Audit
Report
For
Lake
Dale Contact Center (LDCC)
By Bernardino, Raul
Audit
Objective:
LDCC intent to get ISO 27001:2013 certification
Audit
Scope:
Information Security Management System (ISMS)
applies to the provision of Telephony services, the management of information
and business support services at our only site in Mumbai (India), in accordance
with the ISMS Statement of Applicability (SoA) revision 03, dated 21/Sept/2014.
The scope of this ISMS excluded all IS outsources process (as there is not
controlled by LDCC)
Audit
Criteria:
ISO/IEC 27001:2013
Conclusion:
The audit team found that there are several NCs during
the auditing process. The audit team decided to not process the ISO 27001:2013
certification to LDCC yet until those NCs are corrected in the LDCC.
We encourage the Management Review to have a closed
monitoring with the relevant risks owners in order to do a corrective and
correction action and continual improve.
Recommendations:
The Audit team recommend to the Management
Representative (MR) to take more serious on the Major Non-Conformities (NCs)
and liaise with Risk Owner to take a Corrective Action and Correction Action of
the findings.
The MR shall ensure all Risk Owner approvals are
approved and accepted the risks.
The MR shall liaise with internal auditor to do
internal audit periodically or as per internal auditing plan.
The MR should produce effectiveness report towards
to the implementation the correctives of the NCs.
The external auditor will perform the follow up
auditing process in next 60 days.
Description
of Audit Process:
The Audit team consists of Mr. Dino, the Lead
Auditor, Mr. Toha, the Auditor team member, and Ms. Qory, the Auditor team
member. The audit team has held with Mr. Sanchez, as a Management
Representative and the meeting happened as per agreed schedule.
The lead auditor greeted the Management
Representative, Mr. Sanches and introduced auditor team members. The lead
auditor explained the objective of the meeting and Mr. Sanchez was most
welcoming the auditor team members. The situation was friendly or conducive for
both auditors and auditee.
The lead auditor started with brief interviews the
MR and followed with questions that were focusing on clause 6. For instant, how
do you prevent or reduce your effects?
MR replied that they had a risks
assessment, risk evaluation, risk analysis, and risk evaluation toward to the
external and internal issue. They had seriously tackling the issues which are
compliance the ISMS standards. Why in
some risks, the RO did not sign or approved the risks? MR replied that because
that staffs were on leave once the return the will signed.
The auditor team member was questioning how LDCC set
the Risk criteria? MR replied to the team that they just use Low, Medium, High
us their parameter’s. Ms. Qory has follow up question how if the risk owner
change and the person does know the situation and adjusting with wrong
judgment? MR replied they will know that.
Other auditor team member was questioning the SoA
document which based on assets and not on the control. MR replied that they
have a procedure for that.
The lead auditor was question about lot of loss on
documents and unorganized file? MR replied that just lock the door when they
out of office; the follow up question was how about Janitor has the key and
access the room and looking the confidentiality files or documents? MR
persistent that once they locked the door no one can access it;
During this interviewed, auditor team members found
several NCs and they are in the following section.
Non
Conformity (NC):
1. Risk
Owner (RO) – [Minor-NC]:
Based on the Risk
Assessment template ISO 27001 - D13 – issue 1, we found that some of “Risk
Owner” did not approved, especially in the section A1 and A18.
During the audit
process, the Management Representative (MR) stated that the Risk Owner did not
approved because they were on leave
This is against requirement
of standard of ISO 27001:2013 in clause 6.1.3 (f), which is to ‘obtain Risk
Owner approval of the information security Risk Treatment Plan (RTP) and acceptance
of residual information security risks’.
2. The
Statement of Applicability (SoA) document is not effective [Major-NC]
In the SoA document
number SoA - D14 - issue 1, which is based on the asset and it is not based
control.
This is against the
requirement standard of ISO 27001:2013 clause 6.1.3 (d) which is to ‘produce a
Statement of Applicability that contains the necessary controls (see also 6.1.3
(b) and (c) and justification for inclusions, whether they are implemented or
not, and the justification for exclusions of the control from Annex A’.
3. Risk
Criteria was not effective [Major-NC]
The LDCC did not
defined the information security criteria properly based on the document
Information Security Risk Procedure - D11- issue 2, there are no brief
definition about the scoring level for consequences, likelihood, and occurrence
in the procedure. It can be triggered a different assumption from the risk
owners.
It is against
requirement of the ISO 27001:2013 in clause 6.1.2 (b) which is to ‘ensure that
repeated information security risk assessment produce a consistent, valid, and
comparable results’.
Observation:
The interviewers and auditee were have more relaxing
time and it is created a conducive situation while the flows of questions and
answers were no proper implementation was enjoyable.
Schedule
for Next external audit:
July 10, 2014
Dated: May 9, 2014
Prepare by, Approved by,
Mr. Dino, Lead Auditor Mr. Sanches, MR
No comments:
Post a Comment