ISMS AUDIT REPORT

Audit start date (dd/mm/yy): 19/12/12
Visit No. / stage: 2
This report relates to (Stage 1 / Stage 2 / Surveillance / Re-Certification / Special visit, assessment or inspection): Stage 2

Client Name: Blue Coat Inc.
Address: 15 Scenic Point, Draper, UT
Postcode: 84020

Scope: Cloud Services, responsible for Cloud Engineering (product development), Cloud QA (product test), and Cloud Operations (maintenance and management of production systems)
Scope proposed / amended? (Yes / No)
Other changes, e.g. name, address, contact, proposed extension to scope, complaint investigated?

Number of Employees (f/te within scope): 86
Visit Duration (in days): 1.00

Relevant standard / Supporting Documentation: ISO/IEC 27001 (ISMS)
(Other options on the form: BS 25999-1 (BCMS), ISO 9001 (QMS), OTHER; if other, please supply detail.)
This visit had the following conclusion as indicated by a cross in the box:
  The visit was satisfactory. A positive recommendation for (continuing) registration is made / An assessment is scheduled (see attached audit plan)
  The visit was unsatisfactory. A recommendation for (continuing) registration cannot be made / An assessment cannot be scheduled

The following action should be taken by the client:
  No action required
  Minor non-compliances & observations were raised. Timescales to complete the corrective action are agreed at ____ days, or 21 days if not stated
  There were one or more Major non-compliances raised. A corrective action plan must be submitted to NQA Head Office within 10 working days

Were opening and closing meetings performed in accordance with ISO 19011? Yes / No

NQA Audit Team
  Lead Assessor: John Thompson
  Member 1:
  Member 2:

Client Representatives (Name / Title / Attendance)
  Tom Miller, Information Security Director, Opening / Closing
  James Whitchurch, VP Engineering/Cloud, Opening / Closing
  Elmer Benites, Cloud and WebPulse Ops VP, Opening / Closing
Comments of the assessment team:
This is an excellent system. The management team has the basic knowledge of the ISMS (ISO 27001) requirements and controls. This was achieved by their business control experience and their training in the ISMS requirements and controls. This is also shown during the interviews with the employees.
Signature (NQA): Signature on file
Signature (Client): Signature on file
The client is reminded that prior to a main assessment visit they are to ensure the management system has been implemented for at least 3 months, understood throughout the organisation, completely audited and has held a management review. The contents of this audit report are confidential. Findings raised within this report are the result of limited sampling; therefore, non-compliances may exist that have not been identified. The signature of the client's representative confirms their agreement and understanding of the contents of this report and their commitment to undertake satisfactory corrective action to address all non-conformances raised.
Form No. 614067 rev1. Page 1 of 11.
ISMS AUDIT MATRIX

Visit No. / stage: 2
Business areas/processes audited during this visit: matrix columns A to H (see key below) and a Recertification column.

BS EN ISO/IEC 27001:2005 REQUIREMENTS
4.1     General
4.2     Establishing and managing the ISMS
4.3.1   Documentation Requirements
4.3.2   Control of documents
4.3.3   Control of records
5.1     Management responsibility
5.2     Resource management
6       Internal ISMS audits
7       Management review of the ISMS
8       ISMS improvement
A 5     Security Policy
A 6     Organisation of Information Security
A 6.1   Internal Organization
A 6.2   External Parties
A 7     Asset Management
A 7.1   Responsibility for assets
A 7.2   Information classification
A 8     Human resource security
A 8.1   Prior to employment
A 8.2   During employment
A 8.3   Termination or change of employment
A 9     Physical and environmental security
A 9.1   Secure areas
A 9.2   Equipment security
A 10    Communications and operations management
A 10.1  Operational procedures & responsibilities
A 10.2  Third party service delivery management
A 10.3  System planning and acceptance
A 10.4  Protection against malicious & mobile code
A 10.5  Back-up
A 10.6  Network security management
A 10.7  Media Handling
A 10.8  Exchange of information

Key to business area / processes audited
A  Network Architect
B  Systems Deployment
C  Systems Architect
D  NOC Administration
E to H: blank

Form No. 64. Page 2.
NQA ISMS AUDIT MATRIX (continued)

Visit No. / stage: 2
Business areas/processes audited during this visit: matrix columns A to H (see key below) and a Recertification column.

