Audit Information

  • Address
  • Audit Number

  • Function / PPC / Region

  • Region

  • Audit Date & Time

  • Lead Auditor

  • Support Auditor(s)

  • Auditor in Training

  • Auditee

Opening Meeting

  • Opening Meeting Notes

Section 4 - QMS

  • Section applicable to the function being audited

  • Applicable Clauses

4.2.3 Control of Documents

  • Requirements:

    Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.
    A documented procedure shall be established to define the controls needed
    a) to approve documents for adequacy prior to issue,
    b) to review and update as necessary and re-approve documents,
    c) to ensure that changes and the current revision status of documents are identified,
    d) to ensure that relevant versions of applicable documents are available at points of use,
    e) to ensure that documents remain legible and readily identifiable,
    f) to ensure that documents of external origin are identified and their distribution controlled,
    g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

  • What to check?

    How are the documents required by the Test Centre created and updated?

    1. Are the documents identified?
    2. What format & media is used?
    3. How are documents reviewed and approved?

    How are the documents required by the Test Centre controlled?

    Documents should be reviewed throughout the audit for the following:

    a) approve documents for adequacy prior to issue?
    b) review and update as necessary and re-approve documents?
    c) ensure that changes and the current revision status of documents are identified?
    d) ensure that relevant versions of applicable documents are available at points of use?
    e) ensure that documents remain legible and readily identifiable?
    f) ensure that documents of external origin are identified and their distribution controlled?
    g) prevent the unintended use of obsolete documents, and apply suitable identification to them if they are retained for any purpose?

  • Have the above requirements been met for 4.2.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

6.2.2 Competence, training and awareness

  • Requirements:

    The organization shall
    a) determine the necessary competence for personnel performing work affecting conformity to product quality requirements,
    b) where applicable, provide training or take other actions to achieve necessary competence,
    c) evaluate the effectiveness of the actions taken,
    d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
    e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

  • What to check?

    1. Check how training is provided for a new starter and how records are maintained?

    2. Check for the following process: a checklist is available for each new starter with deadlines for completion of key areas of training, which will be signed off by the person responsible for training and the new starter and will be emailed to the RM / Regional Trainer on completion.

    The regional manager will review the training completion status and records on a monthly basis. The Authorities will be provided with a year to date status report of training delivered and successfully recorded in the PPCs.

    3. Pick a new starter in every region and check the process as per point 2.

    Please note that this clause is to be audited with the RMs.

  • Have the above requirements been met for 6.2.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

6.4 Work environment

  • Requirements:

    The organization shall determine and manage the work environment needed to achieve conformity to product requirements.

    NOTE The term “work environment” relates to those conditions under which work is performed including physical, environmental and other factors (such as noise, temperature, humidity, lighting or weather).

  • What to check?

    1. What kind of work environment is required to achieve conformity to service delivery?
    2. How is this environment managed and maintained?

  • Have the above requirements been met for 6.4?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.1 Control of production and service provision

  • Requirements:

    The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable
    a) the availability of information that describes the characteristics of the product,
    b) the availability of work instructions, as necessary,
    c) the use of suitable equipment,
    d) the availability and use of monitoring and measuring devices,
    e) the implementation of monitoring and measurement, and
    f) the implementation of release, delivery and post-delivery activities.

  • What to check?

    Observe a few candidates as per the documented PPC procedures.

  • Have the above requirements been met for 7.5.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

  • Total Number of Findings in QMS

Section 5 - ISMS

  • Section applicable to the function being audited

  • Applicable Clauses

5.3 Roles, responsibilities and authorities

  • Requirement:

    Top management shall ensure that the responsibilities and authorities for roles relevant to information
    security are assigned and communicated.
    Top management shall assign the responsibility and authority for:
    a) ensuring that the information security management system conforms to the requirements of this
    International Standard; and
    b) reporting on the performance of the information security management system to top management.
    NOTE Top management may also assign responsibilities and authorities for reporting performance of the
    information security management system within the organization.

  • What to check?

    1. Check if the TCM and TCA are aware of their roles, responsibilities and authorities.

    2. Check how these are communicated.

  • Have the above requirements been met for 5.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.1 Resource

  • Requirement:

    The organization shall determine and provide the resources needed for the establishment, implementation,
    maintenance and continual improvement of the information security management system.

