You're reading from Mastering Information Security Compliance Management

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803231174
Edition: 1st Edition
Authors (2):

Adarsh Nair

Adarsh Nair is the global head of information security at UST. He is a recognized information security strategist, author, and keynote speaker. Adarsh holds the title of Fellow of Information Privacy (FIP) by IAPP and is a Google Hall of Fame honoree. He serves as co-chair of OWASP Kerala Chapter, an IAPP exam development board member, and an EC-Council advisory board member. With a decade of experience, Adarsh specializes in information security governance, risk and compliance, business continuity, data privacy, ethical hacking, and threat identification and mitigation. He maintains expertise through memberships, training, and certifications, including CISSP, CIPM, CIPP/E, LPT, OSCP, and ISO Lead Auditor. Adarsh has authored two books, published numerous articles and research papers, and delivered impactful presentations at national and international conferences, establishing himself as a thought leader in information security.

Greeshma M. R.

Greeshma M. R. is an entrepreneur and seasoned freelance technology writer, specializing in technology domains, especially information security and Web 3.0. She is interested in exploring the intersection of technology and humanity, as well as the social aspects of technology. Her areas of interest also encompass innovation, sustainable development, gender, and society. She is a co-author and publisher of two books and holds a certification as an ISO 27001 Lead Auditor. Having worked in the IT and knowledge and innovation management domains, Greeshma possesses an interdisciplinary perspective that enriches her approach. She has actively contributed to establishing an innovation ecosystem among students via communities of practice, fostering a culture of creativity and collaboration.

Audit Principles, Concepts, and Planning

The International Organization for Standardization (ISO) defines an audit as follows:

A systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. (ISO 19011:2018 – Guidelines for Auditing Management Systems)

In July 2018, in response to the demand for guidelines on integrated management system audits, the International Organization for Standardization published ISO 19011:2018, titled Guidelines for Auditing Management Systems.

It is a meta-standard that details the audit principles, planning, and execution processes for several types of management system audits including information security, environmental, and quality management audits.

One of the most important components of this guidance is to make sure that the objectives of the audit program are well-aligned with an entity’s basic business objectives...

Different types of ISO audit

The ISO 19011 standard is intended to help businesses with their auditing processes. In ISO standards, there are mainly two kinds of audits that can be carried out (see also Figure 8.1):

  • Internal audits (first-party): Internal audits are assessments and analyses made by businesses on their own management systems. These audits are carried out by the company. There are several resources available to guide businesses on how to carry out internal audits, but the ISO 19011 standard is the most important of them. Internal audits are a crucial part of meeting the requirements of most standards for management systems. Internal audits for any management systems do not lead to ISO certifications.
  • External audits (second-party and third-party): When relevant stakeholders outside the business conduct an audit, it is called a second-party audit (such as those carried out by suppliers). Third-party audits are the most crucial ones and result in certifications...

Seven principles of auditing

Auditing principles are needed for an audit to be an effective and reliable technique for supporting management systems and providing entities with chances for continual improvement. By adhering to these principles, audits can become effective and dependable tools in supporting management policies and controls. They provide essential information that organizations can act upon to enhance their performance. Following these principles is vital for generating relevant and comprehensive audit conclusions while enabling independent auditors to reach similar conclusions in similar situations.

Figure 8.2 depicts the seven principles laid out by ISO 19011:2018, Clause 4, followed by an explanation of each one.

Figure 8.2 – Seven principles of auditing

Integrity – the foundation of professionalism

Auditors and individuals in charge of the audit program must conduct themselves ethically, honestly, and responsibly...

Additional guidance for auditors

Annex A of ISO/IEC 19011:2018 provides additional guidance for auditors on different aspects explained in the following subsections.

Audit methods

An audit can be conducted using a number of methods including on-site audit and remote audit, with or without human interaction, in different combinations. On-site audits are those performed at the location of the auditee, and remote audits are those performed at a place different from the location of the auditee, regardless of the distance, using digital interactive communication means. Interactive audits involve the interaction of the auditee’s representative(s) and the audit team. Non-interactive audits do not involve human interaction but involve interaction with equipment, facilities, and documents.

The objectives, scope, and criteria of the audit, as well as the audit’s duration and location, all have a role in determining the audit techniques used. The audit process and its results...

Audit program

An audit program is the master plan for conducting an audit or set of audits that are to be undertaken in a specific timeframe and for a specific purpose. For example, the purpose could be to certify the information security management system of a company against ISO 27001. It gives a direction for the proper execution of audits. The ISO 19011:2018 standard offers instructions on how to manage audit program improvements in a systematic manner.

The objectives of the audit program should align with the policies and goals of the management system in addition to meeting regulatory and statutory requirements.

For third-party audits, the audit program must comprise an initial audit (Stage 1 – document review and Stage 2 – evaluating the implementation and effectiveness of the management system[s]), surveillance audits in the first and second years (after certification audits), and a recertification audit in the third year prior to the expiration of certification...

Summary

ISO 19011 can be used by anyone who conducts or participates in audits or audit programs. It is intended for those who are tasked with overseeing audit program management and conducting audit participant evaluations. ISO 19011:2018 is a useful resource for anyone who has been entrusted with enhancing an audit program. The standard outlines the seven auditing principles, how to manage an audit program, and methods for determining an auditor’s level of competence. This chapter covered the theory, principles, and planning parts of conducting an audit, which may help you in better decision-making and planning for an audit in your organization.

In the next chapter, we will see how to conduct an ISO 27001 audit. Again, the steps and processes involved are stated in the ISO 19011 standard.
