Initial commit
83
03-procedures/internal-audit-procedure.md
Normal file
@@ -0,0 +1,83 @@
Title: Internal Audit Procedure
Document ID: [PROC-AUDIT-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
# Internal Audit Procedure
## Purpose
This procedure defines how BlackDice should plan, perform, report, and follow up internal audits of the ISMS.
## Scope
This procedure applies to internal audits of the ISMS scope, including governance, policies, standards, procedures, records, control operation, and improvement activities.
## Trigger / When Used
Use this procedure:
- according to the internal audit plan
- when management requests targeted assurance
- after major changes or significant incidents where additional assurance is needed
## Procedure Steps
1. Define the audit objective, scope, criteria, timing, and auditor assignment.
2. Confirm auditor competence and independence appropriate to the audit scope.
3. Prepare the audit plan, sampling approach, and evidence request.
4. Conduct document review, interviews, walkthroughs, and evidence sampling as required.
5. Evaluate conformity, effectiveness, and any identified gaps or nonconformities.
6. Record findings, observations, and strengths in the audit report.
7. Communicate results to relevant owners and management.
8. Track resulting corrective actions to closure and confirm follow-up where needed.
## Inputs
- audit plan
- audit criteria and scope
- relevant documents and records
- prior audit and corrective action information
## Outputs / Records
- audit plan
- working notes or evidence references
- audit report
- corrective action records
## Roles and Responsibilities
- [Role] must coordinate the internal audit programme.
- Auditors must perform audits objectively and record evidence appropriately.
- Auditees must provide access to relevant information and support the audit.
- Management must review results and support corrective action.
## Escalation / Exceptions
Escalate where:
- auditor independence cannot be maintained
- required evidence is unavailable
- significant nonconformity or systemic failure is identified
- corrective actions are not progressing
Exceptions to the audit plan must be documented and approved.
## Related Documents
- Information Security Policy
- Management Review Procedure
- Corrective Action Procedure
- Internal Audit Plan Template
## Version Control
| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
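Review bot: the Roles and Responsibilities list still reads "[Role] must coordinate the internal audit programme" while the header names the CISO (Paul Jenkins) as both Owner and Approver of this procedure; since step 2 requires auditor competence and independence and the Escalation section lists "auditor independence cannot be maintained" as a trigger, name the programme coordinator here and state who receives escalations, so that independence from the function being audited can actually be checked and recorded. The Document ID, Effective date, Review date and the version-table author are also still bracketed placeholders, which is fine for a 0.1 draft but should be filled in before the Status field moves past Draft.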