  • What to check?

    1. How does the manager determine and provide the resource needed for maintaining the security of the test centre?

    2. What is the process of resource monitoring on an on-going basis to ensure continual improvement of the management system?

  • Have the above requirements been met for 7.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.2 Competence

  • Requirement:

    The organization shall:
    a) determine the necessary competence of person(s) doing work under its control that affects its
    information security performance;
    b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
    c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
    of the actions taken; and
    d) retain appropriate documented information as evidence of competence.
    NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment
    of current employees; or the hiring or contracting of competent persons.

  • What to check?

    1. Is there a process defined and documented for determining competence for roles? Check if the TCM/TCA are aware of the annual PDR process.

    2. Are those undertaking IS roles competent, and is this competence documented appropriately? Check if the PDR is completed on an annual basis.

  • Have the above requirements been met for 7.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.3 Awareness

  • Requirement:

    Persons doing work under the organization’s control shall be aware of:
    a) the information security policy;
    b) their contribution to the effectiveness of the information security management system, including
    the benefits of improved information security performance; and
    c) the implications of not conforming with the information security management system requirements.

  • What to check?

    1. Is everyone within the test centre aware of the importance of the Information Security policy, their involvement in implementing it and the benefits of an effective security management system? Check for awareness throughout the audit process.

  • Have the above requirements been met for 7.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.1 General

  • Requirement:

    The organization’s information security management system shall include:
    a) documented information required by this International Standard; and
    b) documented information determined by the organization as being necessary for the effectiveness of
    the information security management system.
    NOTE The extent of documented information for an information security management system can differ
    from one organization to another due to:
    1) the size of organization and its type of activities, processes, products and services;
    2) the complexity of processes and their interactions; and
    3) the competence of persons.

  • What to check?

    Are there documents available to be used on a daily basis and as and when needed?

    1. Check if the TCM/TCA is aware and has access to PPC guides?

    2. Check if the TCM/TCA is aware and has access to client chapters?

    3. Check if the TCM/TCA is aware and has access to global policies?

  • Have the above requirements been met for 7.5.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.2 Creating and updating

  • Requirement:

    When creating and updating documented information the organization shall ensure appropriate:
    a) identification and description (e.g. a title, date, author, or reference number);
    b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
    c) review and approval for suitability and adequacy.

  • What to check?

    How are the documents required by the Test Centre created and updated?

    1. Are the documents identified?
    2. What format & media is used?
    3. How are documents reviewed and approved?

  • Have the above requirements been met for 7.5.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.3 Control of documented information

  • Requirement:

    Documented information required by the information security management system and by this
    International Standard shall be controlled to ensure:
    a) it is available and suitable for use, where and when it is needed; and
    b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
    For the control of documented information, the organization shall address the following activities,
    as applicable:
    c) distribution, access, retrieval and use;
    d) storage and preservation, including the preservation of legibility;
    e) control of changes (e.g. version control); and
    f) retention and disposition.
    Documented information of external origin, determined by the organization to be necessary for
    the planning and operation of the information security management system, shall be identified as
    appropriate, and controlled.
    NOTE Access implies a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc.

  • What to check?

    How are the documents required by the Test Centre controlled?

    Documents should be reviewed throughout the audit for the following:

    a) approve documents for adequacy prior to issue?
    b) review and update as necessary and re-approve documents?
    c) ensure that changes and the current revision status of documents are identified?
    d) ensure that relevant versions of applicable documents are available at points of use?
    e) ensure that documents remain legible and readily identifiable?
    f) ensure that documents of external origin are identified and their distribution controlled?
    g) prevent the unintended use of obsolete documents, and apply suitable identification to them if they are retained for any purpose?

  • Have the above requirements been met for 7.5.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.1 Operational planning and control

  • Requirement:

    The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
    The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
    The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
    The organization shall ensure that outsourced processes are determined and controlled.

  • What to check?

    1. Is the risk assessment conducted and documented?
    2. Is the test centre staff aware?
    3. How is the risk assessment reviewed for changes?
    4. Are outsourced processes addressed in the risk assessment and asset register?

