ISO 27001 Internal Auditor - Delegate Pack


theknowledgeacademy

ISO 27001:2022 Internal Auditor

About Us
The world's largest provider of classroom and online training courses
• World Class Training Solutions
• Subject Matter Experts
• Highest Quality Training Material
• Accelerated Learning Techniques
• Project, Programme, and Change Management, ITIL® Consultancy
• Bespoke Tailor Made Training Solutions
• PRINCE2®, MSP®, ITIL®, Soft Skills, and More
Course Syllabus
Module 1: Introduction to ISO 27001 (p. 5)
Module 2: Information Security (p. 10)
Module 3: Context of the Organisation (p. 43)
Module 4: Leadership (p. 48)
Module 5: Planning (p. 52)
Module 6: Support (p. 61)
Module 7: Operation (p. 68)
Module 8: Performance Evaluation (p. 72)
Module 9: Improvement (p. 78)
Module 10: Introduction to Auditing (p. 82)
Module 11: Performing ISO 27001 Audits (p. 104)
Module 12: Internal Auditor (p. 127)

Module 1: Introduction to ISO 27001
• Introduction
• Compatibility with Other Management System Standards
• ISO 27001:2022 and its Clauses


Introduction
General
• This document has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
• The adoption of an information security management system is a strategic decision for an organisation.
• The establishment and implementation of an organisation's information security management system are influenced by the organisation's needs and objectives, its security requirements, the organisational processes used, and the size and structure of the organisation.
• All of these influencing factors are expected to change over time.
• The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.

• It is important that the information security management system is part of, and integrated with, the organisation's processes and overall management structure, and that information security is considered in the design of processes, information systems and controls.
• An information security management system implementation is expected to be scaled in accordance with the needs of the organisation.
• This document can be used by internal and external parties to assess the organisation's ability to meet its own information security requirements.
• The order in which requirements are presented in this document does not reflect their importance or imply the order in which they are to be implemented.

Compatibility with Other Management System Standards
• This document applies the high-level structure, identical sub-clause titles, identical text, common terms and core definitions defined in Annex SL of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement, and therefore maintains compatibility with other management system standards that have adopted Annex SL.
• The common approach defined in Annex SL will be useful for organisations that choose to operate a single management system that meets the requirements of two or more management system standards.

ISO 27001:2022 and its Clauses
Clauses of ISO/IEC 27001
• Clause 1: Scope
• Clause 2: Normative references
• Clause 3: Terms and definitions

Clauses 1 to 3 are not directly audited against, but because they provide the context and definitions used in the rest of the standard (the standard's definitions, not the organisation's), their contents must be taken into account.

Module 2: Information Security
• What is Business?
• Industries
• Risk
• SWOT Analysis
• Constructs & Characteristics of Assets
• Security
• Privacy
• Triad of Information Security
• Cyber Security is Everyone's Responsibility
• Cybersecurity Landscape
• What is Information Security?
• Information Security Management
• Need of Information Security
• Threats to Information Security
• Active and Passive Attacks

What is Business?
• An organisation or economic system where goods and services are exchanged for one another or for money.
• Every business requires some form of investment and enough customers to whom its output can be sold on a consistent basis in order to make a profit.
• Businesses can be privately owned, not-for-profit or publicly owned.

Industries
Utilities, Media, Food, Chemical, Education, Metal, Retail, Engineering, Cement, FMCG, BFSI, Oil, Manufacturing, Health Care, Pharma, Telecom, IT/ITES, Real Estate, Automobile

Risk

[Diagram: "Risk" mind map. Labels recoverable from the figure: Threats; Vulnerability; Risks; Controls (Deterrent, Preventive, Detective, Compensating, Corrective, Recovery, Directive); Ransomware; Theft; Malware; Sabotage; Natural Calamities; Supply Chain Attacks; Misuse & Fire; High User Knowledge of IT Systems; Lapse in Controls; Physical Security; Disinformation – Misinformation; Social Engineering; Lack of Documentation; Manmade Disaster; Internet Threats; Threats Against Data; Threats Against Systems & Network; Threats Against Availability (DDoS); ISMS Failure; NIST CSF / ISO 27001:2022.]

SWOT Analysis

                 Weaknesses           Strengths
Threats          Mini-Mini (WT)       Maxi-Mini (ST)
Opportunities    Mini-Maxi (WO)       Maxi-Maxi (SO)

Constructs & Characteristics of Assets

Data
• Raw facts, figures & events (quantitative)
• Collected by observation & recording
• Stored in a specific location (physical)
• No context (little meaning until organised, arranged & developed)

Transformation Assets
• Set of people, processes, services & resources that collects & transforms data into information and disseminates & presents this information
• The "information system" or "ICT system"

Information
• Transformed data (qualitative)
• Created by analysis and structured presentation of data
• Virtual (logical) – not stored in a specific location
• Context (has meaning through organisation & presentation)

Security
To provide confidence & assurance
• Business can depend upon and trust our technologies
• Business is not exposed to unacceptable risk
• Business can meet its objectives and grasp opportunities

To protect business assets
• Technology and our use of it is 'secure'
• Information and our use of it is 'secure'

To support the business objectives
• What is our mission?
• What are our strategic, tactical & operational business objectives?

Privacy
Protecting the privacy of information:
• Keep sensitive information off the network, if possible
• Encrypt sensitive information
• Protect access to your system
• Don't share sensitive information
• Password protection

Preventing unauthorised modification of information:
• Emails
• Data
• Digital downloads
• Log/audit files

Reliability/trustworthiness of information:
• Hijacked websites
• Email with modified content
• Corrupted files

Denial of Service attacks:
• Denial of Service attacks and Distributed Denial of Service attacks
• Expect the unexpected
• Beware of natural/manmade disasters

Triad of Information Security
Confidentiality, Integrity, and Availability (CIA) are the three main goals of information security programs.

1. Confidentiality
• Confidentiality means that information is not disclosed to groups, organisations or processes that are not authorised to receive it.
• For instance, suppose I had a password for my Gmail account, but someone watched me logging in. In that case, both my password and the confidentiality of the account have been compromised.

2. Integrity
• Integrity means ensuring the accuracy and completeness of data: information cannot be altered without authorisation.
• For instance, when an employee leaves an organisation, all relevant data for that employee should be updated to reflect a JOB LEFT status so that the data remains accurate and complete. In addition, only authorised individuals should be permitted to edit employee data.

3. Availability
• Availability means that information must be accessible when it is required.
• For instance, if someone needs information about a specific employee to determine whether they have exceeded their allowed number of leave days, several organisational teams have to work together to provide it: network operations, development operations, incident response and policy/change management. A denial of service attack is one of the factors that can affect the availability of information.

Cyber Security is Everyone's Responsibility
Cybersecurity is everyone's concern:
• Help your organisation
• Reduce loss
• Think: C-I-A
• Prevent fraud
• Protect customer information

Security breaches lead to:
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (cyber law)
• Loss of customer confidence
• Business interruption costs

Cybersecurity Landscape

[Diagram: "Cybersecurity Landscape" mind map. Labels recoverable from the figure: Secure Application Development; Physical Security; Data Protection; Network Design; 4th Party Risk; 3rd Party Risk; CASS; Assets Inventory; Cloud Security; Baseline Configuration; Secure System Build; Vulnerability Scan; Security Architecture; Federated Identity; Social Engineering; Access Control; Blue Team; Red Team; Applications; Cryptography; Risk Assessment; Identity Management; Security Engineering; ISO/IEC; CoBIT; NIST; SANS/CSC; Penetration Tests; Infrastructure; Identity and Access Management; Privileged Access Management; Framework & Standard; Certifications; Data Centric Risk Assessment; Data Flow Map; Training; Conferences; Source Code Scan; Career Development; Industry Specific; Federal; State; Peer Groups; Self Study; Domains; Blackbox; Whitebox; Laws and Regulations; BCP; DR; Governance; Recovery; Executive Management Involvement; Detection; Prevention; Protection; User Education; Audit; Risk Informed; Reports & Scorecards; Threat Intelligence; SIEM; Active Defense; Training (New Skills); Company's Return Supervisory Procedure (WSPs); KPIs/KRIs; Security Operations; SOC; Policy; Awareness (Reinforced); Data Leakage; External; Internal; Compliance & Enforcement; Incident Response; Vulnerability Management; Procedures; Guidelines; Standards; Breach Notification; Contextual; IOCs; Intel Sharing; Forensic; Containment; Eradication.]

Information Security Management
• Information security encompasses more than just protecting data from unauthorised access.
• Information security is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information comes in both physical and digital forms.
• Information can be either physical or electronic, and can include your personal information, your social media profile, your mobile phone data, your biometrics, and so on.
• Information security therefore spans numerous research areas, such as cryptography, mobile computing, cyber forensics, online social media, etc.

Information security management is about preserving the 'Confidentiality, Integrity and Availability' of information and of the associated information processing facilities, whether systems, services, infrastructure or physical locations. It ensures business continuity by minimising business damage through preventing and reducing the impact of security incidents.

C – Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes
I – Integrity: The property of safeguarding the accuracy and completeness of assets
A – Availability: The property of being accessible and usable upon demand by an authorised entity

The purpose of the ISMS is to:
• Understand the organisation's needs and the necessity for establishing information security management policy and objectives
• Implement and operate controls and measures for managing the organisation's overall capability to manage information security incidents
• Monitor and review the performance and effectiveness of the ISMS
• Continually improve the organisation's information security based on objective measurement

Rules for ISMS:
• A weak foundation amplifies risk.
• If a bad guy tricks you into running his code on your computer, it's not your computer anymore.
• There's always a bad guy out there who's smarter, more knowledgeable, or better-equipped than you.
• Know the enemy, think like the enemy.
• Know the business, not just the technology.
• Technology is only one-third of any solution.
• Every organisation must assume some risk.

Need of Information Security
• Information security refers to the process of evaluating the available controls or countermeasures against the vulnerabilities discovered, and identifying any area that requires further work.
• By preventing and reducing the effects of security incidents, information security management aims to ensure business continuity and reduce business damage.

The need for information security:

1. Preserving the organisation's functionality
• Organisational decision-makers are responsible for establishing policies and running their business in accordance with complex, changing legislation, using applications that are effective and capable.

2. Enabling the safe operation of applications
• The organisation is under tremendous pressure to obtain and run integrated, efficient and capable applications.
• The modern organisation must establish an environment that protects the applications running on its IT systems, especially those applications that are crucial to the organisation's infrastructure.

3. Protecting the data the organisation collects and uses
• In an organisation, data can exist in two states: at rest or in motion. Data in motion is data that is currently being used or processed by the system.
• Attackers are motivated to steal or corrupt data because of its value, and the value and integrity of the organisation's data depend on protecting it. Information security protects both data in motion and data at rest.

4. Protecting the organisation's technology assets
• Depending on its size and scope, the organisation must add intrastate services. Organisational growth could create the need for a public key infrastructure (PKI), a comprehensive system of software and encryption techniques.
• In contrast to a small organisation, a large organisation uses a complex information security mechanism. Small businesses typically favour symmetric key data encryption.

Threats to Information Security
• Threats to information security can take many different forms, including software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
• A threat is anything that has the potential to breach security, harm one or more valuable assets, or negatively alter, erase or otherwise affect them.
• Attack & Breach:

Attack
• An attack is the exploitation of a vulnerability by a threat agent. In other words, an attack is any intentional attempt to exploit a vulnerability of an organisation's security infrastructure to cause damage, loss, or disclosure of assets.
• An attack can also be viewed as any violation of, or failure to adhere to, an organisation's security policy.

Breach
• A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result.
• A penetration is the condition in which a threat agent has gained access to an organisation's infrastructure through the circumvention of security controls and is able to directly imperil assets.

• Software attacks include viruses, worms, Trojan horses and other malware. Many users think that malware, viruses, worms and bots are all the same.
• However, they are not identical; the only thing they have in common is that each is malicious software, and each behaves differently.
• Malware is a combination of the words malicious and software. Malware is therefore defined as malicious software, including intrusive program code or anything else created to harm a system.

Malware can be categorised into two groups:
1. Infection methods
2. Malware actions

The following types of malware are classified by their manner of infection:
1. Virus
2. Worms
3. Trojan
4. Bots

1. Virus
• Viruses can reproduce themselves and spread across the Internet by attaching to software on the host computer, such as music or video files.
• The Creeper virus was first identified on ARPANET. Examples of viruses include file viruses, macro viruses, boot sector viruses, stealth viruses, etc.

2. Worms
• Worms can also replicate themselves, but they do not attach themselves to the host computer's software.
• Worms are network-aware, which is their primary difference from viruses. They can quickly move from one machine to another if a network is available.
• They will not harm the target machine, but they might slow it down, for example by taking up hard disc space.

3. Trojan
• A Trojan is completely different in concept from a virus or worm.
• The word "Trojan" comes from the Greek myth of the "Trojan Horse", which relates how the Greeks entered the walled city of Troy by hiding their men inside a huge wooden horse that had been presented to the Trojans as a gift.
• The Trojans loved horses so much that they trusted the gift. The soldiers came out of the horse during the night and began an internal uprising.
• When executed, the software carries out its mission of stealing information or performing whatever other function it was designed for. Trojans aim to conceal themselves inside software that appears trustworthy.

4. Bots
• Bots can be regarded as more advanced worms.
• They are automated processes designed to interact over the Internet without human involvement.
• Bots can be benign or malicious. A malicious bot infects one host, which then connects to the main server; the server sends commands to all the other hosts linked to that botnet.

Malware classified by its actions:
1. Adware
2. Ransomware
3. Spyware
4. Scareware
5. Rootkits
6. Zombies

1. Adware
• Adware violates users' privacy even though it is not specifically dangerous.
• It displays adverts in particular programmes or on the computer's desktop.
• It comes bundled with free software, which is how these developers primarily make money.
• Your preferences are tracked and relevant ads are shown to you.
• If harmful code is included in the software, the adware can monitor your computer's activity and possibly compromise it.

2. Ransomware
• Ransomware is malware that either locks the computer, rendering it partially or completely unusable, or encrypts all of its files. A screen is then displayed demanding money, or a ransom.

3. Spyware
• Spyware is a programme, or rather software, that monitors Internet activity and discloses the information to anyone who may be interested.
• Most frequently, spyware is delivered through viruses, Trojan horses and worms. Once dropped, it installs itself and keeps quiet to avoid being discovered.

4. Scareware
• Although it appears to be a programme that helps you fix your system, once the software is launched it will either infect or break your system.
• To frighten you into taking some action, such as paying to have your system fixed, the software displays a message.

5. Rootkits
• Rootkits are designed to obtain root access, usually referred to as administrative rights, on the user's system. Once they have root access, the exploiter can steal anything, including confidential files and data.

6. Zombies
• Zombies operate similarly to spyware. The infection mechanism is the same, but instead of spying and stealing data they wait for a hacker's command.

Active and Passive Attacks
Active Attacks
• An active attack tries to change system resources or interfere with their operation. Active attacks involve some modification of the data stream or the creation of a false statement.

Passive Attacks
• A passive attack does not affect system resources but tries to obtain or use information from the system.
• Eavesdropping and the monitoring of transmissions are both passive attacks.

Module 3: Context of the Organisation
• Organisation and Its Context
• Needs and Expectations of Interested Parties
• Scope of the Information Security Management System
• Information Security Management System

Understanding the Organisation and Its Context
The organisation shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result of its information security management system.

Understanding the Needs and Expectations of Interested Parties
The organisation shall determine:
• The interested parties that are relevant to the information security management system
• The requirements of these interested parties that are relevant to information security
• Which of these requirements will be addressed through the information security management system

Determining the Scope of the Information Security Management System
• In order to establish its scope, the organisation shall determine the boundaries and applicability of the information security management system.

When determining this scope, the organisation shall consider:
o The external and internal issues
o The requirements
o The interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations

• The scope shall be available as documented information.

Information Security Management System
• In accordance with the requirements of this document, the organisation shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions.

Module 4: Leadership
• Leadership and Commitment
• Policy
• Roles, Responsibilities, and Authorities

Leadership and Commitment
• Top management shall demonstrate leadership and commitment with respect to the information security management system by:
o Ensuring that the information security policy and objectives are established and are compatible with the organisation's strategic direction
o Ensuring that the information security management system requirements are integrated into the organisation's processes
o Ensuring the availability of the resources required for the information security management system
o Communicating the importance of effective information security management and of conforming to the information security management system requirements
o Ensuring that the information security management system achieves its intended result
o Directing and supporting individuals to contribute to the effectiveness of the information security management system, promoting continual improvement
o Supporting other relevant management roles to demonstrate leadership in their areas of responsibility

Policy
• Top management shall establish an information security policy that:
o Is appropriate to the purpose of the organisation
o Includes information security objectives or provides the framework for setting information security objectives
o Includes a commitment to satisfy applicable information security requirements; and
o Includes a commitment to continual improvement of the information security management system

• The information security policy shall:
o Be available as documented information
o Be communicated within the organisation; and
o Be available to interested parties, as appropriate

Organisational Roles, Responsibilities, and Authorities
• Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation.
• Top management shall assign the responsibility and authority for:
o Ensuring that the information security management system conforms to the requirements of this document
o Reporting on the performance of the information security management system to top management

Module 5: Planning
• Actions to Address Risks and Opportunities
• Information Security Objectives and Planning
• Planning of Changes

Actions to Address Risks and Opportunities
1. General
• When planning for the information security management system, the organisation shall consider the issues and requirements, and determine the risks and opportunities that need to be addressed in order to:
o Ensure the information security management system can achieve its intended result
o Prevent, or reduce, undesired effects
o Achieve continual improvement

• The organisation shall plan:
o Actions to address these risks and opportunities; and
o How to integrate and implement these actions into its information security management system processes; and
o How to evaluate the effectiveness of these actions

2. Information Security Risk Assessment
• The organisation shall define and apply an information security risk assessment process that:
o Establishes and maintains information security risk criteria, including:
- Risk acceptance criteria; and
- Criteria for performing information security risk assessments
o Ensures that repeated information security risk assessments produce consistent, valid and comparable results

o Identifies the information security risks:
- Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system; and
- Identify the risk owners
o Analyses the information security risks:
- Assess the potential consequences that would result if the identified risks were to materialise
- Assess the realistic likelihood of the occurrence of the risks
- Determine the levels of risk

o Evaluates the information security risks:
- Compare the results of the risk analysis with the risk criteria; and
- Prioritise the analysed risks for risk treatment

• The organisation shall retain documented information about the information security risk assessment process.

3. Information Security Risk Treatment
• The organisation shall define and apply an information security risk treatment process that:
o Selects appropriate information security risk treatment options, taking account of the risk assessment results
o Determines all controls that are necessary to implement the chosen information security risk treatment option(s)
o Compares the controls determined and verifies that no necessary controls have been omitted
o Produces a Statement of Applicability that contains the necessary controls and the justification for their inclusion, whether or not they are implemented, as well as the justification for excluding any controls from Annex A
o Formulates an information security risk treatment plan; and
o Obtains the risk owners' approval of the information security risk treatment plan and their acceptance of the residual information security risks
• The organisation shall retain documented information about the information security risk treatment process.
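The risk assessment and treatment steps described above (identify risks and their owners, analyse consequence and likelihood, evaluate against the risk criteria and prioritise, select treatments and controls, produce the Statement of Applicability, obtain risk-owner approval) as a small Python risk register. This is an added example, not material from the delegate pack or from the standard; the 1-5 scoring scale, the product formula, the acceptance level of 6, the "modify" option name and the sample risks are constructed assumptions, while the four Annex A identifiers and titles are those of ISO/IEC 27001:2022.

```python
from dataclasses import dataclass

# Assumed risk criteria: clause 6.1.2 a) requires the organisation to define its
# own, so the 1-5 scales, the product formula and the acceptance level are examples.
SCALE = range(1, 6)            # 1 = very low ... 5 = very high
RISK_ACCEPTANCE_LEVEL = 6      # consequence x likelihood <= 6 is accepted as-is
CIA = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class Risk:
    """One identified risk (6.1.2 c): the CIA property at stake and its risk owner."""
    risk_id: str
    description: str
    property_lost: str
    owner: str
    consequence: int           # 6.1.2 d) 1)
    likelihood: int            # 6.1.2 d) 2)

    @property
    def level(self) -> int:    # 6.1.2 d) 3), here simply consequence x likelihood
        return self.consequence * self.likelihood


@dataclass(frozen=True)
class Treatment:
    """Treatment chosen for one risk (6.1.3 a, b, e, f)."""
    risk_id: str
    option: str                # e.g. "modify" (assumed option name)
    controls: tuple            # Annex A controls determined necessary
    residual_level: int        # level remaining after the controls
    approved_by_owner: bool    # owner approval of the plan and residual risk


def evaluate(risks):
    """6.1.2 e): compare analysed levels with the criteria and prioritise for treatment.
    Returns (risks to treat, highest level first; accepted risks)."""
    for r in risks:
        if r.consequence not in SCALE or r.likelihood not in SCALE:
            raise ValueError(f"{r.risk_id}: scores must lie in {list(SCALE)}")
        if r.property_lost not in CIA:
            raise ValueError(f"{r.risk_id}: unknown property {r.property_lost!r}")
    to_treat = [r for r in risks if r.level > RISK_ACCEPTANCE_LEVEL]
    accepted = [r for r in risks if r.level <= RISK_ACCEPTANCE_LEVEL]
    return sorted(to_treat, key=lambda r: (-r.level, r.risk_id)), accepted


def statement_of_applicability(treatments, annex_a):
    """6.1.3 d): each Annex A control is included, justified by the risks it treats,
    or excluded with a justification (implementation status is tracked separately)."""
    soa = {}
    for control_id, title in annex_a.items():
        justified_by = sorted(t.risk_id for t in treatments if control_id in t.controls)
        soa[control_id] = {
            "title": title,
            "included": bool(justified_by),
            "justified_by": justified_by,
            "justification": (f"treats risk(s) {', '.join(justified_by)}"
                              if justified_by else "no assessed risk requires this control"),
        }
    return soa


def check_treatment_plan(to_treat, treatments):
    """Flag prioritised risks with no treatment option, residual risk still above the
    acceptance level, or missing risk-owner approval (6.1.3 a, e, f)."""
    by_id = {t.risk_id: t for t in treatments}
    issues = []
    for r in to_treat:
        t = by_id.get(r.risk_id)
        if t is None:
            issues.append(f"{r.risk_id}: no treatment option selected")
        elif t.residual_level > RISK_ACCEPTANCE_LEVEL:
            issues.append(f"{r.risk_id}: residual level {t.residual_level} is above acceptance")
        elif not t.approved_by_owner:
            issues.append(f"{r.risk_id}: risk owner ({r.owner}) has not approved the plan")
    return issues


# Constructed sample register; the organisation, risks and scores are invented.
RISKS = [
    Risk("R1", "Ransomware encrypts the file server", "availability", "Head of IT", 5, 3),
    Risk("R2", "Laptop holding customer data is lost", "confidentiality", "Sales Director", 4, 3),
    Risk("R3", "Visitor reads printed HR records left on a desk", "confidentiality", "HR Manager", 2, 2),
    Risk("R4", "Payroll spreadsheet edited by unauthorised staff", "integrity", "Finance Director", 3, 3),
]
# Annex A identifiers and titles as published in ISO/IEC 27001:2022 (only the four used here).
ANNEX_A = {
    "A.5.17": "Authentication information",
    "A.8.7": "Protection against malware",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}
TREATMENTS = [
    Treatment("R1", "modify", ("A.8.7", "A.8.13"), residual_level=5, approved_by_owner=True),
    Treatment("R2", "modify", ("A.8.24",), residual_level=4, approved_by_owner=False),
]   # R4 is prioritised but has no treatment yet, so the plan check flags it

if __name__ == "__main__":
    prioritised, _ = evaluate(RISKS)
    for issue in check_treatment_plan(prioritised, TREATMENTS):
        print("plan issue:", issue)
```

Running the block reports the two gaps an internal auditor would raise against 6.1.3: R2 lacks risk-owner approval and R4 has no treatment option, while R3 sits below the acceptance level and needs none.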

Information Security Objectives and Planning to Achieve Them
• The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
o Be consistent with the information security policy
o Be measurable (if practicable)
o Take into account applicable information security requirements, and the results of risk assessment and risk treatment
o Be monitored
o Be communicated
o Be updated as appropriate
o Be available as documented information

• The organisation shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine:
o What will be done
o What resources will be required
o Who will be responsible
o When it will be completed; and
o How the results will be evaluated

Planning of Changes
• When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

Module 6: Support
• Resources
• Competence
• Awareness
• Communication
• Documented Information

Resources
The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

Competence
• The organisation shall:
o Determine the necessary competence of any individual doing work under its control that affects its information security performance
o Ensure that these individuals are competent on the basis of appropriate education, training or experience
o Where applicable, take action to acquire the necessary competence, and evaluate the effectiveness of the actions taken
o Retain appropriate documented information as evidence of competence

Awareness
• Individuals doing work under the organisation's control shall be aware of:
o The information security policy
o Their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance
o The implications of not conforming with the information security management system requirements

Communication
• The organisation shall determine the need for internal and external communications relevant to the information security management system, including:
o On what to communicate
o When to communicate
o With whom to communicate
o How to communicate

Documented Information
1. General
• The organisation's information security management system shall include:
o Documented information required by this International Standard
o Documented information determined by the organisation as being necessary for the effectiveness of the information security management system

2. Creating and Updating
• When creating and updating documented information, the organisation shall ensure appropriate:
o Identification and description
o Format and media
o Review and approval for suitability and adequacy

theknowledgeacademy
Documented Information
3. Control of Documented Information

 Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

o It is available and suitable for use, where and when it is needed
o It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)

 For the control of documented information, the organisation shall address the following activities, as applicable:

o Distribution, access, retrieval and use
o Storage and preservation, including preservation of legibility
o Control of changes (e.g. version control)
o Retention and disposition

Module 7: Operation

 Operational Planning and Control
 Information Security Risk Assessment
 Information Security Risk Treatment
Operational Planning and Control
 Clause 8.1 is easy to evidence if the organisation has already 'shown its workings'

 An ISMS that has been developed to meet requirements 6.1, 6.2 and in particular 7.5, so that the whole ISMS is well structured and documented, largely satisfies 8.1 at the same time

 The organisation shall plan, implement and control the processes needed to meet information security requirements and to implement the actions determined in clause 6

 ISO 27001:2022 also requires under 8.1 that planned changes are controlled and the consequences of unintended changes are reviewed, and that externally provided processes, products or services relevant to the ISMS are controlled; an auditor should ask for evidence of both, not only for the documented ISMS
Information Security Risk Assessment
 Clause 8.2 is largely evidenced already if the organisation has documented its information security risk management work in line with requirements 6.1 and 6.2

 The clause is not satisfied by the methodology alone: the organisation shall perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, and shall retain documented information of the results of each assessment
Information Security Risk Treatment
 Under clause 8.3, the organisation shall implement the information security risk treatment plan and retain documented information of the results of the risk treatment

 This requirement ensures that the risk treatment process described in clause 6.1 actually takes place, not merely that it is planned

 The evidence should include a transparent audit trail of reviews and actions that shows how each risk has moved over time as the outcomes of treatment investments emerge, giving both the organisation and the auditor confidence that the risk treatments are achieving their objectives

Module 8: Performance Evaluation

 Monitoring, Measurement, Analysis, and Evaluation
 Internal Audit
 Management Review
Monitoring, Measurement, Analysis, and Evaluation
 The organisation shall evaluate the information security performance and the effectiveness of the information security management system
 The organisation shall determine:
o What needs to be monitored and measured, including information security processes and controls
o The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
o When the monitoring and measuring shall be performed
o Who shall monitor and measure
o When the results from monitoring and measurement shall be analysed and evaluated; and
o Who shall analyse and evaluate these results
 The organisation shall retain appropriate documented information as evidence of the results of monitoring and measurement
Internal Audit
 The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
 Conforms to
o The organisation's own requirements for its information security management system
o The requirements of this International Standard
 Is effectively implemented and maintained
Internal Audit
 The organisation shall:
o Plan, establish, implement, and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements, and reporting
o Ensure the audit programme takes into consideration the importance of the processes concerned and the results of previous audits
o Define the audit criteria and scope for each audit
o Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; in practice this means auditors do not audit their own work, so the person who operates a control should not be the one auditing it
o Ensure that the results of the audits are reported to relevant management
o Retain documented information as evidence of the audit programme and the audit results
Management Review
 Top management shall review the organisation's information security management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness
 The management review shall include consideration of:
 The status of actions from previous management reviews
 Changes in external and internal issues that are relevant to the information security management system
 Changes in the needs and expectations of interested parties that are relevant to the information security management system
 Feedback on the information security performance, including trends in:
o Nonconformities and corrective actions
o Monitoring and measurement results
o Audit results
o Fulfilment of information security objectives

Management Review
 Feedback from interested parties

 Results of risk assessment and the status of the risk treatment plan

 Opportunities for continual improvement

 The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system

 The organisation shall retain documented information as evidence of the results of management reviews

Module 9: Improvement

 Nonconformity and Corrective Action
 Continual Improvement
 Management Review
Nonconformity and Corrective Action
When a nonconformity occurs, the organisation shall:
 React to the nonconformity, and as applicable:
o Take action to control and correct it, and
o Deal with the consequences
 Evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:
o Reviewing the nonconformity
o Determining the causes of the nonconformity
o Determining whether similar nonconformities exist, or could potentially occur
Nonconformity and Corrective Action
 Implement any action needed

 Review the effectiveness of any corrective action taken

 Make changes to the information security management system, if necessary

o Corrective actions shall be appropriate to the effects of the nonconformities encountered

o The organisation shall retain documented information as evidence of:

 The nature of the nonconformities and any subsequent actions taken

 The results of any corrective action
Continual Improvement

 Continual improvement is fundamental to achieving and sustaining the effectiveness of information security: the organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system

Module 10: Introduction to Auditing

 Internal Audit Charter
 Communicate with Organisation and Audit Committee
 Auditing Reflects
 General and Internal Auditing Standards and Guidance
 Auditing Types
 Auditing Techniques
 Auditing Principles
 Phases of Audit
Internal Audit Charter

 Statement of Purpose
 Roles and Responsibilities
 Reporting Relationships
 Points of Contact
 Programme Activities
 Reporting Requirements
Communicate with Organisation and Audit Committee

 Develop strategy
 Create audit plans
 Select tools and protocols
 Manage, train, and assign auditors
 Conduct audits
 Produce findings and reports
 Assess and improve programme quality
Auditing Reflects
 Organisational policy

 Programme perspectives on what to audit and how different types of audits are conducted

 Applicable auditing standards; Generally Accepted Auditing Standards (GAAS) are an example of such standards

 Applicable subject matter knowledge
General and Internal Auditing Standards and Guidance

 IT auditing draws on six sources of standards and guidance: technical guidance, procedural guidance, auditor guidance, policy and programme guidance, industry guidance, and domain knowledge
Auditing Types
First Party Audit
 An internal audit, conducted by, or on behalf of, the organisation itself, for management review and other internal purposes
Second Party Audit
 An external audit conducted by a party that has an interest in the organisation, such as a customer auditing a supplier, or an organisation auditing its own suppliers, to confirm that an agreed contract or standard is being complied with
Third Party Audit
 An external audit conducted by an independent organisation, such as a certification body auditing against ISO 27001 for certification, or a regulator auditing for compliance with legislation
Auditing Techniques
 ISO auditors use various audit techniques to obtain the required objective evidence and to meet the objectives of each internal audit session. Some of these techniques are described below.
Sampling
 Sampling is one of the most efficient ways to meet audit objectives
 Auditors must be able to reach valid conclusions about large systems, but it is often impractical or too costly to examine every single item in a large system
 There may be too many items to examine, or they may be spread over a large geographical area
 As a result, auditors work with smaller samples, and the audit report should state how the sample was selected so that the reader can judge how far the conclusion extends
Auditing Techniques
 Sampling can be further divided into two types:
Judgement-Based Sampling
 Judgement-based sampling depends on the knowledge, skill, and experience of the audit team members. When using this approach, auditors use their personal judgement to select audit samples; the result cannot be extrapolated statistically to the whole population
Statistical Sampling
 A statistical sampling plan should help to achieve the audit objectives and should be based on what is known about the characteristics that define the population to be studied
 ISO 19011 mentions two statistical sampling techniques: attribute-based sampling and variable-based sampling
 Attribute-based sampling is used when there are two possible outcomes (attributes) for each sample: yes/no, pass/fail, correct/incorrect
 Variable-based sampling is used when outcomes occur along a range of values
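The two statistical sampling techniques above, worked through in code as an added example (this is not material from the delegate pack or from ISO 19011). The population is constructed: 400 user access review records with a pass/fail attribute, "reviewed within the 90-day policy period", and a variable, days since the last review. The record structure, the 60-item sample, the 5% tolerable deviation rate and the one-sided 95% bound are all assumptions chosen for illustration; a real audit would load the records from the access review tool's export and set the tolerable rate at planning.

```python
"""Attribute-based and variable-based sampling of ISMS audit evidence.

Added example for this section; it is not part of the delegate pack.
The population is constructed: 400 user access review records, each with
a yes/no attribute (reviewed within the 90-day policy period) and a
variable (days since the last review). A real audit would load the
records from the access review tool's export instead of build_population.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessReviewRecord:
    user_id: str
    days_since_review: int

    @property
    def conforms(self) -> bool:
        # Attribute under test: the review was completed within 90 days
        return self.days_since_review <= 90


def build_population(size: int = 400, seed: int = 1) -> list:
    """Constructed population in which roughly 6% of records are overdue."""
    rng = random.Random(seed)
    records = []
    for i in range(size):
        overdue = rng.random() < 0.06
        days = rng.randint(91, 400) if overdue else rng.randint(1, 90)
        records.append(AccessReviewRecord(f"u{i:04d}", days))
    return records


def draw_sample(population: list, n: int, seed: int = 42) -> list:
    """Simple random sample without replacement. The seed is recorded in
    the working papers so the selection can be reproduced by a reviewer."""
    return random.Random(seed).sample(population, n)


def wilson_upper_bound(failures: int, n: int, z: float = 1.645) -> float:
    """One-sided 95% upper confidence bound (z = 1.645) on the population
    failure rate, from the Wilson score interval. Unlike the naive p + z*se
    formula it still gives a usable bound when zero failures are observed."""
    if n <= 0:
        raise ValueError("sample size must be positive")
    p = failures / n
    z2 = z * z
    centre = p + z2 / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n))
    return (centre + spread) / (1 + z2 / n)


def attribute_sampling(population: list, n: int = 60,
                       tolerable_rate: float = 0.05, seed: int = 42) -> dict:
    """Attribute-based sampling: each item either passes or fails.
    The control is accepted only if the upper bound on the population
    failure rate is within the tolerable deviation rate set at planning."""
    sample = draw_sample(population, n, seed)
    failures = sum(1 for r in sample if not r.conforms)
    upper = wilson_upper_bound(failures, n)
    return {
        "sample_size": n,
        "failures": failures,
        "observed_rate": failures / n,
        "upper_bound": upper,
        "accept": upper <= tolerable_rate,
        "failed_records": [r.user_id for r in sample if not r.conforms],
    }


def variable_sampling(population: list, n: int = 60, seed: int = 42) -> dict:
    """Variable-based sampling: the outcome lies on a range of values.
    Estimates the mean days-since-review with a 95% confidence interval
    (normal approximation, adequate for n >= 30)."""
    values = [r.days_since_review for r in draw_sample(population, n, seed)]
    mean = statistics.fmean(values)
    half_width = 1.96 * statistics.stdev(values) / math.sqrt(n)
    return {"mean": mean, "ci_low": mean - half_width, "ci_high": mean + half_width}


if __name__ == "__main__":
    pop = build_population()
    print(attribute_sampling(pop))
    print(variable_sampling(pop))
```

The point of the upper bound is that a clean sample of 60 does not prove a clean population: with zero failures the bound is still about 4.3%, so the auditor can accept the control only if the tolerable deviation rate agreed at planning was at least that high. The failed record identifiers, not the user names, are what goes into the finding, matching the guidance on audit evidence later in the pack.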
Auditing Techniques
Observation
 Auditors can observe a work process in action, or inspect a physical feature of the premises, to determine whether a method is effective in achieving its intended results
 It can be a passive observation while individuals carry on their work, or a directed walkthrough where the auditor asks questions to gain a better understanding
Testing
 In some situations, sampling or observing live data will not be possible, for instance if performing an activity would generate unnecessary risk or too much disruption to the organisation; in such cases a controlled test of the control (for example a walkthrough of the incident response procedure against a simulated incident) can provide the evidence instead
Auditing Techniques
Interview
 Demonstrating the commitment of the organisation's leadership is a major requirement, and one way to audit this is through interviews
 Auditors can meet with individuals from across the organisation to ask them about various aspects of the management system
 This is an excellent way to test awareness of critical policies and procedures

Data Analytics (the science of analysing raw data in order to draw conclusions from that information)
 Some processes generate a large amount of data which can be examined to determine whether an intended result has been achieved
 This is a more technical method, but it can be a beneficial technique: instead of sampling a few records, the auditor can test the whole population, for example every privileged login in the period against the multi-factor authentication requirement
Auditing Techniques
Onsite vs Offsite
 Most audits are performed on-site, but with the emergence of video conferencing, remote execution of some of the above techniques is becoming increasingly feasible
 At the planning stage of the audit programme, the balance between on-site and off-site audit activities should be carefully considered, remembering that some techniques (such as observing physical security controls) can only be performed on-site
Human Interaction vs No Human Interaction
 People are an essential part of an organisation's ISMS and are also key to discovering what is really happening within a management system
 Most audit time will be spent working with members of the site being audited; techniques that need no human interaction, such as document review and data analytics, can often be completed off-site before the visit
Auditing Principles
 The main principles of auditing are:

 Planning
 Honesty
 Impartiality
 Secrecy
 Consistency
 Legal Framework
 Internal Controls
 Report
Auditing Principles
 Planning: An auditor must take into account the system as well as the internal control procedures before the audit begins

 Honesty: Honesty and sincerity are important principles in auditing. The professional integrity of an auditor must be beyond doubt

 Impartiality: The attitude of the auditor must be impartial. Their personal views must not influence or affect the audit report

 Secrecy: Confidentiality must be maintained. An auditor must not disclose information obtained during the audit to a third party without authorisation

 Consistency: In the case of information security audits, the auditor must follow the same processes in future years, so that there is consistency between audits and results can be compared over time
Auditing Principles
 Legal Framework: Business activities must run within rules and regulations. The rule of law must be applied to protect the rights of interested parties
 Internal Controls: The auditor will examine the internal controls governing information security and ensure that evidence exists of the controls being used (e.g. records of resolved incidents, completed access reviews)
 Report: A report should be prepared by the auditor at the end of an audit. The auditor can draw conclusions and disclose relevant facts and figures as general information
Auditing Principles
 The techniques for auditing are:

1. Examination of Record
2. Inquiry
3. Sampling
4. Confirmation
5. Analytical Review
Auditing Principles
 Examination of Record: This is commonly done by auditors. Documentation is inspected to verify the validity of data; in an ISO audit the focus should be on documentation and records

 Inquiry: An auditor can make inquiries and interview others. An auditor can gather information from those inside and outside the organisation, often through the designated contact

 Sampling: An auditor can select certain items from all of the available information to create samples. This allows the auditor to obtain and evaluate evidence that can be extrapolated, which is helpful in forming conclusions

Auditing Principles
 Confirmation: To ensure the accuracy of data, an auditor collects information from stakeholders. Confirmation is a response to an inquiry that proves certain recorded data

 Analytical Review: This consists of studying significant ratios and trends, and investigating changes. This review procedure is based on the expectation of a relationship between past and present data
Phases of Audit
There are several phases to an internal audit:

 Preparation and planning
 Execution and fieldwork
 Recording and reporting
 Follow-up and assessment
Phases of Audit
Audit Preparation

 Audit preparation consists of everything that is done in advance by the interested parties, such as the auditor, the lead auditor, the client, and the audit programme manager, to ensure that the audit meets its goals

 The preparation stage of an audit begins with the decision to conduct the audit and ends when the audit itself begins
Phases of Audit
Audit Performance

 Audit performance is the evidence collection stage of the audit and covers the period from arrival at the audit location up to the exit meeting

 It consists of activities including:

o On-site audit management meeting with the auditee
o Understanding the process and system controls
o Verifying that these controls work
o Communicating among team members
o Communicating with the auditee
Phases of Audit
Audit Reporting

 The purpose of the audit report is to communicate the results of the investigation

 The report should provide accurate and clear information that will be effective as a management aid in addressing important organisational issues
Phases of Audit
Audit Follow-up and Closure

 The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client, and the report is produced

 Follow-up occurs after the audit is completed to check that concerns raised in the audit have been effectively addressed

 The audit cannot be closed until satisfactory evidence has been obtained that the concerns have been addressed; a statement from the auditee that the action is complete is not evidence, the corrected record, configuration or process output is

Module 11: Performing ISO 27001 Audits

 Preparing an Audit Report
 Assessment of Audit Reports and Documents
 Report Preparation, Findings, Reconciliation, and Conclusions
 Reviewing Documents and Reports
 Auditing Procedures
 Classifying Findings
Preparing an Audit Report
 The audit scope should be broken down in the ISMS audit plan/checklist, including timings and priorities

 Resourcing should be negotiated and agreed between the management of the organisation and the audit team

 Preliminary bookings should be made for formal audit reports/discussions, allowing participants to confirm attendance

 Specific "checkpoints" should be put in place to give auditors and management contacts opportunities to meet for discussion
Assessment of Audit Reports and Documents
 The internal audit is one of the key activities in ISO 27001; it provides assurance that the information security management system (ISMS) is working effectively and as intended
 An audit report is read by:
o People who were audited, or who were present at the closing meeting
o Senior management who were not present at the audit, for review
 The audit report needs to address the needs of both audiences
 The report is required to contain:
o The findings of the audit team, supported by evidence
o The auditors' opinion as to whether the auditee conforms to ISO 27001
o Any concerns raised and the corrective measures required
Assessment of Audit Reports and Documents
 ISO 19011 recommends that the following items are included in the audit report:

 Audit client
 Audit objectives
 Audit scope
 Audit dates and places
 Audit criteria
 Audit conclusions
 Audit findings
Assessment of Audit Reports and Documents
The following information is also useful in an internal audit report:

01 Summary of audit process and obstacles
02 Audit plan
03 Disagreement between auditor and auditee
04 Any areas not covered
05 Agreed follow-up plans
06 Opportunities for improvement
Preparing an Audit Report
 What to include?

Title and introduction
• Scope
• Objectives

Timescale of audit
• Nature and extent of the audit

Executive summary
• Key findings
• Summary analysis and commentary
• Conclusion(s) drawn from the internal audit

Recipients and document classification
• Confidential findings viewable only by specified recipients
• Instructions on how to circulate the documentation

Credentials
• How did the internal auditors carry out their audit?
• Who are the internal auditors?
Preparing an Audit Report

Findings and analysis
• Detailed information on findings and in-depth analysis
• Supporting evidence cited, where required
• Findings categorised based on severity

Conclusions and recommendations
• Detailed summary of proposals and possible action plans
• Written with consideration for the organisation's own practices

Limitations
• Does the auditor have any reservations about the audit that was conducted?
• Were there any limitations that may have hindered the process?
Report Preparation, Findings, Reconciliation, and Conclusions

 Below is the list of items that should be included in an audit report

Audit Objectives

 What is the purpose of the audit?

 Is this a regular audit of a process, or a follow-up on a corrective action?

 All audits are done to demonstrate conformance with the requirements, but was anything else being examined?
Report Preparation, Findings, Reconciliation, and Conclusions

Audit Scope
 What were the boundaries of the audit?
 If more than one site, system or team operates the process, how many were audited?
 Was a night shift or evening shift excluded?
Audit Client
 Who was the process owner, or owners, that the audit was performed for?
Audit Criteria
 What were the processes audited against? For instance, this could be the ISO 27001 standard, internal company procedures and policies, or customer requirements
Report Preparation, Findings, Reconciliation, and Conclusions

Audit Dates and Places

 It is essential to be able to demonstrate the timeframe in which all of the audits of the system took place. Also, for management review, it may be important to know the chronology of the audits being reviewed

Audit Findings

 What are the results of the evidence found? It is important to include the audit evidence for these findings, including the identifiers of the records reviewed (e.g. ticket or contract numbers), but leave out the names of the people who were audited
Report Preparation, Findings, Reconciliation, and Conclusions

Audit Conclusions

 What is the summary of the outcome of the audit?

 Were there too many findings to determine whether the process was properly implemented?

 What is the assessment of the effectiveness of the ISMS from this audit?
Auditing Procedures
The audit procedure consists of the following steps:

STEP 1: PREPARE ANNUAL AUDIT PLAN

Responsibility: ISMS Audit Team
Input:
• Security-related incidents that have occurred since the last audit
• Security-related personnel problems that have occurred since the last audit
• Results of any risk assessment initiated since the last audit, and discussion of the proposed controls
• Designation of processes or people to manage risk
• Proposed changes to the security policy
• Progress reports on the implementation of previously decided actions
Actions:
• The ISMS Audit Team prepares the Annual Audit Plan, which covers the audit types as well as the frequency and audit methods. The annual audit plan takes into consideration the importance and status of the areas and processes to be audited, the risk assessment report, and the results of earlier audits
Output: Annual Audit Plan
Auditing Procedures

STEP 2: SUBMIT PLAN FOR APPROVAL

Responsibility: ISMS Audit Team
Input:
• Annual Audit Plan
Actions:
• The ISMS Audit Team submits the plan to the ISMS Manager for approval. Once the annual audit plan has been approved, the ISMS Audit Team communicates the plan to the interested parties
Output:
• When approved: proceed to step 3
• When not approved: return to step 1
Auditing Procedures

STEP 3: PREPARE FOR AUDIT

Responsibility: ISMS Audit Team
Input:
• Annual Audit Plan
• Periodic audit
• Ad-hoc audit
Actions:
• The ISMS Audit Team gathers and studies earlier audit findings and any outstanding concerns. The team also prepares all the relevant documents that will be required for the realisation of the audit. Work programmes or checklists are instrumental in keeping the audit thorough, efficient and uniform
• Periodic audit work programmes/checklists should be in-depth and based on ISO 27001, following a predefined path and checking adherence to controls. Follow-up audit work programmes/checklists should be limited to the findings of the related audit. Ad-hoc audit work programmes/checklists should always be focused on a trigger event, so an ad-hoc audit checklist should be created anew before every ad-hoc audit
Output:
• ISMS Audit Checklist
Auditing Procedures
STEP 4: CONDUCT AUDIT AND RECORD FINDINGS

Responsibility: ISMS Audit Team
Input:
• ISMS Audit Checklist
• Annual Audit Plan
Actions:
• The ISMS Audit Team conducts the audit and completes the predefined audit report. During the audit, the ISMS Audit Team seeks objective evidence to determine that:
o The information security policy is an accurate reflection of the needs of the business
o A proper risk assessment methodology is used
o Documented processes are being followed and are meeting their intended goals
o Technical controls are in place, correctly configured and working as planned
o Residual risk is assessed correctly and is acceptable to the company's management
o Actions agreed from earlier audits and reviews have been executed
o The ISMS conforms to ISO 27001
Output:
• Audit findings (if any)
Auditing Procedures

STEP 5: CREATE AND ARCHIVE AUDIT REPORT

Responsibility: ISMS Audit Team
Input:
• ISMS Audit Checklist
• Annual Audit Plan
Actions:
• The ISMS Audit Team prepares the audit report based on the audit findings. This report covers nonconformities, high residual risks, unresolved issues, etc. Audit findings should be labelled according to their priority level
• Audit findings marked as Priority 1 are major nonconformities and should be planned for resolution within two weeks, with a follow-up audit scheduled at the end of that period. If a finding is considered critical, it must be resolved as soon as possible
• Audit findings marked as Priority 2 are minor nonconformities and should be planned for resolution within three months, with a follow-up audit scheduled at the end of that period
Output:
• Audit Report
Auditing Procedures

STEP 6: DEVELOP ACTION PLAN

Responsibility: ISMS Audit Team
Input:
• Audit Report
Actions:
• In accordance with the audit findings and the level of nonconformance, an action plan and follow-up audit should be developed. Follow-up audits are scheduled and performed when an earlier audit has found critical nonconformances. The scope of a follow-up audit is restricted to the nonconformance, and the same mechanisms as the audit that produced the finding are used
Output:
• Action Plan
• Follow-up Audit
Reviewing Documents and Reports
Mandatory Documents by ISO 27001

 Scope of the ISMS (clause 4.3)
 Information security policy and objectives (clauses 5.2 and 6.2)
 Risk assessment and risk treatment methodology (clause 6.1.2)
 Statement of Applicability (clause 6.1.3 d)
 Risk treatment plan (clauses 6.1.3 e and 6.2)
 Risk assessment report (clause 8.2)
 Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
 Inventory of assets (clause A.8.1.1)

Reviewing Documents and Reports
Mandatory Documents by ISO 27001

 Acceptable use of assets (clause A.8.1.3)
 Access control policy (clause A.9.1.1)
 Operating procedures for IT management (clause A.12.1.1)
 Secure system engineering principles (clause A.14.2.5)
 Supplier security policy (clause A.15.1.1)
 Incident management procedure (clause A.16.1.5)
 Business continuity procedures (clause A.17.1.2)
 Statutory, regulatory, and contractual requirements (clause A.18.1.1)

 Note: the Annex A references above use the ISO 27001:2013 numbering. In ISO 27001:2022 the corresponding controls are A.6.2 and A.6.6 (terms of employment, confidentiality agreements), A.5.9 (inventory), A.5.10 (acceptable use), A.5.15 (access control), A.5.37 (documented operating procedures), A.8.27 (secure system architecture and engineering principles), A.5.19 (supplier relationships), A.5.26 (response to incidents), A.5.29 (information security during disruption) and A.5.31 (legal, statutory, regulatory and contractual requirements). Documents driven by Annex A are mandatory only for controls the Statement of Applicability declares applicable, so the auditor checks the SoA first
Reviewing Documents and Reports
Reports

 The following six reports are the most useful for an ISO 27001 audit:

 The Statement of Applicability
 The Risk Treatment Plan
 The Risk Assessment Report
 The Risk Summary Report
 The Controls Usage Report
 The Comments Report
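The first three reports are only as good as their agreement with each other, and cross-checking them is a document review the auditor can automate. The following is an added example, not material from the delegate pack: it reconciles extracts of a Statement of Applicability, a risk assessment report and a risk treatment plan. The three data sets are constructed and deliberately seeded with the inconsistencies an auditor looks for; control identifiers follow ISO 27001:2022 Annex A numbering, and the record fields (control, applicable, justification, implemented, treatment, owner, due) are assumptions rather than any GRC tool's export format.

```python
"""Reconciling the Statement of Applicability (SoA) with the risk
assessment report and the risk treatment plan (RTP).

Added example, not part of the delegate pack. All three extracts are
constructed; field names are assumptions, not a tool's schema.
"""
from dataclasses import dataclass, field


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str = ""
    implemented: bool = False


@dataclass
class Risk:
    risk_id: str
    treatment: str                       # modify / retain / avoid / share
    controls: list = field(default_factory=list)   # controls chosen to modify it


@dataclass
class TreatmentAction:
    risk_id: str
    control: str
    owner: str
    due: str


# Constructed SoA extract (ISO 27001:2022 Annex A numbering)
SOA = [
    SoAEntry("A.5.15", True, "Access control required for all systems", True),
    SoAEntry("A.5.26", True, "Incident response needed", False),
    SoAEntry("A.8.27", False, ""),              # excluded with no justification
    SoAEntry("A.5.19", True, "Cloud suppliers in scope", True),
]
# Constructed risk assessment report extract
RISKS = [
    Risk("R-01", "modify", ["A.5.15"]),
    Risk("R-02", "modify", ["A.5.26", "A.8.27"]),   # relies on an excluded control
    Risk("R-03", "retain"),
    Risk("R-04", "modify", ["A.5.23"]),             # control absent from the SoA
]
# Constructed risk treatment plan extract
RTP = [
    TreatmentAction("R-01", "A.5.15", "it-ops", "2024-06-30"),
    TreatmentAction("R-02", "A.5.26", "secops", "2024-07-31"),
]


def reconcile(soa: list, risks: list, rtp: list) -> list:
    """Return (category, detail) pairs for every inconsistency found."""
    soa_by_id = {e.control: e for e in soa}
    applicable = {c for c, e in soa_by_id.items() if e.applicable}
    rtp_pairs = {(a.risk_id, a.control) for a in rtp}
    planned_controls = {a.control for a in rtp}
    issues = []

    # 6.1.3 d: every exclusion needs a justification
    for e in soa:
        if not e.applicable and not e.justification.strip():
            issues.append(("soa_exclusion_unjustified", e.control))

    # Each modified risk must map to applicable controls with a planned action
    for r in risks:
        if r.treatment != "modify":
            continue
        if not r.controls:
            issues.append(("modify_without_controls", r.risk_id))
        for c in r.controls:
            if c not in soa_by_id:
                issues.append(("control_missing_from_soa", f"{r.risk_id}:{c}"))
            elif c not in applicable:
                issues.append(("treated_by_excluded_control", f"{r.risk_id}:{c}"))
            if (r.risk_id, c) not in rtp_pairs:
                issues.append(("no_treatment_action", f"{r.risk_id}:{c}"))

    # Applicable controls not linked to any risk: a query, not a nonconformity,
    # since a control may be applicable for legal or contractual reasons
    referenced = {c for r in risks for c in r.controls}
    for c in sorted(applicable - referenced):
        issues.append(("applicable_control_not_linked_to_risk", c))

    # Applicable, not implemented, and nobody planning to implement it
    for e in soa:
        if e.applicable and not e.implemented and e.control not in planned_controls:
            issues.append(("applicable_not_implemented_no_plan", e.control))
    return issues


if __name__ == "__main__":
    for category, detail in reconcile(SOA, RISKS, RTP):
        print(f"{category:40s} {detail}")
```

Each line of output is a question for the auditee rather than a finding in itself: an unjustified exclusion of A.8.27 is a clear gap against 6.1.3 d, whereas an applicable control that no risk references may simply be there for a contractual reason and needs its justification read, not a nonconformity raised.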
Classifying Findings
 An audit finding is the auditor's summary or description and analysis of an inadequately mitigated risk to the organisation, or of a gap against the audit criteria

 Audit findings are collected through interviews, examination of documents, and observation of activities and conditions in the areas of concern

 The audit team will review their findings to determine whether they should be reported as nonconformities or observations
Classifying Findings

Finding: COMPLIANT
Definition/Impact: Compliant means adherence to the requirements of the standard and the ISMS. The process is implemented and documented, and records exist to verify this
Action/Mitigation: Continue to monitor trends/indicators

Finding: OFI (Opportunity for Improvement)
Definition/Impact: A low-risk issue that offers an opportunity to improve current practice. Processes may be cumbersome or overly complex but meet their targets and objectives. Unresolved OFIs may degrade over time to become non-compliant
Action/Mitigation: Review and implement actions to improve the process(es). Monitor trends/indicators to determine whether the improvement was achieved

Finding: MINOR N/C
Definition/Impact: A medium-risk, minor nonconformance: a deviation from process practice that is not likely to result in the failure of the management system or process, that will not result in the delivery of non-conforming products or services, and that does not reduce the effectiveness of the ISMS
Action/Mitigation: Investigate root cause(s) and implement corrective action by the next reporting period or next scheduled audit

Finding: MAJOR N/C
Definition/Impact: A high-risk, major nonconformance which directly impacts upon customer or other interested-party requirements, is likely to result in the customer receiving non-conforming products or services, or which may reduce the effectiveness of the ISMS
Action/Mitigation: Implement immediate containment action, investigate root cause(s) and apply corrective action. Re-audit in 4 weeks to verify correction
The Reliability of Audit Findings
A finding is only as reliable as the evidence recorded with it. Each finding should record:

 The relevant scope of the audit

 Auditee name and title

 Time, date and venue

 The requirement of the standard (clause or control) that applies

 What was seen, and how it does not satisfy the requirement

 Document names, versions of documents and the date of the last update

Module 12: Internal Auditor

 Roles and Responsibilities
 Audit Plan
 Opening Meeting
 Record Review Activities
 Internal Auditor Checklist
 Communication Between Departments
 Drafting Reports and Test Plans
Roles and Responsibilities
 Internal auditors must:

 Attend meetings with the auditee
 Travel to on-site locations to meet staff and obtain documents
 Report on risk management processes
 Provide advice to managers and staff
 Perform risk assessments (of the audit itself; to stay impartial an internal auditor should not perform the ISMS risk assessment they will later audit)
 Anticipate potential issues
 Agree on recommendations for improvements
 Report on issues and problems to relevant personnel
 Assess compliance
 Manage stakeholders and their expectations through communication
Audit Plan
 ISO 19011 gives guidance on the audit activities used when auditing against ISO 27001

 This formal methodology helps to ensure the consistency and effectiveness of internal audits and underpins the integrity of the internal audit system

 These are not compulsory steps (e.g. small companies can omit some of them), but they are best practice for conducting an audit
Audit Plan
Prepare an audit plan. This plan should cover the following components and considerations:

1. Roles and responsibilities of each audit team member
2. Risk-based approach to audit planning
3. Scheduling and coordination of audit activities
4. Scope and complexity of the audit
5. Sampling techniques for collecting evidence
6. Opportunities for improvement
7. Risks of inadequate planning
8. Impact of the audit on auditee activities
Opening Meeting
 An opening meeting between the auditee and all relevant parties
should be held

 During the opening meeting, confirm the following with all relevant
parties:

o Audit programme plans

o Audit scope

o Audit objectives

o Audit criteria

o Audit plans

theknowledgeacademy
Opening Meeting
o Roles and responsibilities of the audit team

o That all planned activities can be performed, and proper


authorisation is acquired

o Language of the audit

o Information security protocol

o Relevant access and arrangements for the audit team

o Notable on-site activities that could impact audit process

theknowledgeacademy
Opening Meeting
 During the opening meeting, the following items should be clearly
communicated:

o Methods for reporting and communicating audit progress

o Conditions of audit termination

o Procedures for dealing with audit findings during the audit

o Procedures for receiving feedback from the auditee in response


to findings during the audit

Record Review Activities
• Internal auditors should keep in regular contact to ensure adherence to the audit plan.

• Regular face-to-face meetings and the use of audit working papers allow internal auditors and lead auditors to track progress against the internal audit checklist and plan.

• Meetings with management contacts, as set out in the plan, allow auditors to request access to certain information and to raise potential problems with the process.

Internal Auditor Checklist
• One of the tools available to ensure audits address the essential requirements is the audit checklist.

• It serves as a reference point before, during, and after the audit process, and if developed and used correctly, it will provide the following benefits:

o Ensures the audit is conducted systematically
o Promotes audit planning
o Ensures a consistent audit approach
o Actively supports the organisation’s audit process
o Provides a repository for notes collected during the audit
o Ensures uniformity in the performance of different auditors
o Provides reference to objective evidence

• An audit plan is a list of guidelines to be followed when conducting the audit; this will be particular to the nature of the organisation and its ISMS, as well as its specific needs.

• To prepare the audit plan, the following are required:

o Knowledge of the client’s business and its ISMS
o Preparation of the audit programme
o Development of audit strategies or an overall plan

Benefits of a Checklist:

• Conducting regular audits can help a small business identify problems and highlight strengths within the business.

• The use of an audit checklist not only helps small businesses review their practices but will also help them to prepare in the event of a third-party audit in the future.

• An audit checklist identifies areas of concern, allowing management to take corrective action.

Communication Between Departments
Here are some tips for communication during an audit:

Do Not Rely on Email

• Email should be used for basic tasks and for keeping people informed.
• Face-to-face and telephone interaction force parties to commit to an action, speeding up the process.

Less Jargon

• Avoid using audit jargon when communicating with stakeholders, as it increases the potential for confusion.
• Be ready to take time explaining aspects.

Keep Meetings Short and Relevant

• Avoid wasting stakeholders' time; the information shared should be actionable.
• Do state when additional information is required to move forward.
• Keeping things concise and relatable gives the auditee more chances and incentives to help.

Drafting Reports and Test Plans
• A typical ISMS audit report will contain some of the following elements, some of which may be split into appendices or separate documents:

o Title and introduction naming the organisation and clarifying scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.

o An executive summary indicative of the key audit findings with a short analysis and commentary, and an overall conclusion, typically phrased as: “We find the ISMS compliant with ISO/IEC 27001 and worthy of certification” or “Aside from [significant concerns], we are impressed with the coverage and effectiveness of the information security controls within the ISMS”.

o A list of specific recipients (since the contents may be confidential) and appropriate document classification or circulation instructions.

o An outline of the credentials, audit methods, and other information pertaining to individual auditors and team members.

o Audit findings and analysis, supported upon occasion by extracts from the audit files to aid understanding.

o The audit conclusions and recommendations, to be discussed with management and eventually integrated as action plans if agreed upon, depending on the organisation’s practices.

o A formal statement of the auditors’ reservations, qualifications, scope limitations, or other caveats with respect to the audit.

o Management may be invited to provide a short commentary or formal response, accepting the results of the audit and stating a commitment to agreed plans.

theknowledgeacademy.com

Congratulations