
Schedule for Day 3

Section 11: Stage 2 Audit (Part 2)
Section 12: Communication during the audit
Section 13: Audit procedures
Section 14: Creating audit test plans
Section 15: Drafting audit findings and non-conformity reports

© 2005 PECB
Version 8.2.2
René St-Germain / Eric Lachapelle (Editors)
Document number: ISMSLAD3V8.2.2

Documents provided to participants are strictly reserved for training purposes and are copyrighted by
PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written
permission, reproduced or used in any way or format or by any means whether it be electronic or
mechanical including photocopy and microfilm.

© PECB official training – Reproduction prohibited without authorization 1


Determine how you will verify each of the following controls. You must provide examples that you would
look for to obtain reasonable assurance that this control has in fact been implemented. State at least
two pieces of evidence for each control.

1. Improvement (10);
2. Preparing the statement of applicability (6.1.3d.);
3. Procedure for distribution, access, retrieval and use of documented information (7.5.3c.);
4. Determine legal and regulatory requirements and contractual obligations of interested parties (4.2);
5. Internal audit (9.2).

Duration of activity: 20 minutes


Comments: 10 minutes





Section 11: Stage 2 Audit (Part 2)





Section 11: Stage 2 Audit (Part 2)

An opening meeting should be held with the auditee’s management and, where appropriate, those responsible for
the functions or processes to be audited. During the meeting, an opportunity to ask questions should be provided.
The degree of detail should be consistent with the familiarity of the auditee with the audit process. In many
instances, e.g. internal audits in a small organization, the opening meeting may simply consist of communicating
that an audit is being conducted and explaining the nature of the audit.

For other audit situations, the meeting may be formal and records of attendance should be kept. The meeting
should be chaired by the audit team leader, and the following items should be considered, as appropriate:
− introduction of the participants, including observers and guides, and an outline of their roles;
− confirmation of the audit objectives, scope and criteria;
− confirmation of the audit plan and other relevant arrangements with the auditee, such as the date and time for
the closing meeting, any interim meetings between the audit team and the auditee’s management, and any late
changes;
− presentation of the methods to be used to conduct the audit, including advising the auditee that the audit
evidence will be based on a sample of the information available;
− introduction of the methods to manage risks to the organization which may result from the presence of the audit
team members;
− confirmation of formal communication channels between the audit team and the auditee;
− confirmation of the language to be used during the audit;
− confirmation that, during the audit, the auditee will be kept informed of audit progress;
− confirmation that the resources and facilities needed by the audit team are available;
− confirmation of matters relating to confidentiality and information security;
− confirmation of relevant health and safety, emergency and security procedures for the audit team;
− information on the method of reporting audit findings including grading, if any;
− information about conditions under which the audit may be terminated;
− information about the closing meeting;
− information about how to deal with possible findings during the audit;
− information about any system for feedback from the auditee on the findings or conclusions of the audit, including
complaints or appeals.



Section 11: Stage 2 Audit (Part 2)

The audit information collection process follows procedures similar to those of scientific experiments.
The auditor tries to obtain, in the most objective way, factual information and will also evaluate it
objectively. The auditor relies on samples of available information, in as much as the audit is
performed in a limited period of time with limited resources.

The auditor has the right to insist on having access to all sources of information available in
the audited organization to be able to adequately evaluate the declared controls.

Here are some examples of information sources:

• Records: Access logs to the server room recorded by the magnetic card access system, visitors
log.
• Documents: Security policy, software installation procedure, employee manual, reports from other
sources (for example, customer feedback, external surveys and measurements).
• Interviews: Interview of a network administrator, group interview with the help desk personnel.
• Databases and website: The organization’s employee databases, and Intranet.
• Indicators: Dashboards concerning indicators on security incidents.
• System configurations: Firewall configurations demonstrating that access to prohibited web sites
is blocked.
• Observation: Observation that the server room is indeed locked by a magnetic card access
mechanism.

ISO 27007, clause 6.4.6.1: Collecting and verifying information

Gathering information and evidence that ISMS processes and controls are implemented and effective
is an important part of ISMS auditing. Possible methods to collect relevant information during the audit
include:
a) review of information assets and the ISMS processes and controls implemented for them; and
b) use of automated audit tools.
ISMS auditors should ensure appropriate handling of all information received from auditees according
to the agreement between the auditee and the audit team.



Section 11: Stage 2 Audit (Part 2)

This step is the heart of the audit both in terms of importance and duration. Most of the work of an
auditor is to collect information, conduct audit tests, and corroborate and evaluate the audit evidence.
Although the activities associated with this step are presented sequentially, in reality, it is an iterative
process. After an initial gathering of information, the auditor will switch back and forth between the
audit tests, further collection of information, and the corroboration and evaluation of evidence.



Section 11: Stage 2 Audit (Part 2)

The auditor must evaluate the audit evidence against the audit criteria to issue audit findings. Audit
findings can indicate either a conformity or a non-conformity to audit criteria. When the audit is
performed by several auditors, the audit team members meet to proceed to a review of the audit
findings.

The auditor must identify the conformity points by comparing them against the audit criteria as well as
the locations, functions or processes that were audited. The auditor must document the non-conformities
and associated evidence. Non-conformities can be classified.

Everything must be done to resolve any differences of opinion relating to evidence and/or audit findings
within the audit team. It is recommended to record the unresolved items.





Section 11: Stage 2 Audit (Part 2)

Section summary:
1. The Stage 2 audit contains the following steps:
a) Opening meeting;
b) Collecting information;
c) Performing audit tests with appropriate procedures;
d) Drafting of audit findings and non-conformity reports;
e) Quality review of the audit findings.
2. The process of collecting information during an audit follows procedures similar to those of
scientific experiments. The auditor seeks to obtain, in the most objective way, factual information
and evaluates these objectively.
3. Most of the work of an auditor is in fact to collect information, perform audit tests and to corroborate
audit evidence and do the evaluation.
4. The auditor must evaluate the audit evidence against the audit criteria to formulate the audit
findings. Audit findings can indicate either conformity or non-conformity with the audit criteria.
5. The quality review ensures compliance with audit procedures and consistency of the conclusion of
the audit.



Section 12: Communication during the audit



Section 12: Communication during the audit

Conducting oneself in a professional manner: An auditor conducts himself as a professional by
following the audit plan, by being punctual, by following the principles of the profession and laws, by
observing internal policies of the audited organization, etc.

Looking professional: An auditor can give the wrong impression if he is dressed too casually. A useful
hint would be to dress as the organization’s management dress. Auditors could also be “overdressed”
and thus be seen as intimidating by the audited personnel. Observation during the preliminary visit and
common sense are useful tools to determine the most appropriate dress code.

Setting an example: An auditor should set an example in information security matters by not leaving his
audit notes unattended, by securing his computer, by closing his work session when he leaves his
workstation, by not using pirated software, by using a secure USB flash drive, etc.

Being polite and courteous: An auditor must demonstrate his sense for public responsibility during the
audit by being courteous and polite. An auditor should thank each person that he interviews for their
contribution and their participation. This also implies respecting the organization’s culture and avoiding
getting involved in organization’s internal conflicts.



Section 12: Communication during the audit

The audit team leader should inform the auditee of all possible non-conformities identified by
the audit team, thus enabling the auditee to comment on the evidence collected and/or provide
additional information. The auditor should communicate the information to the person who has been
designated as the representative by management.

Based on the scope and complexity of the audit, it could be necessary to define formal channels of
communication during the audit within the audit team and with the auditee. To ensure regular
communication, the auditor must discuss the frequency of communication with management during the
opening meeting. Usually, the auditor must allow for a period at the end of the day to discuss the
observations of the day and the progress of the audit with the representative of the auditee.

In some cases, the auditor could need to communicate information as soon as it is collected. For
example, it is recommended to inform the auditee immediately of any situation observed during the audit
which could represent a potential short term risk.

Any problem related to an out of scope question is routinely noted and communicated to the
representative of the auditee. However, the auditor must not consider it when drafting the audit report.
For example, the auditor observes, that in a department outside the scope of the audit, work sessions
are left unlocked during lunch breaks when employees are absent. He should inform the auditee of the
situation observed, but only take it into account if he observes the same situation in a department
included in the scope of the ongoing audit.

ISO 19011, clause 6.4.4: Communicating during the audit


During the audit, it may be necessary to make formal arrangements for communication within the audit
team, as well as with the auditee, the audit client and potentially with external bodies (e.g. regulators),
especially where legal requirements require the mandatory reporting of non-compliances.



Section 12: Communication during the audit

The auditor should also pay attention to non-verbal communication, that is to messages sent through
body language, and other non-verbal signs.

Non-verbal communication includes:
• Tone of voice;
• Dress;
• Facial and eye expressions;
• Body language;
• Distance between sender and receiver;
• …

The auditor should also pay special attention to the cultural differences. Non-verbal communication can
easily be misunderstood or not understood if there are cultural differences.



Section 12: Communication during the audit

Documenting verbal communications can include the discussions between the auditor and the persons
delegated by the auditee. In certain circumstances, based on the nature, the sensitivity and the importance
of the subject, the auditor can consider sending written confirmation of these items to the organization’s
management.

A written confirmation is usually a more reliable audit evidence than the verbal account and can
be:
• A letter of confirmation or an email from management.
• A letter from the auditor, stating the auditor’s understanding of management’s explanation, duly
approved and confirmed by management.
• Minutes from a meeting of the board of directors, or other similar body.



Section 12: Communication during the audit

Communication on the progress of the audit is often an informal communication.
The audit team should meet every morning and every evening during the audit. These meetings are
important to ensure compliance with the audit plan and to discuss the problems encountered.

Tips for the audit team leader to conduct an effective meeting:


1. Set specific hours and start meetings on time even if it's an informal meeting.
2. At the beginning of the meeting, make an update on the progress of the audit by asking each
auditor in turn, to present his work and problems.
3. Make a list of priorities to be discussed.
4. Plan a duration for each point to be addressed and a margin of additional time to manage the
unexpected.
5. Stimulate a large exchange of information between members of the audit team, avoid that
discussions are monopolized by a few and seek the participation of those who speak the least.
6. Promote the development of a climate of listening and openness to each other.
7. Use the objections and conflicts in a positive way as a source of progress: have the problems
targeted, not the people.
8. In case of an important disagreement on the audit findings, downplay the situation by explaining the
involved principles and requirements, in order to identify points of divergence and convergence.
9. Be sensitive to deviations that are "irrelevant" and aside, and try to recover or to get them involved
again by "soft" refocusing if necessary.
10. Keep an eye on the time and sometimes remember the time already spent and the remaining time.
These meetings should be kept brief.
11. Do not end the session without a final synthesis, for example, a reminder of what was said or
decided, or an update on the final progress, compared with the objectives of the audit.
12. The same way you started the meeting on time, finish it on time.



Section 12: Communication during the audit

A guide and observers can accompany the audit team, but they should not interfere with the conduct of
the audit. For example, the observers can be auditors in training or a member of the certification
organization conducting a quality control of the audit. The auditee has the right to refuse the access
to observers and the audit team must always request authorization before inviting observers.

The guide must be appointed by the auditee. His role is to assist the audit team and maintain continual
communication between the person responsible for the audit team and the personnel of the audited
organization. However, the auditor can insist that the guide and/or observers not attend the interviews if
he judges that it could influence the representatives answers.

A good guide must know the organization, internal procedures and the personnel without being
in a position to exercise authority over the representatives. An example of a good guide would be
an executive secretary because she has a global view of the organization, but does not have authority
over the auditees. In addition, being close to management, she can rapidly report/escalate problems to
the right people.

ISO 19011
Clause 3.11 - Observer: Person who accompanies the audit team but does not audit
Clause 3.12 - Guide: Person appointed by the auditee to assist the audit team.



Section 12: Communication during the audit

The guide’s responsibilities can include the following:

1. Coordinate and facilitate audit activities: Planning interview meetings, greeting the
auditors, introducing them to the different representatives, guiding them towards the right
resources, ensuring good cooperation from the personnel, following up on documentation
and information requests, etc.

2. Take care of logistics: Booking workrooms for the auditor, making sure that the internet
and phone connections are working, ordering meals/refreshments, requesting access
cards (and parking permits, if needed), informing security/HR of their arrival, acting
according to organization procedures, etc.

3. Ensure Health and Safety policies are observed: If applicable, the guide must inform
the audit team of the organization’s internal regulations, especially the ones concerning
health and safety at work. For example, in an area with a high risk of hurricanes, the audit
team must be aware of emergency measures and evacuation procedures. On a
construction site, wearing a hard hat is mandatory.

4. Witness the audit on behalf of the auditee: The guide can take audit notes to present
internal summaries and provide, if needed, clarifications on points raised by the audit
team.



Section 12: Communication during the audit

Conflicts can come from several causes, such as a misunderstanding in communications,
pressure that is too high, unfair treatment, differences in personality, etc. The auditor must take
action to limit potential sources of conflicts. If, despite these efforts, a conflict arises, the audit
team leader has the responsibility to find a way to solve it.

Internal conflict: It is possible that a conflict arises or a pre-existing conflict situation exists
between various people or units in the audited organization. An auditor must never take part (take
sides) in an audited organization’s internal conflict.

Lack of cooperation/antagonism: The audited personnel could be hostile towards the auditors.
In general, this is due to a communication problem. Normally, corporate management should
correctly inform the personnel in charge of the audited processes. If the audited personnel is
uncooperative, a situation report must be drafted and sent to corporate management to try and
solve the problems.

Inefficient interview: The interviewee can talk too much or not enough resulting in an inefficient
interview. The auditor will always have to be in control of his interview. The auditor must be well
prepared for the interview.

Wasted time: Auditors can waste time, and this in many different ways. Here are a few
examples: introduction of a department, three-hour meal breaks, guides who are late every
morning, request for documents archived in a different location of the organization, lack of
personnel availability, etc. The auditor must respect the schedule as planned in the audit plan.



Section 12: Communication during the audit

Internal conflict in the audit team

Sometimes during the audit, auditors will be faced with a conflict situation involving members of
the audit team. Team conflicts can be due to:
• A difference in opinion concerning a statement during the audit, the drafting of a non-
conformity, etc.
• Differences in work methods related to the gathering of information.
• A personal conflict between two auditors.
• An auditor’s work attitudes: being late for appointments, lack of courtesy, etc.

The intervention of a third party is often the best way to solve a conflict and is generally the role of
the audit team leader.

Conflict resolution techniques


The typical conflict resolution techniques are:
• Resolution of problems: The two parties confront each other and cooperate in finding a win-
win agreement.
• Compromise: Following a negotiation, each party makes concessions and parties arrive at
an agreement.
• Toning down or accommodation: Points of agreement are emphasized and points of
disagreement are put into perspective (but the conflict is not completely resolved).
• Force or domination: The audit team leader uses his authority to solve the conflict.
• Avoidance or withdrawal: The audit team leader assigns the auditors in conflict to different
tasks so they will not have to work together, but this does not solve the conflict (Only for
personal conflicts. This is not an option if the conflict is related to the audit.)



Section 12: Communication during the audit

During the course of their career, auditors will be faced with auditing organizations with very different
corporate cultures and presenting social, economic, political or religious culture differences.
It is important to keep in mind that it is the auditor’s responsibility to adapt to the linguistic abilities of the
auditee and that a lack of linguistic capability from the auditee should not compromise the carrying out
of the audit. Also, there can be different cultures and languages used within the organization, in
particular in multinational corporations.

Source: tc176-ISO9001 Auditing Practices Group



Section 12: Communication during the audit

All corporations are different and there is no standardized corporate culture. The internal
culture can be independent from the external culture where the company exists. Here are a
few important points to consider:

1. Level of formality / dress code: An auditor can send the wrong message if he is
dressed in an inappropriate way based on the local culture. For example, in some
cultures, persons could be ill at ease seeing a female auditor wearing a skirt or a low-cut
neckline blouse. Observation during the preliminary visit and common sense are useful
tools to determine the most suitable dress code.

2. Hierarchical organization: Certain cultures are very informal, others are very formal in
their type of management, and in particular, in their hierarchical interactions and
communications. Auditors need to be aware of these cultural protocols concerning
corporate hierarchy.

3. Approach to issue audit conclusions: It is important that all identified non-conformities
during the audit be correctly documented and submitted to the organization (see section
on “Documenting a non-conformity”). Some organizational cultures are extremely
sensitive and defensive concerning non-conformity reports and, in some situations,
management can seek assigning blame to the person responsible. This can create
additional tension during the audit, but this should not, however, discourage auditors from
reporting such non-conformities.



Section 12: Communication during the audit

During the audits, an auditor needs to communicate with the management. To properly prepare for an
interview or a meeting, one should figure out what management style is practiced in the organization.
Without changing the audit techniques, an auditor will adjust to the management style and culture of the
organization in his communications.

According to psychologist Kurt Lewin, there are three main leadership categories: autocratic,
paternalistic and democratic.
1. Autocratic managers like to make all the important decisions, closely supervise and control their
employees. They do not trust their employees and mostly give them orders to execute.
2. Paternalistic managers are much more attentive to the needs and opinions of their employees.
They try to find out how employees feel, acting in a paternalistic way. They consult employees
beyond the questions and listen to their opinions. However, they make the final decisions
because they believe that it is their responsibility.
3. Democratic managers have confidence in their employees and encourage them to make
decisions. The decision making authority is delegated to employees and the manager listens to
their recommendations.

Charles Manz and Henry Sims consider that there are four types of leadership:
1. The strongman is based on authority and coercion to get his subordinates to execute the tasks.
2. The negotiator uses rewards and sanctions to motivate employees. This approach assumes that
employees evaluate the relationship between the reward and performance in a rational manner.
3. The hero-visionary uses inspiration and vision to motivate employees.
4. The super-leader encourages subordinates to become leaders by encouraging the individuals to
establish their own goals, evaluate their own behavior and develop their own intrinsic reward.



Section 12: Communication during the audit

By talking to the management, the auditor shall first validate the commitment of the management in the
establishment, implementation, maintenance, monitoring, updating and improvement of the
management system.

A few pointers on conducting the interview with management:

• Keep a professional distance: The auditor shall use a formal communication mode (courtesy
formulas, etc.), avoid informal gestures such as taking hold of a person by the shoulders or inviting
him out etc.

• Use a language intended for management: the auditor shall avoid using technical jargon or
acronyms. He should use non-technical explanations, a level understood by management, and
should question management on strategic rather than on specific technological aspects.

• Be prepared for the meeting: The interview with management usually lasts 15 to 30 minutes,
consequently, the auditor shall always arrive prepared with an agenda. Given the time constraint,
small talk has to be reduced to a necessary minimum (small talk is always useful at the beginning of
the meeting to relieve the tension, but must not be needlessly drawn out). It is to be noted that
management may request that an expert, such as the compliancy manager, attends the meeting to
clarify certain points.

The first impression conveyed to management is very important, as the audit team’s credibility is at risk.





Section 12: Communication during the audit

Your group will interview the General Manager of the enterprise. Given that he is a very busy man, your team will only have 10 to 15 minutes for the interview. It will be necessary to use the available time properly.

Duration of the exercise: 30 minutes


Comments: 15 minutes

Section summary:
1. An auditor acts in a professional manner by respecting the audit plan, being punctual, following professional and legal principles, complying with the internal policies of the audited organization, etc.
2. The auditor should inform the auditee of all potential non-conformities identified by the audit team to enable him to comment on the evidence collected and/or provide additional information.
3. When drafting the audit report, the auditor must not report on any issue that falls outside the audit scope.
4. When audit results are communicated verbally, the discussions must also be recorded in writing in the working documents, together with the answers given.
5. The audit team should meet every morning and every evening during the audit to ensure the audit plan is respected and to discuss problems encountered.
6. A guide and observers can accompany the audit team without being part of it. The guide's role is to assist the audit team and to maintain continuous communication between the audit team leader and the personnel of the audited organization.
7. The audit team leader shall act to limit potential sources of conflict. If, in spite of these measures, a conflict arises, it is the audit team leader's responsibility to find a way to resolve it.
8. Cultural aspects need to be considered during all stages of the audit.
9. During the interview with management, an auditor must, using appropriate business language, validate the commitment of management to information security management.

Section 13: Audit procedures

To ensure a control is in place, the auditor must collect evidence from different sources of information and evaluate it objectively. The collection of evidence can be done using different audit procedures (methods), and the use of sampling is sometimes required.

After evaluating the audit evidence against the audit criteria, the auditor drafts the audit findings. Finally,
following the analysis of all the audit findings and the quality review, the audit team issues the audit
conclusion.

ISO 19011
3.3 Audit evidence: Records, statements of fact or other information, which are relevant to the audit
criteria and verifiable
Note: Audit evidence may be qualitative or quantitative.

3.4 Audit findings: Results of the evaluation of the collected audit evidence against audit criteria

3.5 Audit conclusion: Outcome of an audit, provided by the audit team after consideration of the audit
objectives and all audit findings


Examples of audit evidence collection steps

Let's take two examples to illustrate the steps from the collection of audit evidence to the issuing of the audit conclusion:
• Manual control (example A): Assigning access rights to the organization's financial application must be approved beforehand by the system owner (internal audit criterion set by the auditee).
• Automated control (example B): Backups must be performed automatically and daily (internal audit criterion set by the auditee).

1. Information sources: Information sources are the raw information available to the auditor. This information has not yet been selected or analyzed. In the case of sampling, the sources of information represent the population.
• Example A: The signed authorization forms.
• Example B: The configurations of the backup systems.

2. Audit evidence: When the auditor selects and obtains information, it becomes audit evidence. When sampling, the auditor must follow a systematic or random approach to select the sample. This audit evidence has not yet been analyzed by the auditor.
• Example A: A sample of signed authorization forms.
• Example B: Observation and screenshots of the backup configurations.

3. Audit findings: The auditor evaluates the audit evidence against the audit criteria and records whether it conforms.
• Example A: Three access forms out of the sample of 25 were not signed by the owner of the application → Partial conformity with the criterion → Minor non-conformity.
• Example B: The configurations show that backups are performed automatically and daily → Conforms to the criterion → Conformity.

4. Audit conclusion: The auditor analyzes all the audit findings and another auditor performs a quality review. Finally, the auditor issues the audit conclusion.
• Example A: Following the reviewer's comments, the auditor upgrades his finding to a major non-conformity because the non-conforming forms relate to requests for access rights to critical systems. Subsequently, the auditor issues his audit conclusion: recommendation unfavourable to certification.
• Example B: The reviewer shares the auditor's opinion and deems that the control conforms. Subsequently, the auditor issues his audit conclusion: recommendation favourable to certification.


The auditors use audit procedures to collect evidence in sufficient quantity and quality to validate the conformity of the management system of an organization. The use of audit procedures in a systematic way reduces the audit risk and reinforces the objectivity of the auditor. The auditor usually uses a combination of evidence collection procedures to create the audit test plan (see Section 14: Creating audit test plans).

Several audit procedures exist which the auditor can use to collect evidence in a systematic way. The names of the procedures vary depending on the author. We have grouped the most frequently used audit procedures into seven major categories.

Please note that the categories are not mutually exclusive. In fact, a combination of procedure categories is generally expected in order to reach the most precise conclusion. For example, the auditor can interview the auditee to collect information on how the backups are performed, but can also obtain the written procedure that describes the steps followed or, further still, observe a backup being run with the operator.

It is to be noted that ISO 19011 and ISO 17021-1 do not prescribe specific procedures to be followed to comply with the requirements of the standard.

Each team must establish its own test strategy and test plans based on the controls to be audited and the audit objectives. Professional judgement is important in the establishment of test strategies and in the evaluation of the collected audit evidence.

ISO 27008 presents the review methods in three groups: examine, interview and test. The "test" method corresponds to the PECB category called "technical verification".

Note on terminology:
• (Audit) test and (audit) test procedure are used as synonyms for evidence collection procedure;
• (Audit) test strategy means the evidence collection strategy;
• (Audit) test plan means the evidence collection plan.


The auditor must be conscious that, in spite of his independence, he observes reality with his own subjectivity. To observe is to single out certain elements of reality and to ignore others. Interpretation is inevitable in observation, and the objectivity of an observation used as evidence will depend on the experience and training of the auditor with regard to the subject matter.

To limit his subjectivity, the auditor should use checklists or observation checklists to guide him.

ISO 27008, clause 7.2: Review method: Examine

7.2.1 General
The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more review objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of control existence, functionality, correctness, completeness, and potential for improvement over time.

Review objects typically include:
• specifications (e.g., policies, plans, procedures, system requirements, designs),
• mechanisms (e.g., functionality implemented in hardware, software, firmware), and
• processes (e.g., system operations, administration, management, exercises).


General observation: This type of observation allows the auditor to reach a sufficient level of understanding of the operation of a process or of a group of controls related to the management system. This type of observation mainly validates the existence and the general design of the processes in place. Usually, the auditor will subsequently use another procedure to conduct a more detailed analysis of the activities that these processes cover.
Example: the auditor visits the data center.

Detailed observation: This type of observation allows the auditor to gain a deeper level of understanding and to determine whether the controls implemented operate without noticeable error and operate effectively in a repeated and continuous way. In other words, this type of observation evaluates the operational effectiveness of the controls. Sometimes a process is implemented (it is therefore properly formalized) but is not applied consistently (i.e., with inadequate operational effectiveness).
Example: From a monitoring station dedicated to quality control, the auditor listens to several live calls to the help desk.


• Taking notes during observations: When an auditor observes a process or a control, he must make sure to document all relevant information in an observation checklist. For example, note the serial numbers of the audited computers, the persons observed, the locations where the fire extinguishers are installed, the make as well as several features of the air conditioner, etc.

• Photocopying documents: When an auditor reads a document, and if this is part of the agreement with the auditee, he can document the reading by photocopying part or all of the document. In most cases, the auditor can limit himself to photocopying the table of contents and the executive summary to support his reading notes.

• Taking photos or audio/video recordings: These are particularly practical for documenting controls and processes related to physical security or facility management. However, you must always ask the auditee for permission before taking photos, and this should usually be part of the agreement from the start. The auditee has the right to refuse the taking of images in his organization without this having any adverse effect on the audit conclusions.

Note: See information contained in the Stage 1 Audit section (Day 2).

Non-directive interview: This type of interview proceeds very freely, based on one or several high-level questions. It can be very suitable in exchanges with members of management as long as the participants stay on the subject.

Directive interview: This type of interview is conducted from checklists and constitutes a rigid framework. The auditor should as much as possible avoid this type of interview because, in most situations, the questions will not be adapted to the particular context of the audited organization.

Semi-structured interview: This type of interview focuses the narrative of the persons interviewed around different themes previously defined by the auditor and placed in an interview guide or checklist. The semi-structured interview is one of the most used methods during audit interviews. It allows greater reliability in the information gathered thanks, in particular, to the follow-up and interaction possibilities between the interviewer and the interviewee.


General interview: This type of interview is usually performed with the person responsible for the whole process: human resources, legal aspects, development of applications, etc. This enables the auditor to grasp a sufficient level of understanding of the overall operation of a process or of a group of controls related to the management system. This type of interview mainly validates the existence and the general design of the processes in place. Generally, the auditor will subsequently go on with other interviews to do a more detailed analysis with the persons involved in the operations.

Example: The auditor interviews the Human Resources manager to understand the Human Resources management process.

Detailed interview: This type of interview is done with persons who master the functions and operations related to specific processes and controls. It allows the auditor to obtain more detailed information in order to evaluate and determine whether the controls implemented operate without visible error and effectively, in a repeated and continuous way. In other words, this type of interview evaluates the operational effectiveness of the processes and controls. Sometimes a process is implemented but is not applied systematically (with an inadequate operational effectiveness).

Example: The auditor interviews a Human Resources administrative assistant to understand and validate how employee files are kept (control of records).


Individual interview
Individual interviews are preferred because the auditor can concentrate his efforts on a single person. In general, the auditor obtains more detailed information (contrary to a group interview where each member gives his summarized opinion), and individual interviews prevent a dominant member of the group from influencing the responses of the others (the "herd instinct").

The individual interview makes it easier to:
• Read the body language of the individual interviewed;
• Identify the sensitive elements of the discussion;
• Ensure the confidentiality of discussions with the interviewee;
• Adjust the follow-up questions;
• Obtain detailed information;
• Avoid having dominant members influence others.

Group interview
The use of group interviews must be limited unless the auditor wants to validate the interaction and the dynamics between the various members of the group. When a group interview is absolutely necessary, two auditors should be present and the number of participants must be as small as possible, up to a maximum of 5 individuals.


The persons selected for the interviews must have the proper competencies and duties, and perform activities or tasks related to the management system.

Unless there are particular agreements, interviews should be conducted during regular working hours and at the workplace of the person interviewed.

The auditor must establish the objectives of each audit interview and make an appointment with the person to be interviewed. The auditor should set aside 15 minutes per interview hour to complete the audit notes.

The interviewee must be informed far enough in advance to be available. The appointments are usually made by the guide delegated by the audited organization.

ISO 27008, clause 7.3.1
Typical information security control review auditor actions may include interviewing: management, information asset and mission owners, information security officers, information security managers, personnel officers, human resource managers, facilities managers, training officers, information system operators, network and system administrators, site managers, physical security officers, and users.


During the opening, the auditor should:
• Explain the specific objectives of the interview (and specify that the interview is not an evaluation of the interviewee).
• Inform the interviewee that confidentiality will be respected if the interviewee wishes to remain anonymous.
• Inform the interviewee about the note taking.
• Try to put the interviewee at ease and gain his trust (especially if he exhibits signs of stress).

A good method consists of asking a very open-ended question to initiate the interview, for example by asking individuals to describe their involvement in the management system as well as their roles and responsibilities. This allows the person to introduce himself, to relax and to describe his responsibilities within the management system based on his own understanding.

The auditor shall have an effective listening attitude:
• Focus on the interview: listen carefully.
• Pay attention to non-verbal language: body language and tone of voice.
• Be involved: use body position to encourage the person who is speaking and signal your interest (not only listen, but give feedback to show you understand the interviewee).
• Ensure you have a good understanding of what the interviewed person is saying: for example, reformulate what has been said and ask the interviewee for confirmation.


The interview can be recorded if the auditee agrees to it. However, the most common practice is simply to take notes. Recording the interview can be perceived as intimidating by the person audited, and that could influence the interview. Also, an auditor rarely has the time to play back an interview he has recorded.

The interview notes should contain:
• Function of the interviewee (usually no name, except for members of management: confidentiality) and date.
Example: Discussion with an employee from the information technology department, September 3, 2006.
• Interview objectives
Example: Validating the conformity of the organization's cryptographic controls with applicable agreements, laws and regulations.
• Summary of the evidence collected

The information documented must be written in clear, concise and accurate language. The auditor should only record facts, not judgements, and identify weaknesses. The identified weaknesses are then reported in a list of potential non-conformities, with a reference to the related clause of the standard.

Close-ended questions

Questions that can be answered by yes or no, such as:
1. Has your policy been approved by management?
2. Do you have a procedure to update your antivirus?
3. Do you inform your supervisor when you detect an irregularity?
4. Have all employees received adequate training?

Guided (leading) questions

Questions that presuppose something, such as:
1. Your employees are all aware of information security, aren't they?
2. You do not follow the configuration management procedure, do you?
3. Everyone knows Windows servers are less secure than Linux servers. Why do you use a Windows server?
4. Why are you not concerned about information security?


After an interview, the auditor should also evaluate his own performance:
• Was the preparation effective?
• Have I reached my objectives?
• How could I improve my interviewing technique?


Suggested solutions to correct potential problems encountered during interviews:

• Unlikely statement: If an interviewee makes unusual or unlikely statements, the auditor must first ensure that the respondent has understood the questions asked, or ask the same questions in a different way, and ask for evidence supporting the information provided. Then, the auditor should corroborate the facts with the guide or with other individuals.

• Auditee wants to choose interviewees: If the auditee insists that a particular individual be interviewed or not be interviewed (the interviewees must be selected by the auditor), the auditor must remain courteous but firm, reiterating the audit principles and the terms of the certification agreement.

• Interference of the guide: There are times when the guide answers for the interviewee or influences his response. The auditor must remind the guide of his role as observer and his duty of restraint during interviews. To limit the potential influence of the guide, the auditor must address his questions directly to the interviewee and maintain eye contact, thus paying no attention to the guide's presence. If the guide continues to interfere, the auditor should ask him to leave the interview.

• Unavailability of interviewee: An emergency or other situation can occur that prevents an interviewee from respecting the interview schedule. The auditor must be able to adapt to the situation and readjust his plan so as not to delay the audit. He can also take advantage of the situation to observe the interviewee while he is performing his tasks.

• Irrelevant responses: The interviewee may give irrelevant information during interviews. It is the auditor's responsibility to bring the individual back to the subject of discussion to avoid wasting time or delaying the completion of the audit. This must be done tactfully so as not to offend the individual. For example, politely interrupt the conversation when there is a pause and remind him that the time allotted is limited. Another way is to ask for specific evidence or relevant explanations for a particular process, or to show him the list of elements that the auditor would like to validate.


Your group will interview the personnel from the head office of the enterprise. You need to prepare a series of questions based on the case studies and indicate with whom your team will want to talk. The tutor will play the role of the various persons that you need to audit.

Duration of exercise: 45 minutes


Comments: 15 minutes


The analysis procedure allows the auditors to draw conclusions concerning a whole by examining a part. It allows the auditor to estimate the characteristics of a population by directly observing a part of the whole population. The auditors are not interested in the sample itself, but in what can be learned from its analysis and the way this information can be applied to the whole population.

The confidence that can be placed in the audit conclusions is closely related to the proper use of sampling during audits.


Statistics is the science and practice of producing information from quantitative empirical data. It is the science of the collection, organization and interpretation of numerical facts, called data.

The whole statistical analysis is based on a population made up of several units from which the
auditor can observe characteristics and draw samples.


In statistics, the normal distribution is also called the Gaussian distribution, named after the German mathematician Carl Friedrich Gauss (1777-1855). It is the most widespread statistical distribution and the most useful because it enables the auditor to explain several random phenomena. It represents the distribution of a continuous variable, defined from minus infinity to plus infinity according to its probability density. The distribution enables the auditor to state audit findings on a given population based on the analysis of a sample.

What you must remember is that the normal distribution of a large number of elements extracted randomly is symmetrical around the mean [μ] and spreads out according to the standard deviation [σ]. The standard deviation [σ] of a distribution is defined as the square root of the variance. The variance of a distribution is the mean of the squared deviations of all the values from the mean.

According to the normal distribution, we find:
• 68.27% of the population in the interval [μ - σ, μ + σ];
• 95.45% of the population in the interval [μ - 2σ, μ + 2σ];
• 99.73% of the population in the interval [μ - 3σ, μ + 3σ].

For example, after having statistically compiled all the documented incident tickets in the audited organization's helpdesk database, it is established that the average response time for a call is 3 hours with a standard deviation of 30 minutes. This means the auditor should expect to find, in his sample, approximately:
• 68.27% of requests answered within 2:30 to 3:30 hours (k = 1, i.e. μ ± σ);
• 95.45% of requests answered within 2:00 to 4:00 hours (k = 2, i.e. μ ± 2σ);
• 99.73% of requests answered within 1:30 to 4:30 hours (k = 3, i.e. μ ± 3σ).

These percentages hold only if the population is approximately normally distributed. Response times are often skewed (bounded at zero, with a long tail of slow tickets), so the auditor should check the shape of the distribution before relying on these intervals; a sample that departs markedly from them is a reason to examine the tickets concerned, not a finding in itself.
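As an added example (not part of the PECB course material), the following Python script applies the helpdesk figures above to a constructed sample of 20 ticket response times: it computes the expected share inside μ ± kσ from the error function, compares it with the share actually observed in the sample, and lists the values beyond 3σ that the auditor would follow up. The population mean and standard deviation are the ones on this slide (180 and 30 minutes); the sample values are invented for illustration and are not real data.

```python
import math
from statistics import mean, pstdev

# Population parameters from the helpdesk example on this slide: average
# response time 3 hours (180 minutes), standard deviation 30 minutes.
POP_MEAN_MIN = 180.0
POP_SIGMA_MIN = 30.0

# Constructed sample of 20 ticket response times in minutes (invented data,
# stands in for the tickets the auditor drew from the helpdesk database).
SAMPLE_MIN = [150, 160, 165, 170, 175, 178, 180, 182, 185, 188,
              190, 195, 200, 205, 210, 140, 220, 230, 120, 300]


def interval(mu, sigma, k):
    """Bounds of [mu - k*sigma, mu + k*sigma]."""
    return (mu - k * sigma, mu + k * sigma)


def expected_share(k):
    """Share of a normal population inside mu +/- k*sigma: erf(k / sqrt(2)).
    k=1 -> 0.6827, k=2 -> 0.9545, k=3 -> 0.9973, the slide's percentages."""
    return math.erf(k / math.sqrt(2))


def observed_share(values, mu, sigma, k):
    """Fraction of the sample that actually falls inside mu +/- k*sigma."""
    lo, hi = interval(mu, sigma, k)
    return sum(1 for v in values if lo <= v <= hi) / len(values)


def outliers(values, mu, sigma, k=3):
    """Values outside mu +/- k*sigma: tickets to pull and read, not a finding."""
    lo, hi = interval(mu, sigma, k)
    return [v for v in values if v < lo or v > hi]


def compare(values, mu, sigma):
    """Expected vs observed share for k = 1, 2, 3, plus the sample's own
    mean and (population) standard deviation for a sanity check against
    the figures taken from the whole database."""
    rows = {k: (round(expected_share(k), 4), observed_share(values, mu, sigma, k))
            for k in (1, 2, 3)}
    return {"rows": rows,
            "sample_mean": mean(values),
            "sample_sd": pstdev(values),
            "outliers": outliers(values, mu, sigma)}


if __name__ == "__main__":
    result = compare(SAMPLE_MIN, POP_MEAN_MIN, POP_SIGMA_MIN)
    for k, (exp, obs) in result["rows"].items():
        lo, hi = interval(POP_MEAN_MIN, POP_SIGMA_MIN, k)
        print(f"k={k}: [{lo:.0f}, {hi:.0f}] min  expected {exp:.2%}  observed {obs:.2%}")
    print(f"sample mean {result['sample_mean']:.1f} min, sd {result['sample_sd']:.1f} min")
    print("beyond 3 sigma:", result["outliers"])
```

The script uses only the standard library. For this constructed sample it reports 75% inside one σ against 68.27% expected, 95% inside two and three σ, and one ticket (300 minutes) beyond three σ. A gap of that kind is where the auditor looks next, by reading the ticket; whether it is a non-conformity depends on the audit criterion (the response time the organization committed to), not on the distribution.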


Examples of controls that can be verified by sampling:

Competence and awareness of employees (7.2 & 7.3): Verifying a sample of employees to determine if they have been adequately trained and made aware.

Distribution and understanding of the information security policy (A.5.1.1): Verifying a sample of employees to determine if they have received and are aware of the information security policy of the audited organization.

Assignment of responsibilities (A.6.1.1): Verifying a sample of employees to determine if they know their roles and responsibilities in matters of information security.

Ownership of assets (A.8.1.2): Verifying a sample of assets (e.g. drawn from the asset inventory) to determine if each asset is associated with an owner.

Protection against malware on workstations (A.12.2.1): Verifying a sample of computers to check for the presence of working and up-to-date software that protects against malicious code.

Controls related to access control (A.9): Verifying a sample of requests for access rights to validate if the requests comply with the procedure in place.

Controls related to incident management (A.16): Verifying a sample of incident reports to validate if their treatment complies with the incident management procedure.


Statistically speaking, a sample is a set of units extracted from an initial population to represent this population. Sampling allows the auditor to obtain and evaluate audit evidence objectively and in a reliable way based on the characteristics of the data selected.

Sampling can use a probabilistic approach (based on chance) or a non-probabilistic approach (based on judgement). The difference between the two is that in probabilistic sampling each element has a known, quantifiable chance of being selected, which is not the case in non-probabilistic sampling.

Section 13: Audit procedures

The selection of a sampling method should be made based on the characteristics of the population to be
analyzed. The auditor can use several sampling approaches. The main methods are the following:
1. Random sampling
• Description: Selecting a sample whose selection probability is known (and non-zero) and in which each
element of the population has the same probability of being selected.
• Advantages: This method is statistically the most reliable. It is possible to calculate the inclusion probability of
each element in a sample as well as to estimate the error margins.
• Disadvantages: A more complex method, usually more time consuming than the other methods.
• Use: Preferred method when the elements of the population are contained in an information system. The auditor
must first make a list of all the elements included in the population, then select a random sample based on the
size of the population. To choose the elements, statistical analysis software (ex: SPSS or Excel's random
selection function) can be used, or the auditor can simply resort to randomly picked samples.
• Example of usage: Sample analysis of security event tickets pulled from the Help Desk database.

2. Systematic sampling (or interval sampling)
• Description: Sample selection from a population whose selection probability is known (and non-zero),
using a defined interval between each selected element.
• Advantages: This method is statistically reliable, simple to use and fast.
• Disadvantages: Depending on the characteristics of the population to analyze, this method can require more
time than the other non-probabilistic methods.
• Use: The most frequently used method in audit because of its ease of use and its simplicity while being statistically
reliable. This method is normally used starting from a predefined sampling table (see slide related to sampling
tables).
• Example of usage: See slide related to Systematic Sampling Example.

Section 13: Audit procedures

3. Stratified (layered) sampling
• Description: Stratified sampling is a method which first consists of subdividing the population into
homogeneous groups (layers) and then extracting a sample from each layer.
• Advantages: Stratified sampling provides the assurance of obtaining a sample size sufficient to
represent each subset of the population whose characteristics the auditor wants to analyze.
• Disadvantages: This method assumes knowledge of the population structure and can lead to
methodological biases.
• Use: The auditor should use this method if the population contains subsets having very different
characteristics from one another. When using stratified sampling, the population is divided into
homogeneous groups (called strata, or layers) that are mutually exclusive. Then, independent
samples are selected from each stratum. You can use any sampling method mentioned in this
section (and others exist) to select the sample inside each stratum.
• Example of usage: An organization has 170 servers, of which 60 are classified as critical
and 10 as very critical. The auditor divides the server population into three subsets: very critical,
critical and non-critical. Then, based on his sampling table, he selects a sample containing 2
servers considered very critical, 15 critical and 25 from his last subset.

4. Block selection sampling
• Description: Sample selection from a subset of the population.
• Advantages: This method avoids having to identify the full set of elements of the population.
• Disadvantages: This method assumes that the selected block is representative of the total
population.
• Use: Method to be favoured when the full set of elements of the population is difficult to
identify and account for.
• Example of usage: An organization with 1700 employees uses a colour code to identify the types
of cabling used. Since it is almost impossible to count the cable population exactly, the auditor
arbitrarily decides to select a sample of cables in a server room.

5. Judgement based sampling
• Description: Sample selection based on the auditor's judgement (drawing on his experience and
knowledge) to directly identify the units that adequately represent the population.
• Advantages: This method is a clear advantage when competent individuals have relevant
experience, because it is simple and fast. It also allows the auditor to directly select elements of the
population that could represent non-conformity risks.
• Disadvantages: It is impossible to objectively evaluate to what extent the sample is
representative of the audited population.
• Use: When the auditor has an intuition that leads him to believe that the selected elements are
representative of the population. He can also use this method to select elements identified as
material or that present a greater risk of non-conformity.
• Example of usage: Based on his experience, an auditor observes that sales representatives
and members of management are those who activate the security functions of their smartphones
(ex: iPhone, BlackBerry) the least. Therefore, based on the auditor's judgement, selecting
these people for tests could be indicated because they represent a higher chance of detecting a non-
conformity.
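The following Python block is an added illustration of sampling methods 1, 3, 4 and 5 above; it is not part of the PECB course material. The population is constructed: 170 servers split as in the stratified example (10 very critical, 60 critical, 100 non-critical). The "room" attribute, the risk scores in TIER_RISK and the seeds are assumptions made up for the example.

```python
"""Random, stratified, block and judgement sampling over a constructed
server inventory (example code added to the course notes)."""
import random


def build_population():
    """Constructed population: 170 servers, tiers as in the slide's example."""
    servers = []
    for i in range(170):
        if i < 10:
            tier = "very critical"
        elif i < 70:
            tier = "critical"
        else:
            tier = "non-critical"
        # Assumed attribute: servers alternate between two server rooms.
        room = "A" if i % 2 == 0 else "B"
        servers.append({"id": f"srv-{i:03d}", "tier": tier, "room": room})
    return servers


def inclusion_probability(population_size, sample_size):
    """Random sampling: each element's chance of being drawn is known."""
    return sample_size / population_size


def random_sample(population, size, seed=None):
    """Random sampling: every element has the same non-zero probability
    of selection; the complete element list must exist first."""
    return random.Random(seed).sample(population, size)


def stratified_sample(population, key, sizes, seed=None):
    """Stratified sampling: partition into mutually exclusive strata by
    `key`, then draw an independent random sample of the size the
    auditor's table gives for each stratum."""
    strata = {}
    for item in population:
        strata.setdefault(item[key], []).append(item)
    rng = random.Random(seed)
    chosen = []
    for stratum, n in sizes.items():
        members = strata.get(stratum, [])
        if n > len(members):
            raise ValueError(f"stratum {stratum!r} has only {len(members)} elements")
        chosen.extend(rng.sample(members, n))
    return chosen


def block_sample(population, predicate, size):
    """Block selection: sample only from one accessible subset (here one
    room), avoiding a full inventory; representativeness is assumed."""
    block = [item for item in population if predicate(item)]
    return block[:size]


def judgement_sample(population, risk_score, size):
    """Judgement-based sampling: take the elements the auditor rates as
    the highest non-conformity risk. Making the score an explicit
    function keeps the reasoning documented in the working papers."""
    return sorted(population, key=risk_score, reverse=True)[:size]


def count_by(sample, key):
    """Summarize a sample by one attribute (used to check strata sizes)."""
    counts = {}
    for item in sample:
        counts[item[key]] = counts.get(item[key], 0) + 1
    return counts


# Assumed risk ranking for the judgement example: higher tier, higher risk.
TIER_RISK = {"very critical": 3, "critical": 2, "non-critical": 1}

if __name__ == "__main__":
    servers = build_population()
    sizes = {"very critical": 2, "critical": 15, "non-critical": 25}
    print(count_by(stratified_sample(servers, "tier", sizes, seed=1), "tier"))
```

The stratified call reproduces the slide's 2/15/25 split; the block and judgement functions deliberately take the auditor's selection criterion as an explicit argument, because their weakness (representativeness cannot be measured) is exactly what needs to be recorded in the working papers.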

Section 13: Audit procedures

The sampling plan and the information collection method must be determined by the auditor. However,
collecting the information from the information systems must be performed by the personnel of the
auditee.

Example

1. Define the population: All changes to the financial application performed during the last six
months (for a total of 250).
2. Determine the sampling method: Systematic selection.
3. Determine the sample size: According to the sampling rules, the size is 15.
4. Execute the sampling plan: Starting the selection randomly with the 5th change, the auditor
selects the rest of the sample every 16 changes (250/15 ≈ 16).
5. Evaluate the results: The auditor records the results of the test on a worksheet and evaluates whether
the changes in the sample were properly approved by the owner. At the end, he documents the
overall conclusion of the test on a worksheet.

Sampling is frequently done using Computer Assisted Audit Techniques (CAATs). These allow a sample to be
selected and analyzed randomly.

Section 13: Audit procedures

1. Risks or errors related to sampling: An error that occurs because the data are collected on a
part of the population that is not representative of the entire population. It is the difference between
the estimate calculated from the collected data and the "real" value that would be obtained
if the entire population were examined under the same conditions. In an inventory (100% of the population),
there is no sampling error since the calculations are based on the entire population. In general, the
sampling error decreases as the sample size increases.

Example: In an organization with 125 employees, the auditor examines the records of 15 people to
confirm they have followed the mandatory awareness session required for all new employees.
Although the analysis of 15 employee files enables the auditor to determine whether there is reasonable
assurance that the control has been followed, there is always a risk of error. There is no guarantee that
the 110 other employees have followed the session. The only way to have 100% assurance would be to
validate all 125 files.

2. Risks or errors related to the auditor: An error caused by factors other than sampling. This
may be an inappropriate audit procedure and/or negligence of the auditor or a lack of
performance.

Examples:
• When the auditor tests the wrong security control, by checking the approval of the change put into
production instead of checking the initial approval of the change by the owner.
• When the auditor selects the first items of the year (or of a list) rather than selecting a sample of
the whole population by a random or systematic method.
• Using responses from proxies (taking into account replies from a person other than the respondent).

Section 13: Audit procedures

The sampling table introduced above is the one most frequently used by large audit firms to determine
the minimum sample required during an audit to validate the effectiveness of a control. It is proposed by
the IT Governance Institute in its guide "IT Control Objectives for Sarbanes-Oxley". This table is based
on a 4% to 6% margin of error. It is an acceptable alternative to the use of statistics software to
indicate the exact size of a sample based on the population to be audited and the error margin desired.

Automated controls do not usually require any sampling. You only need to validate that the control works properly.
For all manual controls, the rate at which the control is performed will determine the size of the
sample.

Despite these general principles, you must remember that the more a control is considered material by
an auditor, the more he should increase the size of the test samples to obtain the desired level of
assurance.

Examples of table usage:

1. A system update procedure performed twice a week -> Sample of 15;
2. Backup copies performed morning and evening -> Sample of 25;
3. Department with 70 employees -> Sample of 15;
4. Computer population with 8 computers -> Sample of 2.

Section 13: Audit procedures

You must follow the steps listed below to select a systematic sample:

1. Define the population to analyze: The auditor must first define the characteristics of the
population he wishes to analyze, then ensure that he has properly identified all the elements
composing the population. Finally, the auditor numbers the elements from 1 to N (N being
the size of the total population).
Example: The auditor wishes to analyze the change requests placed during the past year.
To perform his analysis, he uses the list of the 400 changes that were studied by the audited
organization’s change management committee. Taking into account that he is not sure that
all the changes have been documented in the list he has received from the committee, the
auditor enters a note in his work documents. Then, he enters the numbers 1 to 400 in an
Excel file.

2. Determine the sampling interval: The auditor defines a sampling interval (K) by dividing
the number of elements contained in the population by the size of the desired sample.
Example: Given that there are 400 change requests, the average occurrence is more than
once a day. Thus, the auditor will select a sample of 25 change requests. He divides 400 by
25 and gets an interval of 16.

3. Execute the sampling plan: The auditor must select a random number between 1 and K
as the first element of the sample (X). This random value prevents the auditee from being
able to anticipate the elements that will be selected. Finally, the auditor selects every Kth
element after the first element selected, until N is reached.
Example: The auditor obtained 5 when selecting a random number between 1 and
16. He therefore selects the 5th change request, the 21st, the 37th, etc.
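The three steps above, and the systematic selection example on the earlier slide (250 changes, sample of 15), as an added Python example; it is not part of the PECB course material. The population is only the auditor's numbering 1..N; the change-request identifiers used in the register mapping are constructed for the example.

```python
"""Systematic (interval) sampling: compute K = N / n, draw a random start
X in 1..K, then select every Kth element up to N (example code added to
the course notes)."""
import random


def sampling_interval(population_size, sample_size):
    """Step 2: K = N / n, truncated to a whole number as the slides do
    (400 / 25 = 16; 250 / 15 = 16.67 -> 16)."""
    if sample_size <= 0 or population_size < sample_size:
        raise ValueError("sample size must be between 1 and N")
    return population_size // sample_size


def systematic_sample(population_size, sample_size, start=None, seed=None):
    """Step 3: pick a random start X in 1..K (so the auditee cannot predict
    the selection), then every Kth element until N. Returns the 1-based
    element numbers selected."""
    k = sampling_interval(population_size, sample_size)
    if start is None:
        start = random.Random(seed).randint(1, k)
    if not 1 <= start <= k:
        raise ValueError("start must lie between 1 and K")
    return list(range(start, population_size + 1, k))


def apply_to_register(register, selected):
    """Map the selected numbers onto the auditor's numbered register
    (a list whose index 0 holds element number 1, as in the Excel file)."""
    return [register[i - 1] for i in selected]


if __name__ == "__main__":
    # Slide's figures: N = 400 change requests, sample of 25, start X = 5.
    selected = systematic_sample(400, 25, start=5)
    # Constructed register of change request identifiers CR-0001..CR-0400.
    register = [f"CR-{n:04d}" for n in range(1, 401)]
    print(f"K = {sampling_interval(400, 25)}, first selected: {selected[:3]}")
    print(apply_to_register(register, selected)[:3])
```

With N = 400 and n = 25 the interval is exactly 16 and the walk from 5 yields 5, 21, 37, ... 389, i.e. 25 elements. With N = 250 and n = 15 the truncated interval of 16 yields 16 elements (5 up to 245): when N / n is not a whole number, truncating K gives one element more than the table size, which the auditor simply tests as well, or avoids by rounding K up.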

Section 13: Audit procedures

Technical verifications usually take place with the assistance of the organization's personnel. This
can be done in different ways.

1. The auditor can verify the system configurations in real time with the administrator. For
example: validate the Windows security parameters (password policy, account lockout policy, etc.),
validate the planning of the data backup (daily/weekly/monthly/annually, automatic/manual),
validate user accesses to certain directories, etc.

2. The auditor can also observe a real time operation as a witness. For example: observe the
monitoring performed by the network personnel on the console, attend the recovery of a backup
copy, observe a user accessing a restricted module of the financial application, etc. When routine
operations are involved, the auditor can usually observe a real time operation. However, when he
wishes to analyze an exception or do a test without disturbing routine operations, he can opt for a
simulation. Simulations are generally performed in a laboratory or a development environment to
avoid an impact on operations.

The real time operation procedure generally constitutes strong evidence. However, the time
constraint sometimes forces the auditor to choose this type of test during an audit. In addition, it
can require a lot of resources from the auditee. The auditor must be careful to limit the impact of
tests on operations. For example, it would be inappropriate to ask to set off an unplanned fire
alarm to validate whether the organization complies with fire procedures.

3. Scanning will be explained in the next slide.

The auditor can also validate more technical controls by performing a documentation review of the
procedures in place as well as the results of past exercises. Consequently, the auditor must use
his judgement to determine the relevance of using certain tests.

Section 13: Audit procedures

During the audit of a management system, CAATs (Computer Assisted Audit Techniques) are
rarely used. However, the auditor will read, interpret and validate tests that were performed by
the internal personnel of the auditee or by third parties. For example, several organizations
have an intrusion test performed on their network every year by an external service provider.
Consulting these reports is a source of evidence for the auditor to validate certain implemented
controls.

ACL (Audit Command Language) is software widely used by audit firms to extract and
analyze the data of a whole data population.

CAATs include several types of tools and techniques, such as:

1. Global audit software: Program designed to execute certain automatic functions. These
functions include the reading of computer files, the selection of samples, the sorting of
data, the execution of calculations, the selection of sampling, the printing of reports or
letters in a format specified by the auditor, etc.

2. Utility software: Program generally provided by the manufacturer to execute certain
functions related to the operation: review of activities processes, testing, problem solving
support, system record analysis.

3. Data test: Simulation of transactions that can be used to validate the logic of operations,
calculations and controls currently programmed in the software applications. Individual
programs or the entire system can be tested.

Section 13: Audit procedures

4. Plotting and cartography software applications: Specialized tools that can be used to
analyze data flow in the processing logic of software applications and to document the
logic, the paths, the control conditions, and processing orders of applications.

5. Audit expert systems: Decision support or expert systems that can be used to assist the
auditors in the decision support process thanks to the automation of knowledge of experts
in the field. This type of application generally includes an automated risk analysis and
decision support system that will guide the auditor.

Section 13: Audit procedures

ISO 27008, Clause 7.4: Review method: Test

7.4.1 General
The process of exercising one or more review objects under specified conditions to compare actual with
expected behaviour. The results are used to support the determination of control existence, effectiveness,
functionality, correctness, completeness, and potential for improvement over time. Testing has to be
executed with great care by competent experts and possible effects on the operation of the organization
have to be considered and approved by management before commencing the testing, also considering the
options of running tests outside operational windows, in low charge conditions or even in well reproduced
test environments. Failures or unavailability of systems due to testing can have significant impact on the
normal business operations of the organization. This may lead both to financial consequences and impact
the reputation of the organization so particular care has to be taken into the test planning and its correct
contractualization (including consideration of legal aspects).

False positives and false negatives results of the tests have to be carefully investigated by the information
security control review auditor before making any induction.

Typical review objects include mechanisms (e.g., hardware, software, firmware) and processes (e.g.,
system operations, administration, management; exercises)
Typical information security control review auditor actions may include: testing access control,
identification, authentication and review mechanisms, testing security configuration settings, testing
physical access control devices, conducting penetration testing of key information system components,
testing information system backup operations, testing incident response capability, exercising
contingency planning capability, testing the response of security systems capable of detecting, alerting
and responding to intrusions, testing encryption and hashing mechanism algorithms, testing user id and
privilege management mechanisms, testing authorization mechanisms, and verifying the cascade
resilience of security measures.
Note: Attributes do not apply for testing

7.4.2 Test types
7.4.2.1 Blind Testing
The information security control review auditor engages the review object with no prior knowledge of its
characteristics other than publicly available information. The review object is prepared for the review,
knowing in advance all the details of the review. A blind review primarily tests the skills of the information
security control review auditor. The breadth and depth of a blind review can only be as vast as the
information security control review auditor's applicable knowledge and efficiency allows. Thus this testing is
of limited use in security reviews and should be avoided. This is also commonly referred to as Ethical
Hacking.

7.4.2.2 Double Blind Testing
The information security control review auditor engages the review object with no prior knowledge of its
characteristics other than publicly available information. The review object is not notified in advance of the
scope of the review or the test vectors being used. A double blind review tests the preparedness of the
review object to unknown variables of agitation.

7.4.2.3 Gray Box Testing
The information security control review auditor engages the review object with limited knowledge of its
defences and assets but full knowledge of the test vectors available. The review object is prepared for the
review, knowing in advance all the details of the review. A gray box review tests the skills of the information
security control review auditor. The nature of the test is efficiency. The breadth and depth depends upon the
quality of the information provided to the information security control review auditor before the test as well
as the information security control review auditor's applicable knowledge. Thus this testing is of limited use
in security reviews and should be avoided. This type of test is often referred to as a Vulnerability Test and is
most often initiated by the target as a self-assessment activity.

Section 13: Audit procedures

ISO 27008, Clause 7.4: Review method: Test

7.4.2.4 Double Gray Box Testing
The information security control review auditor engages the review object with limited knowledge of its
defences and assets but full knowledge of the test vectors available. The review object is notified in
advance of the scope and time frame of the review but not the test vectors. A double gray box review
tests the target's preparedness to unknown variables of agitation. The breadth and depth depends upon
the quality of the information provided to the information security control review auditor and the review
object before the test as well as the information security control review auditor's applicable knowledge.

7.4.2.5 Tandem Testing
The information security control review auditor and the review object are prepared for the review, both
knowing in advance all the details of the review. A tandem review tests the protection and controls of the
target. However, it cannot test the preparedness of the target to unknown variables of agitation. The true
nature of the test is thoroughness as the information security control review auditor does have full view
of all tests and their responses. The breadth and depth depends upon the quality of the information
provided to the information security control review auditor before the test as well as the information
security control review auditor's applicable knowledge. This is often known as an In-House Review and
the information security control review auditor has often an active part in the overall security process.

7.4.2.6 Reversal
The information security control review auditor engages the review object with full knowledge of its
processes and operational security, but the review object knows nothing of what, how, or when the
information security control review auditor will be testing. The true nature of this test is to review the
preparedness of the target to unknown variables and vectors of agitation. The breadth and depth
depends upon the quality of the information provided to the information security control review auditor
and the information security control review auditor's applicable knowledge and creativity. This is often
also called a Red Team exercise.

7.4.3 Extended review procedures
In addition to the review procedures that are applied to individual controls, an extended review
procedure can be applied to the review as a whole. The extended review procedure is designed to
work with and complement the review procedures to contribute to the grounds for confidence in the
effectiveness of the controls.
The extended review procedure and the associated review objectives are also closely linked to the
risk level of the information system.

Section 13: Audit procedures

When analyzing the identified defects and deviations, it is possible that the auditor observes that many
of them have one common characteristic, such as the type of operation, the location, the person
responsible for the process or the period concerned. In addition, such defects or deviations may indicate
the possibility of a non-conformity or observation. In such cases, the auditor may decide to search for all
the elements sharing the same characteristic and extend the audit procedures to all these elements. He
may also perform other types of tests to confirm his initial observation.
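One way to look for such a common characteristic among the deviations found in a sample, as an added Python example that is not part of the PECB course material. The sample results below are constructed for the illustration: each record is one sampled change request with the attributes the auditor noted (site, owner, period) and whether it deviated from the procedure; the site names, owners and the 60% threshold are assumptions.

```python
"""Group the deviations of a tested sample by attribute and flag any
attribute value that concentrates most of them, as a candidate for
extending the audit procedures (example code added to the course notes)."""
from collections import defaultdict

# Constructed sample results: 12 change requests tested, 5 deviations
# (e.g. missing owner approval). Not real audit data.
SAMPLE_RESULTS = [
    {"id": "CR-005", "site": "Montreal", "owner": "alice", "period": "Q1", "deviation": False},
    {"id": "CR-021", "site": "Quebec",   "owner": "bob",   "period": "Q1", "deviation": True},
    {"id": "CR-037", "site": "Montreal", "owner": "carol", "period": "Q2", "deviation": False},
    {"id": "CR-053", "site": "Quebec",   "owner": "bob",   "period": "Q2", "deviation": True},
    {"id": "CR-069", "site": "Montreal", "owner": "alice", "period": "Q2", "deviation": False},
    {"id": "CR-085", "site": "Quebec",   "owner": "dave",  "period": "Q3", "deviation": True},
    {"id": "CR-101", "site": "Montreal", "owner": "carol", "period": "Q3", "deviation": False},
    {"id": "CR-117", "site": "Quebec",   "owner": "dave",  "period": "Q3", "deviation": True},
    {"id": "CR-133", "site": "Montreal", "owner": "alice", "period": "Q4", "deviation": True},
    {"id": "CR-149", "site": "Montreal", "owner": "carol", "period": "Q4", "deviation": False},
    {"id": "CR-165", "site": "Quebec",   "owner": "bob",   "period": "Q4", "deviation": False},
    {"id": "CR-181", "site": "Montreal", "owner": "alice", "period": "Q1", "deviation": False},
]


def deviation_counts(results, attribute):
    """Return {value: (deviations, elements tested)} for one attribute."""
    counts = defaultdict(lambda: [0, 0])
    for record in results:
        counts[record[attribute]][1] += 1
        if record["deviation"]:
            counts[record[attribute]][0] += 1
    return {value: tuple(pair) for value, pair in counts.items()}


def concentrated_attributes(results, attributes, min_share=0.6):
    """Flag (attribute, value) pairs that account for at least `min_share`
    of all deviations in the sample: the 'common characteristic' that may
    justify extending the procedures to every element sharing it."""
    total_deviations = sum(1 for record in results if record["deviation"])
    flagged = []
    if total_deviations == 0:
        return flagged
    for attribute in attributes:
        for value, (deviations, _tested) in deviation_counts(results, attribute).items():
            if deviations / total_deviations >= min_share:
                flagged.append((attribute, value))
    return flagged


def extension_population(population, attribute, value):
    """All elements of the full population sharing the flagged
    characteristic, i.e. the scope of the extended audit procedures."""
    return [element for element in population if element[attribute] == value]


if __name__ == "__main__":
    for attribute in ("site", "owner", "period"):
        print(attribute, deviation_counts(SAMPLE_RESULTS, attribute))
    print("extend procedures for:", concentrated_attributes(SAMPLE_RESULTS, ["site", "owner", "period"]))
```

On the constructed data, four of the five deviations come from the Quebec site (4 of its 5 tested changes), while no owner or period reaches the threshold, so the site is the characteristic to follow up on. The extension population would then be every Quebec change in the full register, not just the sampled ones, and the initial observation is confirmed with another type of test as the text recommends.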

The auditor should always try to corroborate evidence which is based solely on interviews, especially if
the elements are considered as material in the context of the audited organization.

Section 13: Audit procedures

The evaluation is a more subjective procedure that essentially relies on the auditor's experience. Based
on his judgement, the auditor will determine when evidence is sufficient, relevant and reliable.
During the evaluation procedure, the auditor must take into account the materiality of information to
determine when the evidence is sufficient, relevant and reliable.

Section 13: Audit procedures

Section summary:
1. To ensure that a control is in place, the auditor must collect evidence from different information
sources and evaluate them objectively.
2. The auditor has the right to demand (insist) to have access to all sources of information available in
the audited organization to adequately evaluate the declared controls.
3. The gathering of evidence can be performed using different audit procedures and the use of
sampling is sometimes required.
4. The observation procedure is the one where the auditor observes a phenomenon based on his
senses (hearing, sight, touch), without modifying them, using proper procedures.
5. The documentation review procedure consists of a systematic and methodical review of textual
documents.
6. The interview procedure consists in asking employees and other appropriate persons (third parties)
questions (oral or written) to collect audit evidence.
7. The analysis procedure consists of a systematic and methodical review of data or information
to identify and analyze relationships or tendencies.
8. The technical verification procedure consists of a technical analysis of a process or a control (ex:
configuration analysis, scanning, simulation, etc.).
9. The corroboration procedure consists of verifying information with at least one other audit
procedure.
10. The evaluation procedure is the act by which the auditor judges the results of the preceding
procedures to ensure that the evidence is sufficient, relevant and reliable.

Section 14: Creating audit test plans

Section 14: Creating audit test plans

It is important to remember that each clause or control of the standard covers a very wide range. In this
section, PECB proposes six examples to illustrate as many audit test options as possible. It is the
auditor's responsibility to evaluate and identify which are applicable and most suitable to meet the
requirements of the audit.

Important points to note:

1. In most cases, there are several applicable and valid audit test procedures to validate a clause or a
control. The auditor must develop his audit test plan by selecting the suitable and valid tests for each
clause and control declared by the auditee. Consequently, several types of procedures should be
used to verify an audit criterion.
2. The use of a combination of audit test procedures is recommended, especially when the first audit
procedure is an interview. Oral evidence is usually not considered sufficient evidence in itself.
3. The auditor must evaluate and determine the most appropriate types of procedures to verify the
audit criteria. In the absence of the most reliable audit evidence, the auditor can manage by obtaining
evidence that is still valid, but of a lesser quality. For example, to validate the update process of a
procedure, in the absence of the update meeting minutes, the auditor could ask for the agenda and
the new version of the procedure.
4. The auditor should always try to group together audit test procedures intended for the same
individual, to avoid multiple meetings and thus disturbing operations.

From one visit to the next at the same auditee, the auditor should vary his audit test procedures. This
makes it possible to corroborate the audit tests performed during previous audits.

Section 14: Creating audit test plans

Section 14: Creating audit test plans

Observation: The auditor can observe how employees ensure the protection of documented
information and whether those actions are consistent with the policies and procedures of the
organization.

Documentation review: The auditor can analyze and validate the following documents: policy
on management of documented information and procedures on management of the lifecycle of
documented information (identification, storage, backup, protection, accessibility and
retention period). The legal aspect must also be taken into account. For example, financial
documents must generally be kept for a minimum period of 5 years.

Interview: The auditor can interview a member of management to confirm the policies and
needs of the organization related to documented information and personnel responsible for
information and archive management to obtain details on documented information
management.

Technical verification: The auditor can perform a technical verification by validating the
electronic structure of documented information classification and storage, verifying the protection
mechanisms of records, and observing the compilation of log reports.

Analysis: The auditor can select a sample of documented information and verify if they
respect the documentation structure and criteria of the policy on records.

Observation: N/A, except for the internal auditor. As an observer, the internal auditor could attend a
meeting on the selection of the criteria to be included in the agreement with the supplier or on the
follow-up/evaluation of the suppliers' performance.

Documentation review: The auditor can evaluate and validate the following documents:
internal policies and guidelines on the management of suppliers, the standard agreement including
clauses on information security, the main contracts signed, and follow-up/performance reports
related to the monitoring of services delivered by suppliers.

Interview: The auditor can interview a member of management (to confirm the guidelines
related to the agreements with suppliers) and the personnel that handles the relations with
suppliers (to validate whether the guidelines have been followed).

Technical verification: N/A

Analysis: The auditor can select a sample of agreements concluded with suppliers and
validate whether they complied with the organization's guidelines on the management of
supplier relationships.

Observation: Although backups are usually performed automatically, the auditor can observe
certain tasks performed manually by the operator (e.g., manually loading the tapes, performing
recovery tests) and the locations where backup copies are kept (physical and environmental
security, labelling of tapes).

Documentation review: The auditor can analyze and validate the following documents: the
organization’s backup policy (definition of the required backup level and its adequacy with the
security criteria stated in the risk analysis of the information assets and with the
requirements stated in the business continuity plan), procedures (description of backup and
restore operations, scheduling of backups and retention, dry run tests) and records (system
logs, tape release requests, test results), etc.

Interview: The auditor can interview the operations manager (to validate the backup strategy and
policy) and an operator (to validate the understanding of and conformity with the backup
procedures).

Technical verification: The auditor can verify the configurations of the backup systems to ensure
they comply with the established procedures (taking screen shots), verify the security mechanisms
protecting backup copies (e.g., passwords, encryption) and request the restoration of an archived file.

Analysis: With automatic backups, there is no sample to obtain. If the backup is performed
manually and the result is recorded in a log, the auditor can select a sample and verify whether the
entries were actually recorded in the backup logs.

Observation: Observe the registration or deregistration of a user’s accesses with an analyst
from the help desk. Validate whether the steps of the access management procedure were followed.
Documentation review: The auditor can analyze and validate the following documents:
access management policy, approval forms, results of an access review performed by owners,
user declarations stating that they understand their responsibilities related to access rights,
access rights matrix.

Interview: The auditor can interview the help desk manager (to confirm the features covered
by the access management policy) and an analyst from the help desk (to validate
understanding of and compliance with the policy during registration and deregistration of user
accesses).

Technical verification: The auditor can verify the configuration and the operation of the systems
used for user registration. The auditor must request the administrator’s help to perform the technical
verification. When validating a deregistration, verify whether the user in question is still in the user
directory (e.g., Active Directory). When validating a registration or modification, verify in the
system whether accesses have been granted appropriately according to the user’s level/department.

Analysis: The auditor can select a sample of registration or deregistration requests and
validate whether the key features included in the access management policy/procedure were actually
followed. Examples: immediate superior’s approval, authorization of the application owner,
removal request originating from Human Resources, etc.
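The technical verification and analysis steps above lend themselves to a small reconciliation script. The following is an added example written for this page, not PECB course material and not the code of any directory product: it checks a constructed HR leaver list against a constructed directory export for accounts that should have been deregistered, and screens a constructed sample of access requests for the key features named above (immediate superior's approval, application owner's authorization, removal request originating from Human Resources). The field names, the two-day grace period and the approval rules are assumptions standing in for the auditee's own procedure.

```python
"""Audit analysis helper for the access registration/deregistration procedure.

Added example for this page; it is not PECB course material nor code from
any directory product. Every record below is constructed for the example,
and the field names, the two-day deprovisioning grace period and the
approval rules are assumptions standing in for the auditee's own procedure.
"""
from datetime import date, timedelta

# Date on which the auditor runs the check (constructed).
AUDIT_DATE = date(2017, 3, 2)

# Constructed HR termination feed: user id -> last working day.
HR_LEAVERS = {
    "jdoe": date(2017, 2, 3),
    "mroy": date(2017, 2, 20),
    "ltran": date(2017, 3, 1),
}

# Constructed directory export (what an Active Directory dump would give):
# user id -> whether the account is still enabled.
DIRECTORY = {
    "jdoe": {"enabled": True},     # left weeks ago, account still active
    "mroy": {"enabled": False},    # disabled but never deleted
    "ltran": {"enabled": True},    # left yesterday, still inside the grace period
    "asmith": {"enabled": True},   # current employee, not a leaver
}

# Constructed sample of access requests, as pulled for the Analysis step.
REQUESTS = [
    {"id": "REQ-101", "type": "registration", "user": "asmith",
     "manager_approval": True, "owner_approval": True, "origin": "manager"},
    {"id": "REQ-102", "type": "deregistration", "user": "jdoe",
     "manager_approval": True, "owner_approval": False, "origin": "HR"},
    {"id": "REQ-103", "type": "deregistration", "user": "mroy",
     "manager_approval": True, "owner_approval": True, "origin": "manager"},
]

# Assumed procedure: accounts must be disabled within this many days of leaving.
GRACE_DAYS = 2

# Assumed key features per request type: registrations need the immediate
# superior's and the application owner's approval; deregistrations need the
# superior's approval and must originate from Human Resources.
POLICY = {
    "registration": ("manager_approval", "owner_approval"),
    "deregistration": ("manager_approval", "hr_origin"),
}


def orphaned_accounts(leavers, directory, as_of, grace_days=GRACE_DAYS):
    """Technical verification: leavers whose accounts still exist in the
    directory once the grace period has expired.

    Returns two sorted lists: accounts still enabled (a clear deviation)
    and accounts disabled but not removed (to discuss with the administrator).
    """
    still_enabled, still_present = [], []
    for user, left_on in leavers.items():
        if left_on + timedelta(days=grace_days) >= as_of:
            continue  # still inside the grace period, nothing to report yet
        entry = directory.get(user)
        if entry is None:
            continue  # account removed: procedure followed
        (still_enabled if entry["enabled"] else still_present).append(user)
    return sorted(still_enabled), sorted(still_present)


def request_deviations(request):
    """Return the key features required by POLICY that this request lacks."""
    facts = {
        "manager_approval": request["manager_approval"],
        "owner_approval": request["owner_approval"],
        "hr_origin": request["origin"] == "HR",
    }
    return [feature for feature in POLICY[request["type"]] if not facts[feature]]


def sample_deviations(requests):
    """Analysis: map each sampled request with a deviation to what is missing."""
    return {r["id"]: request_deviations(r) for r in requests if request_deviations(r)}


if __name__ == "__main__":
    enabled, present = orphaned_accounts(HR_LEAVERS, DIRECTORY, AUDIT_DATE)
    print("Leavers still enabled:", enabled)
    print("Leavers disabled but not removed:", present)
    print("Requests missing key features:", sample_deviations(REQUESTS))
```

The two lists separate a clear deviation (an enabled account for someone who left) from a point to raise with the administrator (an account disabled but never removed), which mirrors the distinction the auditor has to make when deciding what becomes a finding.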

Observation: The auditor can observe a technician performing activities related to
vulnerability management (intrusion test, vulnerability analysis, etc.).
Documentation review: The auditor can analyze and validate the following documents:
network intrusion test reports, the technical vulnerabilities management procedure
(identification, classification, resolution), the inventory of computer equipment used to facilitate the
identification of potential vulnerabilities (including serial number, equipment model, installed
OS, geographic location, version of installed patches and antivirus, etc.), and the list of technical
vulnerabilities, including corrective actions, responsible resource, time limit to correct the
situation, criticality, impact on operations, etc.

Interview: The auditor can interview the information security manager (to confirm the technical
vulnerabilities management procedure) and a technician who monitors and treats technical
vulnerabilities (to validate the procedure steps and their application).

Technical verification: Verify with an administrator whether the versions of the installed applications
are the most recent and whether the security patches have been installed.

Analysis: The auditor can select a sample of known technical vulnerabilities for the systems
operated in the organization and validate whether they have been treated according to the criteria in
the vulnerabilities management procedure.
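The technical verification and analysis steps for this control can be scripted once the auditor has the inventory extract and the vulnerability list. The following is an added example written for this page, not PECB course material and not the code of any scanner or patch-management product: it classifies a constructed sample of vulnerability records against a per-criticality time limit, and compares constructed installed versions against the baseline an administrator states is current. The application names, hostnames, versions and the deadlines per criticality are constructed assumptions standing in for the auditee's own procedure.

```python
"""Audit analysis helpers for the technical vulnerabilities management procedure.

Added example for this page; it is not PECB course material and not the
code of any scanner or patch-management product. All records, hostnames,
application names, versions and deadlines are constructed for the example;
the per-criticality deadlines are an assumption standing in for the time
limits defined in the auditee's own procedure.
"""
from datetime import date

# Assumed time limit (days) to correct a vulnerability, per criticality.
DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date on which the auditor runs the check (constructed).
AUDIT_DATE = date(2017, 3, 1)

# Constructed sample from the organization's list of technical vulnerabilities.
VULNERABILITIES = [
    {"id": "V-1", "criticality": "critical", "identified": date(2017, 1, 10), "resolved": date(2017, 1, 15)},
    {"id": "V-2", "criticality": "high", "identified": date(2017, 1, 1), "resolved": date(2017, 2, 15)},
    {"id": "V-3", "criticality": "medium", "identified": date(2017, 2, 1), "resolved": None},
    {"id": "V-4", "criticality": "critical", "identified": date(2017, 2, 10), "resolved": None},
]

# Constructed inventory extract and the approved baseline versions the
# administrator states are current (application names are placeholders).
INVENTORY = [
    {"host": "ws-01", "app": "office-suite", "installed": "16.0.4"},
    {"host": "ws-02", "app": "office-suite", "installed": "15.0.9"},
    {"host": "srv-01", "app": "db-server", "installed": "12.1.0"},
    {"host": "srv-02", "app": "db-server", "installed": "12.0.7"},
]
BASELINE = {"office-suite": "16.0.4", "db-server": "12.1.0"}


def remediation_status(vuln, as_of=AUDIT_DATE):
    """Classify one vulnerability record against its criticality deadline."""
    allowed = DEADLINE_DAYS[vuln["criticality"]]
    end = vuln["resolved"] or as_of
    elapsed = (end - vuln["identified"]).days
    if vuln["resolved"] is not None:
        return "fixed_on_time" if elapsed <= allowed else "fixed_late"
    return "open_within_deadline" if elapsed <= allowed else "overdue"


def remediation_summary(vulns, as_of=AUDIT_DATE):
    """Analysis: count records per status and list the ids to raise with the auditee."""
    summary = {"fixed_on_time": 0, "fixed_late": 0, "open_within_deadline": 0, "overdue": 0}
    to_raise = []
    for v in vulns:
        status = remediation_status(v, as_of)
        summary[status] += 1
        if status in ("fixed_late", "overdue"):
            to_raise.append(v["id"])
    return summary, to_raise


def parse_version(text):
    """'12.0.7' -> (12, 0, 7), so versions compare numerically ('10.0' > '9.1')."""
    return tuple(int(part) for part in text.split("."))


def hosts_behind_baseline(inventory, baseline):
    """Technical verification: hosts whose installed version is older than the baseline."""
    return [
        (item["host"], item["app"], item["installed"])
        for item in inventory
        if parse_version(item["installed"]) < parse_version(baseline[item["app"]])
    ]


if __name__ == "__main__":
    counts, ids = remediation_summary(VULNERABILITIES)
    print("Remediation summary:", counts)
    print("Records to raise:", ids)
    print("Hosts behind baseline:", hosts_behind_baseline(INVENTORY, BASELINE))
```

An open record inside its deadline is kept apart from an overdue one, and a late fix is still counted even though it is closed: the procedure's time limit is the audit criterion, so a vulnerability corrected after the limit is evidence about the procedure, not just about the vulnerability.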

Observation: As an observer, the auditor can attend the declaration of an information security
event (if one happens during the audit) and observe how it is handled by the auditee.
Documentation review: The auditor can analyze and validate the following documents: the
event declaration and escalation procedure related to information security (this procedure
must be accessible to all employees so they can use it), declaration reports (all identified events
must be documented), the awareness plan (so employees have the reflex to identify any incident
related to information security).

Interview: The auditor can interview the information security manager or the help desk
manager (to confirm the security incident notification process and procedure) and technicians
(to validate the application of the procedure). When a notification is highly confidential and
affects employees, Human Resources may also be involved.

Technical verification: The auditor can verify the configuration of the automated alerts embedded
in information systems and test their effectiveness.

Analysis: The auditor can select a sample of security event declaration reports and verify whether
they have been handled in conformity with the event notification and escalation procedure.

Your group will interview the personnel at the second office of the enterprise. You will need to prepare a
series of questions based on the case studies and indicate with whom your team wants to talk. The tutor
will play the role of the various persons that you need to audit.

Duration of exercise: 45 minutes

Comments: 15 minutes

Section summary:

1. The auditor must develop his audit test plan by selecting appropriate and valid procedures for each
clause and control declared by the auditee.
2. In most cases, there are several applicable audit test procedures to validate a clause or control.
Consequently, several types of procedures must sometimes be used to verify the audit criteria.
3. The auditor must evaluate and identify which procedures are applicable and the most appropriate
to meet the audit requirements.
4. The use of a combination of test procedures is recommended, especially when the first procedure
is an interview. Oral evidence is not considered sufficient evidence on its own.
5. The auditor must evaluate and determine the most appropriate types of procedures to verify the
audit criteria. In the absence of the most reliable audit evidence, the auditor can settle for obtaining
evidence that is still valid but of lesser quality. For example, to validate the update process of a
procedure, in the absence of the minutes of the update meeting, the auditor could request the agenda
and the new version of the procedure.
6. The auditor should always try to group together the test procedures intended for an individual to
avoid multiple meetings and thus disrupting operations.
7. From one visit to the next to the same auditee, the auditor should vary his audit test procedures. This
makes it possible to corroborate the tests performed during previous audits.


Section 15: Drafting audit findings and non-conformity reports



The audit findings are probably one of the most important elements to be provided by the auditor. They
are the determining factor in formulating the conclusions of the audit. They consolidate all relevant
information relating to a particular verification where a potential lack or ineffectiveness of a
control exists.

Because the auditor is required to carefully consider and document this information (for example, by
using an audit findings form), he will be able to decide more easily whether the issue raised must be
reported in writing (in the report), discussed verbally with the auditee or simply omitted.

Note that the audit findings must not be confused with the audit evidence. Audit evidence is factual (e.g.,
a change management procedure). The audit findings, however, are the result of an evaluation by the
auditor. So even if the auditor strives to be objective, audit findings are based on the judgment and
interpretation of the auditor, which depend on his experience and knowledge.

For example, his observation on the change management procedure can indicate whether it complies
with the requirements of the standard and the specific requirements of the organization.

If the audit criteria are selected from legal or other requirements, the audit finding is termed compliance
or non-compliance instead of conformity or non-conformity.

The necessary requirements can originate from several sources: they can be specified in the standard,
be part of a requirement internal to the organization, originate from a law or regulation, or be part of
a contract signed with a client or partner.

Reasons for non-conformity can be:

• Documentation is not adequate;
• The control is absent or does not fulfil its function (design);
• The control does not provide the expected results (effectiveness).

ISO 9000
3.6.11 Conformity: Fulfilment of a requirement.
3.6.9 Nonconformity: Non-fulfilment of a requirement.



The following examples represent minor non-conformities:

1. Description of the observed non-conformity: The organization has implemented procedures to ensure
compliance with Intellectual Property Rights (IPR) (license log, reference in the security policy, employee
awareness, etc.). The organization is compliant for the main software such as operating systems and
office suites. However, the Adobe Illustrator software is installed on 46 workstations despite the
fact that the organization only has 40 user licenses.
Audit criteria: Appropriate procedures shall be implemented to ensure compliance with legislative,
regulatory and contractual requirements related to intellectual property rights and use of proprietary
software products. (A.18.1.2)

2. Description of the observed non-conformity: The organization has defined and distributed the ISMS
policy, which includes a framework for setting objectives and indicates a global orientation and action
principles concerning information security. The policy takes into account the requirements related to
business characteristics and legal, regulatory and contractual requirements. However, there is no
reference to continual improvement of the ISMS.
Audit criteria: Top management shall establish an information security policy that: (…) includes a
commitment to continual improvement of the information security management system. (5.2d.)

3. Description of the observed non-conformity: The organization has implemented and maintains a
documentation management system for the ISMS. However, there is no document or reference in the
documents related to the ISMS that specifies the location where the official versions of the current
operating security procedures are kept.
Audit criteria: Documented information required by the information security management system and by
this International Standard shall be controlled to ensure: a) it is available and suitable for use, where and
when it is needed; and b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss
of integrity). (7.5.3 a.-b.)

Usually, a major non-conformity is easily identifiable because it consists of a total absence or complete
failure of a control. It is important that the auditor ensures that the major non-conformity is valid, because
the presence of only one major non-conformity automatically results in a negative certification
recommendation.

The following are examples of major non-conformities:

1. Description of the observed non-conformity: The internal users of the organization are not all aware
of the security risks related to the use of mobile computing and there is no formal procedure in place to
ensure the protection of mobile communication devices (BlackBerry and iPhone). In a sample of 25 mobile
communication devices (15 BlackBerries and 10 iPhones), only 5 devices had an activated authentication
mechanism.
Audit criteria: A policy and supporting security measures shall be adopted to manage the
risks introduced by using mobile devices. (A.6.2.1)

2. Description of the observed non-conformity: The organization has an internal audit
programme with planning and audit procedures. The past year’s audit activities were
performed by an intern (university student) specialized in computer science. The internal
auditor is competent in network security, but has no experience or training in audit.
Audit criteria: The organization shall ensure that these persons are competent on the basis
of appropriate education, training, or experience. (7.2 b.)

3. Description of the observed non-conformity: The organization has developed an
approach and a risk assessment methodology adapted to the ISMS. The methodology is
adequately documented and the risk acceptance criteria are clearly defined. The risk
assessment methodology makes it possible to ensure consistent, valid and comparable results.
However, the risk assessment methodology does not evaluate the information security
risks.
Audit criteria: The organization shall define and apply an information security risk
assessment process that: e) evaluates the information security risks. (6.1.2 e.)

The auditor should document his observations in the working papers because some observations may
constitute weaknesses of the management system (without being non-conformities). The auditor may
want to follow up on these during the next audits. For example, the auditor finds that there is an annual
turnover of 20% of employees in the IT department. The auditor should document this in the working
papers and validate each year whether personnel competencies are still adequate to maintain the
management system.

The auditor may share his observations with the auditee in the audit report (in the section “General
observations and opportunities for improvement”). As an example, the auditor can mention that the
auditee could implement a documentation management system that automatically manages and retains
versions.

It is important to note that observations must not influence audit conclusions. The auditee has no
obligation to implement corrective actions following the observations mentioned in the audit report.

Example of an anomaly:

An organization with 100 employees has defined that 90% of employees must have completed an
awareness session in the first three months of being hired. If the auditor finds that five employees did not
follow the session within a period of three months, he will consider this finding to be a conformity. The
five documented cases individually are anomalies, a deviation from the requirement of the organization,
but the overall process is "effective and consistent".

On the contrary, if he had found 15 employees, the situation would lead to a non-conformity because the
number of anomalies is beyond the acceptable threshold of 10% as set by the organization.

Important notes:
• Anomalies are documented in the working papers of the auditor but they are normally not mentioned in
the audit report.
• It should be noted that an anomaly is not the same as a non-conformity accepted by the organization. An
accepted non-conformity remains a non-conformity.

Before the closing meeting, the auditors must confer on the completion of the review of audit findings
and on other relevant information collected during the audit in relation to the audit objectives. The auditor
should evaluate the evidence against the audit criteria and according to the particular context of the
auditee. It is always an act of judgment by the auditor. He must take into account the appropriateness of
the evidence (relevance and reliability) and its sufficiency in relation to the audit criteria.

The boundaries between the conformity findings “minor non-conformity” and “major non-conformity” are
not always easy to define. One can easily agree that a finding is a conformity if an auditor observes that 1
transaction in 1000 did not meet the requirements. Similarly, we can agree that a finding is a major
non-conformity if 800 transactions do not respect the requirements. However, how many non-conformant
transactions will be allowed before establishing a minor non-conformity? 11, 20, 34, 58 ...? What is
the threshold for establishing a major non-conformity: 50, 100, 300, 450, 501, 600 ...? It is impossible to
answer without knowing the specific context of the auditee. This will depend on aspects related to the
transactions that do not meet the requirements, the potential impacts on the organization, etc.

Most certification bodies provide a checklist to be completed by the auditor. For each requirement of the
standard, the auditor must indicate whether the situation is conform or not. In most cases, this involves
checking a box between the different possibilities: conformity, minor non-conformity or major
non-conformity.

Note that by definition, an observation is a conformity, so many auditors do not show these as audit
findings. In the audit report, there is usually a section to show the observations.

To conclude, the thresholds between the types of audit findings are not established mathematically but
by the decision of the auditor, in each case, depending on the particular context of the auditee.

Once the non-conformity has been confirmed, the auditor must document it. To support traceability and
facilitate the monitoring of action plans, it is essential that non-conformities are recorded and
documented in a systematic way. The record can be as simple as a description of the observation
and the reference to the appropriate clause.

Note that the standard contains several clauses that include more than one requirement. It is
important that the auditor clearly identifies and records the specific conditions concerning the
non-conformity, for example by writing down the exact text of the requirement associated with the audit
criteria.

A non-conformity report should:

• Be explicit and related to an ISMS requirement;
• Not be ambiguous, be linguistically correct, and as concise as possible.

On an audit, it is possible to identify findings related to multiple criteria. Depending on the arrangements
with the audit client, the auditor may raise either:
• Separate findings for each criterion;
• A single finding, combining the references to multiple criteria.

Where an auditor identifies a finding linked to one criterion on a combined audit, the auditor should
consider the possible impact on the corresponding/similar criteria of the other management systems.

The final part (and the most important) of the documentation of a non-conformity is writing a
non-conformity report. The report must specify the audit criteria, the description of the non-conformity
as well as the audit findings. As an option, recommendations can be included. If the 3 parts of the
non-conformity are well documented, the auditee will be able to understand and recognize the
non-conformity. This will also serve as a useful record for a future report.

One of the most effective ways of documenting non-conformity reports comprehensively is to
write them in a structure consisting of four elements: evidence supporting the finding, audit criteria,
audit finding and recommendation. The first three are mandatory for a certification audit.

1. Audit criteria: This element describes the standard used as a reference for the evaluation (e.g., a
specific clause of the ISO standard). In other words, it depicts the requirement.
2. Evidence supporting the finding: This refers to the description of the facts observed and recorded
during the audit in the field. When documenting it, it is important to detail the problem at an
appropriate level. Someone who was not involved in the audit but who has a basic
understanding of the purpose or function being audited should be able to understand the
evidence.
3. Audit finding: The auditor formulates a minor non-conformity or a major non-conformity.
4. Recommendation: This aspect of the non-conformity report suggests how the situation could be
remedied. A good recommendation maintains the proper balance between the risk and the cost of
controlling it. Before making a recommendation, the auditor should consider the following questions:
• Does the recommendation solve the problem and eliminate or reduce the risk?
• Can it be implemented in the current context?
• Is the recommendation cost-effective?
• Can it act as a permanent solution or just a temporary one?

Remember that a non-conformity is the non-fulfilment of a requirement: if the auditor cannot identify a
condition that is not fulfilled, then he cannot raise a non-conformity. By default, the principle of the benefit
of the doubt applies. In the same way that an accused person is considered innocent by the court until the
evidence proves the contrary, an organization will be deemed to conform to the requirements of the
standard as long as there is no evidence identified by the auditor that contradicts this statement.

If it turns out that the auditor did not have time to check some of the processes and controls, these will
be considered “conform” by default. In his working documents, the auditor will log the unchecked
processes in order to audit them in a subsequent surveillance audit. The same principle applies
to the divisions (or departments) of the organization included in the scope of the audit but not
considered in the audit.

In the same spirit, if the auditor does not have enough evidence to classify a finding as a non-conformity,
he will be obliged to document the finding as a conformity.

Section summary:

1. The auditor must evaluate the audit evidence against the audit criteria to issue audit
findings. Audit findings can indicate a conformity or a non-conformity to audit criteria.
2. According to the definition of the ISO 9000 (clause 3.6.2) standard, a non-conformity is a
“non-fulfilment of a requirement”. There are two types of non-conformities: major non-
conformities and minor non-conformities.
3. A major non-conformity is the absence of a required control or the total failure of its
effectiveness, such that it raises significant doubts as to the adequacy of the ISMS to
protect the confidentiality and integrity of sensitive information and/or represents an
unacceptable risk as could be perceived by the interested parties of the organization.
4. A minor non-conformity is a situation in which a characteristic of the implementation or
application was not met, such that it raises some doubts as to the adequacy of the ISMS
to protect the confidentiality, integrity or availability of sensitive information and/or
presents a minor but non-negligible risk that could be perceived by the interested parties of
the organization.
5. To support traceability and facilitate the follow-up of action plans, it is crucial that non-
conformities be recorded and documented systematically.
6. There are 3 items in the adequate documentation of a non-conformity: evidence
supporting the findings, the description of the requirements for which the non-conformity was
detected (the audit criteria) and the non-conformity report.
7. Remember that a non-conformity is a non-fulfilment of a condition: if the auditor cannot
identify a condition that is not fulfilled, then the auditor cannot raise a non-conformity.
8. An anomaly is an accidental or isolated deviation from a requirement.
9. An observation consists of a situation or an element uncovered during the audit which
could be the object of an improvement without being a non-conformity.

Part 1: Writing an audit test plan

Write an audit test plan to validate the following control identifying the different applicable audit
procedures (observation, documentation review, interview, technical verification and analysis):
Protection of log information (A.12.4.2). Logging facilities and log information shall be protected against
tampering and unauthorized access.

Part 2: Writing non-conformity reports

Using your documentation review and the site audit of the organization, write non-conformity reports for
at least two non-conformities (one major and one minor) that you have identified in the management
system of this firm. Ensure you have identified defensible non-conformities, because you may be asked
to discuss them with the management tomorrow.

Duration of homework: 45 minutes
