07-ISMS Procedure for Internal Audits

Version: 1.0

Owner: CTO

Last Updated on: Nov 9, 2022

Last Updated by: @Bruno Belizario

Approved by: @Sean Oldfield

Last Review: Dec 18, 2023

Purpose

The purpose of this procedure is to establish a framework for planning, conducting, and reporting on an internal audit of ecoPortal’s Information Security Management System (“ISMS”). An internal audit is used to help determine whether the ISMS control objectives, controls, policies and procedures:

  • Conform to the applicable requirements of the ISO/IEC 27001 (“ISO 27001”) standard

  • Conform to the identified information security requirements

  • Are effectively implemented, maintained, or have opportunities for improvement

Scope

The audits will cover all elements of the ISMS for all in-scope information assets and the applicable controls identified within the Statement of Applicability.

Auditor Selection

The Information Security Team may engage a third-party vendor knowledgeable in performing ISO 27001 internal audits. The selection of the auditor(s) shall be reviewed and approved by Senior Management. The auditor(s) shall be evaluated and selected based on their objectivity and impartiality in the auditing process. The auditor(s) should also be trained and/or otherwise qualified to perform the internal audit of an ISMS. When choosing an auditor, it should also be confirmed that proper segregation of duties exists (i.e., the auditor has not implemented, and does not operate or review, any of the controls under audit).

The auditor(s) shall be evaluated based on their education and experience to validate their competence.

Resources

The third-party or internal auditor(s) will carry out the internal audit process with input from the Information Security Management Leader and the Information Security Team.

The primary responsibilities of the auditor are as follows:

  • To plan the ISMS internal audit(s) as per the defined frequency and schedule

  • To conduct the internal audit as per the audit plan and to share the results of the audit findings with the Information Security Leader for review and approval

  • To ensure the confidentiality and integrity of the audit data and the supporting evidence within the auditor’s control

  • To provide all audit records to the Information Security Leader as requested

  • To identify the corrective actions to be taken to close any identified audit observations/non-conformities, to review the actions taken to close the gaps reported, and to evaluate the effectiveness of such actions

Frequency & Schedule

The internal audit is scheduled to be conducted annually at a minimum. The ISMS Governance Council will determine whether the frequency of the audit needs to be increased, depending on the number of findings identified during the audit, the severity of the previous audit findings, and the operating efficiency of conducting the audit annually.

Audit Criteria

The audit criteria shall take into consideration the defined set of ISMS policies and procedures, any regulatory, legal, and contractual requirements, ISO 27001, and any additional authoritative standards as necessary.

Evaluation Criteria

A non-conformity (“NC”) is a gap against the ISO 27001 standard which may have an adverse effect on the interests of the ISMS.

  • Major NC - the adverse effect is immediate and directly impacts the ISMS’ ability to achieve its objectives

  • Minor NC - the effect may take place over a period of time and does not immediately adversely impact the ISMS

  • Conforms - controls are designed and operating effectively in accordance with the requirements of ISO 27001

  • Opportunity for Improvement (“OFI”) - an observation raised where the auditor identifies an opportunity to improve the ISMS

Alternative Labeling of Findings

ecoPortal reserves the right to apply any appropriate internal audit approach for information security controls in meeting the ISO 27001 internal audit requirements. Alternative audit approaches may identify findings using alternate terms such as “Yes/No/Partial” or “In Place/Not in Place.” In cases where an alternate standard or approach is applied to the ISO 27001 internal audit requirements, the controls will be mapped to ISO 27001 controls and the finding language will be mapped to the ISO 27001 evaluation criteria. For example, controls labeled “Yes” or “In Place” may be mapped to ISO 27001 as “Conforms.”

Audit Documentation

The internal auditor shall audit the ISMS policies and procedures, implemented information security controls, and the effectiveness of the ISMS against the ISO 27001 standard requirements. Artifacts and documents may be collected as evidence by the auditor in addition to observations and interviews.

Audit Reporting

The internal auditor shall document the audit results and observations along with the supporting evidence. A final report will be produced and shared with the Information Security Leader for initial review and finalization. Highlights of the internal audit will be communicated to the ISMS Governance Council. The complete internal audit report will be provided to the ISMS Governance Council upon request. An internal audit report will show the audit results, including non-conformities and observations.

Audit Records Retention

The evidence collected and the documentation prepared as part of the internal audit shall be protected and retained in accordance with the requirements defined within the 05-ISMS Procedure for the Control of Documented Information document.