An audit is a review process whose purpose is to ensure that the organization's ISMS (information security management system) complies with the requirements of a specific framework, such as ISO 27001. Before an organization moves towards a certification audit, an internal audit usually takes place first. The internal audit helps the organization assess the current state of its implementation of the framework's controls and find potential non-conformities, which should be addressed before the certification audit. Improvements identified in either an internal audit or the certification audit help the organization continuously improve its ISMS.
When should you do an (internal) audit in Cyberday?
An (internal) audit is an efficient tool for checking the organization's current compliance level. Running one in Cyberday makes the most sense once at least some of the controls that will be audited are fully implemented; auditing controls that are still being set up mainly produces non-conformities you already know about. Results are documented directly in Cyberday and can be used as a basis for further improvements.
How can you create an internal audit schedule in Cyberday?
Where to find this view: Dashboard -> Theme: risk management and leadership -> Documentation -> Audits
To create an audit schedule, go to the Organization Dashboard in Cyberday and open the theme "Risk management and leadership" from the theme list. Once the theme is open, you will find the "Documentation" box on the right side. Open the "Audits" link to see the audit schedule.
The audit list includes all completed and scheduled audits. To schedule a new audit, use the button in the upper right corner; a new audit is added to the list. Open the new audit, set an owner and a name, and choose the status "scheduled" from the drop-down (if you simply want to schedule it for now). Select the planned date and time of the audit on the audit card.
How do you define an audit scope in Cyberday?
Once you have created the audit in your list and opened the audit card, you define the scope by answering the first question. The selections in the first question are required for creating the "audit progress report", which is the third question on the card. You can review the content of your own ISMS from the point of view of a specific framework, or by a related management system section, such as "incident management" or "management of data sets". If you select a specific framework, you can also select specific sections of it, so you do not need to audit the full framework at once but can split it into smaller parts that fit into manageable time slots. Many frameworks require, for example, that the full framework is covered by internal audits over a 3-year period, so a schedule of partial audits should add up to full coverage within that cycle.
How do you carry out an internal audit?
To carry out the audit, open the audit card from the audit list and select "Create audit progress report" under question three. Note: you must fill in the scope in question one before you can move to this step.
The audit progress report will open and you can do the following steps:
- Check the tasks that are listed in the audit progress report
- Document all observed non-conformities or other observations for each requirement, then click "Mark as reviewed"
From the list, the auditor can check whether all the information is still up to date (i.e. are the responsible persons correct, are all the actions actually done, have the tasks been reviewed, are the descriptions current, and so on). During the audit, record everything that does not match or is wrong as a non-conformity, so it can be corrected after the audit.
For each non-conformity, write down all the needed details in the new tab that opens when you click "Add new non-conformity", and, where possible, potential improvement ideas. The non-conformities must be fixed before the audit can be finished.
On the audit card in the audit list, you will find an overview of all identified non-conformities under section two. You can also add non-conformities directly there, as well as positive and other findings from the audit. Later, you should plan the improvements and connect them to the audit (section four) in order to finish it. You can close the audit once all of the improvements have been presented to the auditor and the corrective actions have been "accepted" by the auditor.
How do you create the final audit report?
Once you have completed all of the steps listed above, marked the sections of the audit card as completed and clicked "Finish progress report", you can finish the audit and generate a single document from the audit card. Simply go to the audit card and open the drop-down menu by clicking the three dots on the right side next to the headline. Select "View report" to open the report.
The internal audit report document may look like the following:
The audit progress report can later also be found in the reporting section in Cyberday. It is useful for showing progress, mainly to auditors rather than to auditees.
Questions and feedback
Do you have any further questions, need another help article or would like to give feedback? Please contact our team via firstname.lastname@example.org or the chat box in the lower right corner.