  • Have the above requirements been met for 8.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.2 Information security risk assessment

  • Requirement:

    The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments.

  • What to check?

    1. Have security risk assessments been performed in accordance with the criteria defined in Pearson VUE's global risk management process?

    2. Has documented information of the results been retained?

    3. Review the document.

  • Have the above requirements been met for 8.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.3 Information security risk treatment

  • Requirement:

    The organization shall implement the information security risk treatment plan.
    The organization shall retain documented information of the results of the information security risk treatment.

  • What to check?

    1. Has the risk treatment plan defined in Pearson VUE's global process been implemented?

    2. Has documented information of the results been retained?

    3. Review the document.

  • Have the above requirements been met for 8.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

10.1 Nonconformity and corrective action

  • Requirement:

    When a nonconformity occurs, the organization shall:
    a) react to the nonconformity, and as applicable:
    1) take action to control and correct it; and
    2) deal with the consequences;
    b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur
    or occur elsewhere, by:
    1) reviewing the nonconformity;
    2) determining the causes of the nonconformity; and
    3) determining if similar nonconformities exist, or could potentially occur;
    c) implement any action needed;
    d) review the effectiveness of any corrective action taken; and
    e) make changes to the information security management system, if necessary.
    Corrective actions shall be appropriate to the effects of the nonconformities encountered.
    The organization shall retain documented information as evidence of:
    f) the nature of the nonconformities and any subsequent actions taken, and
    g) the results of any corrective action.

  • What to check?

    1. What is done if any issues or concerns are observed that do not meet the requirements?
    2. Is root cause analysis conducted and are corrective actions taken?

    Check for evidence.

  • Have the above requirements been met for 10.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

10.2 Continual improvement

  • Requirements:

    The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

  • What to check?

    1. What improvement initiative has been taken at the test centre?

    2. How does the test centre continually improve?

  • Have the above requirements been met for 10.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.5.1 Security policies

  • Requirement:

    A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

  • What to check?

    1. Do security policies exist?
    2. Is the test centre staff aware of the policies & procedures, and are they aware of how to locate them?

  • Have the above requirements been met for A.5.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.6.1.3 Contact with authorities

  • Requirement:

    Appropriate contacts with relevant authorities shall be maintained.

  • What to check?

    1. Does the test centre staff maintain contact with authorities, e.g. council, law enforcement etc.? Is the following defined: when, and by whom, contact with relevant authorities (law enforcement etc.) will be made?
    2. Is there a process which details how and when contact is required?
    3. Is there a process for routine contact and intelligence sharing?

    Please note this need not be documented. If this is explained verbally, that can be taken as evidence. Based on the response, check what happens when the authorities are contacted.

  • Have the above requirements been met for A.6.1.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.7.2.2 Information security awareness, education and training

  • Requirement:

    All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.

  • What to check?

    Have all test centre staff undergone regular security awareness training appropriate to their role and function within the organisation? Check if everyone on the team has completed the annual awareness training on MILO.

  • Have the above requirements been met for A.7.2.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.8.1.1 Inventory of assets

  • Requirement:

    Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

  • What to check?

    1. Is there an inventory of all assets associated with information and information processing facilities?
    2. Is the inventory accurate and kept up to date?

    Check if the above is addressed in the asset register and risk assessment, and whether the test centre staff is aware.

  • Have the above requirements been met for A.8.1.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.8.1.2 Ownership of assets

  • Requirement:

    Assets maintained in the inventory shall be owned.

  • What to check?

    All information assets must have a clearly defined owner who is aware of their responsibilities. Check if this is addressed in the asset register and risk assessment, and whether the test centre staff is aware.

  • Have the above requirements been met for A.8.1.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.8.2.1 Information classification

  • Requirement:

    Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

  • What to check?

    1. Is the test centre staff aware of the policy governing information classification?
    2. Are the documents/information classified as per the policy?

  • Have the above requirements been met for A.8.2.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.8.3.3 Physical media transfer

  • Requirement:

    Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

  • What to check?

    1. Is the test centre staff aware of the policy and process detailing how physical media should be transported?
    2. Is media in transport protected against unauthorised access, misuse or corruption?
    3. Is the information correctly labelled?

