Welcome to our “Day in the Life of an ISO Consultant” series. We’ll be exploring our work from a consultant’s perspective to give you an idea of what life working with ISO Standards is like!
Today’s Job: Internal Audits
Today’s work is an on-site ISO 27001 internal audit with a fintech start-up. Internal audits are one of the main activities we undertake as part of a post-certification ISO Support package for our clients.
I’ve already worked with the client as they prepared for ISO Certification, but the Assent office has reviewed the work and are happy that I haven’t had direct involvement in their activities, so I remain impartial for the audit.
The office has worked with the client to book the internal audit dates and aligned them to the internal audit schedule we agreed previously.
Arriving On Site & The Opening Meeting
I arrive shortly before 9am. The receptionist recognises me but still asks me to sign in and wait in reception until but contact comes to collect me. She hands me a visitor pass on a yellow lanyard labelled “Visitor”. Although the audit has not yet officially started, I’m already getting a good feeling about this one. The receptionist is well versed in visitor procedure.
The IT Manager come to collect me and we go to meeting room he has booked. Again a good sign the resources are provided for the ISMS.
He organises a coffee and we review the audit schedule to ensure we are both expecting to cover the same areas.
There’s a change, The IT Manager tells me, that the Head of HR is on Holiday and asks if we can swap her session for something else. As this is the start of a new audit programme I agree and we confirm availability and timings of representatives from across the business.
The Managing Director joins us briefly at 9.30, and I go over the usual opening meeting points including confidentiality. The MD tells me he is around all day and will come back for the closing meeting.
We begin the audit!
Documentation Audit: Management Review, Risk Assessment, Objectives
The latest management review minutes are a good place to start, as this will give me an idea about any changes that have occured in the company. We review the minutes, discuss the content and I check clause 9.3 of the standard has been covered.
Next up Risk Assessment and Objectives. I can see both have been updated recently and take some notes for the audit report.
Auditing Software Development Controls
It hits 10.30 and the head of development appears with his laptop to cover the software development controls.
He connects the large meeting room screen and having been audited before, he immediately logs in to Jira, they development planning tool.
We have a brief conversation, then I ask him to walk me through a recent Sprint using Jira to evidence each stage of the Agile Process they use.
I take notes, and ask questions to ensure we cover all of A14 in the standard.
Physical Security Audit
The Software Development session overruns slightly. We have around 40 mins before lunch, so we agree now is a good time to do a site walk.
We walk around the building and I observe unattended screens being locked, desks generally tidy, fire exits shut, secure shredding bins all locked.
I also perform an auditors favourite task, and lift a fire extinguisher off the wall to check the date. It was serviced only 3 months ago.
I make notes as we walk around, and when we return to the reception area, I ask the receptionist to find some maintenance records. She produces servicing records for fire extinguishers, intruder alarm and air conditioning easily.
I also ask for collection notes from the secure shredding company. These are locked away, but she promises to get the last 3 and bring them in over lunch. I take a note.
After lunch we look at some recent information security incidents. The IT Manager stores these reports in a secure network folder, and he presents a recent incident.
We discuss it fully, cross-reference the risk register and make sure we cover all the Annex A16 controls.
We decide to check the corrective action has been resolved fully, so walk over to the IT Service desk to check some asset numbers.
Mid-afternoon we review the Business Continuity Plan. I explain that the scope of this audit is only in respect of information security within business continuity. The company has a plan, and a recent test record.
We review the documentation and I can see the plan was updated shortly after the test, all good signs.
I spent 30 minutes checking through my report, which the IT Manager checks his emails, and then a summarise to him today’s findings, before the Managing Director Returns.
We agree that those findings are fair and accurate, and the managing director returns to hear the details.
I explain that auditing is a sampling process, and these findings represent the sample we have taken. I then talk through each finding.
The managing director listens carefully and looks towards the IT Manager to ensure he agrees.
We wrap up, say good bye and I send my draft report in to our office for a Report Review.
Report Review, Issue & Next Dates
The Assent office receives my report and at the time were turning around the report reviews within 24 hours. This is the process of checking the spelling, grammar and coherence of the report, to ensure the client gets the most out of the content. We also check for confidential or sensitive personal data which does not need to be in the report, and this is redacted.
The findings are also added to our central non-conformance log, which we use for end of contract reviews with our clients.
The project manager from the Assent office sends the report to the client, and suggests some dates for the next internal audit session.
The day is completed successfully.