Title Page
-
Audit Report Reference:
-
ISO 27001:2022 + Amd-01:2024
-
Report dated:
-
For:
Audit General Data
-
Site conducted
-
Conducted on
-
ACCS Auditor / Certification Officer
-
Location
-
Remote Audit method - Delete this section if the Audit is 'on-site'
-
* A remote CAAT / ICT assessment was performed to the extent 30 %.
* Form of audit: video conferencing (MS Teams), email communication.
* The CAAT / ICT method of remote assessment in the given range was used effectively using the tools listed below.
-
* A remote CAAT / ICT assessment was performed to the extent 100 % - EE extension (IAF ID 3).
* Form of audit: video conferencing (e.g. MS Teams, Zoom), email communication.
* Tools used: interview (Zoom); documentation analysis (screen sharing, email).
-
Audit type: Stage 2
-
Audit type: surveillance,
-
Audit type: recertification
-
Audit Objectives
Audit objectives, where methodologically possible:
1) confirm the compliance of the client's management system with the audit criteria,
2) determine the ability of the management system to ensure that the organization meets the applicable statutory, regulatory and contractual requirements,
3) determine whether the management system achieves the specified objectives and identifies areas for potential improvement, including through management review and internal audits.
The audit objectives were fulfilled.
Customer General Data
-
The main scope of the company for which certification management system is considered
-
Corresponding NACE Code or Category : 99.98, 99.99
-
Number of employees in the certified area :
-
Special processes: If None please state 'None'
-
Number of Shifts: 1
Certification Data Process
-
Certification standard applied: ISO/IEC 27001:2022 + Amd 1:2024
-
Detail of any clauses claimed as 'Not Applicable' including any claimed justification
-
Audit date ( from / To):
-
Total Audit Days :
-
Certificated since (dd/mm/yyyy)
-
Place(s) of Audit headquarters and branches (see section Visited locations)
-
Certification Officer / Lead Auditor:
-
Deviation from the audit plan required
-
Significant issues impacting on audit programme or client's MS (yes / no) :
-
Consultant involved in management system support (yes/no):
-
Audit (Report) language: English
Disclaimer
Auditing is based on a sampling process of the available information and consequently there will always be an element of uncertainty present in auditing evidence, which may be reflected in the audit findings. Those relying or acting upon the audit results and conclusions should take into account this uncertainty.
Opening Meeting and Confirmation of Audit Scope
-
Audit Criteria
The audit criteria are the requirements of the standard and the established processes as well as the documentation of the organization's management system. The purpose of the audit is to confirm the compliance of the client's management system with the audit criteria, and to determine the ability of the management system to ensure that the organization meets the relevant legal and other requirements (but the audit is not an audit of compliance with the legislation). Furthermore, the objective is to determine whether the effectiveness of the management system makes it possible to achieve the objectives set and to identify areas for potential improvement.
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
Representing the client the opening meeting was attended by
-
Description of the clients company, its activities / main product or services
-
Corporation details, infrastructure, working places and branch offices, organizational chart description
-
Manufacturing equipment or services support activities
The top management of the company has provided the necessary resources for the implementation of activities: equipment, software and IS, and personnel. Communication channels and support services have been defined.
-
Confirm the audit agenda is acceptable to everyone, see notes for changes
-
Confirm that audit sampling of records is based on "random Samples" not 100% inspection; Confirm that the audit is based on a "risk-based" approach of company processes.
-
Re-confirm confidentiality and impartiality
-
Confirm that decisions are based on objective evidence of conformity (or nonconformity) obtained by ACCS, and that decisions are not influenced by other interests or by other parties. Confirm understanding of findings - Major/Minor NCs; Observations; confirm routes and timescales for closing any NCs. Confirm the client's right to appeal any decision they do not agree with
-
Confirm Questions can be asked but advice or consultancy cannot be given
-
End opening meeting; provide "Thank You's" for using ACCS and coming to the opening meeting; assistance to be given
-
Are there any significant changes that could impact the Management System or any unresolved NC's / issues since the last ACCS audit
Clause 4 Context of the organisation
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
4.1 Understanding the organisation and its context - has the client determined the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its ISMS
-
4.1.1 Has the client determined whether climate change is a relevant issue.
-
Is clause 4.1 considered compliant
-
4.2 understanding the needs and expectations of interested parties - Has the client determined: a) interested parties that are relevant to the information security management system;
-
understanding the needs and expectations of interested parties - Has the client determined: b) the relevant requirements of these interested parties;
-
understanding the needs and expectations of interested parties - Has the client determined: c) which of these requirements will be addressed through the information security management system.