  • Have the above requirements been met for A.8.3.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.9.3.1 Use of secret authentication information

  • Requirement:

    Users shall be required to follow the organization’s practices in the use of secret authentication information.

  • What to check?

    1. Is the test centre staff aware of the policy covering Pearson VUE's practices in how secret authentication information (username and password) must be handled?
    2. Is this communicated to all test centre staff?
    3. Check that passwords are not shared.

  • Have the above requirements been met for A.9.3.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.1 Physical security perimeter

  • Requirement:

    Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

  • What to check?

    1. Is there a designated security perimeter?
    2. Are sensitive or critical information areas segregated and appropriately controlled?

  • Have the above requirements been met for A.11.1.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.2 Physical entry controls

  • Requirement:

    Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

  • What to check?

    1. Do secure areas have suitable entry control systems to ensure only authorised personnel have access?
    2. How is the access controlled e.g. pass, keys?
    3. If via keys, who has access to the keys and how is the inventory maintained?
    4. Check for visitor logs.

  • Have the above requirements been met for A.11.1.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.3 Securing offices, rooms and facilities

  • Requirement:

    Physical security for offices, rooms and facilities shall be designed and applied.

  • What to check?

    1. Have offices, rooms and facilities been designed and configured with security in mind?
    2. Do processes for maintaining the security (e.g. locking up, clear desks etc.) exist?
    3. How is the access to the test centre controlled?
    4. Check for CCTV quality assurance.
    5. Check for burglar alarm and maintenance (Pointer).

  • Have the above requirements been met for A.11.1.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.4 Protecting against external and environmental threats

  • Requirement:

    Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

  • What to check?

    1. Have physical protection measures to prevent natural disasters, malicious attack or accidents been designed in?
    2. What measures does the TCM take if any such threats are indicated and/or materialise?

  • Have the above requirements been met for A.11.1.4?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.5 Working in secure areas

  • Requirement:

    Procedures for working in secure areas shall be designed and applied.

  • What to check?

    1. Do secure areas exist? If yes, which areas are considered as secure areas?
    2. Where they do exist, do secure areas have suitable processes for access to them and is the test centre staff aware of this?

    Server Room:
    1. Check the server room logs and match them with the visitor logs.
    2. Check that the cabling is correct and there are no cables running through the floor/walls/ceiling; if there are, note whether they present any health and safety risks.
    3. Check that the server room is not being used as a store room.
    4. Check who has access to the server room and how it is managed (key, pass etc.).
    5. Check how the temperature is monitored and maintained in the server room.
    6. Are there any water sprinklers in the server room? If yes, are they located in such a place that they don't damage the servers?
    7. Is the server rack clear of all materials (no CDs, papers etc.)?
    8. Check that no confidential information is written around the server or on paper or post-it notes; check for IP addresses, passwords etc.

  • Have the above requirements been met for A.11.1.5?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.1.6 Delivery and loading areas

  • Requirement:

    Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

  • What to check?

    1. How is the building main entrance controlled for security? Check if it is a managed reception or direct entrance to the test centre.
    2. What kind of checks are conducted?

  • Have the above requirements been met for A.11.1.6?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.11.2.9 Clear desk and clear screen policy

  • Requirement:

    A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

  • What to check?

    1. Check if the test centre staff is aware of the clear desk and clear screen policy?
    2. Check if the clear screen policy is implemented?

  • Have the above requirements been met for A.11.2.9?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.13.2.2 Agreement on information transfer

  • Requirement:

    Agreements shall address the secure transfer of business information between the organization and external parties.

  • What to check?

    1. Check if the test centre staff is aware of the information transfer requirements?
    2. Check for evidence that the information is transferred as per the policy?

  • Have the above requirements been met for A.13.2.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.13.2.3 Electronic messaging

  • Requirement:

    Information involved in electronic messaging shall be appropriately protected.

  • What to check?

    1. Check what type of electronic messaging is used by the test centre staff and whether it is appropriately protected.

  • Have the above requirements been met for A.13.2.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.17.2.1 Availability of information processing facilities

  • Requirement:

    Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

  • What to check?

