...

The objectives of this audit procedure are to:

  • Ensure that information security processes are carried out effectively, efficiently and economically to the benefit of Vertic Pty Ltd

  • Identify compliance or any areas of non-compliance with the ISO/IEC 27001 standard

  • Identify further opportunities for continual improvement, which may extend beyond the criteria set out in ISO/IEC 27001

  • Provide Vertic Pty Ltd with internal assurance that information security is effectively managed and risks to the business are minimised

This procedure describes the general approach to internal auditing within Vertic Pty Ltd; a separate, more detailed plan will be produced for each specific audit that is to be carried out.

...

Where a discrepancy against the standard is found, one of three types of item will be raised as follows:

  • Observation – a comment which may be of use to the auditee, based on experience of other ISMS implementations

  • Minor nonconformity – a single lapse which does not in itself indicate a breakdown of the management system

  • Major nonconformity – a significant issue which represents a breakdown of the operation of the management system

Scope

The audit programme will cover all information assets within Vertic Pty Ltd. Input from, and discussion with, additional involved parties will also take place where appropriate. Those aspects of services provided by third parties will not be audited directly, but the management of those suppliers will be scrutinised.

...