07-ISMS Procedure for Internal Audits
Version | 1.0 |
Owner | CTO |
Last Updated on | Nov 9, 2022 |
Last Updated by | @Bruno Belizario |
Approved by | @Sean Oldfield |
Last Review | Dec 18, 2023 |
Purpose
The purpose of this procedure is to establish a framework for planning, conducting, and reporting on an internal audit of ecoPortal’s Information Security Management System (“ISMS”). An internal audit is used to help determine whether the ISMS control objectives, controls, policies and procedures:
Conform to the applicable requirements of the ISO/IEC 27001 (“ISO 27001”) standard
Conform to the identified information security requirements
Are effectively implemented, maintained, or have opportunities for improvement
Scope
The audits will cover all elements of the ISMS for all in-scope information assets and the applicable controls identified within the Statement of Applicability.
Auditor Selection
The Information Security Team may engage a third-party vendor knowledgeable in performing ISO 27001 internal audits. The selection of the auditor(s) shall be reviewed and approved by Senior Management. The auditor(s) shall be evaluated and selected based on their objectivity and impartiality in the auditing process. The auditor(s) should also be trained and/or otherwise qualified to perform the internal audit of an ISMS. It should also be confirmed, when choosing an auditor, that proper segregation of duties is maintained (i.e., the auditor has not implemented, and does not operate or review, any of the controls under audit).
The auditor(s) shall be evaluated based on their education and experience to validate their competence.
Resources
The third-party or internal auditor(s) will carry out the internal audit process with input from the Information Security Management Leader and the Information Security Team.
The primary responsibilities of the auditor are as follows:
To plan the ISMS internal audit(s) as per the defined frequency and schedule
To conduct the internal audit as per the audit plan and to share the audit findings with the Information Security Leader for review and approval
To ensure the confidentiality and integrity of the audit data and the supporting evidence within the auditor’s control
To provide all audit records to the Information Security Leader as requested
To identify the corrective actions to be taken to close any identified audit observations/non-conformities, to review the actions taken to close the gaps reported, and to evaluate the effectiveness of such actions
Frequency & Schedule
Internal audits shall be conducted at least annually. The ISMS Governance Council will determine whether the audit frequency needs to be increased, taking into account the number of findings identified during the audit, the severity of the previous audit findings, and whether an annual cycle remains adequate for the ISMS.
Audit Criteria
The audit criteria shall take into consideration the defined set of ISMS policies and procedures, any regulatory, legal, and contractual requirements, ISO 27001, and any additional authoritative standards as necessary.
Evaluation Criteria
A non-conformity (“NC”) is a gap against the ISO 27001 standard which may have an adverse effect on the ISMS.
Major NC - the adverse effect is immediate and directly impacts the ISMS’ ability to achieve its objectives
Minor NC - the effect may take place over a period of time and does not immediately adversely impact the ISMS
Conforms - controls are designed and operating effectively in accordance with the requirements of ISO 27001
Opportunity for Improvement (“OFI”) - an observation that does not constitute a non-conformity but identifies where the ISMS or a control could be improved
Alternative Labeling of Findings
ecoPortal reserves the right to use any appropriate internal audit approach for information security controls to satisfy the ISO 27001 internal audit requirements. Alternative audit approaches may identify findings using alternate terms such as “Yes/No/Partial,” or “In Place/Not in Place.” In cases where an alternate standard or approach is applied to the ISO 27001 internal audit requirements, the controls will be “mapped” to ISO 27001 controls and the finding language will be mapped to the ISO 27001 evaluation criteria above. For example, controls labeled “Yes” or “In Place” may be mapped to ISO 27001 as “Conforms.”
Audit Documentation
The internal auditor shall audit the ISMS policies and procedures, implemented information security controls, and the effectiveness of the ISMS against the ISO 27001 standard requirements. Artifacts and documents may be collected as evidence by the auditor in addition to observations and interviews.
Audit Reporting
The internal auditor shall document the audit results and observations along with the supporting evidence. A final report will be produced and shared with the Information Security Leader for initial review and finalization. Highlights of the internal audit will be communicated to the ISMS Governance Council. The complete internal audit report will be provided to the ISMS Governance Council upon request. An internal audit report will show the audit results, including non-conformities and observations.
Audit Records Retention
The evidence collected and the documentation prepared as part of the internal audit shall be protected and retained in accordance with the requirements defined within the 05-ISMS Procedure for the Control of Documented Information document.