    Do information processing facilities have sufficient redundancy to meet the test centre availability requirements? Check for an alternate printer, what will happen if the digital signature pad is not working, and what the TCM will do if one of the machines is not working.

  • Have the above requirements been met for A.17.2.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.18.1.1 Identification of applicable legislation and contractual requirements

  • Requirement:

    All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

  • What to check?

    1. Is the test centre staff aware of the legal requirements, e.g. the Data Protection Act?
    2. Is the test centre staff aware of the contractual requirements? Do they have access to client chapters?
    3. How are changes to client chapters or client requirements communicated?

  • Have the above requirements been met for A.18.1.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.18.1.3 Protection of records

  • Requirement:

    Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

  • What to check?

    1. Check how records are protected from loss, destruction, falsification and unauthorised access or release in accordance with legislative, regulatory, contractual and business requirements.
    2. What happens if the test schedule for the day is printed?
    3. Is the test schedule shared with the building to allow candidate entrance? If yes, how is this controlled? Check the copy with the building staff.

  • Have the above requirements been met for A.18.1.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.18.1.4 Privacy and protection of personally identifiable information

  • Requirement:

    Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

  • What to check?

    1. Is personal data identified and appropriately classified?
    2. Is personal data protected in accordance with the Data Protection Act? Check if the result is handed over as per policy, and check that the TCM/TCA screen is protected and the information is not subjected to risk, i.e. not left unattended and not seen by candidates.

  • Have the above requirements been met for A.18.1.4?

  • Auditor Notes

  • Compliance Level

  • Finding Type

A.18.2.2 Compliance with security policies and standards

  • Requirement:

    Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and other security requirements.

  • What to check?

    How does the RM ensure they regularly review the compliance of policies and procedures within their area of responsibility?

  • Have the above requirements been met for A.18.2.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

  • Total Number of Findings in ISMS

Section 6 - BCMS

  • Section applicable to the function being audited

  • Applicable Clauses

5.3 Policy

  • Requirements:

    Top management shall establish a business continuity policy that
    a) is appropriate to the purpose of the organization,
    b) provides a framework for setting business continuity objectives,
    c) includes a commitment to satisfy applicable requirements,
    d) includes a commitment to continual improvement of the BCMS.
    The BCMS policy shall
    — be available as documented information,
    — be communicated within the organization,
    — be available to interested parties, as appropriate,
    — be reviewed for continuing suitability at defined intervals and when significant changes occur.
    The organization shall retain documented information on the business continuity policy.

  • What to check?

    1. Does a Business Continuity policy exist?
    2. Is the test centre staff aware of the policies & procedures, and are they aware of how to locate them?

  • Have the above requirements been met for 5.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

5.4 Roles, responsibilities and authorities

  • Requirements:

    Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.
    Top management shall assign the responsibility and authority for
    a) ensuring that the management system conforms to the requirements of this International Standard, and
    b) reporting on the performance of the BCMS to top management.

  • What to check?

    1. Check if the TCM and TCA are aware of their roles, responsibilities and authorities.

    2. Check how these are communicated.

  • Have the above requirements been met for 5.4?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.1 Resources

  • Requirements:

    The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the BCMS.

  • What to check?

    1. How does the manager determine and provide the resources needed for maintaining the security of the test centre?

    2. What is the process for monitoring resources on an on-going basis to ensure continual improvement of the management system?


  • Have the above requirements been met for 7.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.2 Competence

  • Requirements:

    The organization shall
    a) determine the necessary competence of person(s) doing work under its control that affects its performance,
    b) ensure that these persons are competent on the basis of appropriate education, training, and experience,
    c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and
    d) retain appropriate documented information as evidence of competence.

    NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employed persons; or the hiring or contracting of competent persons.

  • What to check?

    1. Is there a defined and documented process for determining competence for roles? Check if the TCM/TCA are aware of the annual PDR process.

    2. Are those undertaking Business Continuity roles competent, and is this competence documented appropriately? Check if the PDR is completed on an annual basis.

  • Have the above requirements been met for 7.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.3 Awareness

  • Requirements:

    Persons doing work under the organization’s control shall be aware of
    a) the business continuity policy,
    b) their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance,
    c) the implications of not conforming with the BCMS requirements, and
    d) their own role during disruptive incidents.

