Since you are using the framework of ISO 27001, you need to make sure that your company has clearly defined protocols for network security. The company's standards should have well-defined damage control procedures for possible problems caused by human error, equipment damage or any attempts at unauthorised access to your systems.
Your audit process is an essential part of this, especially when planning on conducting an ISO 27001 audit.
After all practices have been observed, any simulations have taken place, and the impartial evaluators have noted any deficiencies and areas resistant to risk treatment, you have to implement and maintain corrective action, both as an overall plan and as individual steps.
Clause 9.2 of the ISO standard notes:
- You need an implementation plan, and you have to retain your audit programme.
- Work out which scopes in each department are critical and need to be audited.
- Select auditors and put an impartial plan into effect.
- Ensure the audit covers the processes and results in each department, and report what was found to the appropriate manager in each department.
- Retain all documented evidence, showing which programmes are capable and which may be deficient. Also document the results of what happened during actual stress testing.
- Stay within the ISO 19011 guidelines for the proper auditing of management systems.
- Go through each team. Check the clauses in the different departments against their actual needs and find areas of improvement.
It’s recommended you look for continual improvements when running through these processes because seldom would the evaluation give you a perfect outcome.
An excellent internal audit procedure includes a pre-audit survey to give you a solid background to work from before you conduct the audit.
Be prepared with good planning and fieldwork, perform a detailed analysis with an executive summary, and report it to the management in charge of the audit and the department heads.
In your audit report, you can include the following areas to identify the weak points:
- Login and passwords for programmes and software.
- The information security management system in use.
- Any information security risks.
- A complete access and authentication review for every department and piece of equipment.
- Areas of poor upkeep found in your review of security and access levels.
- The effectiveness of any cryptography that is needed.
- Whether your physical security (site keys, pass cards, time clocks or logs and related systems) accurately records and tracks movement and events, as well as who is using them.
- It would be best if you also looked into the actual fire, smoke, flood, temperature and humidity controls, as well as proper emergency mitigation.
- Are your power failure systems currently adequate, and can they handle additional stresses that may not have been there at the time of their original build?
- Does your backup power come on smoothly with clean power to prevent any damage?
- A review, assessment and recommendations regarding attempts at sabotage, burglary and unlawful entry into your systems, whether through hacking, malware or the actions of outsiders or of employees (both prior and current) who may not have your best interests at heart.
In your analysis and management review, you want to seek improvements in planning and preparation for each of these stresses or unexpected situations, and compare what you have against the scope of the various related ISO standards.
Good fieldwork requires a thorough review and internal audits of policy, which can be taxing and tedious for the staff doing it. You need good impartial evaluators who are willing to do this work when running the assessment.
Training and awareness protect your people, systems, and intellectual and physical property from unforeseen danger or damage. When doing these tests, make sure you retain documented evidence of how well each item or team scored while running the procedures, and record the evidence behind the outcome you determined.