
AUDITING YOUR SYSTEMS

About ParkinsonHowe
Having a cost-effective internal audit programme, and utilising an experienced auditor effectively is vital to any business.

My role would be to provide independent assurance that your business's security and continuity risks, governance and internal control processes are operating effectively.

I will provide an unbiased and objective view of your business, giving senior managers, stakeholders and the audit committee an impartial and independent report on your operations.

My skills and qualifications have been developed over many years in management, operations and technical roles, working with all types and sizes of organisation: from educational organisations to major cloud providers, from pharmaceutical to financial, and from manufacturing to consultancy. The following is a sample of some of these companies: Oracle, Paragon Banking Group, Cornerstone OnDemand, Basware, Ingenico (Worldline), NavBlu, IGT, APC Workforce Solutions, Fidessa (Ion), PA Consulting. The audit work ranges across ISO standards (27001, 27701, 22301 and 9001) and frameworks such as NIST, CSA* and TISAX.

Because of my background, I can look beyond day-to-day operational risks to consider the wider issues you may be facing for example reputation or recovery risk, together with employee awareness.

Overall, I will reassure the business that processes are being followed, and if required I can inform managers how well the systems and processes are working to keep your business on track.

If you require more bespoke audit work then please get in touch, and I will see what can be done.

My role would be to provide the following:

  • Report to the board and senior management within the organisation’s governance structure.
  • Evaluate and improve the effectiveness of risk and control processes, providing your senior management with assurance that the business is performing as expected and within legal and regulatory requirements.
  • Audit coverage will be across your business's information security and business resilience governance and processes.
  • Continual improvement is fundamental to the requirements of internal auditing. This will be achieved through advising, training and facilitating with management.
My audit finding reports have been developed to give both a textual report format and more importantly a graphical format, so that you can very easily see where you are and what requires addressing. The audit report graphics can be formatted to show Strategic, tactical, and operational views. This allows for patterns and trends to be far more easily understood.

For an audit to be successful, and based on my experience of international certification and accreditation requirements, I will propose conducting the audit using a well-recognised approach.

The audit approach will ensure that your audit has been properly planned and undertaken to the best timeline, and that it meets audit requirements including:

  • Development of an audit strategy including a loopback approach;
  • Making an appropriate assessment of audit risk; and
  • Development of a three-year audit plan and agreeing the process moving forward.
In subsequent years, I would ensure that changes to your organisation have been adequately considered and documented before the audit.

MY AUDIT APPROACH

Audit Planning

My audit process follows the requirements laid down by ISO (International Organization for Standardization). However, if you have a specific procedure for auditing, I can adopt it.

The planning and preparation for your audit would consist of evaluating your businesses management of security and continuity risk. All companies fundamentally face the same types of risks. For example, risks due to a failure in the supply chain, reputation, risks associated with IT failure or cyber security. The key to an organisation’s success is to manage those risks effectively and be able to have continuity in the business to initially limit the damage and recover in acceptable timescales.

All that said, the planning would evaluate how well risks have been captured and are being managed through your risk management processes and systems. Once completed, we can then determine the approach to take, to give you the best value and depth for the audits.

It is at this stage, with the assistance of your team, that any areas of concern can be built into the audit schedule, so that we can help to identify improvements and ensure that new or changing project risks are clearly identified, and that security and recovery improvements are assessed.

The following areas will be used to provide you with a consistent approach equal or better than the certification/accreditation bodies you use:

  • Determining audit objectives, scope and criteria
  • Audit team selection and assignments
  • Audit plan and key delivery dates and tasks

Audit Preparation

In preparing for the audit, a review of the following would take place:

For information security, an evaluation and review of the statement of applicability and of the level of security control required by the business, customers and the supply chain; and a review of the major features of the information technologies in use, including network plans and dependencies on other parts of the business or supply chain.

Access to personnel records
We will check and verify that auditors will be given access to all relevant records needed for effective assessment of the security scope. If the determination is the security scope cannot be effectively assessed without such access then we will advise that this will be a requirement before the certification audit can take place, and therefore access should be considered at the internal audit phase to understand any concerns in working practices.

Risk Analysis / Assessment
We will discuss your risk analysis / assessment and how it has been evaluated for significance. The aim of this is to establish that your risk assessment properly reflects the activities conducted by your business and extends to the boundaries and activities as defined by the security scope document.

Statement of Applicability
We will audit and verify the statement of applicability, in order to establish you have understood and defined the correct terms and that the statement of applicability correctly reflects the information security scope, that you require.

Conducting the Audit

In order to fulfil your requirements, I will utilise a mixture of audit types to give you a review with both breadth and depth.

System audit:
An audit conducted on a management system. It can be described as a documented activity performed to verify, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements.

This is the primary audit process used by internal auditors and certification bodies to determine that security controls are in place and operational, in order to grant certification or accreditation.

Process audit:
This type of audit verifies that processes are working within established limits. It evaluates an operation or method against predetermined instructions or standards to measure conformance to these standards and the effectiveness of the instructions. A process audit may examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance.

Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.

For most companies this type of audit can be used to increase performance and to determine new areas of efficiency.

Product audit:
This type of audit is an examination of a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to requirements (i.e., specifications, performance standards, and customer requirements).

Audit Evaluation

ParkinsonHowe will verify how the ISMS scope has improved, how it has evaluated identified risks, and how this relates to the identified security requirements and the monitoring of the ISMS performance.

We will verify how the overall business objectives have been translated into internal information security requirements throughout the appropriate processes, and how these requirements are communicated and monitored.

We will look for evidence that the security team is analysing data from the ISMS monitoring, and is then taking the results forward for evaluating the ISMS effectiveness and improving the ISMS where necessary.

As part of the process we will confirm that the improvement objectives and priorities are consistent with the ISMS objectives, and review performance statistics (e.g. reduction in the number of certain security incidents) to measure improvements.

Knowledge Transfer
ParkinsonHowe will ensure knowledge transfer to the security or compliance team at every stage of the project to enable your business to carry out the work in the future.

If requested, ParkinsonHowe can deliver ISMS training to the SaaS ISMS team. Training will be available at a location to be agreed, and it will be available during the project duration, i.e. over the project period of 3 years.


INTERNAL AUDIT QUESTIONS AND ANSWERS

Security in an 'AGILE' operation and consulting environment

Over the last few years, more and more companies have been moving toward ‘AGILE’ methodologies for consultancy engagements, which is fine, and I have very little problem with this. However, it has become more and more apparent that formally capturing risks and issues is not always completed

Where does it say we have to audit the scope before certification?

To answer this question, we first must look at ISO/IEC 27006 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

ISO 22301:2019, What you need to know

Protecting the information of an organisation is critical in today's world, where data breaches are becoming commonplace. The management and smooth operation of data transmittal is critical. Working towards compliance and certification to ISO 22301 information security management will aid

AUDIT ENDORSEMENTS

IT Manager

"We certainly have a hill to climb, but I am certainly more confident about it now. I will be making sure we have ParkinsonHowe visit on a regular schedule."

Security Manager - SaaS and IaaS

"We would like to thank you for your assistance over the past three years in maintaining our certification."

Governance and Security Manager

"I would like to thank the team for great feedback and assistance."

Management System Superintendent

"We would like to thank you for all the good work, help and assistance in establishing our Business Continuity Management System."

I will only use your details to make contact; once any work is completed, I will destroy the information.

3 DAVENPORT PARK ROAD, STOCKPORT, SK2 6JU, UK