  • What to check?

    1. Is everyone within the test centre aware of the importance of the BCM policy, their involvement in implementing it and their role in a disruption? Check for awareness throughout the audit process.

  • Have the above requirements been met for 7.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.1 General

  • Requirements:

    The organization’s BCMS shall include
    — documented information required by this International Standard, and
    — documented information determined by the organization as being necessary for the effectiveness of the BCMS.

    NOTE The extent of documented information for a BCMS can differ from one organization to another due to
    — the size of organization and its type of activities, processes, products and services,
    — the complexity of processes and their interactions, and
    — the competence of persons.

  • What to check?

    Are there documents available to be used on a daily basis and as and when needed?

    1. Check whether the TCM/TCA is aware of and has access to PPC guides.

    2. Check whether the TCM/TCA is aware of and has access to client chapters.

    3. Check whether the TCM/TCA is aware of and has access to global policies.

  • Have the above requirements been met for 7.5.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.2 Creating and updating

  • Requirements:

    When creating and updating documented information, the organization shall ensure appropriate
    a) identification and description (e.g. a title, date, author or reference number),
    b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic), and
    c) review and approval for suitability and adequacy.

  • What to check?

    How are the documents required by the Test Centre created and updated?

    1. Are the documents identified?
    2. What format & media is used?
    3. How are documents reviewed and approved?

  • Have the above requirements been met for 7.5.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

7.5.3 Control of documented information

  • Requirements:

    Documented information required by the BCMS and by this International Standard shall be controlled to ensure
    a) it is available and suitable for use, where and when it is needed,
    b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
    For the control of documented information, the organization shall address the following activities, as applicable
    — distribution, access, retrieval and use,
    — storage and preservation, including preservation of legibility,
    — control of changes (e.g. version control),
    — retention and disposition,
    — retrieval and use,
    — preservation of legibility (i.e. clear enough to read), and
    — prevention of the unintended use of obsolete information.

    Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled.

    When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information (e.g. protection against compromise, unauthorized modification or deletion).

    NOTE Access implies a decision regarding the permission to view the documented information, or the permission and authority to view and change the documented information, etc.

  • What to check?

    How are the documents required by the Test Centre controlled?

    Documents should be reviewed throughout the audit for the following:

    a) Are documents approved for adequacy prior to issue?
    b) Are documents reviewed, updated as necessary and re-approved?
    c) Are changes and the current revision status of documents identified?
    d) Are relevant versions of applicable documents available at points of use?
    e) Do documents remain legible and readily identifiable?
    f) Are documents of external origin identified and their distribution controlled?
    g) Is the unintended use of obsolete documents prevented, and is suitable identification applied to them if they are retained for any purpose?

  • Have the above requirements been met for 7.5.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.2.2 Business Impact Analysis

  • Requirements:

    The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization’s products and services.

    The business impact analysis shall include the following:
    a) identifying activities that support the provision of products and services;
    b) assessing the impacts over time of not performing these activities;
    c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
    d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.

  • What to check?

    1. Check whether the TCM has access to the BIA document on SharePoint. Ask the TCM to open the document for review.

    2. Ask the TCM to explain the document and the BIA process. Check whether the TCM is aware of the formal process for BIA.

    3. Is the BIA carried out as per process?

    4. Does the BIA enable prioritization of time frames for resuming each activity (Recovery Time Objectives)? Is this documented in the BIA?

    5. Have minimum acceptable levels for resuming activities been identified and documented in the BIA?

    Review the complete BIA process and document.

  • Have the above requirements been met for 8.2.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.2.3 Risk assessments

  • Requirements:

    The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.

    NOTE This process could be made in accordance with ISO 31000.
    The organization shall
    a) identify risks of disruption to the organization’s prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,
    b) systematically analyse risk,
    c) evaluate which disruption related risks require treatment, and
    d) identify treatments commensurate with business continuity objectives and in accordance with the organization’s risk appetite.

    NOTE The organization must be aware that certain financial or governmental obligations require the communication of these risks at varying levels of detail. In addition, certain societal needs can also warrant sharing of this information at an appropriate level of detail.

  • What to check?

    1. Has the risk treatment plan defined in Pearson VUE's global process been implemented?

    2. Has documented information of the results been retained?

    3. Review the document.

  • Have the above requirements been met for 8.2.3?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.3.1 Determination and selection

  • Requirements:

    Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.
    The organization shall determine an appropriate business continuity strategy for
    a) protecting prioritized activities,
    b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and
    c) mitigating, responding to and managing impacts.

    The determination of strategy shall include approving prioritized time frames for the resumption of activities.

    The organization shall conduct evaluations of the business continuity capabilities of suppliers.

  • What to check?

    1. Is the BC strategy based on the outputs of the BIA and risk assessment?

    2. Does the BC strategy protect prioritized activities and provide appropriate continuity and recovery of them, their dependencies and resources?

    3. Does the BC strategy provide for mitigating, responding to and managing impacts?

    4. Have prioritized time frames been set for the resumption of all activities?

    5. Have the BC capabilities of suppliers been evaluated?

  • Have the above requirements been met for 8.3.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.3.2 Establishing resource requirements

  • Requirements:

    The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to
    a) people,
    b) information and data,
    c) buildings, work environment and associated utilities,
    d) facilities, equipment and consumables,
    e) information and communication technology (ICT) systems,
    f) transportation,
    g) finance, and
    h) partners and suppliers.

  • What to check?

    1. Have the resource requirements for the selected strategy options been determined, including people, information and data, infrastructure, facilities, consumables, IT, transport, finance and partner/supplier services?

    2. Have these been documented in the BIA and the BC plans?

  • Have the above requirements been met for 8.3.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.4.1 General

  • Requirements:

    The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.
    The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.

    The procedures shall
    a) establish an appropriate internal and external communications protocol,
    b) be specific regarding the immediate steps that are to be taken during a disruption,
    c) be flexible to respond to unanticipated threats and changing internal and external conditions,
    d) focus on the impact of events that could potentially disrupt operations,
    e) be developed based on stated assumptions and an analysis of interdependencies, and
    f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.

  • What to check?

    Check whether the test centre staff are aware of the documented BC procedures and able to locate them on SharePoint.

  • Have the above requirements been met for 8.4.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.4.2 Incident response structure

  • Requirements:

    respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident.

    The response structure shall
    a) identify impact thresholds that justify initiation of formal response,
    b) assess the nature and extent of a disruptive incident and its potential impact,
    c) activate an appropriate business continuity response,
    d) have processes, and procedures for the activation, operation, coordination, and communication of the response,
    e) have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and
    f) communicate with interested parties and authorities, as well as the media.

    The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate.

  • What to check?

    1. Are the management structure and trained personnel in place to respond to a disruptive incident at the test centre?

    2. Do the Incident Response Structure (IRS) and associated procedures include thresholds, assessment, activation, resource provision and communication? Check the emergency response plan (ERP), and check whether the TCM is aware of the ERP.

    3. Check whether the ERP aspects have been implemented (e.g. fire drills).


  • Have the above requirements been met for 8.4.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.4.4 Business continuity plans

  • Requirements:

    The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them.

    The business continuity plans shall collectively contain
    a) defined roles and responsibilities for people and teams having authority during and following an incident,
    b) a process for activating the response,
    c) details to manage the immediate consequences of a disruptive incident giving due regard to
    1) the welfare of individuals,
    2) strategic, tactical and operational options for responding to the disruption, and
    3) prevention of further loss or unavailability of prioritized activities;
    d) details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts,
    e) how the organization will continue or recover its prioritized activities within predetermined timeframes,
    f) details of the organization’s media response following an incident, including
    1) a communications strategy,
    2) preferred interface with the media,
    3) guideline or template for drafting a statement for the media, and
    4) appropriate spokespeople;
    g) a process for standing down once the incident is over.

    Each plan shall define
    — purpose and scope,
    — objectives,
    — activation criteria and procedures,
    — implementation procedures,
    — roles, responsibilities, and authorities,
    — communication requirements and procedures,
    — internal and external interdependencies and interactions,
    — resource requirements, and
    — information flow and documentation processes.

  • What to check?

