Procedure for Internal Audits
Introduction
The purpose of this document is to set out how the Information Security Management System (ISMS) will be audited by the Vertic Pty Ltd internal audit team.
In addition to an external audit programme carried out by the Registered Certification Body (RCB), the internal audit team will also carry out regular audits to spur on the achievement of beneficial change within Vertic Pty Ltd.
The objectives of this audit procedure are to:
Ensure that information security processes are carried out effectively, efficiently and economically to the benefit of Vertic Pty Ltd
Identify compliance or any areas of non-compliance with the ISO/IEC 27001 standard
Identify further opportunities for continual improvement, which may extend beyond the criteria set out in ISO/IEC 27001
Provide Vertic Pty Ltd with internal assurance that information security is effectively managed and risks to the business are minimised
This procedure describes the general approach to internal auditing within Vertic Pty Ltd; a separate, more detailed, plan will be produced for each specific audit that is to be carried out.
ISMS audit procedure
This procedure describes how an internal audit programme will be run to meet the requirements of the ISO/IEC 27001 standard. This will involve the audit of the ISMS over a period of time as specified in the programme schedule.
Resources
The Vertic Pty Ltd internal audit team will carry out the audit programme with input from the information security function and business management and staff. The resourcing of the internal audit team is reviewed on a regular basis as part of management reviews and is maintained at a sufficient level to meet its commitments.
Criteria
The international standard for information security, ISO/IEC 27001:2013 (and its subsequent revisions), will be used as the basis of the criteria for the audit programme, with additional input from related standards such as ISO/IEC 27002 (information security code of practice), ISO 22301 (business continuity) and ISO/IEC 20000 (IT service management) where appropriate.
Where a discrepancy against the standard is found, one of three types of item will be raised as follows:
Observation – a comment which may be of use to the auditee, based on experience of other ISMS implementations
Minor nonconformity – a single lapse which does not in itself indicate a breakdown of the management system
Major nonconformity – a significant issue which represents a breakdown of the operation of the management system
Scope
The audit programme will cover all information assets within Vertic Pty Ltd. Input from, and discussion with, additional involved parties will also take place where appropriate. Services provided by third parties will not be audited directly, but the management of those suppliers will be scrutinised.
Schedule
An initial audit will take place in 12/2022, which will cover all aspects of the management system. Thereafter, audits will take place every six months. Selected processes shall be reviewed with the intention that all processes will be covered in a one-year timeframe. The detailed programme of audits will be maintained by the internal audit team and made available on request.
Methods
The audits will consist of a combination of document review and on-site visits to talk to management and staff. Appropriate documented information will be reviewed as evidence that defined processes and procedures are being followed.
Where appropriate, remote audits may be carried out, subject to the agreement of all parties involved.
Nonconformities arising from previous audits will be assessed to judge whether they have been successfully closed.
Communication of findings
A draft audit report will be produced, and the contents will be communicated initially to the management team who will be given an opportunity to comment.
A plan of action to address any nonconformities, together with appropriate corrective actions, will be agreed.
A final written report will be produced and communicated to the management team and made available to the executive management team as appropriate.
Follow-up visits shall take place in accordance with the plan of action to ensure that any major nonconformities have been addressed and the agreed corrective actions implemented. Such repeat visits will not be required for observations and minor nonconformities.