-
Is clause 4.2 considered compliant
4.3 Determining the scope of the information security management system
-
Has the client determined the boundaries and applicability of the information security management system to establish its scope
-
When determining this scope, has the client considered:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2;
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
-
Is clause 4.3 considered compliant
-
4.4 Information security management system - can the client demonstrate that they have established, implemented, maintained and continually improved an information security management system (ISMS), including the processes needed and their interactions, in accordance with the requirements of this document.
-
Is clause 4.4 considered compliant
5 Leadership
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
5.1 Leadership and commitment
-
Can "Top management" demonstrate leadership and commitment with respect to the information security management system by:
-
A) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
-
B) ensuring the integration of the information security management system requirements into the company's processes;
-
C) ensuring that the resources needed for the information security management system are available;
-
D) communicating the importance of effective information security management and of conforming to the information security management system requirements;
-
E) ensuring that the information security management system achieves its intended outcome(s);
-
F) directing and supporting persons to contribute to the effectiveness of the information security management system;
-
G) promoting continual improvement;
-
H) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
-
Is clause 5.1 considered compliant
5.2 Policy
-
Can Top management demonstrate that they established an information security policy that:
-
A) is appropriate to the purpose of the organization;
-
B) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
-
C) includes a commitment to satisfy applicable requirements related to information security;
-
D) includes a commitment to continual improvement of the information security management system.
-
Is the information security policy:
-
1) available as documented information;
-
2) communicated within the company;
-
3) Available to interested parties, as/where appropriate.
-
Is clause 5.2 considered compliant
5.3 Organizational roles, responsibilities and authorities
-
Does "top management " ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.
-
Have "top management" assigned the responsibility and authority for: ensuring that the information security management system conforms to the requirements of ISO 27001:2022
-
Have "top management" assigned the responsibility and authority for: reporting on the performance of the information security management system to top management.
-
Is clause 5.3 considered compliant
6 Planning
6.1 Actions to address risks and opportunities
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
6.1.1 General - When planning for the information security management system, has the client considered the issues referred to in 4.1 and the requirements referred to in 4.2 and determined the risks and opportunities that need to be addressed to:
-
A) ensure the information security management system can achieve its intended outcome(s);
-
B) prevent, or reduce, undesired effects;
-
C) Achieve continual improvement.
-
Can the client demonstrate that they have planned:
-
D) Actions to address these risks and opportunities;
-
E) Can the client demonstrate how:
-
1) They integrate and implement the actions into its information security management system processes;
-
2) They evaluate the effectiveness of these actions.
-
Is clause 6.1.1 considered compliant
6.1.2 Information security risk assessment
-
Does the client define and apply an information security risk assessment process that:
-
A) establishes and maintains information security risk criteria that include:
-
1) the risk acceptance criteria;
-
2) criteria for performing information security risk assessments;
-
B) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
-
C) identifies information security risks that:
-
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system;
-
2) identify the risk owners;
-
D) analyses the information security risks via the following:
-
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
-
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1);
-
3) determine the levels of risk;
-
E) evaluates the information security risks by the following
-
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a);
-
2) prioritize the analysed risks for risk treatment.
-
Has the client retained documented information about the information security risk assessment - ask for copies
-
Is clause 6.1.2 considered compliant
6.1.3 Information security risk treatment
-
Can the client demonstrate that they have defined and applied an information security risk treatment process to:
-
A) select appropriate information security risk treatment options, taking account of the risk assessment results;
-
B) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
-
C) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
-
D) produce a Statement of Applicability that contains:
* the necessary controls (see 6.1.3 b) and c));
* justification for their inclusion;
* whether the necessary controls are implemented or not;
* the justification for excluding any of the Annex A controls.
