation method Review of records Feedback Interview Observation Testing Post-audit review Objectives To verify the background of the auditor To provide information about how the performance of the auditor is perceived To evaluate personal behavior and communication skills, to verify information and test knowledge and to acquire additional information To evaluate personal behavior and the ability to apply knowledge and skills, To evaluate personal behavior and knowledge and skills and their application To provide information on the auditor performance during the audit activities, identify strengths and opportunities for improvement surveys, references, performance evaluation, peer Examples Analysis of records of education, training, ‘employment, professional credentials and audit experience questionnaires, testimonials, personal complaints, Personal interviews Role playing, witnessed audits, on-the-job performance Oral and written exams, psychometric testing Review of the audit report, interviews with ‘the audit team leader, the audit team and, if appropriate, feedback from the auditee © LreeroAssurance 5.10 Maintaining and improving auditor competence * The individual(s) managing the audit programme should establish suitable mechanisms for the continual evaluation of the performance of the auditors and audit team leaders. * The continual professional development activities should take into account the following: a) changes in the needs of the individual and the organization responsible for the conduct of the audit; b) ©) relevant standards including guidance/supporting documents and other requirements; developments in the practice of auditing including the use of technology; d changes in sector or disciplines. 
© LreeroAssurance = factors during a BU eet ra CodaM a ecele Ulam ole CoH a) OX M Losi osd fo )oE5eCal Tee aol Tela 1(e)4) BSjoF- Tee a Me (c} Body language et UTC neraceles Pines tarsal) foNeninee ae terion] 6.1 Attitudes and relationships + Auditor's attitude + MUST be positive 1am here to help, not find mistakes o We are on the same side © Together we will seek improvement ©. The audit process is beneficial for your company “+ Relationship between auditors and auditees are crucial for a successful audit. The auditor influences that relationship by: 1. Understanding the process of communication 2. Minimizing communication problems 3. Developing an environment of effective communication 4. Listening the auditees carefully we © LreeroAssurance 6.2 Obstacles & communication ** Obstacles to effective communication + Physical + Mental + Psychological + Factors for fruitful communication + Whereis the audit taking place? BS WHERE | + What time of the day? * Good eye contact? + Positive body language? + observe carefully! + Any cultural barriers? « be prepared! © LreeroAssurance 6.3 Space & Time issues ° Space issues Do not violate the other's personal space Choice of appropriate location > eg. at the workspace of auditees or at the meeting room Seat plan Minimize external distractions <5 A desk between people can be an obstacle — Auditor and auditee must belong to the same team © LreeroAssurance 6.3 Space & Time issues > Time issues + Prior to your arrival, allow time for the auditee to deal with his everyday workload + Respect the time plan of the auditee and stick to the schedule © Nevertoo early! o Nevertoo late! + Keepin mind: © The customer's schedule © Meal and additional breaks © The work schedule © LreeroAssurance 6.4 Body language + Enough eye contact? 
* Eye contact is a very important subtle form of social interaction * In Western cultures good eye contact is vital to communication + In Middle Eastern cultures continuous eye contact may be considered as offensive and rude o however long and strong eye contact may indicate sincerity + Lack of eye contact does not always indicate an attempt to hide information ‘+ 70% of social interaction is non-verbal + Body language Posture, gestures, face expressions Communicates numerous information Uncontrollable signals may upset the auditee o Commoninterpretations Cultural differences © LiperoAssurance 6.5 Cultural factors > Cultural characteristics + Audits may be carried out in a multi-cultural environment + Cultural sensitivity > be aware that cultural differences and similarities between people exist without assigning them a value + Examples + Hand shake > the same for everyone? + Offensive gestures > Be aware! + Personal space > Do not violate! © LreeroAssurance 6.6 Principles of Listening * The art of listening is ESSENTIAL > Bad habits you must avoid “—S Eliminate distraction Listen carefully Don't rush to judge Hear the main issues Use free time for review and analysis Seek for explanations Pretend to listen Exaggerated reactions Be occupied with other matters Unnecessary interruptions Lack of eye contact Selective listening > filter out what you think is important Use the time of listening to think of the next question a © LreeroAssurance 6.7 The interview step > Interview — A crucial step of the audit * Offer meaningful and c ective proofs damental for + Effective communication is fu a successful interview + Make the auditee feel comfortable *%» Tips for a successful interview Interviews are NOT interrogations + Pose your questions in a form of disct Incorporate yc conversation questions into the + Avoid the question-answer tactic © LiperoAssurance 6.7 The interview step ** Question techniques for interviews * The questions must: o Avoid the relevant information o 
