A.12.7.1 Information systems audit controls

Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2022-06-24
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.12.7.1 Information systems audit controls from B16 Technical Audits. | 2022-11-16
2.0 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Added more responsibility for the Security Officer in coordinating technical audits. | 2023-05-15
3.0 | Edward Robinson | Additions/changes as part of the annual review. Changed CTO to CEO, given the current organisational structure. Updated links under Administrations. | 

Purpose & background


In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system (ISMS) in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the technical audits policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives

The objectives of this control are:


  • To minimise the impact of audit activities on operational systems (A.12.7).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls


“Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.”


myDRE is periodically subjected to technical audits such as penetration testing (pentests) and code reviews. It is important to ensure that these technical audits do not compromise the level of security and the availability of information. This is the responsibility of the CEO and the Security Officer.

The CEO decides in consultation with the Product Owner, appointed developers and the Security Officer which type of technical audit has to be carried out, based on:


  • The importance of information, in combination with relevant risks.

  • Incident reports requiring a technical audit.

  • Requirements made by clients.


If a technical audit procedure needs to be carried out, the CEO and the Security Officer must ensure that the following criteria are addressed:


Before the audit:

  • Establish how the confidentiality, integrity, availability and auditability (CIA-A) of the information will be guaranteed during the audit.

  • Define the scope clearly.

  • Have a test plan in place.


During the audit:

  • If the CIA-A of information is compromised, this has to be reported as an incident.


After the audit:

  • The CEO registers, based on information provided by the Security Officer:

    • Whether the CIA-A of information was compromised.

      • Suggestions for improvement in future audits if the above was the case.

  • If not included in the report, the Security Officer draws up a management summary reflecting on the findings.

    • Findings are discussed with management and relevant stakeholders during the ISMB meeting. The severity of the findings is reassessed and product backlog items (PBIs) are created accordingly.

    • The management summary is published publicly on anDREa’s Knowledge Base.

Administrations


Related Articles

  • 20220713 Report Azure White Box Security Audit

    Version: 2022-07-14. Introduction: anDREa has a Pentest Program as part of its commitment to protect the security of its business information. At least once a year we request an external party to do the pentest and a white box security audit. ...

  • 20210224 Pentest 2021-Q1 Report & 20210301 White Box Security Audit 2021-Q1 Report

    In accordance with our Pentest Program, anDREa engaged nSEC/Resilience for the anDREa White Box Security audit and the Pentesting 2021-Q1. The core questions being: Can non-authorized people or services access Workspaces or affect anDREa’s core services? ...

  • 20220714 Security Management Report Addendum

    As part of anDREa's commitment to maintaining an Information Security Management System (ISMS) based on ISO 27001, this document is an addendum to the 20220607 Security Management Report and addresses the findings reported on 2022-07-14 of the ISO ...

  • 20220607 Security Management Report

    As part of anDREa's commitment to maintaining an Information Security Management System (ISMS) based on ISO 27001, please feel free to download and read the attached anDREa's 20220607 Security Management Report.

  • 20230503 - Internal audit management summary

    Internal ISO 27001 audits are a crucial part of the Information Security Management System (ISMS) implementation process. These audits are conducted by an organization's own internal auditors or a team of trained individuals to assess the ...