-
Ask for a copy of the client's S.o.A. - THIS IS REQUIRED TO BE CHECKED SEPARATELY AGAINST CONTROLS. Upload as a media attachment if possible; if not, retain a paper or electronic copy in the client file
-
E) formulate an information security risk treatment plan;
-
F) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
-
Can the client demonstrate that they have retained documented information about the information security risk treatment process.
-
Is clause 6.1.3 considered compliant
6.2 Information security objectives and planning to achieve them
-
Can the client demonstrate that they have established information security objectives at relevant functions and levels.
-
Do / Are the information security objectives:
-
A) consistent with the information security policy;
-
B) measurable (if practicable);
-
C) take into account applicable information security requirements, and results from risk assessment and risk treatment;
-
D) monitored
-
E) communicated;
-
F) updated as appropriate;
-
G) available as documented information.
-
When planning how to achieve its information security objectives, can the client demonstrate that they have determined via:
-
1) what will be done;
-
2) what resources will be required;
-
3) who will be responsible;
-
4) when it will be completed;
-
5) how the results will be evaluated.
-
Is clause 6.2 considered compliant
6.3 Planning of changes
-
When the client determines the need for changes to the information security management system, do they have a process for the planning of those changes
-
Is clause 6.3 considered compliant
7 Support
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
7.1 Resources
-
Can the client demonstrate how they determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
-
Is clause 7.1 considered compliant
7.2 Competence
-
Can the client demonstrate that they have a process to:
-
A) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
-
B) ensure that these persons are competent on the basis of appropriate education, training, or experience;
-
C) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
-
D) retain appropriate documented information as evidence of competence.
-
Obtain evidence of training and how the training is documented
-
Is clause 7.2 considered compliant
7.3 Awareness
-
Does the client ensure that persons undertaking work under their control are aware of:
-
A) the information security policy;
-
B) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance;
-
C) the implications of not conforming with the information security management system requirements
-
Is clause 7.3 considered compliant
7.4 Communication
-
Can the client demonstrate how they have determined the need for internal and external communications relevant to the information security management system including:
-
A) on what to communicate;
-
B) when to communicate;
-
C) with whom to communicate;
-
D) how to communicate.
-
Is clause 7.4 considered compliant
7.5 Documented information
-
7.5.1 Does the client's information security management system include:
-
A) documented information required by ISO 27001: 2022
-
B) documented information determined by the client as being necessary for the effectiveness of the information security management system.
-
Is clause 7.5.1 considered compliant
7.5.2 Creating and updating
-
When creating and updating documented information does the client ensure appropriate document control by the following
-
A) identification and description (e.g. a title, date, author, or reference number);
-
B) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
-
C) review and approval for suitability and adequacy.
-
Is clause 7.5.2 considered compliant
7.5.3 Control of documented information
-
Documented information required by the information security management system and by ISO 27001: 2022 shall be controlled to ensure:
-
A) it is available and suitable for use, where and when it is needed;
-
B) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
-
For the control of documented information, does the client address the following activities, as applicable
-
C) distribution, access, retrieval and use;
-
D) storage and preservation, including the preservation of legibility;
-
E) control of changes (e.g. version control);
-
F) retention and disposition.
-
1) Is documented information of external origin, determined by the client to be necessary for the planning and operation of the information security management system identified as appropriate, and controlled.
-
Is clause 7.5 considered compliant
8 Operation
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
8.1 Operational planning and control
-
Can the client demonstrate how they plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, via:
-
1) establishing criteria for the processes;
-
2) implementing control of the processes in accordance with the criteria.
-
3) Is Documented information available to the extent necessary to have confidence that the processes have been carried out as planned.
-
4) Can the client demonstrate how it controls planned changes and reviews the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
-
Can the client demonstrate how they ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
-
Is clause 8.1 considered compliant
8.2 Information security risk assessment
-
Can the client demonstrate how they perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
-
Does the client retain documented information of the results of the information security risk assessments.