    1. Are there documented plans/procedures for responding to a disruptive incident?

    2. Do these plans reflect the needs of those who will use them?

    3. Do the plans define roles and responsibilities?

    4. Do the plans define a process for activating the response?

    5. Do the plans consider the management of the immediate consequences of a disruption, in particular the welfare of individuals, options for response and further loss prevention?

    6. Do the plans detail how to communicate with the various interested parties during the disruption?

    7. Do the plans contain details on how prioritized activities will be continued or recovered within predetermined time frames?

    8. Is there a planned media response to an incident?

    9. Do the plans include a procedure for standing down the response?

    10. Does each plan contain the essential information to use it effectively?

    11. Check the wallet cards: are they up to date, relevant and accessible?

  • Have the above requirements been met for 8.4.4?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.4.5 Recovery

  • Requirements:

    The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.

  • What to check?

    1. Are the test centre staff aware of the documented plans/procedures for restoring business operations after an incident?

    2. Do these plans reflect the needs of those who will use them?

    3. Do the plans define roles and responsibilities?

  • Have the above requirements been met for 8.4.5?

  • Auditor Notes

  • Compliance Level

  • Finding Type

8.5 Exercise & testing

  • Requirements:

    The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.
    The organization shall conduct exercises and tests that
    a) are consistent with the scope and objectives of the BCMS,
    b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives,
    c) taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,
    d) minimize the risk of disruption of operations,
    e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements,
    f) are reviewed within the context of promoting continual improvement, and
    g) are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.

  • What to check?

    1. Have business continuity procedures been tested to ensure they are consistent with the BC objectives?

    2. Does the RM “actively engage” in testing and exercising the BCMS?

    3. Are the test exercises clearly defined, consistent with the scope of the BCMS and business continuity objectives, and based on appropriate scenarios?

    4. Will the test exercises that have been conducted over time validate the whole of the organization’s business continuity arrangements?

    5. Are the test exercises designed to minimize the risk of disruption to operations?

    6. Have formal post-exercise reports been produced for the conducted tests?

    7. Are the outcomes of exercises reviewed to ensure they lead to improvement?

    8. Are test exercises undertaken at planned intervals and when significant changes occur, and is this process documented within the BCMS?

  • Have the above requirements been met for 8.5?

  • Auditor Notes

  • Compliance Level

  • Finding Type

10.1 Nonconformity and corrective action

  • Requirements:

    When a nonconformity occurs, the organization shall:
    a) react to the nonconformity, and as applicable:
    1) take action to control and correct it; and
    2) deal with the consequences;
    b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
    1) reviewing the nonconformity;
    2) determining the causes of the nonconformity; and
    3) determining if similar nonconformities exist, or could potentially occur;
    c) implement any action needed;
    d) review the effectiveness of any corrective action taken; and
    e) make changes to the information security management system, if necessary.
    Corrective actions shall be appropriate to the effects of the nonconformities encountered.
    The organization shall retain documented information as evidence of:
    f) the nature of the nonconformities and any subsequent actions taken, and
    g) the results of any corrective action.

  • What to check?

    1. What is done if any issues or concerns are observed that do not meet the requirements?
    2. Is root cause analysis conducted and are corrective actions taken?

    Check for evidence.

  • Have the above requirements been met for 10.1?

  • Auditor Notes

  • Compliance Level

  • Finding Type

10.2 Continual improvement

  • Requirements:

    The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

  • What to check?

    1. What improvement initiative has been taken at the test centre?

    2. How does the test centre continually improve?

  • Have the above requirements been met for 10.2?

  • Auditor Notes

  • Compliance Level

  • Finding Type

  • Total Number of Findings in BCMS

Closing Meeting

  • Closing Meeting Notes

  • Positives

  • Overall Audit Summary

  • Findings Raised

  • Non-Conformance RED

  • Non-Conformance AMBER

  • Observation RED

  • Observation AMBER

  • Observation GREEN

  • Feedback GREEN

Audit Signoff

  • Sign off Audit Team

  • Lead Auditor

  • Support Auditor

  • Auditor in Training

  • Functional Owner

  • Auditee Team

  • Auditee

  • Add signature

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.