Tuesday, 27 May 2014

Audit Report template

Audit Report
For
Lake Dale Contact Center (LDCC)

By Bernardino, Raul

Audit Objective:
LDCC intent to get ISO 27001:2013 certification

Audit Scope:
Information Security Management System (ISMS) applies to the provision of Telephony services, the management of information and business support services at our only site in Mumbai (India), in accordance with the ISMS Statement of Applicability (SoA) revision 03, dated 21/Sept/2014. The scope of this ISMS excluded all IS outsources process (as there is not controlled by LDCC)

Audit Criteria:
ISO/IEC 27001:2013

Conclusion:
The audit team found that there are several NCs during the auditing process. The audit team decided to not process the ISO 27001:2013 certification to LDCC yet until those NCs are corrected in the LDCC.
We encourage the Management Review to have a closed monitoring with the relevant risks owners in order to do a corrective and correction action and continual improve.

Recommendations:
The Audit team recommend to the Management Representative (MR) to take more serious on the Major Non-Conformities (NCs) and liaise with Risk Owner to take a Corrective Action and Correction Action of the findings.
The MR shall ensure all Risk Owner approvals are approved and accepted the risks.
The MR shall liaise with internal auditor to do internal audit periodically or as per internal auditing plan.

The MR should produce effectiveness report towards to the implementation the correctives of the NCs.
The external auditor will perform the follow up auditing process in next 60 days.

Description of Audit Process:
The Audit team consists of Mr. Dino, the Lead Auditor, Mr. Toha, the Auditor team member, and Ms. Qory, the Auditor team member. The audit team has held with Mr. Sanchez, as a Management Representative and the meeting happened as per agreed schedule.

The lead auditor greeted the Management Representative, Mr. Sanches and introduced auditor team members. The lead auditor explained the objective of the meeting and Mr. Sanchez was most welcoming the auditor team members. The situation was friendly or conducive for both auditors and auditee.

The lead auditor started with brief interviews the MR and followed with questions that were focusing on clause 6. For instant, how do you prevent or reduce your effects? 
MR replied that they had a risks assessment, risk evaluation, risk analysis, and risk evaluation toward to the external and internal issue. They had seriously tackling the issues which are compliance the ISMS standards.  Why in some risks, the RO did not sign or approved the risks? MR replied that because that staffs were on leave once the return the will signed.

The auditor team member was questioning how LDCC set the Risk criteria? MR replied to the team that they just use Low, Medium, High us their parameter’s. Ms. Qory has follow up question how if the risk owner change and the person does know the situation and adjusting with wrong judgment? MR replied they will know that.

Other auditor team member was questioning the SoA document which based on assets and not on the control. MR replied that they have a procedure for that.
The lead auditor was question about lot of loss on documents and unorganized file? MR replied that just lock the door when they out of office; the follow up question was how about Janitor has the key and access the room and looking the confidentiality files or documents? MR persistent that once they locked the door no one can access it;    
During this interviewed, auditor team members found several NCs and they are in the following section.

Non Conformity (NC):
1.     Risk Owner (RO) – [Minor-NC]:
Based on the Risk Assessment template ISO 27001 - D13 – issue 1, we found that some of “Risk Owner” did not approved, especially in the section A1 and A18.
During the audit process, the Management Representative (MR) stated that the Risk Owner did not approved because they were on leave
This is against requirement of standard of ISO 27001:2013 in clause 6.1.3 (f), which is to ‘obtain Risk Owner approval of the information security Risk Treatment Plan (RTP) and acceptance of residual information security risks’.
2.     The Statement of Applicability (SoA) document is not effective [Major-NC]
In the SoA document number SoA - D14 - issue 1, which is based on the asset and it is not based control.
This is against the requirement standard of ISO 27001:2013 clause 6.1.3 (d) which is to ‘produce a Statement of Applicability that contains the necessary controls (see also 6.1.3 (b) and (c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of the control from Annex A’.
3.     Risk Criteria was not effective [Major-NC]
The LDCC did not defined the information security criteria properly based on the document Information Security Risk Procedure - D11- issue 2, there are no brief definition about the scoring level for consequences, likelihood, and occurrence in the procedure. It can be triggered a different assumption from the risk owners.
It is against requirement of the ISO 27001:2013 in clause 6.1.2 (b) which is to ‘ensure that repeated information security risk assessment produce a consistent, valid, and comparable results’.

Observation:
The interviewers and auditee were have more relaxing time and it is created a conducive situation while the flows of questions and answers were no proper implementation was enjoyable.

Schedule for Next external audit:
July 10, 2014

Dated: May 9, 2014

Prepare by,                                                                    Approved by,


Mr. Dino, Lead Auditor                                   Mr. Sanches, MR

No comments:

Post a Comment