-
Is clause 8.2 considered compliant
8.3 Information security risk treatment
-
Can the client demonstrate how they implement the information security risk treatment plan.
-
Can the client demonstrate how they retain documented information of the results of the information security risk treatment.
-
Is clause 8.3 considered compliant
9 Performance evaluation
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
9.1 Performance evaluation
-
Can the client demonstrate how they have determined the following:
-
A) what needs to be monitored and measured, including information security processes and controls;
-
B) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
-
C) when the monitoring and measuring shall be performed;
-
D) who shall monitor and measure;
-
E) when the results from monitoring and measurement shall be analysed and evaluated;
-
F) who shall analyse and evaluate these results.
-
Is documented information available as evidence of the results.
-
Can the client demonstrate how they evaluate the information security performance and the effectiveness of the information security management system.
-
Is clause 9.1 considered compliant
9.2 Internal audit
-
9.2.1 General
-
Can the client provide evidence to show they conduct internal audits at planned intervals to provide information on whether the information security management system:
-
A) conforms to
-
1) the clients own requirements for its information security management system;
-
2) the requirements of ISO 27001: 2022
-
B) is effectively implemented and maintained.
-
Is clause 9.2.1 considered compliant
9.2.2 Internal audit programme
-
Can the client demonstrate how they have planned, established, implemented and maintained an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
-
When establishing the internal audit programme(s), the client shall consider the importance of the processes concerned and the results of previous audits; can the client demonstrate how they ensure this.
-
Can the client provide evidence to show that they ensure the following:
-
A) define the audit criteria and scope for each audit;
-
B) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
-
C) ensure that the results of the audits are reported to relevant management;
-
Is documented information available as evidence of the implementation of the audit programme(s) and the audit results.
-
Is clause 9.2.2 considered compliant
9.3 Management review
-
9.3.1 General
-
Can top management demonstrate how they review the company's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
-
Is clause 9.3.1 considered compliant
9.3.2 Management review inputs
-
Can the client demonstrate that the management review includes consideration of the following
-
A) the status of actions from previous management reviews;
-
B) changes in external and internal issues that are relevant to the information security management system;
-
C) changes in needs and expectations of interested parties that are relevant to the information security management system;
-
D) feedback on the information security performance, including trends in the following
-
1) nonconformities and corrective actions;
-
2) monitoring and measurement results;
-
3) audit results;
-
4) fulfilment of information security objectives;
-
E) feedback from interested parties;
-
F) results of risk assessment and status of risk treatment plan;
-
G) opportunities for continual improvement.
-
Is clause 9.3.2 considered compliant
9.3.3 Management review results
-
Do the results of the management review include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
-
Can the client provide documented information as evidence of the results of management reviews.
-
Is clause 9.3.3 considered compliant
10 Improvement
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
10.1 Continual improvement
-
Can the client provide evidence of how they have continually improved the suitability, adequacy and effectiveness of the information security management system.
-
Is clause 10.1 considered compliant
10.2 Nonconformity and corrective action
-
When a non-conformity occurs can the client demonstrate how they undertake the following
-
A) react to the nonconformity, and as applicable:
-
1) take action to control and correct it;
-
2) deal with the consequences;
-
B) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
-
1) reviewing the nonconformity;
-
2) determining the causes of the nonconformity;
-
3) determining if similar nonconformities exist, or could potentially occur;
-
C) implement any action needed;
-
D) review the effectiveness of any corrective action taken;
-
E) make changes to the information security management system (if necessary).
-
Corrective actions shall be appropriate to the effects of the nonconformities encountered. Documented information shall be available as evidence of:
-
F) the nature of the nonconformities and any subsequent actions taken,
-
G) the results of any corrective action.