BS EN ISO/IEC 27001:2005 REQUIREMENTS
A 10.9   Electronic commerce services
A 10.10  Monitoring
A 11     Access Control
A 11.1   Business requirement for access control
A 11.2   User access management
A 11.3   User responsibilities
A 11.4   Network access control
A 11.5   Operating system access control
A 11.6   Application and information access control
A 11.7   Mobile computing and teleworking
A 12     Information Systems acquisition, development and maintenance
A 12.1   Security requirements of information systems
A 12.2   Correct processing in applications
A 12.3   Cryptographic controls
A 12.4   Security of system files
A 12.5   Security in development & support process
A 12.6   Technical vulnerability management
A 13     Information security incident management
A 13.1   Reporting information security events and weaknesses
A 13.2   Management of information security incidents and improvements
A 14     Business continuity management
A 14.1   Information security aspects of business continuity management
A 15     Compliance
A 15.1   Compliance with legal requirements
A 15.2   Compliance with security policies & standards, and technical compliance
A 15.3   Information systems audit considerations

Issue status of the company SoA:
Issue status of the company Risk Treatment plan:

Key to business area / processes audited
A  Network Architect
B  Systems Deployment
C  Systems Architect
D  NOC Administration
E to H: blank

Form No. 64. Page 3.
AUDIT RECORD

Visit No. / stage: 2
Assessor*: John Thompson
Standard+: ISO 27001:2005
Clause ref.:

Details of activities seen, persons met or interviewed; record documents viewed and referenced to DMS sections etc.
Blue Coat Systems is a leading provider of Web security and WAN optimization solutions. Blue Coat offers solutions that provide the visibility, acceleration and security required to optimize and secure the flow of information to any user, on any network, anywhere.

For this site, there are 87 employees. One shift. Help desk is 24/7.

Blue Coat does not perform electronic commerce services; therefore all controls (A.10.9) relating to ECS are excluded.
Documents Reviewed (document, date):
Security Policy, 6/22/11
Cloud Statement of Applicability, 8/28/12
Risk Assessment Approach, 6/26/12
Management Approval to Operate the ISMS, 8/28/12
Identified Risk and Assets Sec. D – H, 8/28/12
Implement and Operate the ISMS, 8/28/12
Monitor and Review the ISMS, 8/28/12
ISMS Maintain and Improve the ISMS, 6/19/12
Required Documentation, 8/28/12
Control of Records, 8/28/12
Management Commitment, 8/28/12
Training, Awareness and Competence, 8/28/12
Internal ISMS Audits, 6/19/12
Management Review, 6/19/12
ISMS Improvements, 6/19/12
Blue Coat ISMS Policy, 6/19/12
Blue Coat ISMS Scope Statement, 8/28/12
Cloud Security Responsibilities, 12/5/12
ISMS Audit Procedure, 6/12/12
Risk Calculator, 8/28/12
Cloud Change Control Process V.11, 11/19/12
Interviews (persons met): Richard McCluney, James Whitchurch, Dallin Wrigh, Dennis Fox, Gordon Bray, David Smith, Brian Hich, Alex Brokaw, Roger Harrison, Kealey Spencer, Michael Magnusson, Tirn Gray, Tom Miller.

Roles interviewed: VP Operations; VP Engineering/Cloud; Deployment Tech; NOC Admin (two); NOC Manager; Secretary/Lobby receptionists; Systems Development; Security; Information Security Director.
NC/OFI Ref. No.:

* Only to be completed where more than one assessor is involved in the audit
+ Only to be completed where the audit is against more than one standard

Form No. 62. Page 4.
MANAGEMENT SYSTEM EFFECTIVENESS

Visit No. / stage: 2
Assessor: John Thompson
Standard+: ISO 27001:2005

Management System Effectiveness: category; monitoring and/or measurement methods used by the organization to determine their effectiveness; rating (Effective / Not Effective)

Defined Goals & Objectives Being Realized
  Specific and detailed goals are defined and documented for each group. The activity is recorded and reported weekly at the management team meetings.
  Rating: Effective

Effective Demonstration of Customer Satisfaction and the Handling of Complaints
  All complaints are processed in a very proactive manner. All complaints are documented and reviewed by the management team.
  Rating: Effective

Effectively Providing Product and Services That Meet Defined Requirements
  Interviews and records indicate that customer requirements are met or exceeded.
  Rating: Effective

The Ability of Measured Processes to Meet Defined Goals
  An excellent process has been implemented where specific objectives are defined and progress is tracked and reported.
  Rating: Effective

The Ability to Demonstrate Progress on Improvement Projects or Actions
  Records and interviews demonstrate that projects and support activity are tracked and reported to specific objectives and target dates.
  Rating: Effective

The Continued Effectiveness of Corrective and Preventive Action Processes
  The corrective and preventive actions process and records show this activity is very effective. Interviews with management support this effort.
  Rating: Effective
Areas of Good Performance
During the interviews it was observed that the employees have a strong desire to learn more about the ISMS and how it will improve the control and understanding of responsibilities and the management of the ISMS controls.
Excellent change control process. Detailed information and records are found at each review step.
All incidents are reported daily and reviewed. Records are kept for each incident that is found to warrant further review.
Excellent management support.
Form No. 62A. Page 5.
AUDIT FINDINGS SUMMARY

Visit No. / stage: 2
Assessor: John Thompson
Standard+: ISO 27001:2005

Ref No.; Clause No.; NC/OFI; classification; details of activities seen, persons met or interviewed; record documents viewed and referenced to DMS sections etc.

JT1   Clause 4.3.2   NC, Minor
  Review of the SharePoint system found that not all of the documents are found in/controlled by SharePoint, the required document control tool (i.e. "receptionists reference book").

JT2   Clause 4.3.2 a,b,c   NC, Minor
  Reviewing the "Reception Desk Procedure book" found that the documents in the book were not identified as control documents.

JT3   Clause 5.2.2 b   NC, Minor
  Throughout the interviews, especially interviews with management, it was found that the ISMS Documentation Requirements (4.3.1) are not understood and followed.

JT4   Clause 5   OFI, Obs
  Interviews found that there is inconsistency in the understanding of the documentation requirements.

Signed for NQA: Signature on file
Signed for client: Signature on file

Form No. 63. Page 6.
AUDIT PLAN

This programme relates to the NEXT Visit/Assessment (Stage 1 / Stage 2 / Surveillance / Re-Certification / Special)
Visit No. / stage: 2
Relevant standard / Supporting Documentation: ISO/IEC 27001 (ISMS)
(Other options on the form: ISO/IEC 20000-1 (ITSMS), BS 25999-1 (BCMS), OTHER.)
Member: John Thompson
Date: 12/19/2012

Time    Location / Department / Function
8:30    Arrive in Lobby
9:00    Opening Meeting and site walkthrough
10:00   Policies review, SOA review
11:00   Continue review of required documents
12:00   Lunch
1:00    Controls Review
2:00    Control Review
3:00    Control Review
4:00    Auditor Time
4:30    Closing Meeting

Timings and content may be subject to change.
Signed for NQA: John Thompson

Form No. 67. Page 7.
AUDIT FINDING AND CORRECTIVE ACTION SUBMISSION FORM

Section 1 - To be completed by NQA auditor
Company Name: Blue Coat Inc.
Classification of finding: Minor
Reference Standard: ISO 27001:2005
Audit Report Number:
Finding Reference Number: JT 1
Date: 12/19/12
Referenced Standard Clause: 4.3.2

Statement of the Non-Conformity:
Interviews and review of documents found that the required document control procedure is not being followed by all of the departments/groups.

Objective evidence observed that supports the statement of non-conformity:
Review of the SharePoint system found that not all of the documents are found in/controlled by SharePoint, the required document control tool (i.e. "receptionists reference book").

Endorsed by NQA: John Thompson, Date 12/19/12
Endorsed by Client: Tom Miller, Date 12/19/12

Section 2 - To be completed by the client.
Please print and complete this form or alternatively complete your own internal corrective action form (including root cause analysis) and forward to NQA Head-Office.
Due date for submission:

Immediate action taken to contain the situation/containment action:
A training course is being developed to provide adequate detail in ISMS requirements including documentation requirements.

Root cause analysis (for example: supply copies of a completed 5 why or similar problem solving methodology):
1) Why didn't the employees know about the documentation requirements?
   a. Employees received inadequate training on documentation requirements.
2) Why didn't the employees receive adequate training on documentation requirements?
   a. The ISMS is new and training was provided on the system, but specific training on all of the documentation requirements was lacking enough detail to be effective.

Systemic corrective action (process/system creation and/or enhancements to prevent recurrence):
1) Move all documentation under the scope of the ISMS to SharePoint.
2) Provide training to all staff on documentation requirements.
3) Perform internal audits to ensure that document control is in place.
4) Perform effectiveness reviews using SurveyMonkey to track training efforts.

Planned completion date of corrective action: 31 Mar 2013
Related preventative actions:
Verified on behalf of the company:
Closed by NQA:

Form No. 69. Page 8.
AUDIT FINDING AND CORRECTIVE ACTION SUBMISSION FORM

Section 1 - To be completed by NQA auditor
Company Name: Blue Coat Inc.
Classification of finding: Minor
Reference Standard: ISO 27001:2005
Audit Report Number: Stage 2
Finding Reference Number: JT 2
Date: 12/19/12
Referenced Standard Clause: 4.3.2 a,b,c

Statement of the Non-Conformity:
Documents required by the ISMS shall be protected and controlled. A documented procedure shall be established to define the management actions needed to a) approve documents for adequacy prior to issue; b) review and update documents as necessary and re-approve documents; c) ensure that changes and the current revision status of the documents are identified.

Objective evidence observed that supports the statement of non-conformity:
Reviewing the "Reception Desk Procedure book" found that the documents in the book were not identified as control documents.

Endorsed by NQA: John Thompson, Date 12/19/12
Endorsed by Client: Tom Miller, Date 12/19/12

Section 2 - To be completed by the client.
Due date for submission:

Immediate action taken to contain the situation/containment action:
Documentation was collected from the team for review and informal guidance was provided to employees working in this job function. A project plan is under development to move all documentation to SharePoint and provide training to all staff on documentation requirements.

Root cause analysis:
1) Why were the documents not identified as control documents?
   a. The documents were not considered part of the ISMS.
2) Why weren't the documents considered to be part of the ISMS?
   a. The documentation evolved from one employee to another and was not officially approved.
3) Why did the employees use documentation that was not approved?
   a. The documentation served the intended purpose and the employee did not realize that it was a problem to continue to use it with the new implementation of ISO 27001 documentation requirements.
4) Why didn't the employee follow the documentation requirements?
   a. The employee received inadequate training on documentation requirements.
5) Why didn't the employee receive adequate training on documentation requirements?
   a. The ISMS is new and training was provided on the system, but specific training on all of the documentation requirements was lacking enough detail to be effective.

Systemic corrective action (process/system creation and/or enhancements to prevent recurrence):
1) Move all documentation under the scope of the ISMS to SharePoint.
2) Provide training to all staff on documentation requirements.
3) Perform internal audits to ensure that document control is in place.
4) Perform effectiveness reviews using SurveyMonkey to track training efforts.

Planned completion date of corrective action: 31 Mar 2013
Related preventative actions:
Verified on behalf of the company:
Closed by NQA:

Form No. 69. Page 9.
AUDIT FINDING AND CORRECTIVE ACTION SUBMISSION FORM

Section 1 - To be completed by NQA auditor
Company Name: Blue Coat, Inc.
Classification of finding: Minor
Reference Standard: ISO 27001:2005
Audit Report Number: Stage 2
Finding Reference Number: JT 3
Date: 12/19/12
Referenced Standard Clause: 5.2.2 b

Statement of the Non-Conformity:
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required task by: b) providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs....

Objective evidence observed that supports the statement of non-conformity:
Throughout the interviews, especially interviews with management, it was found that the ISMS Documentation Requirements (4.3.1) are not understood and followed.

Endorsed by NQA: John Thompson, Date 12/19/12
Endorsed by Client: Tom Miller, Date 12/19/12

Section 2 - To be completed by the client.
Due date for submission:

Immediate action taken to contain the situation/containment action:
A training course is being developed to provide adequate detail in ISMS requirements including documentation requirements.

Root cause analysis:
1) Why didn't the employees understand the documentation requirements?
   a. Employees received inadequate training on documentation requirements.
2) Why didn't the employees receive adequate training on documentation requirements?
   a. The ISMS is new and training was provided on the system, but specific training on all of the documentation requirements was lacking enough detail to be effective.

Systemic corrective action (process/system creation and/or enhancements to prevent recurrence):
1) Move all documentation under the scope of the ISMS to SharePoint.
2) Provide training to all staff on documentation requirements.
3) Perform internal audits to ensure that document control is in place.
4) Perform effectiveness reviews using SurveyMonkey to track training efforts.

Planned completion date of corrective action:
Related preventative actions:
Verified on behalf of the company:
Closed by NQA:

Form No. 69. Page 10.
AUDIT FINDING AND CORRECTIVE ACTION SUBMISSION FORM

Section 1 - To be completed by NQA auditor
Company Name: Blue Coat Inc.
Classification of finding: Observation
Reference Standard: ISO 27001:2005
Audit Report Number: Stage 2
Finding Reference Number: JT 4
Date: 12/19/12
Referenced Standard Clause: 5 Management Responsibility

Statement of the Non-Conformity:
Understanding the ISMS and Blue Coat documentation requirements.

Objective evidence observed that supports the statement of non-conformity:
Interviews found that there is inconsistency in the understanding of the documentation requirements.

Endorsed by NQA: John Thompson, Date 12/19/12
Endorsed by Client: Tom Miller, Date 12/19/12

Section 2 - To be completed by the client.
Due date for submission:

Immediate action taken to contain the situation/containment action:
A training course is being developed to provide adequate detail in ISMS requirements including documentation requirements.

Root cause analysis:
1) Why didn't the employees understand the documentation requirements?
   a. Employees received inadequate training on documentation requirements.
2) Why didn't the employees receive adequate training on documentation requirements?
   a. The ISMS is new and training was provided on the system, but specific training on all of the documentation requirements was lacking enough detail to be effective.

Systemic corrective action (process/system creation and/or enhancements to prevent recurrence):
1) Move all documentation under the scope of the ISMS to SharePoint.
2) Provide training to all staff on documentation requirements.
3) Perform internal audits to ensure that document control is in place.
4) Perform effectiveness reviews using SurveyMonkey to track training efforts.

Planned completion date of corrective action: 31 Mar 2013
Related preventative actions:
Verified on behalf of the company:
Closed by NQA:

Form No. 69. Page 11.