Friday, October 19, 2007

auditing ISO 27001

Please check for all of the items below during the internal audit, in addition to the Annex A controls.

Basic Checklist
List of assets (with owners, threats, controls and vulnerabilities) available?
Access controls defined? (Authorization forms)
Information labelling carried out?
Security Incidents monitored?
Security events monitored?
Backup integrity monitored?
Risk assessment methodology defined?
Risk assessment covers all the assets?
Risk assessment study documents available?
Additional Control Records maintained?
Test records maintained? (mainly for System admin)
SoA (Statement of Applicability) prepared and complete?
Employee Training records available with respect to ISMS?
Internal audit Plan and Audit reports maintained?
Risk Mitigation plan available?
Competency Matrix available?
Training effectiveness records available?
Roles and Responsibilities defined?
Department-specific procedures documented? (mainly HR / Admin / System admin / MR related)
BCP and management process available?

Thursday, October 18, 2007

Audit standards

The Department of Employment and Industrial Relations has developed an audit program that employers can access that allows employers to evaluate their performance against ten defined elements. Details of this standard are available from the Tri-safe management systems audit program (PDF, 342 KB).

Self-insurance audit standard
The Department of Employment and Industrial Relations is responsible for the administration of the occupational health and safety performance requirements for current and prospective self-insurers. This role includes the accreditation of self-insurer auditors, coordination of audits with self-insurers and reporting of audit findings to Q-COMP.

Employers seeking a self-insurance licence from Q-COMP are required to have an assessment of occupational health and safety performance as part of licence requirements.

An element of this assessment process is a requirement for an OHS management systems audit. The standards that this audit is conducted against are detailed in the Workers’ Compensation Self Insurers Performance Criteria and Guidelines.

Audits conducted for the purposes of self-insurance licence requirements are conducted by auditors accredited by the Department of Employment and Industrial Relations. Persons wishing to become accredited can apply to the Department of Employment and Industrial Relations after addressing the requirements set out in the Self Insurance Accreditation Criteria.
Last updated October 17, 2006


ISO 19011:2002 provides guidance on the principles of auditing, managing audit programmes, conducting quality management system audits and environmental management system audits, as well as guidance on the competence of quality and environmental management system auditors.
It is applicable to all organizations needing to conduct internal or external audits of quality and/or environmental management systems or to manage an audit programme.
The application of ISO 19011 to other types of audits is possible in principle provided that special consideration is paid to identifying the competence needed by the audit team members in such cases.
Revision information
Revises: ISO 10011-1:1990
Revises: ISO 10011-2:1991
Revises: ISO 10011-3:1991
Revises: ISO 14010:1996
Revises: ISO 14011:1996
Revises: ISO 14012:1996


Hazard specific audits

Hazard specific audits address particular issues such as confined space entry, or working at heights and involve the inspection and testing of current workplace control methods. This type of audit has a narrow focus and looks at the effectiveness of policies and procedures in dealing with specific hazards.

These audits differ from compliance audits in that the standards set by the organisation to address a risk of injury may exceed legislative requirements. Many organisations use suitably qualified external providers to undertake these types of audits especially when hazardous tasks are being undertaken.

Workplace Health and Safety Queensland inspectors may review specific hazards in order to monitor legislative compliance at a workplace.

The Workplace Health and Safety Act 1995 (PDF, 766 KB) requires that workplace health and safety officers (WHSOs) conduct a hazard-based assessment of the workplace using criteria approved by the Chief Executive of Workplace Health and Safety Queensland or criteria agreed to by the Workplace Health and Safety Committee at the workplace.

These assessments must be conducted at least once every twelve months, or at intervals agreed between the WHSO and the Health and Safety Committee. The criteria refer to eight elements, which cover a number of common workplace hazards:
Hazard identification, risk assessment and control
Work environment
Hazardous substances
Manual tasks
Information, instruction, training and supervision

An example of a hazard-based assessment form (PDF, 144 KB) is provided for your convenience.
Last updated July 18, 2005



An occupational health and safety management systems audit has a wider scope, and although addressing hazards and risk controls, it also looks at organisational structures, planning activities, responsibilities, implemented procedures, review cycles and measurement and evaluation issues.
A basic occupational health and safety management system has some of the following characteristics:
Existence of a health and safety policy that is communicated to staff
Management commitment
Allocation of responsibilities and accountability for health and safety matters
Controls for suppliers, sub-contractors and purchasing
Health and safety consultation
Hazard identification, evaluation and control
Provision of information and training of staff
Incident recording, investigation, analysis and review
Measuring and evaluating workplace health and safety performance.


Audit Management

An audit is a systematic examination used to determine whether or not an object meets previously specified requirements, and is usually performed using question lists. The results of an audit are evaluated and documented.

SAP PLM QM Audit Management helps you plan and process audits, monitor corrective and preventive actions that were determined during audits, and evaluate audit data according to different criteria.

The audit management solution is very flexible and allows you to perform any type of audit that you require, for example, quality audits (system audits, process audits, product audits, supplier audits), environmental audits, security audits (site security, function security, data security), or industrial safety audits. The solution can be adapted to the requirements of all relevant standards, such as QS9000 or the DIN ISO 9000 series.

It encourages the integration of different audits, for example, in accordance with DIN ISO 19011. Since audits are usually performed outside the office, mobile options are essential in supporting effective audit processing. Collaboration between the auditor and the audited party is required when corrective or preventive actions are agreed on and have to be monitored. The audited party may use Internet- or intranet-based access to the actions to report their completion.

The solution's suitability for processing a wide variety of audit types meets the requirement of companies to unify different management systems in one integrated management system. This greatly reduces audit expenses. An HTML interface ensures that the functions of the audit management solution are accessible to everyone who has authorization, from any location, on the Internet or intranet. Moreover, you can directly attach documents and notes to the data objects used in audit management. Thus, the information on audits is available company-wide, avoiding duplicated work and leading to improvement of products, processes, and supplier relationships. The integration of the audit management solution with the surrounding data environment provides access to a vast array of information from other areas.

If necessary, you can use interfaces to tools such as Microsoft Project® for the project management of an extensive audit plan, and Microsoft Excel® for the handling of question lists. The multilingual nature of the user interface and of the audit information supports you when working with foreign partners. For each audit phase, you can specify the partners and communicate with them using the platform. Audit management provides a complete solution that is easy to use and enables benchmarking and the evaluation of best practices inside and outside the company.