• • • • If you are planning your for the first time, you are probably puzzled by the complexity of the standard and what you should check out during the audit. So, you’re probably looking for some kind of a checklist to help you with this task. Here’s the bad news: there is no universal checklist that could fit your company needs perfectly, because every company is very different; but the good news is: you can develop such a customized checklist rather easily. Zip Code For Kaduna State Nigerian.
Developing an internal program for auditing the ISMS. From an IRCA point of view you develop an Audit Plan when preparing to audit an organization. This plan is derived from the 'Scope of Registration' document that an individual fills out when requesting a certification audit from a registrar.
The steps in the internal audit Let’s see which steps you need to take to create a checklist, and where they are used. By the way, these steps are applicable for internal audit of any management standard, e.g.,, etc.: • Document review. In this step you have to read all the documentation of your Information Security Management System or Business Continuity Management System (or part of the ISMS/BCMS you are about to audit) in order to: (1) become acquainted with the processes in the ISMS, and (2) to find out if there are nonconformities in the documentation with regard to. • Creating the checklist. Basically, you make a checklist in parallel to Document review – you read about the specific requirements written in the documentation (policies, procedures and plans), and write them down so that you can check them during the main audit. For instance, if the Backup policy requires the backup to be made every 6 hours, then you have to note this in your checklist, to remember later on to check if this was really done.
• Planning the main audit. Since there will be many things you need to check out, you should plan which departments and/or locations to visit and when – and your checklist will give you an idea on where to focus the most. • Performing the main audit. The main audit, as opposed to document review, is very practical – you have to walk around the company and talk to employees, check the computers and other equipment, observe physical security, etc. A checklist is crucial in this process – if you have nothing to rely on, you can be certain that you will forget to check many important things; also, you need to take detailed notes on what you find. Once you finish your main audit, you have to summarize all the nonconformities you found, and write an Internal audit report – of course, without the checklist and the detailed notes you won’t be able to write a precise report. Based on this report, you or someone else will have to open corrective actions according to the Corrective action procedure.
In most cases, the internal auditor will be the one to check whether all the corrective actions raised during the internal audit are closed – again, your checklist and notes can be very useful here to remind you of the reasons why you raised a nonconformity in the first place. Only after the nonconformities are closed is the internal auditor’s job finished. Making your checklist usable for beginners So, developing your checklist will depend primarily on the specific requirements in your policies and procedures. But if you are new in this ISO world, you might also add to your some basic requirements of ISO 27001 or ISO 22301 so that you feel more comfortable when you start with your first audit. First of all, you have to get the standard itself; then, the technique is rather simple – you have to read the standard clause by clause and write the notes in your checklist on what to look for. By the way, the standards are rather difficult to read – therefore, it would be most helpful if you could attend some kind of training, because this way you will learn about the standard in a most effective way.
(Click here to see.) What to include in your checklist Normally, the checklist for internal audit would contain 4 columns: • Reference – e.g. Clause number of the standard, or section number of a policy, etc. • What to look for – this is where you write what it is you would be looking for during the main audit – whom to speak to, which questions to ask, which records to look for, which facilities to visit, which equipment to check, etc. • Compliance – this column you fill in during the main audit, and this is where you conclude whether the company has complied with the requirement. In most cases this will be Yes or No, but sometimes it might be Not applicable. • Findings – this is the column where you write down what you have found during the main audit – names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.