32. HealthSafe ISMS Internal Audit Policy



ISMS INTERNAL AUDIT POLICY




Document Identification: HSNZ/POL/32
Document Name: ISMS Internal Audit Policy
Master Copy: CISO
Version Number: 1.3
Date Of Release: 15 Aug 2023
Prepared By: Eparama Tuibenau, CISO
Approved by: Kevin McAfee, Managing Director


VERSION HISTORY

Sl No | Version No. (From) | Version No. (To) | Prepared by | Approved by | Description of Version | Date | Reason for Version Change
1 | 1.0 | - | CISO | MD | First Release | 14 Apr 2020 | No changes made
1 | 1.0 | 1.1 | CISO | MD | Updated | 04 Aug 2021 | Modifications due to changes in HealthSafe
1 | 1.1 | 1.2 | CISO | MD | Reviewed | 28 Jul 2022 | Annual review
1 | 1.2 | 1.3 | CISO | MD | Reviewed | 15 Aug 2023 | Annual review

DOCUMENT STATUS

Date | Document Status
14 Apr 2020 | Modified
04 Aug 2021 | Reviewed
28 Jul 2022 | Reviewed
15 Aug 2023 | Current


Table of Contents

1 Purpose
2 Scope
3 Responsibility
4 Input
5 Output
6 Procedure
7 Monitoring
8 Records

1 PURPOSE

To ensure that internal audits are conducted at planned intervals to determine whether the information security management system conforms to the planned arrangements, to the requirements of ISO 27001:2013 and to the information security management system established by HealthSafe NZ, and whether it is effectively implemented and maintained.


2 SCOPE

Applicable to all activities connected to the realisation of the end product and to the measures taken for continual improvement of the products and processes.


3 RESPONSIBILITY

The CISO (Chief Information Security Officer) shall review and approve the yearly Internal Information Security Management System Audit Program in consultation with the GM and appropriate security-related staff. The entire system shall be audited at least twice a year. The CISO shall oversee the internal audit activities and the close-out of all outstanding corrective actions.

The Auditor shall carry out the instructions given by the CISO.

The Auditee's Functional Head shall verify and correct the non-conformities discovered by the Audit Team, and shall ensure the effectiveness of the corrective actions.

The CISO shall ensure that internal audits of the Information Security Management System are conducted at planned intervals to determine whether the ISMS conforms to the planned arrangements, and shall report to top management on the effectiveness of the Information Security Management System.


4 INPUT

All documents pertaining to the projects/departments.


5 OUTPUT

  • Observation Sheet
  • Non-Conformity Report
  • Checklist



6 PROCEDURE

Planning the Audit Management Programme

The CISO shall review and assess previous and current (i) corrective actions, (ii) improvement actions arising from Management Review Meetings and (iii) Management System Plans / Customer Satisfaction information.

The CISO shall prepare the Audit Program for either functional compliance with ISO 27001 or performance improvement. The Information Security Management System of the Company shall be audited at least once a year. The elements of the Information Security Management System procedures to be audited in each cycle, and the interval between cycles, shall be specified in the Internal Information Security Management System Audit Plan.


Execution


Audit Plan/ Schedule: 

An Audit Plan/Schedule shall be prepared in advance for each audit, containing the process to be audited, the date and time, and the name of the Auditor or Audit Team. The Auditee shall be informed of the audit through the Internal Information Security Management System Audit Plan at least two (2) weeks in advance, to eliminate the element of surprise.


Audit Team

The Auditor must have a good working knowledge of ISO 27001:2013 and must also possess sound project knowledge, auditing skills and techniques.


Preparation of Checklist

The Auditor shall prepare the Internal Information Security Management System Audit Checklist before the audit. 


Conducting the Audit


Pre-Audit Meeting

The Auditor shall hold a formal meeting with the Auditee's representative prior to commencement of the audit, stating the scope of the audit as tabulated in the Internal Information Security Management System Audit Plan and explaining how the audit will be conducted.


Actual Audit

The Auditor shall use the Internal Information Security Management System Audit Checklist to carry out fact-finding and to interview the Auditee on his or her system. Audit Team Members shall be objective in questioning the Auditees.

The Auditor shall ask the Auditee to briefly run through the procedure, stopping for clarification where necessary.

The Auditor shall ask for the work evidence.


Post-Audit Meeting

Before the Post-Audit Meeting, the Auditor shall decide on the number of major and minor NCRs that will be discussed in the meeting.

At the end of the audit, the Auditor shall hold a meeting with the Auditee's management to present the audit findings. At this meeting, the attendees shall agree on a close-out time frame for the corrective actions.


Issue of Non-Conformity Report

The Auditor shall issue the Non-Conformity Report to the Auditee during the Post-Audit Meeting. The Auditee must act on the reported non-conformances and complete the corrective actions by the stipulated date.

The Auditor shall take note of the stipulated date for the evaluation and close-out of the corrective actions.

The Auditor shall ensure that all Non-Conformity Reports are clearly stated and cross-reference the sample taken.


Follow-up & Close-out of Non-Conformity Report

The Auditee shall be informed of the next visit to follow up on the corrective actions issued. Once the Auditee has implemented the corrective actions, the non-conformances shall be closed: the Auditor shall verify and comment on a copy of the duly completed Non-Conformity Report, which shall then be filed.


Verification of the Auditor’s Outputs

The CISO shall be responsible to ensure that the Information Security Management System of the Company is implemented and maintained effectively. 


7 Monitoring (Checking)

The CISO shall check that, during each audit cycle, auditors:

  • do not audit their own department;
  • audit within the scope of ISO 27001:2013 and the requirements of the documented ISMS manual;
  • raise Non-Conformance Reports that are concise and do not leave doubt or ambiguity in the mind of the Auditee.

Data Analysis / Corrective & Improvement Action

Auditors shall collect data and audit evidence via the Audit Checklists for analysis, and shall identify opportunities for improvement.

The data collected on non-conformities and areas for improvement shall be returned to the Functional Head, who shall analyse the root cause(s) of the non-conformance.

The Auditor(s) shall initiate a follow-up audit to assess the effectiveness of the corrective action taken, in line with the completion date committed to by the Auditee.

Further corrective action shall be required if the Non-Conformity Report cannot be closed or the corrective action taken by the Auditee is not effective.

The internal audit findings and proposed improvements shall be forwarded to the Management Team for deliberation in the Management Review Meeting and for Top Management's approval.


Internal Audit Report

After the internal audit and the issue of the NCRs, 14 days shall be given to plan and implement corrective actions.

The internal audit report shall be sent to the top management team in the fourth week after the internal audit. The audit report shall list the number of NCRs along with their current closure status, and shall be an input to the Management Review Meeting.


8 RECORDS 

  • Internal Audit Program
  • Internal Audit Plan/Schedule
  • Internal Audit Checklist
  • Non-Conformity Report