Audit Planning and Scope
What should be in the scope of an ISO 27001 Audit?
- The tricky thing with an ISMS audit is that the Audit Scope is defined in consultation with the entity up front so there is not a specific list you can refer to.
- The audit scope provided to you by your auditor should describe the range and limits of the audit for example the locations, the organisations business units, the activities, the systems and the processes as well as the time period covered by the audit.
- Taking into account the limited duration of the audit the auditor determines which business units and processes systems they will audit. It is critical the audit scope chosen by the auditors be representative of the management system in scope.
- As part of the ISO 27001 audit engagement your auditor should have put together a detailed plan to determine the scope and the materiality of certain parts of scope. Materiality will help define what processes they will place emphasis on during the on-site/evidence collection part of the audit. The auditor will then adjust their sampling plan based on the materiality of each processor asset.
In summary make sure your assets are well documented and assign them materiality rating, based on risk, then look to work with your auditor to develop a detailed audit plan based on that asset list.
The Scope Statement
A Scope Statement is required if you intend to get ISO 27001 certification.
Sample scope statement
The scope encompasses all (Company Name) employees, (Company Name) locations, (Company Name) owned technology and data assets and (Company Name) businesses processes that deliver:
- (List all product and services in scope).
Tip: Carefully consider which of the backend systems you wish to include. The most important systems to include is the parts that are important to your customers.
You may wish to articulate very clearly what is in scope vs out of scope. Here is an example of a scope statement clearly articulated.
Product and Services
The following products and services are in scope:
- Product 1
- Service 1
- Service 2
Out of Scope
- Back office systems that support the operation of the business that do not directly support in-scope products and services.
- HR System 1
- Marketing System 1
Does the Auditor have to follow any guidelines or standards?
- Requirements for certifying bodies - ISO 1702-1 – Conformity assessment - Requirements for bodies providing audit and certification of management systems.
- Requirements for Auditing and Certifying ISMS – ISO 27006 – Information Technology - Security Techniques - Requirements For Bodies Providing Audit And Certification Of Information Security Management Systems. These requirements are intended to be used by companies that audit and certify ISMS according to the audit criteria of ISO/IEC27001.
- Guidelines for auditing ISO 27001 - ISO 27007 Guidelines for ISMS Auditing and ISO 27008 - Information Technology - Security Techniques -Guidelines For Auditors On Information Security Controls
- Guidelines for auditing management systems - ISO 19001 – Guidelines for Auditing Mgt Systems
Guidelines for auditing under the ISO 27001 certification program are intended to be flexible so they can be adapted to the size and complexity of the organisation being audited.
The responsibility falls on each auditor to apply the ISO 27007 Guidelines for ISMS Auditing.
While ISO 27007 outlines the audit activities and steps ISO 27008 provides guidelines on the review of security controls.
Many auditors will also refer to ISO 19001 – Guidelines for Auditing Mgt Systems as they were specially developed to assist auditors in acetification audit context.
There are typically two stages of an ISO 27001 certification audit. Stage 1 will be to review the design of your ISMS and stage 2 will be to verify that controls are operating effectively.
What types of evidence will Auditor's want to collect?
Types of Audit Evidence are typically either qualitative (test if control complies with criteria) or quantitative (test if control is functional/effective).
There typically 7 types of evidence:
- Physical – anything that can be counted, examined, observed inspected(such as wiring, fire protection, asset labels)
- Mathematical – Calculating mathematical exactness of certain records (such as number of training hours, invoices matching software inventory)
- Confirmative – evidence from a third party (such as logs collected from third party, letters from a lawyer, results form a pen test)
- Technical – Analysis results of technical tests/observations performed on a systems (such as analysis of an intrusion text on network, transaction simulation test, observing a firewall configuration)
- Analytical – Results from the relationship between recorded analysis and expectations of auditor (such as analysis of network logs to detect deviations, analysis of security incident tickets, analysis of how well employees under their training)
- Documentary - Records or documents (Such as policies, guidelines, training material, registers, includes letters and/or meeting minutes)
- Verbal – Evidence collected during interviews with personnel(such as discussions with key stakeholders during audit interviews
You can use InfoSecAssure to assess your business against ISO 27001 before you begin your audit. The process is guided and will help you collect the documents you need to provide to the auditor.
How will the auditor assess evidence?
Some auditors have a list of every requirement from the Standard and use a table to record input against each control. For example:
Control <name> <number in standard>.
- Technical Verification
- Overall assessment
They will then write up their findings in a non-conformity plan for management review.
Auditors will typically look for multiple type of evidence to confirm their final assessment against each control determined in-scope based on the overall scope of the ISMS.
What is are some specific examples of evidence Auditor's will ask for?
Here are some sample of how evidence could be sought for these 5 requirements:
Policies for information security (A.5.1.1)
- Documentation review of the information security policy to validate the content
- Interview with the person in charge of the information security to validate the approval and distribution process of the policy
- Verification of the policy distribution media (website, hardcopy, version, information in the employee manual
Removal or adjustment of access rights (A. 9. 2. 6)
- Documentation review of procedures and process for removal of access rights,
- Interview with the person in charge of information security and/or the person in charge of Human Resources to validate the operating of the process,
- Analysis of a sample of employees having left the organisation to verify if the access rights have been removed
- Observation of access rights in the Systems Directories (ex: Microsoft Active Directory, Novell Access Manager, Apple Open Directory, etc.
Controls against malware (A.12.2.1)
- Documentation review of management of measures against malware
- Interview with a technician to validate the management process of the measures against malware (monitoring, updates, reports, etc.)
- Verifying the configurations of protection against malware software
- Analysis of a sample of workstations to check for the presence of protection software and if it is up-to-date
Confidentiality or nondisclosure agreements (A.13.2.4)
- Documentation review of the policy and procedures for the distribution of information to the public,
- Interview the person in charge of the public website to verify the process for publishing content
- Request and review sample NDA’s and confidentiality agreements in place with suppliers/contractors
Review of user access rights (A.9.2.5)
- Review documentation on user access rights and policy and review procedures
- Interview a person in charge of changes to user access rights
- Review last access review process document and outcomes
- Analyse a sample of employees that have left the organisation in the last year and validate if they still exist in any of the organisation's active directories
Contact us if you would like further information or help in preparing for your ISO 27001 Certification Audit.