Valid until: 2025-03-11
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated link for effectiveness criteria under 9.1. Updated link for internal audit planning under 9.2 and Administrations. Added that internal audit management summaries will be publicly published on the KB including a link to previous ones. Added link to overview of public management reports. |
anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2017, the international standard for information security.
The purpose of this document is to describe how anDREa ensures performance evaluation of the ISMS.
This document will be updated at least annually and when significant change happens.
The objective of this control is:
To ensure the evaluation of the performance and effectiveness of the ISMS (9.1).
To ensure that internal audits are planned and performed (9.2).
To ensure that top management reviews the ISMS (9.3).
The scope of this document is according to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
“The organisation shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organisation shall retain appropriate documented information as evidence of monitoring and measurement results.”
“a) conforms to (1) the organisation’s own requirements for its own information security management system and (2) the requirements of the International Standard;
b) is effectively implemented and maintained.
The organisation shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and the scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management;
g) retain documented information as evidence of the audit programme(s) and the audit results.”
Have knowledge of information and communication technology (preferably cloud technology), to an extent in which they can comprehend the functioning and purpose of separate information systems and security related aspects.
To ensure the appropriate knowledge level and skill of an internal auditor, an auditor should show his/her familiarity with auditing by means of a certificate (Lead auditor) or other courses for information security, or 3 years of experience in auditing.
Work independently and objectively.
anDREa:
requires all employees to aid and support the auditor in carrying out the work.
will provide access to policy documents, procedures, guidelines, and other administrations needed to carry out the internal audit.
The internal audit consists of three components:
Design: is there a documented procedure/policy?
Existence: has the procedure/policy been implemented?
Functioning: is the implemented procedure/policy effective and has evidence of the functioning been collected?
Audit planning
The three-year provisional planning for the internal audit on the ISMS of anDREa is presented in Internal audit planning. In the first year, the entire ISMS is audited. The provisional planning can be adjusted based on the results of internal and external audits. For each internal audit it can be decided to deviate from these subjects based on newly identified risks, incident reports, results of previous audits and importance of certain processes within the organisation.
Audit plan
The internal auditor writes a plan outlining:
The scope and target areas.
Who will be involved as auditors (such as subject specific experts) for which part of the audit.
Who will be involved in the interviews for which part of the audit.
The internal auditor will discuss the plan with the management team and Security Officer and adjust where appropriate.
The Security Officer communicates the final audit plan to the involved employees.
Preparation
The internal auditor and the Security Officer will set up an internal audit Microsoft Teams/Google Meet meeting.
The Security Officer invites the additional interviewees.
Carrying out an audit
The internal auditor is bound by the guidelines stated below when carrying out the internal audit:
Assessment of the existence and functioning of the ISMS takes place based on the audit criteria in the norm. The internal auditor and the Security Officer decide what the points of interest are. As a result, it may be decided to give more, less or no attention to certain subjects based on information security incidents, developments in the field of information security, results of previous audits, the risk assessment and the importance of processes within the organisation. Decisions and their explanations will be recorded in the internal audit report.
The internal auditor manages his/her audit trail during the audit itself. The audit trail consists of all evidence that has been used during the audit. The internal auditor decides what he/she considers relevant to be used as evidence. The Security Officer will safeguard the audit trail once the audit session has ended.
Audit report
The internal auditor reports findings per subject:
The assessed criteria.
The assessment results.
Who was interviewed.
The audit trail.
The findings with explanation and evidence.
The internal auditor delivers the audit report to the Security Officer. The Security Officer will take charge of the report and communicate the results to management.
Follow-up
If nonconformities arise during the internal audit, the Security Officer will create a follow-up report. In this report the Security Officer assesses:
the nonconformity.
the root cause.
the size.
the immediate corrective steps.
the long-term corrective steps.
This is done in accordance with Clause 10 Improvement. The follow-up is tracked in a ticket and reviewed by management.
Recording
All of the above will be recorded in the ticket system such that there is demonstrable proof that the audits took place, what the findings were, and how these were addressed. All relevant tickets have been tagged with ‘internal audit’.
“The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organisation shall retain documented information as evidence of the results of management reviews.”
The CTO approves (changes in the) documented information of the ISMS.
Management is attending the monthly Information Security Management Board (ISMB) meetings.
Based on the annual Security Management Report delivered by the Security Officer.
All actions are tracked in the appropriate tickets.
Management representatives will participate in internal (and external) audits.
Internal audit planning (authorised personnel only)
Internal audit reports (authorised personnel only)
If needed, follow-up reports.
ISMB meeting notes and action list (authorised personnel only)