psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
881b2bf2bcd7b1053d66f58e0fb522118a672f19
ISMS/03-procedures/internal-audit-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

2.5 KiB
Raw Blame History

Title: Internal Audit Procedure Document ID: [PROC-AUDIT-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

Internal Audit Procedure

Purpose

This procedure defines how BlackDice should plan, perform, report, and follow up internal audits of the ISMS.

Scope

This procedure applies to internal audits of the ISMS scope, including governance, policies, standards, procedures, records, control operation, and improvement activities.

Trigger / When Used

Use this procedure:

  • according to the internal audit plan
  • when management requests targeted assurance
  • after major changes or significant incidents where additional assurance is needed

Procedure Steps

  1. Define the audit objective, scope, criteria, timing, and auditor assignment.
  2. Confirm auditor competence and independence appropriate to the audit scope.
  3. Prepare the audit plan, sampling approach, and evidence request.
  4. Conduct document review, interviews, walkthroughs, and evidence sampling as required.
  5. Evaluate conformity, effectiveness, and any identified gaps or nonconformities.
  6. Record findings, observations, and strengths in the audit report.
  7. Communicate results to relevant owners and management.
  8. Track resulting corrective actions to closure and confirm follow-up where needed.

Inputs

  • audit plan
  • audit criteria and scope
  • relevant documents and records
  • prior audit and corrective action information

Outputs / Records

  • audit plan
  • working notes or evidence references
  • audit report
  • corrective action records

Roles and Responsibilities

  • [Role] must coordinate the internal audit programme.
  • Auditors must perform audits objectively and record evidence appropriately.
  • Auditees must provide access to relevant information and support the audit.
  • Management must review results and support corrective action.

Escalation / Exceptions

Escalate where:

  • auditor independence cannot be maintained
  • required evidence is unavailable
  • significant nonconformity or systemic failure is identified
  • corrective actions are not progressing

Exceptions to the audit plan must be documented and approved.

Related Documents

  • Information Security Policy
  • Management Review Procedure
  • Corrective Action Procedure
  • Internal Audit Plan Template

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink