ISMS INTERNAL AUDIT POLICY
Document Identification: HSNZ/POL/32
Document Name: ISMS Internal Audit Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved By: Kevin McAfee, Managing Director
VERSION HISTORY
Sl No | Version No. From | Version No. To | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review
DOCUMENT STATUS
Date | Document Status
14 Apr 2020 | Modified
04 Aug 2021 | Reviewed
28 Jul 2022 | Reviewed
15 Aug 2023 | Current
Table of Contents
1 Purpose
2 Scope
3 Responsibility
4 Input
5 Output
6 Procedure
7 Monitoring
8 Records
1 PURPOSE
To ensure that internal audits are conducted at planned intervals to determine whether the information security management system conforms to the planned arrangements, to the requirements of ISO 27001:2013 and to the information security management system established by HealthSafe NZ, and is effectively implemented and maintained.
2 SCOPE
Applicable to all activities connected to the realisation of the end product and to the measures taken for continual improvement of the products / processes.
3 RESPONSIBILITY
The CISO (Chief Information Security Officer) shall review and approve the yearly Internal Information Security Management System Audit Program in consultation with the GM and appropriate security-related staff. The entire system shall be audited at least twice a year. The CISO shall oversee the internal audit activities and the close-out of all outstanding corrective actions.
The Auditor shall carry out the instructions given by the CISO.
The Auditee's Functional Head shall verify and correct non-conformities discovered by the Audit Team. He/she shall ensure the effectiveness of the corrective actions. The CISO shall ensure that the internal audits of the Information Security Management System are conducted at planned intervals to determine whether the ISMS conforms to the planned arrangements.
The CISO will report to top management on the effectiveness of the Information Security Management System.
4 INPUT
All documents pertaining to the projects/departments.
5 OUTPUT
Observation Sheet
Non-Conformity Report
Checklist
6 PROCEDURE
Planning the Audit Management Programme
The CISO shall review and assess previous and current (i) corrective actions, (ii) improvement actions arising from Management Review Meetings and (iii) Management System Plans / Customer Satisfaction information.
The CISO shall prepare the Audit Program for either functional compliance with ISO 27001 or performance improvement. The Information Security Management System of the Company shall be audited at least once a year. The relevant elements of the Information Security Management System procedure to be audited under each cycle, and their intervals, shall be specified in the Internal Information Security Management System Audit Plan.
Execution
Audit Plan/ Schedule:
An Audit Plan/Schedule shall be prepared for each audit in advance, containing information such as the process to be audited, the date and time, and the name of the Auditor or Audit Team. The Auditee shall be informed of the audit by means of the Internal Information Security Management System Audit Plan at least two (2) weeks in advance to eliminate the element of surprise.
Audit Team
The Auditor must have a good working knowledge of ISO 27001:2013 and must also possess sound project knowledge, auditing skills and techniques.
Preparation of Checklist
The Auditor shall prepare the Internal Information Security Management System Audit Checklist before the audit.
Conducting the Audit
Pre-Audit Meeting
The Auditor shall hold a formal meeting with the auditee's representative prior to the commencement of the audit, stating the scope of the audit as tabulated in the Internal Information Security Management System Audit Plan and explaining how the audit will be conducted.
Actual Audit
The Auditor shall use the Internal Information Security Management System Audit Checklist to carry out fact-finding and to interview the auditee on his or her system. Audit Team Members shall be objective in questioning the Auditees.
The Auditor shall ask the Auditee to briefly run through the procedure, stopping for clarification where necessary.
The Auditor shall ask for the work evidence.
Post-Audit Meeting
At the end of the audit, the Auditor shall hold a meeting with the Auditee's management to present the audit findings. At this meeting, the attendees shall agree on a close-out time frame for the corrective actions.
Prior to the Post-Audit Meeting, the Auditor shall decide on the number of major / minor NCRs that will be discussed in the meeting.
Issue of Non-Conformity Report
The Auditor should issue the Non-Conformity Report to the Auditee during the post-audit meeting. The Auditee must act on the reported non-conformances and complete the corrective actions by the stipulated date.
The Auditor shall take note of the stipulated date for the evaluation and close-out of the corrective actions.
The Auditor shall ensure that all Non-Conformity Reports are clearly stated and cross-reference the sample taken.
Follow-up & Close-out of Non-Conformity Report
The Auditee should be informed of the next visit to follow up on the corrective action issued. The Auditee should close the non-conformances once the actions have been implemented, and a copy of the duly completed Non-Conformity Report must be verified, commented on and filed.
Verification of the Auditor’s Outputs
The CISO shall be responsible for ensuring that the Information Security Management System of the Company is implemented and maintained effectively.
7 MONITORING (CHECKING)
The CISO shall check to ensure that, during each audit cycle, auditors:
- Do not audit their own department.
- Audit within the scope of ISO 27001:2013 and the requirements of the documented ISMS manual.
- Raise Non-Conformance Reports that are concise and do not create doubt or ambiguity in the mind of the auditee.
Data Analysis / Corrective & Improvement Action
Auditors shall collect data / audit evidence via the Audit Checklists for analysis and shall identify opportunities for improvement.
The data collected on non-conformities / areas for improvement shall be returned to the Functional Head for analysis of the root cause(s) of the non-conformance.
The Auditor(s) shall initiate a follow-up audit to assess the effectiveness of the corrective action taken, in line with the completion date committed to by the auditee.
Further corrective action shall be required if the Non-Conformity Report cannot be closed or the corrective action taken by the auditee is not effective.
The internal audit findings and proposed improvements shall be forwarded to the Management Team for deliberation in the Management Review Meeting and for Top Management's approval.
Internal Audit Report
After the internal audit and the issue of the NCR, 14 days will be given to plan and implement corrective actions.
The internal audit report shall be sent to the top management team in the 4th week after the internal audit. The audit report will list the number of NCRs along with their current closure status, which will be the input for the Management Review Meeting.
8 RECORDS
- Internal Audit Program
- Internal Audit Plan/Schedule
- Internal Audit Checklist
- Non-Conformity Report