-
Is clause 10.2 considered compliant
Mandatory Documentation
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
ISO 27001:2022 requires the following documents; indicate if they are available and, if possible, obtain copies and include them in the client's file
-
Scope of the ISMS (Clause 4.3): ISMS Scope document
-
Information security policy (Clause 5.2): Information Security Policy
-
Risk assessment and risk treatment process (Clause 6.1.2): Risk Assessment and Treatment Methodology
-
Statement of Applicability (Clause 6.1.3 d)): Statement of Applicability
-
Risk treatment plan (Clauses 6.1.3 e), 6.2 and 8.3): Risk Treatment Plan
-
Information security objectives (Clause 6.2): List of Security Objectives
-
Risk assessment and treatment report (Clauses 8.2 and 8.3): Risk Assessment & Treatment Report
-
The following controls require documents within the Statement of Applicability; indicate if they are available and, if possible, obtain copies and include them in the client's file
-
Inventory of assets (Control A.5.9*): Inventory of Assets, or List of Assets in the Risk Register
-
Acceptable use of assets (Control A.5.10*): IT Security Policy
-
Incident response procedure (Control A.5.26*): Incident Management Procedure
-
Statutory, regulatory, and contractual requirements (Control A.5.31*): List of Legal, Regulatory, and Contractual Requirements
-
Security operating procedures for IT management (Control A.5.37*): Security Procedures for IT Department
-
Definition of security roles and responsibilities (Controls A.6.2 and A.6.6*): Agreements, NDAs, and specifying responsibilities in each security policy and procedure
-
Definition of security configurations (Control A.8.9*): Security Procedures for IT Department
-
Secure system engineering principles (Control A.8.27*): Secure Development Policy
Mandatory records
-
The following records should be viewed, collect random sample evidence
-
Training, skills, experience, and qualifications (Clause 7.2): Training certificates and CVs
-
Monitoring and measurement results (Clause 9.1): Measurement Report
-
Internal audit programme (Clause 9.2): Internal Audit Programme
-
Results of internal audits (Clause 9.2): Internal Audit Report
-
Results of the management review (Clause 9.3): Management Review Minutes
-
Results of corrective actions (Clause 10.2): Corrective Action Form
Records of the following controls within the SoA should also be viewed; if possible obtain copies and include them in the client's file
-
Logs of user activities, exceptions, and security events (Control A.8.15*): Automatic logs in information systems
Closing Meeting and Recommendations
-
** input evidence within the 'notes' / 'media' section for all questions - ** Each question should be answered where applicable
-
Can it be verified that the client is using the correct version of the ACCS / UKAS logo and is it being displayed correctly
-
Closing Meeting
-
The closing meeting was attended by (name & position):
-
Introductions
• Thank the organisation for their assistance, co-operation and hospitality
• Deal with any issues of confidentiality
• Emphasise that the auditing process can only sample the Data Protection System at a particular moment in time
• Ask the management team to defer any questions until after the findings have been presented
-
Presentation of Findings
Presentation of the detailed findings, which involves:
• Confirmation of each non-compliance found and areas seen of good practice
• Agreement to suitable corrective action for each non-compliance
• Indication of timescales for completion of corrective action
• Ask other members of the Audit Team to report if appropriate
• Presentation of an Audit summary including a judgement of the level of Data Protection compliance achieved by the organisation
• Invite questions for clarification and provide immediate answers wherever possible
Recommendations
-
Confirm that the Auditor's recommendations may not be the final outcome of the audit and that the audit report will be subject to review by an ACCS audit reviewer
-
Is certification / continued certification / recertification recommended
Post Audit Activities
-
Post Audit Reporting
• Explain to the management team the nature of the summary report they will receive, e.g. Compliance Audit Report together with associated Non-compliance Reports etc.
• Establish the organisation's requirements for distribution of the summary report
-
If required - Audit Follow-up
• Agree the nature of any required follow-up visit, e.g. documentation check, partial re-audit or full re-audit
• Arrange the timescale for any required follow-up visit
-
Ensure a copy of Audit plan for THIS audit is attached onto your downloaded Word document before sending a copy to admin
-
Ensure a copy of the 3 year audit cycle plan is attached to your downloaded word document before sending a copy to admin
-
Ensure a copy of Audit plan for the NEXT audit is attached onto your downloaded Word document and that it includes the required elements of the 3 year audit cycle plan before sending a copy to admin