You're reading from Mastering Information Security Compliance Management

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781803231174
Edition: 1st Edition
Authors (2):
Adarsh Nair

Adarsh Nair is the global head of information security at UST. He is a recognized information security strategist, author, and keynote speaker. Adarsh holds the title of Fellow of Information Privacy (FIP) by IAPP and is a Google Hall of Fame honoree. He serves as co-chair of OWASP Kerala Chapter, an IAPP exam development board member, and an EC-Council advisory board member. With a decade of experience, Adarsh specializes in information security governance, risk and compliance, business continuity, data privacy, ethical hacking, and threat identification and mitigation. He maintains expertise through memberships, training, and certifications, including CISSP, CIPM, CIPP/E, LPT, OSCP, and ISO Lead Auditor. Adarsh has authored two books, published numerous articles and research papers, and delivered impactful presentations at national and international conferences, establishing himself as a thought leader in information security.

Greeshma M. R.

Greeshma M. R. is an entrepreneur and seasoned freelance technology writer, specializing in technology domains, especially information security and Web 3.0. She is interested in exploring the intersection of technology and humanity, as well as the social aspects of technology. Her areas of interest also encompass innovation, sustainable development, gender, and society. She is a co-author and publisher of two books and holds a certification as an ISO 27001 Lead Auditor. Having worked in the IT and knowledge and innovation management domains, Greeshma possesses an interdisciplinary perspective that enriches her approach. She has actively contributed to establishing an innovation ecosystem among students via communities of practice, fostering a culture of creativity and collaboration.

Auditor Competence and Evaluation

There are three different aspects of auditor competence that are identified in the ISO 19011 standard for management system auditing – personal behavior, technical competence, and auditing competence.

Auditors are required to have the relevant characteristics, knowledge, and abilities in each of these three domains. The key step in assessing auditor competence is to establish which traits, knowledge, and abilities each individual auditor needs in order to accomplish the objectives set for the audit and the audit program.

The required competency of an audit team can be determined based on a few factors, including the nature of the organization being audited, the nature and level of complexity of the audit that will be performed, the composition of the audit team, and any specific requirements that have been imposed by stakeholders.

It is not necessary for every auditor to possess the same level of expertise to...

Personal conduct

Clause 4 of ISO 19011 (https://www.iso.org/) describes the principles of auditing (explained in Chapter 8). Auditors are expected to exhibit attributes that enable them to abide by these principles. The individual behavior of an auditor should be professional during the conduct of an audit. ISO 19011 lists certain desired attributes for auditors, such as the following:

  • Ethical: Auditors must base their findings on objective evidence and not falsify them for vested interests. Their reports should be truthful, have a defined objective, and be unbiased. Special care should be taken to refrain from unprofessional behavior, such as gossip or the disclosure of confidential information.
  • Open-minded: Auditors must not let their own biases get in the way of assessing a process implementation by the auditee. Ultimately, the checks should be performed on whether the requirements are met or not and how effective they are in achieving the objectives set by an organization...

Knowledge and skills

There are two types of intellectual skills that help auditors:

  • Generic capability and sector-specific skills
  • Competence in conducting audits

Let us see each in detail.

Generic knowledge and skills

The generic knowledge and skills of management system auditors are constituted by the following:

  • Knowledge of audit principles, processes, and methods: This helps auditors conduct an audit effectively. With such competency, the auditor can plan the audit effectively and stick to the plan. Being aware of risk-based approaches, the auditor will also be able to apply them to auditing. The auditor will be able to plan and prioritize tasks efficiently to achieve the objectives. The auditor will also understand communication as an important tool, which is reflected in the audit interview process and enables a more successful gathering of information and evidence. They will also verify the relevance...

Auditor evaluation

The evaluation of auditors is an essential component of the ISO 19011 standard. It is carried out to ensure that those conducting audits have the requisite level of expertise, knowledge, and experience to carry out successful audits.

The evaluation of auditors can be carried out in several different ways, including self-assessment, a review by peers, and an evaluation by a higher level of management. The assessment must take into account not just the auditor’s level of technical expertise but also their capacity to carry out the audit procedure in a manner that is compliant with the ISO 19011 standard. The standard also recommends that organizations establish a process for the selection and appointment of auditors and that they regularly review the performance of auditors to ensure that they continue to meet the necessary qualifications and requirements. This recommendation relates...

Maintaining and improving auditor competence

Auditors build, maintain, and improve their level of competence through consistent participation in audits, as well as regular professional development activities. Competence should be something that auditors and leaders of audit teams consistently work to improve. Auditors should keep their auditing competence up to date by actively participating in management system audits regularly and engaging in ongoing professional development. This might be accomplished by the acquisition of further job experience, training, self-study, mentoring, attendance at meetings, seminars, and conferences, or participation in any number of other pertinent activities.

The audit program manager is responsible for aiding the continual evaluation of the auditor’s performance in the audit team. Different types of training should be provided to upskill auditors as well as audit team leaders, based on the latest developments in auditing processes and technology...

Summary

As you can see, a variety of skills should be taken into consideration to have the right individual carry out efficient audits of your organization’s information security management system (ISMS). Some of these skills are required while others are only desired. Even though it is conceivable for a person who lacks sufficient competence to conduct an audit of parts of the ISMS, a professional auditor or audit team is your best bet to move your company closer to its goal of incorporating audits into its ongoing cycle of continuous improvement.

In the next chapter, we will see case studies based on audit planning, reporting NCs, and drafting the final audit report.
