You're reading from Mastering Information Security Compliance Management

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803231174
Edition: 1st Edition
Authors (2):

Adarsh Nair

Adarsh Nair is the global head of information security at UST. He is a recognized information security strategist, author, and keynote speaker. Adarsh holds the title of Fellow of Information Privacy (FIP) by IAPP and is a Google Hall of Fame honoree. He serves as co-chair of OWASP Kerala Chapter, an IAPP exam development board member, and an EC-Council advisory board member. With a decade of experience, Adarsh specializes in information security governance, risk and compliance, business continuity, data privacy, ethical hacking, and threat identification and mitigation. He maintains expertise through memberships, training, and certifications, including CISSP, CIPM, CIPP/E, LPT, OSCP, and ISO Lead Auditor. Adarsh has authored two books, published numerous articles and research papers, and delivered impactful presentations at national and international conferences, establishing himself as a thought leader in information security.

Greeshma M. R.

Greeshma M. R. is an entrepreneur and seasoned freelance technology writer, specializing in technology domains, especially information security and Web 3.0. She is interested in exploring the intersection of technology and humanity, as well as the social aspects of technology. Her areas of interest also encompass innovation, sustainable development, gender, and society. She is a co-author and publisher of two books and holds a certification as an ISO 27001 Lead Auditor. Having worked in the IT and knowledge and innovation management domains, Greeshma possesses an interdisciplinary perspective that enriches her approach. She has actively contributed to establishing an innovation ecosystem among students via communities of practice, fostering a culture of creativity and collaboration.

Performing an Audit

Auditing is important in maintaining trust and efficiency in a company’s management system. An organization must foster a culture of continual improvement. Once it can pinpoint the areas to be audited, its efforts will be worthwhile, whether in planning, scheduling, creating checklists, or carrying out or following up on audits. Creating a plan and schedule in advance prevents inconsistencies between procedures and avoids team members being unavailable for the audit. An audit plan helps your teams organize their operations and work properly, and scheduling audits ensures that no procedure or area is overlooked.

Future audits should be announced to all departments as a courtesy so that they can be ready with the necessary documentation and other resources, such as evidence of the completed action plans, for the reviewer. Except in cases where there is a surprise audit of questionable behavior, your staff has every right to...

An overview of the steps for performing an audit as per ISO 19011 guidelines

There are six main steps for conducting an audit, as listed here:

  1. Initiating the audit:
    • Establishing initial contact with the auditee
    • Determining the feasibility of the audit
  2. Preparing the audit:
    • Conducting a document review
    • Planning the audit
    • Task allocation to the audit team
    • Framing of documented information
  3. Conducting audit activities:
    • Designating duties to guides and observers
    • Administering the opening meeting
    • Communication between the auditors and auditees and among the audit team members during the audit
    • Examining the availability and accessibility of audit information
    • Documented information examination while conducting the audit
    • Gathering and verifying information
    • Framing audit findings
    • Finalizing audit conclusions and conducting the closing meeting
  4. Preparing and distributing the audit report
  5. Completing the audit
  6. Conducting an audit follow-up

Steps 1 to 3 are explained in this chapter...

Initiating the audit

The auditor must start the audit by getting in touch with the process owner and making sure the audit is possible. When doing an audit, it’s better to make sure someone is there to present evidence than to try to catch them by surprise. It’s also important to note that the audit team leader is the one who is ultimately responsible for how an audit is done.

Initiating an audit usually involves two steps, as mentioned here:

  1. Establishing initial contact with the auditee: To establish contact with the auditee, the auditor and auditee decide on the communication channels. Both parties agree on the objectives, scope, methods, and composition of the audit team, which may include observers, guides, technical experts, or other roles. Any problems with the composition should be worked out at this point. The audit team intends to see relevant documents and records so that they can plan the audit. The laws and regulations that apply are considered...

Preparing audit activities

The administration of the audit operations is covered in depth in the audit activities of ISO 19011. This methodical technique can assist in ensuring that your audits are efficient and reliable and strengthen the audit system. The individual steps in the process are detailed here:

  1. Performing the document review: After the initiation process, the required documents must be reviewed. This helps determine the extent of the system documentation available for the audit and identify any gaps, which in turn shapes the audit plan in the following step. These documents include but are not limited to the following:
    • Information Security Management System (ISMS) scope and objectives
    • Information Security (IS) policy
    • ISMS risk register
    • Statement of Applicability (SoA)
    • Legal records
    • Monitoring and measurement records
    • Records of corrective actions
    • Management reviews

The management system’s documented information must be analyzed in order to comprehend the auditee’...

Conducting audit activities

The steps in the process of conducting an audit are elaborated on as follows. This sequence is not mandatory; it can be adjusted to suit the characteristics of a specific audit:

  1. Assigning roles and responsibilities to guides and observers: The presence of guides and/or observers is agreed upon by the audit team and auditee, following which they may accompany the audit team. They do not form part of the decisions during the audit and the audit team leader is the ultimate decision-maker who can at any point in time discontinue guides/observers if they interfere with audit activities. Guides usually help the audit team members arrange interviews with specific personnel, access specific locations in the organization, abide by the organizational rules of health, safety, or access, or make any general clarifications.
  2. Conducting the opening meeting: The main purpose of the opening meeting is to discuss the audit plan and arrangements...

Summary

Everyone who conducts or participates in audits or audit programs can use ISO 19011. It is designed for those who supervise audit program administration and evaluate audit participants, and it is a valuable resource for anyone tasked with improving an audit program or conducting audits (internal or external) of management systems.

There are six main steps established by ISO 19011 for the conduct of an audit, starting from initiating the audit to conducting follow-ups after the audit is over. Steps 1 through 3 were explained in this chapter. Audit initiation takes place first, between the auditee and the audit team. This is followed by preparing for the audit by reviewing the documents presented by the auditee, preparing the audit plan, assigning work to the audit team, and the preparation of documented information according to the work assigned. Conducting audit activities starts by defining the...
