RISM05 Audit Procedure

UCL Research Data Information Security Management Audit Procedure

Document Name: RISM05-Audit_Procedure.md

Classification: Public

Author: Tim Machin

Version: 4.1

Created: 21/01/2025

Last Review: 11/04/2025

Last Reviewed by: Victor Olago

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 Years

Sources: SLMS-IG09a, SLMS-IG08 Internal-Audits-Process NHSE-Audits

1. Document Overview

Internal audits are carried out at planned intervals to provide information on whether the Information Security Management System (ISMS) conforms to the organisation’s ISO 27001 requirements and is effectively implemented and maintained. Refer to the internal audit guidance document.

This document addresses the following requirements in the ISO 27001:2022 standard:

  • Clause 9.2

2. Standards and Methods

Internal Audits will be carried out by comparing organisational processes and practices with:

  • the clauses of ISO/IEC 27001
  • controls recorded as implemented in the Statement of Applicability, including:
      • necessary controls from Annex A of ISO 27001
      • additional necessary controls

Although all sections of the ISO 27001 standard will be audited over any three-year certification period, their inclusion may be hastened by concerns arising from intolerable or severe risks, non-conformities, incidents or changes which require greater scrutiny.

Audits will be planned at regular intervals and the participants informed in advance, unless there is a specific reason for not doing so. Audit activities will typically take a question-and-answer format or consist of ‘check’ activities. The audit scope and criteria will be decided in advance and documented in the Audit Schedule.

3. Frequency

The frequency of internal audits will be continually reviewed to ensure that all sections of the ISO 27001 standard and the controls are covered in any three-year certification period.

4. Responsibilities

Internal auditors are selected to ensure objectivity and the impartiality of the audit process. An auditor should never be a participant in the audit themselves. ISMS audits will be carried out by a suitably qualified member of staff or contractor. More detail on the auditor role can be found in the Roles and Responsibilities Document.

5. Protection of Information During Audit

Auditors will be provided with access to documents as needed and are required to handle information according to its classification under the information management policy.

Audits will be designed so that service levels are not degraded by the audit process. For example, participants can be on-call for the audit without having to join the meeting if the focus is not expected to be on one of their areas of responsibility.

6. Audit Findings

The findings from each audit will be documented and communicated by the auditor to the Research Information Governance Lead. Findings will be reviewed by the Operational Management Group, and the intended outcomes and actions arising from audit findings will be recorded. Each action will be assigned a reference number, owner, due date and status, and will be tracked.

Any non-conformities must be addressed by corrective actions and these may be reported to the Information Risk Governance Committee.

7. Root Cause Analysis

All non-conformities must be assigned a root cause. Root causes will be reviewed periodically through the Operational Management Group and remediating actions assigned as appropriate.