5 - Performing ISO 27001 Audits

Question 1

1 - Title and introduction

Answer 1

Scope
Objectives

Question 2

2 - Timescale of audit

Answer 2

Nature and extent of audit

Question 3

3 - Executive summary

Answer 3

Key findings
Summary analysis and commentary
Conclusion(s) drawn from internal audit

Question 4

4 - Recipients and Document Classification

Answer 4

Confidential findings viewable only by specified recipients
Instructions on how to circulate documentation

Question 5

5 - Credentials

Answer 5

How did the internal auditors carry out their audit ?
Who are the internal auditors ?

Question 6

6 - Findings and Analysis

Answer 6

Detailed information of findings and in-depth analysis
Cited in supporting evidence, where required
Findings are categorised, based on severit

Question 7

7 - Conclusions and Recommendations

Answer 7

Detailed summary of proposals and (possible action plans)
Written with consideration to the organisation’s own practices

Question 8

8 - Limitations

Answer 8

Does the auditor have any reservations about the audit that was conducted ?
Were there any limitations that may have hindered the process ?

Question 9

Audit reports contain:

Answer 9

A review and analysis of findings
Consolidation of all findings including grouping and tabulation
Classification of findings
Preparation of recommendations

Question 10

clause 4.3

Answer 10

Scope of the ISMS

Question 11

clause 5.2 - 6.2

Answer 11

IS policy and objectives

Question 12

clause 6.1.2

Answer 12

Risk assessment and risk treatment methodology

Question 13

clause 6.1.3 d

Answer 13

SOA statement of applicability

Question 14

clause 6.1.3 and 6.2

Answer 14

Risk treatment plan

Question 15

clause 8.2

Answer 15

Risk assessment report

Question 16

clause A.7.1.2 and A.13.2.4

Answer 16

Definition of security roles and responsabilities

Question 17

clause A.8.1.1

Answer 17

Inventory of assets

Question 18

clause A.8.1.3

Answer 18

Acceptable use of assets

Question 19

clause A.9.1.1

Answer 19

Access control policy

Question 20

clause A.12.1.1

Answer 20

Operating procedures for IT management

Question 21

clause A.14.2.5

Answer 21

Secure system engineering principles

Question 22

clause A.15.1.1

Answer 22

Supplier security policy

Question 23

clause A.16.1.5

Answer 23

Incident management procedure

Question 24

clause A.17.1.2

Answer 24

Business continuity procedures

Question 25

clause A.18.1.1

Answer 25

Statutory, regulatory, and contractual requirements

Question 26

Six best reports for ISO 27001 - 1

Answer 26

The Statement of Applicability:

Mandatory report for the audit, the SoA ensures the proper management and control of an ISMS.
The SoA identifies the controls that are relevant to your business, and explains why those controls have been selected (or omitted) to treat the identified risks.

Question 27

Six best reports for ISO 27001 - 2

Answer 27

The risk treatment plan:

Another mandatory report for audit purposes, the RTP (risk treatment plan) provides a summary of:
Each of the identified risks;
The responses that have been designed for each risk;
The parties responsible for those risks; and
The target date for applying the risk treatment.
This document outlines how the organisation intends to manage information security.

Question 28

Six best reports for ISO 27001 - 3

Answer 28

The risk assessment report:

The risk assessment report provides an overview of your findings.
This includes information on:
The relevant assets;
The treatment applied;
The impact and likelihood of the risk affecting the confidentiality, integrity and availability of each asset before and after treatment;
Comments related to the justification for the treatment;
The owner of the risk;
The order of priority of treating the risks;
The control applied; and
The target date for applying the treatment.

Question 29

Six best reports for ISO 27001 - 4

Answer 29

The risk summary report:

The risk summary report provides detailed information about the residual risks, as determined by the risk assessment.
This is useful for assessing assets that remain moderately vulnerable, and for helping the organisation prepare its responses and continuity plans based on the likelihood or severity of those risks.
It is also useful for providing information regarding the residual risks to the board or other stakeholders, ensuring that this is accepted by the appropriate authority.

Question 30

Six best reports for ISO 27001 - 5

Answer 30

Comments report:

Comments regarding the applications of controls you’ve implemented and omitted are incredibly useful, so you should collect them in this report.
Including comments here ensures that the organisation applies controls effectively and efficiently. It also provides a log that can be presented to an auditor to explain any variations.

Question 31

Six best reports for ISO 27001 - 6

Answer 31

Controls usage report:

This controls usage report shows all of the controls from Annex A that you’ve implemented.
Unlike the SoA, it doesn’t include the controls you’ve omitted. That’s because the two documents have different purposes. The SoA is designed to document your thought process when applying controls, whereas the controls usage report provides an overview of the actions you’ve taken.
Creating a report dedicated to the controls you’ve implement is great for staying on top of your compliance activity.
The document is more streamlined than the SoA and contains only the information you need for monitoring the effectiveness of your security measures.
With vsRisk Cloud, this report is created automatically, as the tool populates all of the controls you have applied in one document.