
Information Security Management System Auditor/ Lead Auditor

Training Course

Pre-Course Reading Material

IRCLASS/TRG/ISMS/LA/PCR/Rev01 Mar 2019 1 © IRCLASS Systems and Solutions Private Limited 2019
Course Description

Course title: ISO 27001:2013 Lead Auditor (Information Security Management Systems) Training course

Level: Professional

Course indicative duration: 40 hours training + 2 hours written exam.

Course short description:


The aim of this course is to provide delegates with the knowledge and skills required to perform first,
second and third-party audits of information security management systems against ISO/IEC 27001 (with
ISO/IEC 27002), in accordance with ISO 19011 and ISO 17021, as applicable. All references in this
document to ISO standards are to the current versions unless otherwise stated.

Delegates who successfully complete this CQI and IRCA Certified ISO 27001:2013 Lead Auditor (ISMS)
Training course (within the three years prior to making an application to become a certificated auditor)
will satisfy the training requirements for initial certification as an IRCA ISMS auditor.

Topic areas: Management system, Audit

Assessment: Continuous assessment and a 2 hour examination

Recommended prior knowledge: ISO 27001:2013 Foundation level knowledge.


- Understand the Plan-Do-Check-Act (PDCA) cycle
- Information security management
  o Knowledge of the following information security management principles and concepts:
    o Awareness of the need for information security;
    o The assignment of responsibility for information security;
    o Incorporating management commitment and the interests of stakeholders;
    o Enhancing societal values;
    o Using the results of risk assessments to determine appropriate controls to reach acceptable levels of risk;
    o Incorporating security as an essential element of information networks and systems;
    o The active prevention and detection of information security incidents;
    o Ensuring a comprehensive approach to information security management;
    o Continual reassessment of information security and making of modifications as appropriate.
- ISO/IEC 27001
  o Knowledge of the requirements of ISO/IEC 27001 (with ISO/IEC 27002) and the commonly used
    information security management terms and definitions, as given in ISO/IEC 27000, which may be
    gained by completing the CQI and IRCA Certified ISO 27001:2013 Foundation (ISMS) Training course
    or equivalent.

Learning Objectives

- The aim of this course is to provide delegates with the knowledge and skills required to perform
first, second and third-party audits of information security management systems against ISO/IEC
27001 (with ISO/IEC 27002), in accordance with ISO 19011 and ISO 17021 as applicable.

Learning objectives:

On completion, successful delegates will have the knowledge and skills to:

Knowledge

- Explain the purpose and business benefits of an information security management system, of
information security management systems standards, of management system audit and of third-
party certification.
- Explain the role of an auditor to plan, conduct, report and follow up an information security
management system audit in accordance with ISO 19011

Skills

- Plan, conduct, report and follow up an audit of an information security management system to
establish conformity (or otherwise) with ISO/IEC 27001.

Enabling Objectives:
- Explain the purpose and business benefits of an information security management system, of
information security management systems standards, of management system audit and of third-
party certification.
Knowledge
2.1.1 Explain the purpose and business benefits of an information security management system and the
business benefits of improving the effectiveness of an information security management system.
2.1.2 With reference to ISO/IEC 27001:
a) Explain the Plan-Do-Check-Act framework and its application to information security management
processes
b) Outline the processes involved in establishing, implementing, operating, monitoring, reviewing,
maintaining and improving an information security management system, including the significance of
these for ISMS auditors
c) Explain the terminology defined in the standard (and in ISO/IEC 27000)
d) State requirements for ISMS documented information.
2.1.3 Explain the purpose of and differences between first-party, second-party and third-party
certification audit of management systems, including the role of the ISMS auditor in evaluating an
organisation’s capability to protect the confidentiality, integrity and availability of information.
2.1.4 Explain the benefits of third-party accredited certification of information security management
systems for organisations and interested parties.

- Explain the role of an auditor to plan, conduct, report and follow up an information security
management system audit in accordance with ISO 19011 (and ISO 17021 where appropriate)
Knowledge
2.2.1 Audit process
Explain the audit process, making reference to similarities and differences in the process between first-
party, second-party and third-party certification audit, including:

a) Determining audit objectives, the purpose and significance of the audit scope and criteria

b) Resourcing the audit, the importance of auditor and team competency and the selection of
team members, particularly with regard to knowledge of the relevant management system
discipline, industry sector, regulations and legislation, and auditor training

c) Outline different audit methods, including on-site and remote audits, and audit activities
requiring human interaction and those requiring no human interaction.

d) The purpose of a stage 1 audit, including the documentation review, and describe a typical
stage 1 audit process and outputs

e) Preparing for a stage 2 audit, including preparing an audit plan

f) Conducting on-site audit activities, including preparing working documents, conducting audit
meetings, gathering audit evidence, preparing and approving and distributing the audit report,
and conducting the audit follow up.

2.2.2 Auditor responsibilities

a) Describe the roles and responsibilities of the audit client, auditors, lead auditors, auditees,
guides and observers
b) Explain the management responsibilities of the lead auditor in managing the audit and the
audit team
c) Explain the need for effective communication with the auditee throughout the audit process
d) Explain the need for auditor confidentiality
e) Outline the content and intent of the IRCA code of conduct.

- Plan, conduct, report and follow up an audit of an information security management system to
establish conformity (or otherwise) with ISO/IEC 27001 and in accordance with ISO 19011 (and
ISO 17021 where appropriate)

Skills are to be practised and tested through tasks and in real or simulated audit situations.

2.3.1 Planning the audit

a) Establish that the scope, objectives, criteria, duration and resources for an audit are
appropriate
b) Prepare an on-site audit plan that is appropriate to 2.3.1 (a) above and to the organisation's
context and processes
c) Perform document review in preparation for the audit and prepare the necessary work
documents, such as an audit checklist, sampling plan and forms.
2.3.2 Conducting the audit

a) Demonstrate the ability to manage meetings effectively


b) Demonstrate the ability to implement the audit plan, use work documents and to follow audit
trails
c) Demonstrate the ability to build rapport with the auditee during the audit, including
sensitivity to the needs and expectations of the auditee

d) Demonstrate the ability to manage audit interviews effectively, including the ability to
formulate effective audit questions
e) Demonstrate the ability to collect and verify appropriate audit evidence, including
appropriate sampling (see 2.3.3)
2.3.3 Auditing information security management system requirements

a) Verify the purpose and the intended outcome(s) of the ISMS and the relevant external and
internal issues, as established by the organisation
b) Verify the relevant interested parties and any relevant requirements have been established
by the organisation
c) Verify the scope of the ISMS in relation to
o the external and internal issues
o the requirements of the relevant interested parties
o the interfaces and dependencies of activities undertaken internally and externally
d) Verify that the information security policy and objectives have been established by top
management and that they
o are compatible with the organisation’s strategic direction
o reflect the organisation’s needs and objectives, size and structure, security
requirements and the processes used
o have been communicated (including to relevant interested parties)
e) Verify that responsibilities and authorities for relevant roles have been assigned and
communicated
f) Evaluate the actions to address risks and opportunities, to ensure that the ISMS meets its
intended outcome(s) and that it prevents (or reduces) undesired effects. These should take into
consideration:
o the external and internal issues in a) above
o the relevant interested parties’ requirements in b) above
g) Verify that the actions, in f) above, have been implemented and integrated into the ISMS
processes
h) Verify that the risk assessment process has been planned and regularly implemented and
delivers consistent, valid and comparable results and that the process has
o information security risk criteria, including the risk acceptance criteria;
o criteria for performing information security risk assessments
i) Verify that the risk treatment process selects appropriate treatment options and the
necessary controls and that no necessary controls have been omitted
j) Verify that the Statement of Applicability (SoA) contains the necessary controls (with
reference to Annex A and ISO/IEC 27002) and that all inclusions (whether they are implemented
or not) and exclusions have justification

k) Verify that the information security risk treatment plan has been approved by the risk owner
and that the residual information security risks have been accepted and that the plan has been
implemented

l) Evaluate the approach to the determination and provision of competent people doing work
under the organisation’s control

m) Evaluate the internal and external communication process

n) Evaluate the arrangements for the creation, update and control of documented information
in the ISMS

o) Evaluate the arrangements for monitoring, measuring, analysis and evaluation:
o what needs to be monitored and measured
o the methods for monitoring, measuring, analysis and evaluation, when it will take place
and who will perform it
o when the results will be analysed and evaluated and who will perform it
p) Evaluate the effectiveness of the internal audit of the ISMS

q) Evaluate the management review of the ISMS based on changes in relevant external and
internal issues, feedback on information security performance and feedback from interested
parties

r) Evaluate improvement, including the organisation’s arrangements
o to react to a nonconformity, evaluate the need for action to eliminate the causes of
nonconformity, take corrective action and evaluate its effectiveness
o for continual improvement of the suitability, adequacy and effectiveness of the ISMS
2.3.4 Generating audit findings
a) Demonstrate the ability to evaluate audit evidence to correctly identify conformity and
nonconformity with requirements

b) Demonstrate the ability to prepare audit conclusions, including the extent of conformity of
the management system, identification of positive audit findings in addition to nonconformity,
and identification of potential risks and opportunities for improvement.
2.3.5 Reporting the audit
a) Write and grade nonconformity reports correctly

b) Present audit conclusions and recommendations clearly to the auditee at a closing meeting.
2.3.6 Following up the audit
- Evaluate proposals for corrective action and differentiate between correction and corrective
action.

The aim of this course is to provide delegates with the knowledge and skills required to perform first,
second and third-party audits of information security management systems against ISO/IEC 27001 (with
ISO/IEC 27002), in accordance with ISO 19011 and ISO 17021 as applicable. The course does not include
clause-by-clause analysis of ISO/IEC 27001.

This course does require delegates to audit an information security management system against the
requirements of ISO/IEC 27001 (with ISO/IEC 27002), including the ability to identify audit evidence to
establish conformity or nonconformity.
Delegates are informed that course examination questions can relate to any requirement of
ISO/IEC 27001 and to the expected prior knowledge.

Introduction
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). International Standards for management systems provide a model to
follow in setting up and operating a management system. ISO/IEC JTC 1/SC 27 technical committee
maintains an expert committee dedicated to the development of international management systems
standards for information security, otherwise known as the Information Security Management system
(ISMS) family of standards.

Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.

The ISMS family of standards includes standards that:


a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

Information Security Management Systems


Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important
assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for
example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information
security is generally based on information being considered as an asset which has a value requiring
appropriate protection, for example, against the loss of availability, confidentiality and integrity.
Enabling accurate and complete information to be available in a timely manner to those with an
authorized need is a catalyst for business efficiency.

Protecting information assets through defining, achieving, maintaining, and improving information
security effectively is essential to enable an organization to achieve its objectives, and maintain and
enhance its legal compliance and image. These coordinated activities directing the implementation of
suitable controls and treating unacceptable information security risks are generally known as elements
of information security management.

As information security risks and the effectiveness of controls change depending on shifting
circumstances, organizations need to:

a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.

To interrelate and coordinate such information security activities, each organization needs to establish
its policy and objectives for information security and achieve those objectives effectively by using a
management system.

An ISMS consists of the policies, procedures, guidelines, and associated resources and activities,
collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a
systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and
improving an organization’s information security to achieve business objectives. It is based on a risk
assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks.

Analysing requirements for the protection of information assets and applying appropriate controls to
ensure the protection of these information assets, as required, contributes to the successful
implementation of an ISMS. The following fundamental principles also contribute to the successful
implementation of an ISMS:
a) awareness of the need for information security;
b) assignment of responsibility for information security;
c) incorporating management commitment and the interests of stakeholders;
d) enhancing societal values;
e) risk assessments determining appropriate controls to reach acceptable levels of risk;
f) security incorporated as an essential element of information networks and systems;
g) active prevention and detection of information security incidents;
h) ensuring a comprehensive approach to information security management;
i) continual reassessment of information security and making of modifications as appropriate.

Information is an asset that, like other important business assets, is essential to an organization’s
business and, consequently, needs to be suitably protected. Information can be stored in many forms,
including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on
paper), as well as unrepresented information in the form of knowledge of the employees. Information
can be transmitted by various means including: courier, electronic or verbal communication. Whatever
form information takes, or the means by which it is transmitted, it always needs appropriate protection.
In many organizations, information is dependent on information and communications technology. This
technology is often an essential element in the organization and assists in facilitating the creation,
processing, storing, transmitting, protection and destruction of information.

Information security ensures the confidentiality, availability and integrity of information. Information
security involves the application and management of appropriate controls, taking into consideration a
wide range of threats, with the aim of ensuring sustained business success and continuity and
minimizing the consequences of information security incidents.

Information security is achieved through the implementation of an applicable set of controls, selected
through the chosen risk management process and managed using an ISMS, including policies, processes,
procedures, organizational structures, software and hardware to protect the identified information
assets. These controls need to be specified, implemented, monitored, reviewed and improved where
necessary, to ensure that the specific information security and business objectives of the organization
are met. Relevant information security controls are expected to be seamlessly integrated with an
organization’s business processes.

A management system uses a framework of resources to achieve an organization’s objectives. For
information security, a management system allows an organization to:
a) satisfy the information security requirements of customers and other stakeholders;
b) improve an organization’s plans and activities;
c) meet the organization’s information security objectives;
d) comply with regulations, legislation and industry mandates; and
e) manage information assets in an organized way that facilitates continual improvement and
adjustment to current organizational goals.

Benefits of the ISMS family of standards


The benefits of implementing an ISMS primarily result from a reduction in information security risks (i.e.
reducing the probability of and/or impact caused by information security incidents). Specifically,
benefits realized for an organization to achieve sustainable success from the adoption of the ISMS family
of standards include the following:
a) a structured framework supporting the process of specifying, implementing, operating and
maintaining a comprehensive, cost-effective, value creating, integrated and aligned ISMS that
meets the organization’s needs across different operations and sites;
b) assistance for management in consistently managing and operating in a responsible manner
their approach towards information security management, within the context of corporate risk
management and governance, including educating and training business and system owners on
the holistic management of information security;
c) promotion of globally accepted, good information security practices in a non-prescriptive
manner, giving organizations the latitude to adopt and improve relevant controls that suit their
specific circumstances and to maintain them in the face of internal and external changes;
d) provision of a common language and conceptual basis for information security, making it easier
to place confidence in business partners with a compliant ISMS, especially if they require
certification against ISO/IEC 27001 by an accredited certification body;
e) increase in stakeholder trust in the organization;
f) satisfying societal needs and expectations;
g) more effective economic management of information security investments.

ISMS family of standards

Some of the standards in the family:
ISO/IEC 27000 Information security management systems — Overview and vocabulary
ISO/IEC 27001 Information security management systems — Requirements
ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 27003 Information security management system implementation guidance
ISO/IEC 27004 Information security management — Measurement
ISO/IEC 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC TR 27015 Information security management guidelines for financial services
ISO/IEC TR 27019 Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy industry

Structure of ISO/IEC 27001:2013 Standard


ISO/IEC 27001:2013 has the following sections:

0 Introduction - the standard describes a process for systematically managing information risks.
1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references - only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the
remaining ISO27k standards are optional.
3 Terms and definitions - see ISO/IEC 27000.
4 Context of the organization - understanding the organizational context, the needs and expectations of
‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The
organization shall establish, implement, maintain and continually improve” the ISMS.

5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate
policy, and assign information security roles, responsibilities and authorities.
6 Planning - outlines the process to identify, analyze and plan to treat information risks, and clarify the
objectives of information security.
7 Support - adequate, competent resources must be assigned, awareness raised, documentation
prepared and controlled.
8 Operation - a bit more detail about assessing and treating information risks, managing changes, and
documenting things (partly so that they can be audited by the certification auditors).
9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information
security controls, processes and management system, systematically improving things where necessary.
10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective
actions), make continual refinements to the ISMS.

Annex A Reference control objectives and controls - The annex is ‘normative’, implying that certified
organizations are expected to use it, but the main body says they are free to deviate from or
supplement it in order to address their particular information risks. Annex A has 114 controls across 35
control objectives among 14 clauses (A.5 to A.18).

A quick overview of the purpose of the 14 sections from Annex A:


• A.5 Information security policies – controls on how the policies are written and reviewed
• A.6 Organization of information security – controls on how the responsibilities are assigned; also
includes the controls for mobile devices and teleworking
• A.7 Human resources security – controls prior to employment, during, and after the employment
• A.8 Asset management – controls related to inventory of assets and acceptable use, also for
information classification and media handling
• A.9 Access control – controls for the Access Control Policy, user access management, system and
application access control, and user responsibilities
• A.10 Cryptography – controls related to encryption and key management
• A.11 Physical and environmental security – controls defining secure areas, entry controls, protection
against threats, equipment security, secure disposal, Clear Desk and Clear Screen Policy, etc.
• A.12 Operational security – lots of controls related to management of IT production: change
management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities,
etc.
• A.13 Communications security – controls related to network security, segregation, network services,
transfer of information, messaging, etc.
• A.14 System acquisition, development and maintenance – controls defining security requirements
and security in development and support processes
• A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the
suppliers
• A.16 Information security incident management – controls for reporting events and weaknesses,
defining responsibilities, response procedures, and collection of evidence
• A.17 Information security aspects of business continuity management – controls requiring the
planning of business continuity, procedures, verification and reviewing, and IT redundancy

• A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual
property protection, personal data protection, and reviews of information security

PDCA – Plan, Do, Check, Act
The Plan-Do-Check-Act (PDCA) cycle is the operating principle of all ISO management system standards,
including ISO/IEC 27001. By following this cycle, you can effectively manage and continually improve
your organization’s effectiveness. Whether you are the managing director setting the direction of the
business, or an individual focusing on a specific task, the PDCA cycle is very useful in achieving
improvement.

It is based on the management concepts of Plan, Do, Check and Act, and promotes policy, organising,
planning, measuring performance, and auditing and reviewing performance as the key elements
contributing to a successful management system.

The four phases in the Plan-Do-Check-Act cycle involve:

Plan (defining your policy, objectives and targets)

Determining risks and opportunities:


Risk-based thinking is essential for achieving an effective information security management system. The
concept of risk-based thinking has been implicit in previous editions of this International Standard
including, for example, carrying out preventive action to eliminate potential nonconformities, analysing
any nonconformities that do occur, and taking action to prevent recurrence that is appropriate for the
effects of the nonconformity.
To conform to the requirements of this International Standard, an organization needs to plan and
implement actions to address risks and opportunities. Addressing both risks and opportunities
establishes a basis for increasing the effectiveness of the information security management system,
achieving improved results and preventing negative effects.
Opportunities can arise as a result of a situation favourable to achieving an intended result, for example,
a set of circumstances that allow the organization to attract customers, develop new products and
services, reduce waste or improve productivity. Actions to address opportunities can also include
consideration of associated risks. Risk is the effect of uncertainty and any such uncertainty can have
positive or negative effects. A positive deviation arising from a risk can provide an opportunity, but not
all positive effects of risk result in opportunities.

The information security risks and opportunities are assessed against the risk acceptance criteria, and
those found unacceptable are planned for treatment. Appropriate information security risk treatment
options are selected, taking account of the risk assessment results; all controls necessary to implement
the chosen risk treatment option(s) are determined; and the controls determined are compared with
those in Annex A to verify that no necessary controls have been omitted.
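The Annex A comparison described in the paragraph above, and the SoA verification in enabling objective 2.3.3 i) and j), as an added Python example (not part of the IRCLASS course material). The Annex A layout (controls per control objective) is taken from ISO/IEC 27001:2013 Annex A and reproduces the page's 14 clauses, 35 objectives and 114 controls; the SoA rows are constructed sample data with deliberate defects so the checks have something to find.

```python
"""Audit helper: check a Statement of Applicability (SoA) against ISO/IEC 27001:2013 Annex A.

Added example, not from the course material. The SoA rows below are constructed.
"""
from dataclasses import dataclass

# Number of controls in each control objective, keyed by Annex A clause (A.5 .. A.18).
# Example: A.12 has seven objectives A.12.1 .. A.12.7 with 4, 1, 1, 4, 1, 2 and 1 controls.
ANNEX_A_CONTROLS_PER_OBJECTIVE = {
    5: [2], 6: [5, 2], 7: [2, 3, 1], 8: [4, 3, 3], 9: [2, 6, 1, 5], 10: [2],
    11: [6, 9], 12: [4, 1, 1, 4, 1, 2, 1], 13: [3, 4], 14: [3, 9, 1],
    15: [3, 2], 16: [7], 17: [3, 1], 18: [5, 3],
}


def annex_a_control_ids() -> list[str]:
    """Enumerate every Annex A control identifier, e.g. 'A.9.2.3' (114 in total)."""
    ids = []
    for clause, objectives in ANNEX_A_CONTROLS_PER_OBJECTIVE.items():
        for obj_no, n_controls in enumerate(objectives, start=1):
            for ctl_no in range(1, n_controls + 1):
                ids.append(f"A.{clause}.{obj_no}.{ctl_no}")
    return ids


def control_sort_key(control_id: str) -> tuple[int, ...]:
    """Sort 'A.5.1.1' before 'A.10.1.1' (plain string sort would not)."""
    return tuple(int(part) for part in control_id.split(".")[1:])


@dataclass
class SoaEntry:
    control: str        # Annex A identifier as written in the SoA
    applicable: bool    # included (True) or excluded (False)
    justification: str  # reason for inclusion or exclusion; must not be empty
    implemented: bool   # implementation status recorded in the SoA


def audit_soa(entries: list[SoaEntry]) -> dict[str, list[str]]:
    """Return audit findings keyed by finding type.

    Checks follow 2.3.3 i) and j): no necessary control omitted from the SoA, every inclusion
    and exclusion justified, included-but-unimplemented controls flagged for follow-up against
    the risk treatment plan, and identifiers that are not Annex A controls reported.
    """
    expected = set(annex_a_control_ids())
    seen: dict[str, SoaEntry] = {}
    findings: dict[str, list[str]] = {
        "missing": [], "unknown_id": [], "duplicate": [],
        "no_justification": [], "included_not_implemented": [],
    }
    for entry in entries:
        if entry.control not in expected:
            findings["unknown_id"].append(entry.control)
            continue
        if entry.control in seen:
            findings["duplicate"].append(entry.control)
            continue
        seen[entry.control] = entry
        if not entry.justification.strip():
            findings["no_justification"].append(entry.control)
        if entry.applicable and not entry.implemented:
            findings["included_not_implemented"].append(entry.control)
    findings["missing"] = sorted(expected - set(seen), key=control_sort_key)
    return findings


def constructed_sample_soa() -> list[SoaEntry]:
    """Constructed SoA: all controls included and implemented, with five deliberate defects."""
    by_id = {cid: SoaEntry(cid, True, "Selected by risk treatment plan (constructed)", True)
             for cid in annex_a_control_ids()}
    del by_id["A.12.4.1"]          # event logging: omitted from the SoA entirely
    del by_id["A.18.1.4"]          # privacy/PII: omitted from the SoA entirely
    by_id["A.6.2.1"] = SoaEntry("A.6.2.1", False, "", False)   # excluded, no justification
    by_id["A.9.4.5"] = SoaEntry("A.9.4.5", True,               # included, not yet implemented
                                "Source code access restriction planned (constructed)", False)
    entries = list(by_id.values())
    entries.append(SoaEntry("A.14.2.10", True, "Typo: A.14.2 has nine controls", True))
    entries.append(SoaEntry("A.5.1.1", True, "Duplicate row (constructed)", True))
    return entries


if __name__ == "__main__":
    for kind, controls in audit_soa(constructed_sample_soa()).items():
        print(f"{kind:26s} {len(controls):3d}  {', '.join(controls)}")
```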

Objectives and programme


The way to achieve your InfoSec policy is through defined objectives. When setting these make sure
they are specific, measurable, agreed, realistic and time bound. Responsibility and authority for
achieving these objectives need to be evident as well as a plan to review them at regular intervals.

It is necessary to ensure that, throughout the organization, measurable InfoSec objectives are
established to enable the InfoSec policy to be achieved.

Do (implementing information security management system)

Resources and responsibility


Top management should appoint an information security management representative who will ensure the
availability of resources for the project. This person will assume responsibility for reporting performance
and compliance of the management system against the requirements of ISO27K.

Competence, training and awareness


Ensure that employees are competent to deliver the results expected of the management system. Make
sure they understand their roles and responsibilities and the importance of conforming to the ISMS
policy and procedures – consider training to plug any knowledge and awareness gaps.

Documentation and control


Consult the ISO27K standard to understand the essential documentation and records which you must
hold, how you should control and update them. You must make sure you have a framework and
procedures for managing deviation from your policy and for the review of objectives and targets. Ensure
that your suppliers and contractors adhere to these too.

Operational control
You will need to regularly check that your operational control measures are being properly managed. This
includes the development of appropriate procedures and the maintenance of records.

Check & Act (measurement, review and improvement)

Monitoring and Measuring Performance


A process for monitoring and measuring is required. This will give you the confidence that you are in
control of your ISMS risks and should provide a mechanism to determine your progress towards
achieving your objectives.

Non-conformity, corrective action
In order to eliminate the actual or potential cause you will also be required to put in place a procedure
to address non-conformities and for taking corrective actions.

Internal audits
These are required at regular intervals to assess your system’s suitability and ongoing effectiveness.
Audits provide evidence that your ISMS is working and that you are in control. Make sure that your
audits are impartial and objective.

Management review
Your top management will need to meet periodically to ensure that the management system is still
suitable and effective. Use these meetings to review your organization’s policy and performance against
its objectives. The review should also consider the changing business environment, known in the
standard as the context of the organization.