Not imply the answers o Not include affective words or implications *» 3 questions types + Open + Closed and direct + Explanatory /\ © LreeroAssurance 6.7 The interview step + Open questions - useful for the auditor * Open: What? Why? Where? Who? When? How? © Allow for detailed answers o Limits: diverge from the initial conversation topic + Closed and direct questions + Closed questions-answers: Yes/No + Direct questions-answers: Few words © Very specific information © Disadvantages: 1. limited amount of information, 2. may give the impression of interrogation + Explanatory questions co Aim to explain and obtain full information and prevent misinterpretation © Disadvantages: 1. if used a lot may give the impression you were not focused, 2. time consuming = © LreeroAssurance 7.1 Tips to trained auditor Vede een) Technique WARM ae Rem ae elm ere CRC le ls LiseroAssurANce 7.1 Tips to trained auditor * Audit Techniques + Internal Audit carried out by own staff - independent of the system being audited OR + Audit by external expert % Auditing Techniques: + Trace forward + Trace backward + Random + Status of importance * Auditor's Friends listed below: What? Why? When? How? Where? Who? Show me © LreeroAssurance 7.1 Tips to trained auditor 1, Auditor is always a fact finder and not a fault finder. 2. As per ISO 19011 auditor looks for effectiveness of system, process approach and not just records. 3. Auditors 4 Key boundaries a. Information Security Management System Requirements ie. ISO 27001 Standard b. Own written documented information ¢, Customer requirements d. Statutory & Regulatory requirements (Compliance obligations) 4. Audit methodology a, Interview People b. Verify Records c. Witness verification/ Process Checking d, Own verification of Process / Product parameters Information Security Management System Audit is a sampling activity © LreeroAssurance 7.1 Tips to trained auditor + Interview people Ask employees about their job, listen to what they say. 
Ask questions to test their knowledge and understanding (have a look to the following question tips) Observe operations Discover if the current practices comply with the requirements of the standard, Allow personnel to demonstrate their work instead of simply explaining, Review documents & records Request from employees to demonstrate what documents and records use for their work. Check if relevant document control is sufficient, refer to documentation to follow the demonstrated work. Question the need for documentation. Examine records Look for representative samples in order to make informal judgements. Use your time effectively and efficiently in order to be more confident while reviewing the system © LreeroAssurance 7.1 Tips to trained auditor * The Auditors Six Friends + When asking questions... Who ? What ? Where ? When? Why ? + And the seventh....OK, Show Me? © LreeroAssurance 7.2 Question Technique oe vEs/ No Questions + Often elicit dead answers — you gain nothing = only useful as a leader question “> How - What — Why - When - Where - Who? + Direct questions — will achieve more detailed answers ‘+ Explanation Questions + Useful for comparing interfaces © LreeroAssurance 7.2 Question Technique Key tips Keep conversation going Repeat the last word or phrase ~ say something nice Avoid double questions (2 questions in 1) Only one word answer is likely to result © LreeroAssurance 7.2 Question Technique ‘> Types of Questions in interviews What / Why / When / Where /How/ Who & Show me? A set of question for the auditor is listed below; Hypothetical question: — Let us say? — Suppose ? — If this does not happen then ? Silent question: — Body language, silence — Obvious one; isn’t it? Inverse question: — 1am not sure, are you sure? Comparison question: — Comparing different situations for statements. 
© LreeroAssurance 7.3 Competence of the audit programme manager ‘+ The person managing the audit programme should have the necessary competence to manage the programme as well as knowledge and skills in the following areas: + Audit principles, procedures and methods; + Thorough knowledge of auditing standard and requirements; * Activities, products and processes; Applicable legal and other requirements relevant to the activities and products; + Customers, suppliers and other interested parties. © LreeroAssurance To sum up, always remember... Team spirit ‘S.. > Successful audit The auditors are the ones References * ISO 27001 % ISO 19011 guidelines for auditing management systems *% ISO 9000 environmental Fundamentals and vocabulary © LreeroAssurance End of presentation Thank you for participating! “ISO 27001: 2013 Information Security Management System Lead Auditor” © LiperoAssuraNce
