| Field | Value |
| --- | --- |
| Title | Internal Audit Procedure |
| Document ID | [PROC-AUDIT-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CISO (Paul Jenkins) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Internal Audit Procedure

## Purpose

This procedure defines how BlackDice should plan, perform, report, and follow up internal audits of the ISMS.

## Scope

This procedure applies to internal audits of the ISMS scope, including governance, policies, standards, procedures, records, control operation, and improvement activities.

## Trigger / When Used

Use this procedure:

- according to the internal audit plan
- when management requests targeted assurance
- after major changes or significant incidents where additional assurance is needed

## Procedure Steps

1. Define the audit objective, scope, criteria, timing, and auditor assignment.
2. Confirm auditor competence and independence appropriate to the audit scope.
3. Prepare the audit plan, sampling approach, and evidence request.
4. Conduct document review, interviews, walkthroughs, and evidence sampling as required.
5. Evaluate conformity, effectiveness, and any identified gaps or nonconformities.
6. Record findings, observations, and strengths in the audit report.
7. Communicate results to relevant owners and management.
8. Track resulting corrective actions to closure and confirm follow-up where needed.

## Inputs

- audit plan
- audit criteria and scope
- relevant documents and records
- prior audit and corrective action information

## Outputs / Records

- audit plan
- working notes or evidence references
- audit report
- corrective action records

## Roles and Responsibilities

- [Role] must coordinate the internal audit programme.
- Auditors must perform audits objectively and record evidence appropriately.
- Auditees must provide access to relevant information and support the audit.
- Management must review results and support corrective action.

## Escalation / Exceptions

Escalate where:

- auditor independence cannot be maintained
- required evidence is unavailable
- significant nonconformity or systemic failure is identified
- corrective actions are not progressing

Exceptions to the audit plan must be documented and approved.

## Related Documents

- Information Security Policy
- Management Review Procedure
- Corrective Action Procedure
- Internal Audit Plan Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |