
ISMS Surveillance Audit Report Rev 06

Work Order Nr.:
CERTIFICATION AUDIT REPORT
ISO 27001:2013 (ISMS)
Page: 1/26
CERTIFICATION AUDIT REPORT
Surveillance
Audited company:
                                     Name and surname / Date / Signature
Report prepared by (lead auditor):
Reviewed by:
LMS-FM-059E Surveillance Audit Report Rev 06
Issue Date: 27-12-2017
Page 1 of 26
OPENING MEETING
Attendees | Designation | Sign
TOPICS FOR DISCUSSION
√ Introduction of LMS staff
√ Introduction of company staff
√ Confirm statement of confidentiality.
√ Confirm the assessment standard (e.g. ISO 27001:2013). ISO 27001:2013
√ Confirm number of sites, employees, working hours (e.g. shift patterns, early finishes, holiday shutdowns etc.), details of major changes within the company (staff, new processes, business, premises) and confirmation of relevant work safety, emergency and security procedures for the audit team.
√ Confirm scope of registration (please record scope).
√ Confirmation of the status of findings of the previous certification, review or audit and their status (if applicable).
√ Confirmation that, during the audit, the client will be kept informed of audit progress and any concerns.
√ Explain how the assessment will be undertaken:
  • Refer to the assessment programme, methods and procedures to be used to conduct the audit based on sampling.
  • Describe the method of non-compliance reporting and the conditions under which the audit may be prematurely terminated.
  • Language of audit and reporting.
  • Major non-compliance early warning.
  • Assessors need to question individuals, not just guides.
  • Closing meeting and who should be present.
√ Confirm status of the company's management system.
√ Confirm guides are available.
√ Confirm office facilities are available.
√ Confirm lunch arrangements.
√ Review H & S and Trade Union arrangements.
√ Invite questions.
√ Final preparation for team (10 minutes)
Name of the Organization:
Address:
Site Address (if any):
No. of Employees:
No. of Users:
No. of Servers:
No. of Work Stations:
No. of Application Development and Maintenance staff:
E-mail id:
Name of Management representative:
Telephone/Fax:
Scope:
EA Code/Technical Category:
Exclusions:
Audit Team:
Date of Audit:
Brief about the organization:
Audit Objective: The objective of the surveillance audit is to monitor representative areas and functions covered by the scope of the management system on a regular basis, and to take into account changes to the certified client and its management system.
Audit Duration for Surveillance:
Are the quoted man-days adequate?
Any change in employee details since the last audit?
Any change in scope since the last audit?
Any additional information regarding changes since the last audit:
NCRs from previous visits
Columns: # | Category | Clause | Description | NCR no. | Work Order No. | Action Taken | Accepted (Yes / No)
1. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
2. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
3. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
4. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
5. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
6. NCR no.: | Work Order No.: | Action Taken: | Accepted: Yes / No
ISO 27001:2013 ISMS Requirements | C/O/NCR | Comments
4. Context of the organisation
4.1 Understanding the organisation and its context
a) Have the external and internal issues relevant to the information security management system been identified?
b) Has the organization's context been identified to establish its information security management system (ISMS)?
c) Have the internal issues that are relevant to the organization's purpose been identified, and has the influence these issues could have on its ability to achieve the outcomes that its ISMS intends to achieve been documented?
Has the organization:
• Determined the influence the internal stakeholders could have?
• Determined the influence the approach to governance could have?
• Determined the influence the organization's capabilities could have?
• Determined the influence the organization's culture could have?
• Determined the influence the organization's contracts could have?
• Identified the external issues that are relevant to the organization's purpose and considered the influence these issues could have on its ability to achieve the outcomes that its ISMS intends to achieve?
• Determined the influence environmental conditions could have?
• Determined the influence key trends and drivers could have?
• Determined the influence external stakeholders could have?
4.2 Understanding the needs and expectations of interested parties
a) Has the organization determined all the parties that have an interest in the organization's ISMS?
b) Has the organization identified the requirements of these parties, including their needs and expectations?
4.3 Determining the scope of the information security management system
a) Has the organisation determined the boundaries and applicability of the ISMS?
b) Is the ISMS Policy available as documented information?
c) Has the organisation considered the external and internal issues, the requirements of interested parties, and the interfaces and dependencies between activities performed by the organisation and those performed by other organizations?
4.4 Information security management system
Has the organisation documented the process to establish, implement, maintain and continually improve the ISMS?
5. Leadership
5.1 Leadership and commitment
Has the management:
a) Established a policy and objectives in line with the strategic direction?
b) Ensured integration with the organization's processes?
c) Ensured resources?
d) Communicated the importance of management and conformity?
e) Ensured the ISMS achieves its intended outcomes?
f) Directed and supported persons involved in the ISMS?
g) Promoted continual improvement?
h) Supported other relevant managers?
5.2 Policy
a) Is the policy appropriate to the purpose of the organisation?
b) Does the policy include information security objectives or provide the framework for setting information security objectives?
c) Does the policy include a commitment to satisfy applicable requirements related to information security?
d) Does the policy include a commitment to continual improvement of the information security management system?
e) Is the policy available as documented information?
f) Is the policy communicated within the organization?
g) Is the policy available to interested parties?
Documented Information: the ISMS Policy is required.
5.3 Organizational roles, responsibilities and authorities
a) Are roles and authorities assigned and communicated?
b) Has top management assigned responsibilities for ensuring that the ISMS conforms to the standard and for reporting on its performance to top management?
6. Planning
6.1 Actions to address risks and opportunities
6.1.1 General
a) Has the management considered the context of the organisation and the needs and expectations of interested parties?
b) Has it determined the risks and opportunities that need to be addressed so that the ISMS achieves its intended outcomes, prevents or reduces undesired effects and achieves continual improvement?
c) Has the organisation planned actions to address risks and opportunities, and how to integrate and implement those actions into its ISMS and evaluate their effectiveness?
6.1.2 Information security risk assessments
a) Has the organisation defined and applied a risk assessment approach that establishes and maintains risk acceptance criteria and criteria for performing risk assessments?
b) Has it ensured repeatability, producing consistent, valid and comparable results?
c) Have the security risks associated with loss of confidentiality, integrity and availability, along with their risk owners, been identified?
d) Has the risk analysis been done, and have the potential consequences, realistic likelihood and levels of risk been identified?
e) Have the risks been evaluated, compared and assigned priorities?
f) Has the documented information been retained by the organization?
Documented Information:
1. Information on the Risk Assessment Process
6.1.3 Information security risk treatment
a) Has the organisation defined and applied an information security risk treatment process to select treatment options?
b) Determined controls "from any source"?
c) Compared controls with Annex A?
d) Produced a Statement of Applicability?
e) Formulated a treatment plan?
f) Obtained the owners' approval of treatments and residual risks?
g) Retained documented information?
Documented Information:
1. Information on the Risk Treatment Process
2. The Statement of Applicability must be documented.
6.2 Information security objectives and planning to achieve them
a) Has the organisation established objectives "at relevant functions and levels"?
b) Are these objectives consistent and measurable (where practicable), do they take into account requirements, assessments and treatments, and are they communicated and updated?
c) Has the organisation retained documented information such as what will be done, what resources will be required, who will be responsible, when it will be completed and how results will be evaluated?
Documented Information: the objectives are required.
7. Support
7.1 Resources
Has the organisation provided enough resources to achieve information security?
7.2 Competence
Has the organization determined the necessary competence, ensured it, taken actions to acquire it and retained documented information?
Documented Information: evidence of competence.
7.3 Awareness
a) Persons shall be aware of the ISMS policy, their contribution to the ISMS and the consequences of not conforming.
b) Make sure that the people who work for the organization understand and are aware of its information security policy.
c) Make sure that the people who work for the organization understand how they can support and help enhance the effectiveness of the ISMS.
7.4 Communication
Has the organisation determined the need for internal and external communication?
7.5 Documented information
7.5.1 General
a) Has the organization's ISMS included the documented information required by the standard?
b) Has it included the information deemed by the organisation as required?
7.5.2 Creating and updating
When creating documented information, has the organisation ensured appropriate identification and description, format, and review and approval?
7.5.3 Control of documented information
a) Is the documented information controlled to ensure availability, suitability and protection?
b) Has the organisation addressed distribution, access, retrieval and use, storage and preservation, change control, retention and disposition?
Are external documents (documented information of external origin) controlled in the same way as other documented information?
8. Operation
8.1 Operational planning and control
a) Has the organisation planned, implemented and controlled all the processes?
b) Has the organisation implemented plans to achieve objectives?
c) Has the organisation controlled planned changes and reviewed the consequences of unplanned changes?
d) Has the organisation ensured that outsourced processes are determined and controlled?
Documented Information: information necessary to have confidence that processes are being carried out as planned.
8.2 Information security risk assessments
a) Has the organisation performed risk assessments at planned intervals or at significant changes?
b) Has the organisation retained documented information?
Documented Information:
a) Information on risk assessments is required.
8.3 Information security risk treatment
Has the organisation implemented the risk treatment plan and retained documented information?
Documented Information: results of risk treatment are required.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
Has the organisation evaluated the ISMS performance and effectiveness?
Documented Information: evidence of monitoring and measuring is required.
9.2 Internal audit
Has the organisation conducted internal audits, with auditors selected to conduct audits "that ensure the objectivity and impartiality of the audit process"?
Documented Information:
a) The audit programme
b) Audit results
9.3 Management review
Has top management reviewed the ISMS at planned intervals and recorded the actions, including:
a. Status of actions from previous meetings
b. External and internal changes
c. Feedback on performance
d. Non-conformities and corrective actions
e. Monitoring and measurement
f. Audit results
g. Fulfilment of objectives
h. Feedback from interested parties
i. Results of risk assessments and treatment plans
j. Opportunities for continuous improvement.
Documented Information: the results of management review are required.
10. Improvements
10.1 Nonconformity and corrective actions
Has the organisation reacted to nonconformities, evaluated the need for actions and implemented actions?
Do the documented procedures for corrective actions define requirements for:
a) Identifying non-conformities
b) Determining the causes of non-conformities
c) Evaluating the need for actions to ensure that non-conformities do not recur
d) Determining and implementing the corrective action needed
e) Recording the results of action taken and reviewing the corrective action taken
Documented Information: information on non-conformances and actions.
10.2 Continual improvement
Does the organisation continually improve the effectiveness of the ISMS through the use of:
• the information security policy and objectives
• audit results and analysis of monitored events
• corrective and preventive actions
• management review?
Table A.1 Control Objectives and Controls
A5 Information security policies
A5.1 Management direction for information security
Objective: Is there an information security policy to provide management direction and support for information security in accordance with business requirements, relevant laws and regulations?
A5.1.1 Policies for information security: Is there a set of policies for information security defined, approved by management, published and communicated to employees and relevant external parties?
A5.1.2 Review of the policies for information security: Are the policies for information security reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness?
A6 Organisation of information security
A6.1 Internal organisation
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.
A6.1.1 Information security roles and responsibilities: Are all information security responsibilities defined and allocated?
A6.1.2 Segregation of duties: Are conflicting duties and areas of responsibility segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets?
A6.1.3 Contact with authorities: Are appropriate contacts with relevant authorities maintained?
A6.1.4 Contact with special interest groups: Are appropriate contacts with special interest groups or other specialist security forums and professional associations maintained?
A6.1.5 Information security in project management: Is information security addressed in project management, regardless of the type of the project?
A6.2 Mobile devices and teleworking
Objective: to ensure the security of teleworking and the use of mobile devices.
A6.2.1 Mobile device policy: Are a policy and supporting security measures adopted to manage the risks introduced by using mobile devices?
A6.2.2 Teleworking: Are a policy and supporting security measures implemented to protect information accessed, processed or stored at teleworking sites?
A7 Human resource security
A7.1 Prior to employment
Objective: to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A7.1.1 Screening: Are background verification checks on all candidates for employment carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed and the perceived risks?
A7.1.2 Terms and conditions of employment: Do the contractual agreements with employees and contractors state their and the organization's responsibilities for information security?
A7.2 During employment
Objective: to ensure that all employees and contractors are aware of and fulfil their information security responsibilities.
A7.2.1 Management responsibilities: Has management directed employees and contractors to apply security in accordance with the established policies and procedures of the organization?
A7.2.2 Information security awareness, education and training: Have all employees of the organization and, where relevant, contractors received appropriate awareness education and training and regular updates in the organization's policies and procedures, as relevant to their job function?
A7.2.3 Disciplinary process: Is there a formal and communicated disciplinary process to take action against employees who have committed an information security breach?
A7.3 Termination and change of employment
Objective: to protect the organisation's interests as part of the process of changing or terminating employment.
A7.3.1 Termination or change of employment responsibilities: Are information security responsibilities and duties that remain valid after termination or change of employment defined, communicated to the employee or contractor and enforced?
A8 Asset management
A8.1 Responsibility for assets
Objective: to identify organizational assets and define appropriate protection responsibilities.
A8.1.1 Inventory of assets: Are the assets associated with information security and information processing facilities identified, and is an inventory of these assets drawn up and maintained? The Inventory of Assets must be documented.
A8.1.2 Ownership of assets: Are the assets maintained in the inventory owned by an owner?
A8.1.3 Acceptable use of assets: Are rules for the acceptable use of information and of assets associated with information and information processing facilities identified, documented and implemented?
A8.1.4 Return of assets: Do all employees and external party users return all of the organization's assets in their possession upon termination of their employment, contract or assignment?
Remarks (if any):
A8.2 Information classification
Objective: to ensure that information receives an appropriate level of protection in accordance with its importance to the organisation.
A8.2.1 Classification of information: Is information classified in terms of its legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification?
A8.2.2 Labelling of information: Is an appropriate set of procedures for information labelling developed and implemented in accordance with the information classification scheme adopted by the organization?
A8.2.3 Handling of assets: Are procedures for handling assets developed and implemented in accordance with the information classification scheme adopted by the organisation?
A8.3 Media handling
Objective: to prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
A8.3.1 Management of removable media: Are procedures implemented for the management of removable media in accordance with the classification scheme adopted by the organisation?
A8.3.2 Disposal of media: Is media disposed of securely when no longer required, using formal procedures?
A8.3.3 Physical media in transit: Is media containing information protected against unauthorized access, misuse or corruption during transportation?
Remarks (if any):
A9 Access control
A9.1 Business requirements of access control
Objective: to limit access to information and information processing facilities.
A9.1.1 Access control policy: Is an access control policy established, documented and reviewed based on business and security requirements?
A9.1.2 Access to networks and network services: Are users only provided with access to the network and network services that they have been specifically authorized to use?
A9.2 User access management
Objective: to ensure authorized user access and to prevent unauthorized access to systems and services.
A9.2.1 User registration and de-registration: Is a formal user registration and de-registration procedure implemented to enable the assignment of access rights?
A9.2.2 User access provisioning: Is a formal user access provisioning process implemented to assign or revoke access rights for all user types to all systems and services?
A9.2.3 Management of privileged access rights: Is the allocation and use of privileged access rights restricted and controlled?
A9.2.4 Management of secret authentication information: Is the allocation of secret authentication information controlled through a formal management process?
A9.2.5 Review of user access rights: Do asset owners review users' access rights at regular intervals?
A9.2.6 Removal or adjustment of access rights: Are the access rights of all employees and external party users to information and information processing facilities removed upon termination of their employment, contract or agreement, or adjusted upon change?
A9.3 User responsibilities
Objective: to make users accountable for safeguarding their authentication information.
A9.3.1 Use of secret authentication information: Do users follow the organisation's practices in the use of secret authentication information?
Remarks (if any):
A9.4 System and application access control
Objective: to prevent unauthorized access to systems and applications.
A9.4.1 Information access restriction: Is access to information and application system functions restricted in accordance with the access control policy?
A9.4.2 Secure log-on procedures: Where required by the access control policy, is access to systems and applications controlled by a secure log-on procedure?
A9.4.3 Password management system: Are password management systems interactive, and do they ensure quality passwords?
A9.4.4 Use of privileged utility programs: Is the use of utility programs that might be capable of overriding system and application controls restricted and tightly controlled?
A9.4.5 Access control to program source code: Is access to program source code restricted?
Remarks (if any):
A10 Cryptography
A10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A10.1.1 Policy on the use of cryptographic controls: Is a policy on the use of cryptographic controls for the protection of information developed and implemented?
A10.1.2 Key management: Is a policy on the use, protection and lifetime of cryptographic keys developed and implemented throughout their whole lifetime?
Remarks (if any):
A11 Physical and environmental security
A11.1 Secure areas
Objective: to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
A11.1.1 Physical security perimeter: Are security perimeters defined and used to protect areas that contain either sensitive or critical information and information processing facilities?
A11.1.2 Physical entry controls: Are secure areas protected by appropriate entry controls to ensure that only authorized personnel are allowed access?
A11.1.3 Securing offices, rooms and facilities: Is physical security for offices, rooms and facilities designed and applied?
A11.1.4 Protecting against external and environmental threats: Is physical protection against natural disasters, malicious attack or accidents designed and applied?
A11.1.5 Working in secure areas: Are procedures for working in secure areas designed and applied?
A11.1.6 Delivery and loading areas: Are access points such as delivery and loading areas and other points where unauthorized persons could enter the premises controlled and, if possible, isolated from information processing facilities to avoid unauthorized access?
A11.2 Equipment
Objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
A11.2.1 Equipment siting and protection: Is equipment sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access?
A11.2.2 Supporting utilities: Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?
A11.2.3 Cabling security: Is power and telecommunications cabling carrying data or supporting information services protected from interception or damage?
A11.2.4 Equipment maintenance: Is equipment correctly maintained to ensure its continued availability and integrity?
A11.2.5 Removal of assets: Is there a formal authorization procedure in place, and are equipment, information or software not taken off-site without prior authorization?
A11.2.6 Security of equipment and assets off-premises: Is security applied to off-site assets, taking into account the different risks of working outside the organization's premises?
A11.2.7 Secure disposal or re-use of equipment: Are all items of equipment containing storage media verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use?
A11.2.8 Unattended user equipment: Do users ensure that unattended equipment has appropriate protection?
A11.2.9 Clear desk and clear screen policy: Are a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities adopted by the organization?
A12 Operations security
A12.1 Operational procedures and responsibilities
Objective: to ensure the correct and secure operation of information processing facilities.
A12.1.1 Documented operating procedures: Are operating procedures documented, maintained and made available to all users who need them?
A12.1.2 Change management: Are changes to the organisation, business processes and information processing facilities and systems controlled?
A12.1.3 Capacity management: Is the use of resources monitored and tuned, and are projections made of future capacity requirements to ensure the required system performance?
A12.1.4 Separation of development, test and operational environments: Are development, test and operational environments separated to reduce the risks of unauthorized access or changes to the operational environment?
Documented Information: the operating procedures must be documented.
A12.2 Protection from malware
Objective: to ensure that information and information processing facilities are protected against malware.
A12.2.1 Controls against malware: Are detection, prevention and recovery controls to protect against malware implemented, combined with appropriate user awareness?
A12.3 Backup
Objective: to protect against the loss of data.
A12.3.1 Information backup: Are backup copies of information, software and system images taken and tested regularly in accordance with an agreed backup policy?
A12.4 Logging and monitoring
Objective: to record events and generate evidence.
A12.4.1 Event logging: Are event logs recording user activities, exceptions, faults and information security events produced, kept and regularly reviewed?
A12.4.2 Protection of log information: Are logging facilities and log information protected against tampering and unauthorized access?
A12.4.3 Administrator and operator logs: Are system administrator and system operator activities logged, and are the logs protected and regularly reviewed?
A.12.4.4 Clock synchronization: - Are the clocks of all
relevant information processing systems within an
organization or security domain synchronized to a single
reference time source?
A12.5 Control of operational software
Objective: – to ensure the integrity of operational systems.
A12.5.1 Installation of software on operational systems:- Are
procedures in place to control the installation of software on
operational systems?
A12.6 Technical Vulnerability Management
Objective: – to prevent exploitation of technical vulnerabilities
A12.6.1 Management of Technical Vulnerabilities: Is
information about technical vulnerabilities of information
systems being used obtained in a timely fashion, the
organization's exposure to such vulnerabilities evaluated and
appropriate measures taken to address the associated risk?
A.12.6.2 Restrictions on software installation: – Are rules
governing the installation of software by users established and
implemented?
A12.7 Information system audit considerations
Objective: – to minimize the impact of audit activities on operational
systems.
A12.7.1 Information systems audit controls: Are Audit
requirements and activities involving verification of
operational systems carefully planned and agreed to minimize
the risk of disruptions to business processes?
A13 Communications security
A13.1 Network security management
Objective: to ensure the protection of information in networks and its
supporting information processing facilities.
A13.1.1 Network controls: Are networks managed and
controlled in order to protect information in systems
and applications?
A13.1.2 Security of network services: Are security
mechanisms, service levels and management requirements
of all network services identified and included in any network
services agreement, whether these services are provided in-house or outsourced?
A.13.1.3 Segregation in networks : Are Groups of information
services, users and information systems segregated on
networks?
A13.2 Information transfer
Objective: to maintain the security of information and software
transferred within an organization and with any external entity.
A13.2.1 Information transfer policies and procedures : Are
formal transfer policies, procedures, and controls in place to
protect the transfer of information through the use of all types
of communication facilities?
A13.2.2 Agreements on information transfer: Are Agreements
established for the secure transfer of business information
and software between the organization and external
parties?
A13.2.3 Electronic messaging: Is information involved in
electronic messaging appropriately protected?
A.13.2.4 Confidentiality or non- disclosure agreements : Are
requirements for confidentiality or non-disclosure agreements
reflecting the organization’s needs for the protection of
information identified, regularly reviewed and documented?
Documented Information: The Confidentiality and Non-disclosure agreements must be documented.
A14 System acquisition, development and maintenance
A14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part
of information systems across the entire lifecycle. This also
includes the requirements for information systems which provide
services over public networks.
A14.1.1 Information security requirements analysis and
specification : Are the information security related requirements
included in the requirements for new information systems
or enhancements to existing information systems?
A14.1.2 Securing application services on public networks : Is
information involved in application services passing over public
networks protected from fraudulent activity, contract dispute and
unauthorised disclosure and modification?
A14.1.3. Protecting application services transactions : Is the
Information involved in service transactions protected to prevent
incomplete transmission, mis-routing, unauthorized message
alteration, unauthorized disclosure, unauthorized message
duplication or replay?
A14.2 Security in development and support processes
Objective: To ensure that information security is designed and
implemented within the development lifecycle of information
systems.
A14.2.1 Secure development policy : Are rules for the development
of software and systems established and applied to developments
within the organisation?
A14.2.2 System change control procedures: Are changes to systems
within the development lifecycle controlled by the use of formal
change control procedures?
A14.2.3 Technical review of applications after operating platform
changes: Whenever operating platforms are changed, are
business critical applications reviewed and tested to ensure there is
no adverse impact on organizational operations or security?
A.14.2.4 Restrictions on changes to software packages : Are
modifications to software packages discouraged, limited to
necessary changes, and all changes strictly controlled?
A.14.2.5 Secure system engineering principles: – Are principles
for engineering secure systems established, documented,
maintained and applied to any information systems
implementation efforts?
A.14.2.6 Secure development environment: Does the organization
establish and appropriately protect development environments for
system development and integration efforts that cover the entire
system development lifecycle?
A.14.2.7 Outsourced development : Does the organisation supervise
and monitor the activity of out-sourced systems development?
A.14.2.8 System security testing: Is testing of security
functionality carried out during development?
A.14.2.9 System acceptance testing: Are acceptance testing
programs and related criteria established for new information
systems, upgrades and new versions?
Documented Information: The Principles for Engineering Secure Systems must be
documented.
A14.3 Test data
Objective: To ensure the protection of data used for testing.
A14.3.1 Protection of test data : Is test data selected carefully,
and protected and controlled?
A15 Supplier relationships
A15.1 Information security in supplier relationships
Objective: – to maintain an agreed level of information security
and service delivery in-line with supplier agreements.
A15.1.1 Information security policy for supplier relationships: Are
information security requirements for mitigating the risks associated
with supplier’s access to the organization’s assets agreed with the
suppliers and documented?
A15.1.2 Addressing security within supplier agreements: Are all
relevant information security requirements established and
agreed with each supplier that may access, process, store,
communicate, or provide IT infrastructure components for, the
organisation’s information?
A15.1.3 Information and communication technology supply chain:
Do agreements with suppliers include requirements to address the
information security risks associated with the information and
communications technology services and product supply chain?
Documented Information: The Policy for Supplier Relationships must be documented.
A15.2 Supplier service delivery management
Objective: – to maintain an agreed level of information security and
service delivery in line with supplier agreements.
A15.2.1 Monitoring and review of supplier services :- organizations
shall regularly monitor, review and audit supplier delivery.
A.15.2.2 Managing changes to supplier services :- changes
to the provision of services, including maintaining and improving
existing information security policies, procedures and controls shall
be managed, taking account of the criticality of the business
information and processes involved and the re-assessment of the risks.
A16 Information security incident management
A16.1 Management of information security incidents and
improvements
Objective: – To ensure a consistent and effective approach to
the management of information security incidents,
including communication on security events and weaknesses.
A16.1.1 Responsibilities and procedures: Are management
responsibilities and procedures established to ensure a
quick, effective and orderly response to information security
incidents?
A16.1.2 Reporting information security events: Are information
security events reported through appropriate management
channels as quickly as possible?
A16.1.3 Reporting information security weaknesses: Are employees
and contractors using the organisation’s information systems
and services required to note and report any observed or suspected
security weaknesses in systems or services?
A.16.1.4 Assessment of and decision on information security
events: Are information security events assessed, and is it
decided whether they are to be classified as information security
incidents?
A.16.1.5 Response to information security incidents: Are
information security incidents responded to in accordance with
documented procedures?
A.16.1.6 Learning from information security incidents: – Is
knowledge gained from analyzing and resolving information
security incidents used to reduce the likelihood or impact of future
incidents?
A.16.1.7 Collection of evidence: Has the organisation defined and
applied procedures for the identification, collection, acquisition
and preservation of information which can serve as evidence?
A.17 Information Security aspects of Business Continuity
Management.
A.17.1 Information security continuity:
Objective – information security continuity shall be embedded in
the organisation’s business continuity management systems.
A.17.1.1 Planning information security continuity : Has the
organisation determined its requirements for information security
and continuity of information security management in adverse
situations, e.g. a crisis or disaster?
A.17.1.2 Implementing information security continuity: Has the
organisation established, documented, implemented and maintained
processes, procedures and controls to ensure the required level of
continuity for information security during an adverse situation?
A.17.1.3 Verify, review and evaluate information security
continuity :- Has the organisation verified the established and
implemented information security continuity controls at regular
intervals in order to ensure that they are valid and effective during
adverse situations?
A17.2 Redundancies
Objective: to ensure availability of information processing facilities
A.17.2.1 Availability of information processing facilities : Are
information processing facilities implemented with redundancy
sufficient to meet availability requirements?
A18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of any legal, statutory, regulatory
or contractual obligations related to information security
and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual
requirements: Are all relevant legislative, statutory, regulatory and
contractual requirements and the organization’s approach to meet
these requirements explicitly identified, documented and kept up to
date for each information system and the organization?
A.18.1.2 Intellectual property rights : Are appropriate procedures
implemented to ensure compliance with legislative, regulatory, and
contractual requirements related to intellectual property rights and
on the use of proprietary software products?
A.18.1.3 Protection of records: Are records protected from loss,
destruction and falsification, in accordance with legislative,
regulatory, contractual and business requirements?
A.18.1.4 Privacy and protection of personally identifiable
Information : Is privacy and protection of personally
identifiable information ensured as required in relevant
legislation, regulations where applicable?
A.18.1.5 Regulation of cryptographic controls: Are cryptographic
controls used in compliance with all relevant agreements,
legislation and regulations?
A.18.2 Information security reviews
Objective – to ensure that the information security is implemented and
operated in accordance with the organizational security policies and
standards.
A.18.2.1 Independent review of information security: Is the
organization’s approach to managing information security and
its implementation (i.e. control objectives, controls, policies,
processes and procedures for information security) reviewed
independently at planned intervals, or when significant
changes occur?
A.18.2.2 Compliance with security policies and standards: Do
managers regularly review the compliance of information
processing and procedures within their area of
responsibility with the appropriate security policies, standards and
any other security requirements?
A.18.2.3 Technical compliance review: Are Information systems
regularly reviewed for compliance with the organisation’s
information security policies and standards?
OBSERVATIONS
----- Minor/Major non-conformance identified in the Surveillance audit;
details of the non-conformance are in the CAR Form (LMS-FM-058A) (Note: the detailed
NC is to be submitted to and accepted by the client on LMS-FM-058A)
Summary of Audit
initial certification –
post audit
Surveillance Cum Transfer
Modification
Yes
Renewal
Upgrade from
other :
Yes
Issuance of the certificate
Yes
use of the LMS & IAS Logo as per Guidance for Usage of Logo
refusal of the certificate
post audit
modification of the current certificate (registration and expiration date remain unchanged)
other :
The quality system complies with the requirements of the reference standard:
Congratulations, on the basis of the above summary, Lead Auditor is pleased to put
forward a recommendation for conducting next stage of assessment.
The quality system complies with the requirements of the reference standard with
exception of minor NC: Congratulations, Lead Auditor is pleased to put forward a
recommendation for registration of Organization upon off-site verification of closure
of all issues within 60 days from the date of Surveillance audit. Responses to the
non-conformances should be submitted to LMS and must include supporting
evidence of closure to allow for off-site verification. In responding to the non-conformances, the organization should consider the root cause of the non-conformance and the potential for related issues in other parts of the system.
If all non-conformances are not closed within 60 days, a full reassessment may be
required.
Evidence of major non-conformities: Organization is not recommended for next
assessment at this time. A follow-up assessment will be scheduled to allow for on-site verification and closure of all issues within 60 days from the date of Stage 2.
Once all non-conformances are closed, the recommendation for registration can be
made. Responses to the non- conformances should be submitted to LMS within 45
days and must include supporting evidence. In responding to the non-conformances,
the organization should consider the root cause of the non-conformance and the
potential for related issues in other parts of system.
If all non-conformances are not closed within 60 days, a full reassessment may be
required.
Not Recommended: Organization is not recommended for next assessment at this
time.
A Surveillance audit will be required.
To progress the application for registration, please respond to each non-conformance with a plan showing proposed actions, timescales and responsibilities
for resolution. The organization should consider the root cause of the non-conformance and the potential for related issues in other parts of the system.
Proposed Audit Date for Surveillance Audit On or Before
Confirmation of details for certificate printing:
Organization name:
Physical location(s):
Certification Scope:
Next Audit type:
Next audit date:
Note: The next surveillance audit, if applicable, will be performed as per the attached Surveillance
Schedule
(LMS-FM-092E). In case of recertification, the audit program shall be communicated by the CAB
to the client, well in advance, for acceptance of the same. The gap between two consecutive audits
(Stage II, surveillance and re-certification, as applicable) shall not exceed 12 months from
Certification Decision. Any delay in audit shall be dealt as per LMS condition for certification on
the website, www.staunchlyservices.com.
Auditor declares that all the
documents shall be kept
confidential
Lead Auditor
Name:
Client declares that he/she agrees with the audit report,
including next audit schedule, non-conformities and
recommendations, and has received a copy of the report.
Client representative
Name:
Signature:
Signature:
Attachments:
1. Surveillance schedule
2. Non-conformance report: Nos.
3. Observations & Improvements: Yes/NA
CLOSING MEETING
Attendees
Designation
Sign
Attendees
Designation
Sign
TOPICS FOR DISCUSSION
√
Thank the client for their hospitality, assistance and co-operation.
√
Confirm the assessment standard (e.g. ISO 27001:2013). ISO 27001:2013
√
N/A
Confirm any special scheme requirements e.g., HACCP
Confirm scope of registration
√
Confirm statement of confidentiality.
√
Explain assessment was based on a sample.
√
Explain non-compliances.
√
Invite the client to discuss the non-compliances.
√
Inform the client of recommendation for registration/ non-registration or continued registration.
√
Obtain client signature on reports.
√
If non-registered explain appeals procedure.
√
√
√
information about complaints handling process.
Explain and agree corrective action process.
N/A
Explain certificate issue process (initial assessment only)
√
√
√
√
Explain surveillance arrangements.
Confirm client has a copy of the current regulations.
Explain the rule for use of marks (surveillance only).
Client's consent for information in the public domain
√
Check use/non use of marks. (surveillance only)
For LMS Office Use Only
I also confirm that the following documents have been reviewed and are attached
Fully completed application form
Y
N
Auditor Intimation and Allocation form signed by the auditor and nominated team.
Y
N
Stage one checklist showing correct client reference no, name of auditor, details of scope and
exclusions.
Closed NCR from stage one (if applicable) that included acceptable corrective action
Y
N
Y
N
Stage one summary report signed by the client and auditor, which includes reference and
acceptance of any claimed exclusions (ISO 27001 only), a stage two/surveillance audit plan for the
correct number of days and a clear recommendation.
Stage two process based checklist which shows clear evidence of a process based audit being
conducted, clear evidence (including location) of any site visited, adequate coverage of all clauses,
evidence of compliance with any applicable legislation and evidence to support all activities
covered by the scope.
Stage two Summary Report signed by the auditor and client which contains a clear
recommendation and plan for the next visit
Complete nonconformity reports that have been clearly written with clear audit evidence and
supporting evidence of corrective action as required to justify closing out the NC
Y
N
Y
N
Y
N
Y
N
From the information available, was the auditor fully impartial when conducting the audit and
making the recommendation?
Any additional comments
Y
N
Authorised Reviewer (Office)
Name …………………………….Signed …………………..…………Dated……………