diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05b - Performance evaluation.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05b - Performance evaluation.md index 8395dea..079861b 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05b - Performance evaluation.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05b - Performance evaluation.md @@ -1,6 +1,7 @@ # Clause 9: Performance evaluation Clause 9 handles Performance evaluation. It consists of 3 parts: + - [Monitoring, measurement, analysis and evaluation](../../../MoCs/ISO_27001_2022_9.1_MoC%20Monitoring,%20measurement,%20analysis%20and%20evaluation.md) - [Internal audit](../../../MoCs/ISO_27001_2022_9.2_MoC%20Internal%20audit.md) - [Management review](../../../MoCs/ISO_27001_2022_9.3_MoC%20Management%20review.md) diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05d - Prindos case.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05d - Prindos case.md new file mode 100644 index 0000000..9e917cf --- /dev/null +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/PECB 27001 LA S05 E05d - Prindos case.md 
@@ -0,0 +1,39 @@ +# Prindos case + +## Description + +Prindos is a software development company, headquartered in Milan, Italy, that specializes in creating custom solutions for financial institutions. The software applications and tools that the company develops help companies in the financial sector to tackle challenges and achieve their objectives, including processing sensitive data, which necessitates a strong commitment to information security. + +The company's reputation for robust security was recently challenged when one of its major clients experienced operational disruptions due to a software vulnerability of the application provided by Prindos. The software had availability problems as it was not adequately tested for high user loads, leading to server downtime and slow response times during peak hours. Customers were unable to access their accounts or perform critical transactions, causing significant inconvenience and frustration. + +To address this, Prindos initiated an update project. This project aimed to transition to a platform that uses auto-scaling features in cloud to automatically adjust resources as needed. This would ensure that sufficient resources are available and can be dynamically allocated based on demand. + +However, the project encountered critical issues related to internal governance, including a lapse in the segregation of duties. This issue became particularly evident when Julia, the software development team leader, went on maternity leave, and her responsibilities were transferred to the software developing team members. Due to staffing constraints, some members of the software development team were also tasked with software quality testing responsibilities. This dual role created a conflict of interest, as developers were essentially reviewing and approving their own code. + +Recognizing the importance of the situation and the need to uphold trust with its clientele, Prindos decided on a series of strategic initiatives. 
The main initiative of the company was the implementation of an information security management system (ISMS) based on ISO/IEC 27001. This decision aimed to enhance its security posture to a globally recognized benchmark. + +While reviewing and selecting security controls, Prindos decided to review ISO/IEC 27001’s 93 security controls and implement all those that are applicable. Before selecting the necessary controls for implementation to ensure information security, Prindos chose to initiate a risk assessment to identify security gaps. Recognizing the paramount importance of proactively scrutinizing potential vulnerabilities in the software development and deployment processes, the company opted for a self-directed methodology. This approach focuses on evaluating organizational, strategic issues, and security practices, ultimately leading Prindos to select the OCTAVE method. + +Prindos committed to refining its maintenance and support protocols to swiftly address and investigate any security breaches or incidents. To prevent a recurrence of the same problem, it also introduced clearer segregation of roles within the software development team, ensuring that responsibilities are distributed appropriately and that each team member's role is well-defined and aligned with their expertise. + +Based on the scenario above, answer the following question. + +1. Which of the following options presents a vulnerability in Prindos’ system? + 1. Server downtime and slow response times + 2. Insufficient software testing for high user loads + 3. Cloud auto-scaling features to dynamically allocate resources + +2. The update of the software failed due to the lack of staff. What is Prindos facing in this case? + 1. A personnel vulnerability + 2. A human actions threat + 3. An organizational threat + +3. As part of the ISMS implementation, Prindos defined clear roles and responsibilities for the software development team. What is the function of this control? + 1. Preventive + 2. 
Detective + 3. Corrective + +4. What type of security controls did Prindos implement to address segregation of duties issues? + 1. Managerial control + 2. Administrative control + 3. Legal control \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.22.37.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.22.37.png new file mode 100644 index 0000000..33ac47c Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.22.37.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.23.04.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.23.04.png new file mode 100644 index 0000000..78cc794 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.23.04.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.27.14.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.27.14.png new file mode 100644 index 0000000..3a00c94 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.27.14.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.45.48.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.45.48.png new file mode 100644 index 0000000..4c401b8 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 11.45.48.png differ 
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 14.49.17.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 14.49.17.png new file mode 100644 index 0000000..fb91530 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-07 at 14.49.17.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.3-Fundamental-concepts-and-principles-of-information-security.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.3-Fundamental-concepts-and-principles-of-information-security.md index d92eab8..a1d2d06 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.3-Fundamental-concepts-and-principles-of-information-security.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S04.3-Fundamental-concepts-and-principles-of-information-security.md 
@@ -28,7 +28,9 @@ So we have some controls that you might call **technical controls**. So technica **Categorizing controls by what they do** -But I think most people would accept, even with really good technical controls, that a lot of them are dependent on good processes that are followed by an organization. And this is where we talk about **administrative controls**. So administrative controls are where organizations bring in certain *processes to manage risk*. So you could have things around people like segregation of duties, job rotations, proper approval processes, your change management processes. These would all be example of administrative controls. But also having adequate procedures in place to manage technical controls. So for example, let's say we introduced a a security incident and event monitoring tool, which is a technical control, we'd probably have a bunch of administrative controls to go with it, such as stating how often the reviews of those logs have having a process that would be followed if we detected something suspicious. Those would be administrative processes. So often these will go hand in hand. And when we think about setting up an ISMS, we also have managerial controls. So **managerial controls are focused on people, and management of people** within the organization. So having things like management reviews, training and awareness programs, having proper internal audits to check that policy, etc. has been followed properly, disciplinary processes, etc. These would all fit under the the banner of managerial controls. +But I think most people would accept, even with really good technical controls, that a lot of them are dependent on good processes that are followed by an organization. And this is where we talk about **administrative controls**. So administrative controls are where organizations bring in certain *processes to manage risk*. 
So you could have things around people like segregation of duties, job rotations, proper approval processes, your change management processes. These would all be example of administrative controls. But also having adequate procedures in place to manage technical controls. So for example, let's say we introduced a a security incident and event monitoring tool, which is a technical control, we'd probably have a bunch of administrative controls to go with it, such as stating how often the reviews of those logs have having a process that would be followed if we detected something suspicious. Those would be administrative processes. So often these will go hand in hand. + +And when we think about setting up an ISMS, we also have managerial controls. So **managerial controls** are focused on people, and management of people within the organization. Things like management reviews, training and awareness programs, having proper internal audits to check that policy, etc. has been followed properly, disciplinary processes, etc. These would all fit under the the banner of managerial controls. And then we also have **legal controls** and there's two points of view on that. Legal controls are controls we would implement in order to fulfill our obligations under laws and regulations. And also where we use legal instruments to protect our information and information systems. So for example, if we asked people to sign a non-disclosure agreement, providing it's legally sound, that would be a legal control. Or let's imagine you have a supplier and you expect that supplier to meet certain security requirements and that's specified in contract, then that contract is essentially a legal instrument, it's a legal control that's helping to protect us. 
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S05.3-Overview-of-ISO-27001-requirements.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S05.3-Overview-of-ISO-27001-requirements.md index 06d0e83..5326c3e 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S05.3-Overview-of-ISO-27001-requirements.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S05.3-Overview-of-ISO-27001-requirements.md @@ -26,6 +26,7 @@ And we know that in Annex A, there are a list of 93 security controls that we ca Also what's important is point f, obtaining the risk owners approval for the risk treatment plan and the acceptance of residual risk. That's the risk that's going to be left after the treatment has took place. This is vitally important. This is one that sometimes I have identified as being a problem as an auditor, where I've seen very good risk processes, but then a disconnect between the process and the risk owner. So I'm always looking to see that the risk owner was involved and ultimately made that final decision. But before we look at the statement of applicability, and a risk treatment plan, we need to talk generally about the different risk treatment options that exist. So let's imagine an information security risk has been identified and we want to do something about it. I'll go through a few different options. + ![](CleanShot%202026-06-06%20at%2015.33.55.png) **Risk modification** means changing the circumstances around a risk. So that might be about implementing controls to reduce vulnerability. So let's say for example I have a network architecture and we identify the way in which the network segregated leaves its vulnerable to the attack. So we propose more granular segregation and introducing some kind of firewalling technology. We'd be doing a risk modification to **reduce the vulnerability and the likelihood**. 
@@ -55,7 +56,7 @@ Now as an auditor, I still look at ISO 27002, to make sure I'm familiar with the ![](CleanShot%202026-06-06%20at%2015.55.57.png) -Now, there's a diagram we've included here, this sort of thing that looks a bit like a wheel, if you like. And this is for people who may be familiar or may have worked with the 2013 version of the standard. and want to see the comparison between the Annex there and Annex A in the newer standard, the newest version being the 20th So in the 2013 version of the standard, and some organizations are still aligned to that because they've got till the uh I think the end of uh October in 2024 to try transition so maybe some of us still sort of uh using that. That had in the annex 114 security controls grouped into areas which were called control objectives A5 through A18, covering many topics. And what we've seen in the new version is an effort to simplify that, to put 93 controls into four distinct areas. And people certainly have their opinions on what they prefer, but that's where we are today. And of course, the logical question I get asked is, hang on, we've gone from 114 controls to 93, so surely the newer version of the standard isn't quite as strong. +Now, there's a diagram we've included here, this sort of thing that looks a bit like a wheel, if you like. And this is for people who may be familiar or may have worked with the 2013 version of the standard. and want to see the comparison between the Annex there and Annex A in the newer standard, the newest version being the 20th. So in the 2013 version of the standard, and some organizations are still aligned to that because they've got till the uh I think the end of uh October in 2024 to try transition so maybe some of us still sort of uh using that. That had in the annex 114 security controls grouped into areas which were called control objectives A5 through A18, covering many topics. 
And what we've seen in the new version is an effort to simplify that, to put 93 controls into four distinct areas. And people certainly have their opinions on what they prefer, but that's where we are today. And of course, the logical question I get asked is, hang on, we've gone from 114 controls to 93, so surely the newer version of the standard isn't quite as strong. That's not actually true at all because none of the controls from 2013 have been deleted as such. What's happened is in the newer version in 2022 quite a few of those controls have been merged. So in other words, where you had separate controls, describing something that have been brought together. And actually there's new controls in Annex A of the 2022 version. Things like threat intelligence, data loss prevention, data masking and information deletion, configuration management, web filtering, those are a few that I can name, that have been added. So believe it or not, actually you've now got more controls in the annex than you did in the previous version. There are plenty of documents out there that do show a mapping as well available online that if you want to see the mapping between the two annexes So, with all of this in mind, the organization implementing the ISMS needs to to create a document called a **statement of applicability**. This SoA, statement of applicability, is a document that lists all 93 controls, and the organization will state whether they apply or not. If they do, why? And if they don't, why not? diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.1-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.1-Fundamental-audit-concepts-and-principles.md index 118e86a..c862b72 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.1-Fundamental-audit-concepts-and-principles.md 
+++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.1-Fundamental-audit-concepts-and-principles.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.1 Fundamental audit concepts and principles 
@@ -17,4 +17,70 @@ This session introduces fundamental audit concepts based on ISO 19011, ISO 17021 ## Transcription -Hi there, my name is Carl Carpenter. I will be your instructor. I am a consultant for Arrakis Consulting, a full service cybersecurity firm. I've been dealing with cybersecurity for over 30 years. I'm also a former chief information. Security officer for a $6 billion entity dealing with all types of regulatory environments. And for this course, this is the ISO IEC 27001 lead auditor course Sponsored by PECB. Hi, thank you for joining me. This is section six for the ISO IEC 27001 course. Fundamental audit concepts and principles. In this section, we're going to talk about audit standards, what is an audit, types of audits, involve parties, audit objectives, and criteria a combined audit, principles of auditing, and competence and evaluation of auditors. Be warned this is a fairly long section, so make sure that you have plenty of coffee So what is an audit? Well as per ISO 19011 Clause 3. 1, it's a systematic, independent, and documented process For obtaining objective evidence and evaluating it again objectively to determine that the extent to which the audit criteria is fulfilled. So it's basically An assessment by an auditor on the evidence and the facts that a company is trying to present to that auditor. So it's it's very simple just asking a lot of questions and then evaluating the evidence that's provided, making sure that the evidence is in alignment with uh policy standards, procedures, processes, things like that, as well as possibly national or international guidelines So audits can come in a variety of flavors. There could be financial audits, there could be administrative audits, there could be an information systems or information security audit, which is what ISO 27001 is based on. 
So there's international standards on auditing, so ISO 1911, that provides guidance on managing an audit program, planning and conducting management system audits, as well as the competence of auditors. 19,011's most crucial aspect is that it provides the fundamental principles of auditing. But we also have 17,021. Uh-huh, which contains requirements for bodies providing audit and certification of management systems. So by complying with this standard, a certification body can prove competence, consistency impartiality and ensure credible certification. There's also ISMS audit standards, so 27,000 six-1, in addition to the requirements of 20 of 17,001-1 Certification bodies that provide ISMS auditing and certification services must also meet the requirements of 27006-1. This standard specifies requirements regarding the competencies that auditors must possess to audit an ISMS. There's also 27,007 And that twenty that standard provides guidance on managing an ISMS audit program, on auditing an ISMS against the requirements of ISO IEC 27001, and on the necessary competencies. That auditors should have to effectively audit an ISMS. So this standard focuses on ISMS audit activities and their steps. The importance of vocabulary is critical when it comes to auditing, not only from the standpoint of what the auditors say or do or write, but also from the standpoint that when the auditors are interacting with the auditee, that we're all using the same language and we understand that. So auditors need to have a firm understanding of the vocabulary and terminology that ISO uses in its management system standards and the terms and definitions that are specific to 27001. And we'll go over some terms and definitions in a few slides for now. So there are potential sources for the different types of vocabulary. So the one that uh is highly suggested is online browsing platform. It's a tool developed by ISO which provides access to ISO standards, terms, and definitions. 
But you can have other sources as well. So there could be specific publications by ISO, guidance documents, articles. possibly a glossary or or so on. You just want to make sure that if you're going to pick a term for vocabulary in or when you're interacting with the auditee, that you are using consistency in in relation to the terms. So standards themselves, like guidance standards, they will also have terms that could be relevant that you'd want to make sure that you're consistent with in relation to your conversations and your uh your recording of information or reporting or so on. So for example, ISO 9000 has uh deals with uh quality management. 27,000 is the ISMS family of standards. 27,001, as you know, is this is the course that would be for uh information security. And then based on the harmonized structure of the management system standards, clause three of a management system. Standard will contain relevant terms and definitions which are typically organized according to the veri uh hierarchy of concepts It's also important to understand that clause 3 is fairly consistent across any standard. They're always going to have the same set of terms. So we also have verbal forms. So ISO IEC directives provide the general principles for structuring and drafting ISO IEC documents. So, among other things, the document states that particular attention should be given to the verbal form of a document to distinguish between requirements, recommendations, permissions, possibilities, and capabilities. So auditors should be aware of these forms as well as how they evaluate the auditees when they're evaluating the audite's conformity to 27,001. So the important part in in relation to these uh different verbal forms, so if we have the verb shall, That is a requirement. That's not something that the uh the oddity can decide to not do. It's they shall do it. If there is the the verb should is uh in use, then that means they should do it, but that's not a requirement. 
It's highly suggested that they do it, but it's not a requirement. And then may means that the auditee could do something if they chose to, or maybe they don't. And then the other one is can, which is a possibility or a capability. So again, from the standpoint of shall, should may can, it is very important that you understand the difference Not only from the standpoint of auditing, but also from the standpoint of when you're going to basically be taking the certification test, you are expected to understand those words. Now in relation to shall uh shall you know is a requirement. It's also important as an auditor to understand that in certain cases if something is not done then there needs to be uh there needs to be some sort of explanation of why it's not applicable. So for example If a company is completely hybrid, they have no physical location, but the ISO 27001 requires physical security. uh it it's not possible. So while there is a shall statement in relation to physical security, that doesn't mean it's uh completely applicable. So isoglossary, these are the definitions, so terms uh applicable means relevant, appropriate, possible to apply appropriate, suitable, meaning suitable, authority, power to command or give a decision. And the authority could be in a variety of different ways. It could be the CEO of the auditee uh or could be some other internal group. Competence, the ability to apply knowledge and skills to achieve the intended results I think that's fairly fair fairly self-explanatory and what competence is you guys are taking this course so you can gain the uh the competence so you can perform activities But that doesn't mean you're not going to continuously learn elsewhere. Conformity, fulfillment of a requirement. So in 27,001 If there is a requirement and they uh they meet the requirements, the guidelines of the requirements, then then that's a conformity. They've conformed with it. And obviously the opposite of that would be a non-conformity. 
which are repeatedly discussed in 27001. Continual improvement, that's recurring activity to enhance performance. Corrective action, that's some sort of action to remediate or mitigate a possible nonconformity and to prevent recurrence. So if there's an issue with an oddity of some sort, uh and you've identified that issue and they've they've understood it, they've recognized it, and so on. And you've said, hey, we need to have a plan to fix this problem, that would be known as a corrective action plan. So or a CAP, CAP. Documented information, that's pretty self-explanatory, information required to be controlled and maintained by an organization and the medium on which it's contained. So continuing on with glossaries. Determine, appraise or analyze quantitatively or otherwise find out. Identify Find out, mark or label, show, to reference something without ambiguity. Interested parties, persons, or organizations that can affect, be affected by or perceive itself to be a affected by a decision or activity. In relation to interested parties, it's important to understand that interested parties don't always have to be internal. They could be external. They could be regulatory bodies. They could be law enforcement It could be clients, it could be board of directors or shareholders. Interested parties are essentially going to be anybody that might have a reason to care about whatever it is. Maintain can enable to continue. So if you're sufficiently doing something correctly and you continue to do it correctly, then you are maintaining Nonconformity, that's the opposite of a conformity, that's when you're not meeting the requirements of the standard or whatever particular area of the standard. Organization, company, corporation, firm, enterprise, authority, or institution, person or persons or part of combination thereof, whether incorporated or not, public or private. That has its own functions and administration. 
So again, in 27001, you'll hear this a lot through other sections, understanding the context of the organization. So think of that as uh in most cases it's going to be the um the odd T. Retain means keep top management. Person or group of people who directs and controls an organization at the highest level. So there's different types of audits that you should be aware of. We'll go through those. The first party audit is when the organization audits its own processes. So say for example an organization had an internal audit team. And they audited themselves and most organizations at some point will get to that point or uh or have somebody do it for them. That's a first-party audit. Now you can also have It's still a first-party audit, but you can also have an organization outsourcing internal audit functions to a trusted entity that basically acts as an internal audit team. So if you're auditing yourself, that's a first-party audit. We also have second party audits. So if uh a second party audit Could be where the uh the the actual customer of the organization itself is auditing the organization to determine if they want to do business with the organization. And it's important to understand that the organization is the auditee. So we have the audit the auditee and we have the customer. If the customer wants to do business with the auditee, then they can audit them And to find out if they're safe to do business with. That would be a second party audit. Another type of second party audit is when the organization or the auditee has vendors So possibly say for example uh an audit T is uh on Amazon or or Azure or G Suite or something like that, and they want to evaluate are those entities safe to do business with. So they may audit them. That's also a second party audit. In some cases that's that could be known as vendor due diligence. 
Now in a lot of cases, not saying Microsoft or Google or Amazon or Oracle are dangerous to do business with, because they're probably not. But other vendors that are less well known, that are probably startups or something like that, that an organization might do business with, this might be more critical for that. You can also have third-party audits. A third-party audit is when a organization is audited by an independent organization that's completely independent. They have no knowledge of any previous audits. Uh they have no knowledge of anything. They're coming in uh basically not knowing anything at all, and uh they're gonna audit and and uh give an assessment. And that's the kind of audit that uh you'll have certifying bodies uh participate in so that they can certify the auditee themselves So in this particular slide, we can see different forms of audits. We have the customer, which could audit the organization. That would be a second-party audit. We have the organization that could audit their own vendors That would also be a second party audit. If the organization audits themselves, that's a a first-party audit. And then again, a third-party audit would be something like a certifying body coming in to uh to double check make sure the organization is following the the guidelines of 27001 and then that could lead to certification for the organization You can also do a combined audit, and a combined audit is exactly what it sounds like. It's taking more than one framework or more than one standard, but auditing it all of it at the same time. There are some benefits to this because uh most in most cases it's going to save time and money. Uh so it's not necessarily a bad bad thing to consider. In relation to combined audits, 27,000 one, 9001, 37,001, and then 20,000-1 A combined audit can be much more than just ISO IEC frameworks. So in the United States, for example, it's very common to do 27001 and SOC2 together. 
And that's two different two different standards, two different frameworks completely. So again, from the standpoint of combined audits, they're certainly possible. You just need to make sure that there's adequate planning And again, if you're going to have somebody who's going to do a combined audit, make sure you have adequate competence training, certification to even do the audit um and and go from there. Involved parties out of 1911, clauses 312, 313. 314, 315, and then out of 17,021-1 clauses 38, 39, and 316. So these are some examples of A uh involved party, we have the audit client, otherwise known as the auditee. That's the organization or person requesting an audit. We have the auditee, that's the organization as a whole, or parts thereof being audited. And again, remember for 27001 or basically how you set up different frameworks. You don't necessarily have to audit the entire organization. You can audit just sections of it if if that's the goal of the audit client. You have the auditor, the person who conducts an audit, and that's basically you guys who are taking this course. You're going to be the auditor. You have the audit team, one or more persons conducting an audit supported if needed by technical experts. So obviously the audit team would be people composed of auditors. and everybody's capable of doing the auditor job, they're certified, or or so on. You can also have a technical expert, person who provides specific knowledge or expertise to the audit team. It's important to understand that as an auditor, you're not required to know every single thing for every possible concept of every single framework that's out there. So for example, if you're going to audit a software development company, for example, and you're not a developer, you probably are going to have to have some help. Or maybe there's a company, an auditee. 
uh audit organization that uh wants to that's heavily heavily using databases or something like that but you're not necessarily a database person you may want to bring in a database person to evaluate their configuration So technical experts are certainly possible. They're certainly also possible in the areas of network engineering, network security from the standpoint of network architecture, and so on. So it's not it's not unheard of to do that. There's also observers, a person who accompanies the audit team but does not audit. This could be a person from the audit company themselves, possibly somebody who's uh learning how to be an auditor or possibly somebody within the audit company that is uh evaluating the performance of the auditor or the audit team uh themselves And then there's also a guide. That's a person appointed by the client to assist the audit team. I'm a huge fan of implementing and using guides whenever I help a company get ready or if I'm involved directly with audits. The reason why is because a guide will generally have direct access uh to people or areas of the auditor or audity environment that allows for faster access to get things done. They basically can cut through what we call red tape. You can get things done faster and smoother with less hassle. And realistically, guides make things go uh a lot easier \ No newline at end of file +Hi there, my name is Carl Carpenter. I will be your instructor. I am a consultant for Arrakis Consulting, a full service cybersecurity firm. I've been dealing with cybersecurity for over 30 years. I'm also a former chief information security officer for a $6 billion entity dealing with all types of regulatory environments. And for this course, this is the ISO IEC 27001 lead auditor course Sponsored by PECB. + +Hi, thank you for joining me. This is section six for the ISO IEC 27001 course: fundamental audit concepts and principles. 
In this section, we're going to talk about audit standards, what is an audit, types of audits, involve parties, audit objectives, and criteria, a combined audit, principles of auditing, and competence and evaluation of auditors. Be warned this is a fairly long section, so make sure that you have plenty of coffee. + +So what is an audit? Well, as per ISO 19011 Clause 3. 1, it's a *systematic, independent, and documented process for obtaining objective evidence, and evaluating it – again objectively – to determine the extent to which the audit criteria are fulfilled*. So it's basically an assessment by an auditor on the evidence and the facts that a company is trying to present to that auditor. So it's very simple, just asking a lot of questions and then evaluating the evidence that's provided, making sure that the evidence is in alignment with policy standards, procedures, processes, things like that, as well as possibly national or international guidelines. + +So audits can come in a variety of flavors. There could be financial audits, there could be administrative audits, there could be an information systems or information security audit, which is what ISO 27001 is based on. + +**Relevant standards for auditing the ISMS are**: + +*for certification bodies* +- ISO 17021-1, certification body requirements for competence, consistency, and impartiality, allowing them to demonstrate credibility and reliability. +- ISO 27006-1, certification body requirements for ISMS certification. + +*for auditors* +- ISO 19011, for audit steps and audit program management, also emphasizing the fundamental principles of auditing. +- ISO/IEC 27001 itself, for the ISMS requirements. + +The importance of vocabulary is critical when it comes to auditing. Auditors need to have a firm understanding of the vocabulary and terminology that ISO uses in its management system standards, and the terms and definitions that are specific to 27001. 
+ +There are potential sources for the different types of vocabulary. Highly suggested is the [ISO online browsing platform](https://www.iso.org/obp/ui/), a tool developed by ISO which provides access to ISO standards, terms, and definitions. Other sources could be specific publications by ISO, guidance documents, articles, possibly a glossary, and so on. + +ISO management system standards will contain relevant terms and definitions in clause 3, based on the harmonized structure ISO management systems. These are typically organized according to the hierarchy of concepts. Clause 3 is fairly consistent across standards. + +Particular attention should be given to the verbal form in a document, to distinguish between requirements, recommendations, permissions, possibilities, and capabilities: + +- The verb **shall** indicates a requirement. +- The verb **should** means it's highly suggested, but not a requirement. +- The verb **may** means that the auditee could do something if they chose to +- The verb **can** indicates a possibility or a capability. + +So *shall* is a requirement. When it's not done, then there needs to be an explanation of why it's not applicable. For example, if a company has no physical location, complying to the physical security requirements of ISO 27001 is not possible (or 'applicable'). + +Here are some important definitions: + +![](CleanShot%202026-06-07%20at%2011.22.37.png) + +![](CleanShot%202026-06-07%20at%2011.23.04.png) + + + +--- +### Different types of audits + +The **first party audit** is where an organization audits itself. For example by an internal audit team, or somebody contracted to do it for them (a trusted entity that basically acts as an internal audit team). + +A **second party audit** is where an organization audits its vendors or external providers, to ensure that they are fulfilling contractual obligations, or to make purchasing decisions (due diligence). 
+ +A **third-party audit** is the kind of audit done by certifying bodies: an organization is audited by a completely independent organization, that are coming in with basically zero knowledge, to give an assessment. + + +![](CleanShot%202026-06-07%20at%2011.27.14.png) + +You can also do a **combined audit**, where you are auditing multiple frameworks or standards at the same time. There are some benefits to this because most in most cases it's going to save time and money. A combined audit for 27001, 9001, 37001, and 20000-1 is common practice, just as a combined audit for ISO 27001 and SOC2. Make sure the involved parties have adequate competence training and are certified to do the audit. + +--- +### Involved parties + +ISO 19011, clauses 3.12 through 3.15, and ISO 17021-1 clauses 3.8, 3.9, and 3.16, give examples of involved parties. + +![](CleanShot%202026-06-07%20at%2011.45.48.png) + +With regards to the **technical expert**: as an auditor, you're not required to know every single thing for every possible concept of every single framework that's out there. So for example, if you're going to audit a software development company, and you're not a developer, you are probably going to have some help. They're certainly also possible in the areas of network engineering, network security from the standpoint of network architecture, and so on. + +There's also **observers**, a person who accompanies the audit team but does not participate in the audit. This could be a person from the audit company themselves, possibly somebody who's learning how to be an auditor, or possibly somebody within the audit company that is evaluating the performance of the auditor or the audit team. + +And then there's also a **guide**. That's a person appointed by the client to assist the audit team. This can be a huge benefit to the auditor, as a guide will generally have direct access to people or areas, which allows for faster access to get things done. \ No newline at end of file 
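Review bot: the cleaned S06.1 transcription still carries dictation artifacts, mismatched number agreement and one lost set of definitions, so it needs another pass before it is treated as processed. In the definition of an audit, "ISO 19011 Clause 3. 1" has a stray space (read "Clause 3.1"); the section overview says "involve parties" where the later heading reads "Involved parties"; the combined-audit paragraph keeps the stutter "most in most cases"; and the verb list item "could do something if they chose to" has no terminal period. The third-party audit sentence "an organization is audited by a completely independent organization, that are coming in with basically zero knowledge" mixes singular and plural (read "that is coming in"), and "There's also **observers**, a person who accompanies the audit team" does the same; "They're certainly also possible in the areas of network engineering" directly follows a sentence about developers, so "They" has no clear referent and should name technical experts explicitly. Separately, the definitions of audit client, auditee, auditor and audit team from the original transcript now survive only as a screenshot ("![](CleanShot%202026-06-07%20at%2011.45.48.png)") with no alt text; since the rest of this corpus is searchable markdown, consider keeping those terms as a short text list (the source wording is usable once the slip "the audit client, otherwise known as the auditee" is dropped, since the transcript itself defines the client as the party requesting the audit and the auditee as the organization being audited) and adding alt text to all three images.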
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.2-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.2-Fundamental-audit-concepts-and-principles.md index 7253501..0e7aa7b 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.2-Fundamental-audit-concepts-and-principles.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.2-Fundamental-audit-concepts-and-principles.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.2 Fundamental audit concepts and principles 
@@ -17,4 +17,40 @@ This session covers the seven principles of auditing from ISO 19011 clause 4: in ## Transcription -So there's audit principles. This is out of ISO 1911, clause four Auditing is characterized by reliance on a number of principles. Adherence to those principles is a prerequisite for providing audit conclusions that are relevant and sufficient and for enabling auditors working independently from one another to reach similar conclusions in similar circumstances. So we have an example of integrity, fair presentation, due professional care Confidentiality, independence, evidence-based approach, and a risk-based approach. And we'll talk about each one of those in the following slides. So integrity out of 1911 clause 4A. Integrity is the foundation of professionalism. Auditors and the individuals managing an audit program should Perform their work ethically with honesty and responsibility, only undertake audit activities if competent to do so Perform their work in an impartial manner, and in other words, remain fair and unbiased in all their dealings. Be sensitive to any influences that may be exerted on their judgment while carrying out an audit So in relation to cybersecurity or auditing of any kind, integrity is the core principle of professional behavior. So let's talk about this a little bit. So perform their work ethically with honesty and responsibility. So meaning that You're not going to lie in relation to or be un less than truthful in relation to the work that you perform. We're we're not going to uh uh create wordy words and reports and documents or emails or anything like that that could possibly be misleading. We also want to make sure that we only undertake audit activities if competent to do so. So if you'll remember in a previous slide we talked about technical experts. You want to use technical experts if you feel like you need to. 
Just because you're the only auditor, that doesn't mean that you're expected to know every single thing about the audit. You want to perform your work in an impartial manner remaining fair and unbiased in all everything you do. That doesn't mean that you have to be insulting in how you do the work, but you do have to remain impartial. You have to be truthful. Fair presentation. So this is out of 1911 clause 4B. The obligation to report truthfully and accurately So audit findings, audit conclusions, and audit reports should reflect truthfully and accurately the audit activities So how did you perform the audit? Who did you interface with? What date and time did you interface with them? What evidence was provided to you? Things like that. All of this should be documented in the audit report. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. Now a lot of times in relation to obstacles, if you have a guide, some obstacles can go away. If you understand the organization that you're auditing uh fairly well, you get along with them, you're polite, you're respectful, and so on, then a lot of times uh obstacles can go away very easily. It depends on how diplomatic you are I don't want to say how politically correct you are, but you do need to understand the environment, the culture, the political situation, possibly with the audit. The communication should be truthful, accurate, objective, timely, clear, and complete. So again, no ambiguity. Make sure that you're always objective during the audit. You're not going to compromise yourself, your professional judgment on the ground of any predetermined prejudice or conflicts of interest or anything like that. 
If there is an issue in relation to some sort of bias or whatever, then you definitely want to try to avoid that at all all opportunities Due professional care, so 19011 clause 4C, the application of diligence and judgment in auditing Auditors should exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgment in all situations. So one of the examples I'd like to give for this particular slide The application of diligence and judgment in auditing relates to the the the fact that as an auditor, when you're asked to come in to audit a client or an auditee There's a tremendous amount of trust placed into you as the auditor. So we don't want to violate that trust The confidence and trust that the auditee is placing into you is expected to be upheld at all times. So, to conduct an audit, auditors will have to consider the following beforehand: the context of the organization, critical processes of the organization, the expectations of the clients complexity of the client activities to be conducted, and the resources needed in order to do the actual audit Again, there's a tremendous amount of trust placed in auditors, so you don't want to violate that trust. Professional judgment, this again goes into the trust. by the auditees. Professional judgment means applying relevant training, knowledge, and experience to make informed decisions in various situations. During an audit. In exercising professional judgment, auditors maintain independence and objectivity and adopt an attitude of skepticism to reach the audit objectives Again, a lot of the professional judgment that you're going to be making as an auditor is going to rely not only just on the auditor training that you're going on right going through right now, but also possibly prior training. 
So for example, if you're an auditor and you before you became an auditor, maybe you were a network administrator, maybe you were a network engineer, or maybe you were a security architect. That knowledge can carry over into auditing, but you want to make sure that if you're if you're uh auditing particular areas that you're not necessarily trained on or you don't have the knowledge on, then don't make informed decisions based on things that you don't know. Rely on technical experts or possibly other members of your own audit team Professional skepticism, that's necessary to reduce the risk of overlooking possible issues or intentional issues that are intentionally being hidden from you. Which could obviously lead to incorrect audit conclusions. So auditors should not ever take the word of the auditee as fact. Instead, what you want to do is look for evidence to support their claims. of whatever they're trying to tell you. So an attitude of professional skepticism implies that auditors perform a critical evaluation on the validity of the evidence obtained and are on the lookout for evidence that could contradict or question the reliability and validity of the documented information received The answers to questions asked during an interview or any other information related to the audit itself. So again, just because the auditee says that they they have antivirus, for example, across their entire network, that doesn't mean that you should believe them. You should ask them, okay, prove it. Uh you say you do, but prove it. Irregularities and illegal acts in an audit If auditors encounter exceptional circumstances, so significant irregularities or illegal acts that affect their ability to continue with the audit, they should take into account the legal implications. And they should also consider withdrawing from the audit. However, I will uh expand on this a little bit. So in the United States, and and I assume most other countries have something similar to this. 
We have the concept of mandated reporting if it's an illegal act. So examples of mandated reporting if it's an illegal act. Could involve national security like terrorism, uh things like that, anything to do with child pornography, uh that's a illegal act that it requires a uh reporting to law enforcement So based on the country that you're in the and the company that you're auditing as an auditor, you need to understand what your legal implications are. If, for example, I ran across a company that had a mandated reporting event and I detected that, I uncovered it somehow or another, and I did not call law enforcement, then I personally to be held accountable for that. So I'm I don't want that risk, uh that burden. So uh just understand if you have something that's a mandated reporting event, then you you have to report it, whether the c audity likes it or not. Now in other cases though, let's say for example theft, you run across a person who has stolen a computer. The victim would be the auditee. That is not a mandated reporting event. That might be something where you report to the auditee, hey, we we caught this guy stealing a laptop. or or something, uh you can do whatever you want with it. We're just letting you know. The victim in this case would be the auditee and it's up to the auditee if they want to report it or do something about it. However, you could also run across irregularities that may put the auditor, you guys, the students. For this course, then you may consider withdrawing from the audit because you're just not comfortable anymore in dealing with it Obviously, if you're in a situation where you're auditing a company and you run across a mandated reporting event, depending on how that interaction goes, You may still consider withdrawing from the audit just just because it's not appropriate for you to be there anymore. So there are different types of situations. 
So again, notifiable illegal acts Countries around the world have established various laws that obligate this to happen. Child pornography, again, is a major one. It's certainly a mandated reporting event in the United States. highly suggest that you understand the country laws uh for whatever uh country you're going to be auditing in. You may also want to understand your own country laws if you're auditing a client that's not in your country, but you are in your country where you reside and you're auditing remotely Confidentiality. So clause 19011, clause 4D, rationale is security of information. Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client or in a manner detrimental to the legitimate interests of the auditee. And the con this concept includes proper handling of sensitive or confidential information. In most cases, when you go uh and Perform an audit, you're most likely going to be required to sign a non-disclosure of some sort. In addition, the certifying body that you're working under, so you can do the audit They're probably going to have a non-disclosure as well. It would be extremely irregular if you did not sign non-disclosures and then started doing audits. So again, with with some exceptions, always attempt to protect the auditee or the audit client. With whatever information that you're exposed to because again, as an auditor, there's a tremendous amount of trust that's placed on your shoulders by them working with you The only area that you need to be aware of in relation to confidentiality has to do with criminal activity. So again, there's mandated reporting criminal activity, which a non-disclosure clause is not going to protect you from. Confidentiality requirements. So there's several different requirements from 17021-1, 8. 4. 1. 
The certification body shall be, and again, shall means it will be. It's not an option. The certification body shall be responsible through legally enforceable agreements for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf. 8. 4. 3 Except as required in the part of 1702 information about a particular Certified client or individual shall not be disclosed to a third party without the written consent of the certified client or individual concerned. So again, if you're going to release anything, make sure that the people you're releasing information about agree. Personnel, including any committee members, contractors, personnel of external bodies or individuals Acting on the behalf of the certification body shall keep, again, shall is a requirement. Keep confidential and information obtained or created during the performance of the certification body's activities except as required by law. That's your clause right there that says if there is a mandated reporting event, then as required by law, it's okay to release that information. The certification body shall have processes and where applicable equipment and facilities that ensure the secure handling of confidential information. So certification body is going to hold on to the information and get and going to protect it. A lot of certification bodies, they have the material and then uh after a certain time period uh they they purge the material so they don't have to protect it anymore. It's just simply not there. Implications for auditors in relation to those requirements. So the certification body will most likely include confidentiality requirements in the contract which the auditor signs. Auditors must be aware of these requirements and their implications. 
Again, it would be extremely irregular if you audited anybody without some sort of non-disclosure in place. Auditors must obtain written consent from the audit client before disclosing any information to a third party. The certification body may also have to be kept informed. Auditors must handle with confidentiality all information created or obtained during the audit except when disclosure is required by law. We talked about that Auditors must handle all confidential information per the certification body's processes. Auditors must have knowledge of the certification body's solutions for handling confidential information. information. This doesn't mean you have to be a network engineer and understand in great detail how data is encrypted or backed up with the certificate certification body, just that it is being performed. And again, a lot of certification bodies, they will capture the data, they'll produce a certification of some sort once they've evaluated that there's no more need for the audit evidence or whatever information that could be viewed as sensitive. A lot of them are actually uh deleting them uh on a on a time-bound basis. Exceptions to the confidentiality principle. Confidential information can be disclosed only if it is authorized by law by the audit client or by the auditee. So if it's authorized by any of those law clients or auditee, then it can be disclosed. Or required by law. So required by law is uh something you again you have to be aware of. An obligation or right to disclose when not prohibited by law. And I can't really think of too many examples why you would want to uh disclose something when not prohibited by law because you felt obligated uh to do so as an auditor. Uh you may not be asked to do too many more audits if that's if that's the case In a general sense, what I suggest people do, just don't release anything about any of your auditees, your audit clients, unless they say it's okay or the law requires you to do so. 
\ No newline at end of file +So there's **audit principles**. This is out of ISO 19011, clause 4. Auditing is characterized by reliance on a number of principles. **Adherence** to those principles **is a prerequisite** for providing **audit conclusions** that are **relevant and sufficient**, and for **enabling auditors** working independently from one another **to reach similar conclusions in similar circumstances**. + +So we have an example of integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and a risk-based approach. + +So integrity out of 1911 clause 4a. **Integrity** is the foundation of professionalism. Auditors and the individuals managing an audit program should perform their work ethically with honesty and responsibility, only undertake audit activities if competent to do so, perform their work in an impartial manner, and in other words, remain fair and unbiased in all their dealings. Be sensitive to any influences that may be exerted on their judgment while carrying out an audit. So in relation to cybersecurity or auditing of any kind, integrity is the core principle of professional behavior. +So let's talk about this a little bit. So perform their work ethically with honesty and responsibility. So meaning that you're not going to lie or be less than truthful, in relation to the work that you perform. We're not going to choose our words in a manner that could possibly be misleading. We also want to make sure that we only undertake audit activities if competent to do so. You want to perform your work in an impartial manner remaining fair and unbiased in everything you do. That doesn't mean that you have to be insulting in how you do the work, but you do have to remain impartial. You have to be truthful. + +**Fair presentation**. So this is out of 19011 clause 4b. The obligation to report truthfully and accurately, reflecting the audit activities How did you perform the audit? 
Who did you interface with? What date and time did you interface with them? What evidence was provided to you? Things like that. All of this should be documented in the audit report. +Significant obstacles encountered during the audit, and unresolved diverging opinions between the audit team and the auditee, should be reported. A lot of times, if you have a guide, some obstacles can go away. If you understand the organization that you're auditing fairly well, you get along with them, you're polite, you're respectful, and so on, then a lot of times obstacles can go away very easily. You do need to understand the environment, the culture, the political situation, etc. **The communication should be truthful, accurate, objective, timely, clear, and complete. No ambiguity.** Make sure that you're always objective during the audit. + +**Due professional care**, so 19011 clause 4c, the application of diligence and judgment in auditing auditors should exercise due care in accordance with the importance of the task they perform, and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgment in all situations. + +When you're asked to come in to audit a client there's a tremendous amount of confidence and trust placed into you as the auditor. We don't want to violate that trust. Auditors will have to consider the following before conducting an audit: the context of the organization, critical processes of the organization, the expectations of the complexity of the client activities to be conducted, and the resources needed in order to do the actual audit + +**Professional judgment** means applying relevant training, knowledge, and experience to make informed decisions in various situations during an audit. 
+In exercising professional judgment, auditors maintain **independence** and **objectivity** and adopt an attitude of **skepticism** to reach the audit objectives + +A lot of the professional judgment that you're going to be making as an auditor is going to rely on prior training. So for example, if you're an auditor and you before you became an auditor, maybe you were a network administrator, maybe you were a network engineer, or maybe you were a security architect. That knowledge can carry over into auditing, but make sure that you don't take decisions based on things that you don't know. Rely on technical experts or possibly other members of your own audit team. + +**Professional skepticism**, is necessary to reduce the risk of possibly overlooking issues, or overlooking issues that are intentionally being hidden from you. Auditors should not ever take the word of the auditee as fact. Instead, what you want to do is look for evidence to support their claims. Professional skepticism implies that auditors perform a critical evaluation on the validity of the evidence obtained, and are on the lookout for evidence that could contradict or question the reliability and validity of the documented information received. Just because the auditee says that they have antivirus across their entire network, that doesn't mean that you should believe them. You should ask them to prove it. + +**Irregularities and illegal acts in an audit.** If auditors encounter exceptional circumstances, so significant irregularities or illegal acts that affect their ability to continue with the audit, they should take into account the legal implications. And they should also consider withdrawing from the audit. + +You should take into account the laws of the country your auditing in. Most countries have the concept of mandated reporting of illegal acts to the authorities, like in the case of terrorism or child pornography. 
Other illegal acts you may report to the company your auditing, like if you catch a guy stealing a laptop – in that case the auditee is the victim and it's up to them if they want to report it. + +However, you could also run across irregularities that may put the auditor, you guys, the students. For this course, then you may consider withdrawing from the audit because you're just not comfortable anymore in dealing with it Obviously, if you're in a situation where you're auditing a company and you run across a mandated reporting event, depending on how that interaction goes, You may still consider withdrawing from the audit just just because it's not appropriate for you to be there anymore. So there are different types of situations. So again, notifiable illegal acts Countries around the world have established various laws that obligate this to happen. Child pornography, again, is a major one. It's certainly a mandated reporting event in the United States. highly suggest that you understand the country laws uh for whatever uh country you're going to be auditing in. You may also want to understand your own country laws if you're auditing a client that's not in your country, but you are in your country where you reside and you're auditing remotely + +**Confidentiality**. Clause 4d of ISO 19011 states that Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes proper handling of sensitive or confidential information. In most cases you're going to be required to sign a non-disclosure of some sort. In addition, the certifying body that you're working under will probably have a non-disclosure agreement as well. So again, with with some exceptions, always attempt to protect the auditee or the audit client. 
The only area that you need to be aware of in relation to confidentiality has to do with criminal activity. + +**Confidentiality requirements**. So there's several different requirements from 17021-1, 8.4.1. The certification body shall be responsible through legally enforceable agreements for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf. +And 8.4.3: information about a particular certified client or individual shall not be disclosed to a third party without the written consent of the certified client or individual concerned (except as required in the part of 17002). So again, if you're going to release anything, make sure that the people you're releasing information about agree. +Personnel, including any committee members, contractors, personnel of external bodies or individuals acting on the behalf of the certification body shall keep confidential any information obtained or created during the performance of the certification body's activities except as required by law. +The certification body shall have processes, and where applicable equipment and facilities, that ensure the secure handling of confidential information. +Auditors must handle all confidential information per the certification body's processes. Auditors must have knowledge of the certification body's solutions for handling confidential information. +A lot of certification bodies, purge the material the have after a certain period of time. + +**Exceptions to the confidentiality principle**. Confidential information can be disclosed only if it is authorized by law, by the audit client, or by the auditee. \ No newline at end of file 
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.3-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.3-Fundamental-audit-concepts-and-principles.md index 4eec584..9341850 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.3-Fundamental-audit-concepts-and-principles.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.3-Fundamental-audit-concepts-and-principles.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.3 Fundamental audit concepts and principles 
@@ -17,4 +17,28 @@ This session covers the audit principles of independence, evidence-based approac ## Transcription -Independence, this is out of 1911, clause 4E, the basis of impartiality of the audit and objectivity of the audit conclusion. So we have independent auditors that are going to audit the ISMS. We have management that deals with the information security management. Then we have the auditee and then we have the users. There's an independence in relation to all of those. So the independent auditors are not going to report directly to management. Their independent auditors are not one of the users. They're not the auditee either. Threats to independence. This is actually something that can happen and has been discussed repeatedly in a lot of different auditor courses. But out of 17021-1 clauses 4. 2. 4 and 5. 2. 11, the certification body shall take action to respond to any threats to its impartiality arising from the actions of other persons, bodies, or organizations. Threats to impartiality may include, but are not limited to self-interest, self-review familiarity or trust and intimidation. So it's important to understand the certification body shall take action, meaning again, it's not an option. They must take action. If they don't, then there could be an issue with the certification body itself, which could be very detrimental to their business So we want to make sure that we are always accurately being aware of what's going on. We're protecting all the information. So threats to uh independence, uh self-interest is one of them. So threats that arise uh from a person or body uh acting on their own interest. Uh so a concern relating to certification uh could be that way like financial self-interest. 
So say for example I was auditing a company and I, strangely enough, for some reason or another, had a whole bunch of shares of stock in this company Uh and I knew that if they passed an ISO 27001 certification audit that their business would uh improve and their likely their sales would go up or things like that And that would naturally make my uh my shares of stock uh be more v more valuable. Uh that would be a an example of self-interest. We also have self-review. You can't audit yourself. That's essentially what that means. You can't audit yourself Intimidation is obvious. If somebody says, you know, you are going to give us a good report so we can get certified or bad things will happen. But then there can also be familiarity or trust. So that's not necessarily self-review. That's where you have so much of familiarity with the oddity that It's almost you're almost part of the team that's being audited, which kind of rolls back into self-review. So items of or threats to independence. So we can uh some examples. Items Or GIFs. That's certainly something that I've I've never personally run across any of these before. But I have heard of situations where an auditor uh may have received a gold Rolex or may have received something else. a free laptop. I have heard of a in one case I heard of an auditor. He was going through an audit and the auditee said, here's the laptop we want you to use and when we're done you can keep it. So that's that would be a gift, we can't do that. Trips, there could be cases of of in of threat to independence for a trip where for example let's say a company says hey we're gonna get audited we want you to be our auditor okay great oh and we're gonna do the uh the we're gonna do the audit in Maui uh or in Hawaii uh or in Bora Bora or in Fiji uh and it's gonna take three weeks but we're only actually gonna be interviewed for uh four days That would be can viewed as a as a gift. It would be basically a bribe. 
Meals, again, very expensive meals or elaborate meals. That could be a threat to independence And another one is contracts. I have heard of cases where uh uh companies, an auditee has told uh uh an auditor If you pass us and if we get certified, then we will give your organization a follow-on contract. So again, that that is a threat to independence. We we don't want to We don't want to put ourselves in that position. We don't want to put the certifying body in that position. And we don't want to put our company into that position Consultancy services and audits. Auditors should not provide management systems, consultancy services for the auditee Meaning they cannot contribute to the design, implementation, or the maintenance of a management system for the Auditee. In case the auditee received consultancy from a body that has a relationship with the certification body A minimum period of two years must pass before the certification body can certify the auditee. So essentially this goes back into self-review and familiarity. You cannot Help the auditee get ready for the audit, uh maybe perform functions for the auditee, maybe perform services for the auditee. And then turn around and act as an auditor to evaluate your own work. That would be inappropriate. Now, that second bullet, in case the audite receives consultancy from a body that has a relationship with the certification body. It's in most cases I've seen companies they will have different wings or different divisions. They'll have the implementation division, then they'll have the auditing division, but it's the same company In my opinion, that is inappropriate. And in a lot of cases, they'll have a separate legal entities, but it's it would be common knowledge that they're the same company. Again, in my opinion, that's that would be inappropriate. 
Realistically, if you needed uh as an auditor, if you're auditing an auditee uh and the auditee needs help, then it should be a completely independent uh entity from the audit firm That doesn't mean that the auditee and the the consulting party as well as the audit auditing firm, that doesn't mean they may not know each other or they may not uh you know, interact with each other through different clients or or so on. But we definitely want to avoid the case of of a uh consulting company acting as an auditor and then uh grading their own work so to speak All right, consultancy services and audit requirements for the certification body. So this is out of 17,021-1, clauses 5. 2. 1 and 27006-1 clause 5. 2. 2. Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial, or other pressures to compromise impartiality. So again remember commercial financial or other pressures, so other pressures could be viewed as intimidation. Commercial could be gifts in some form of fashion. Financial could be literally somebody trying to bribe you or the certifying body. And again, understand that conformity assessment activities shall be undertaken This is something that the certification body is going to do. Certification bodies may add value during certification and surveillance audits by identifying opportunities for improvements. Those are commonly called OFIs as they become evident during the audit without recommending the specific solutions. So they there could be a situation the auditor sees that there is a potential for improvement by the auditee. And they say, hey, you really need to do this, it's not a requirement, you really need to do that, but not explain exactly how to do it. That's where the audit T is uh suggested to go talk to a third party to maybe help them uh with that OFI. 
without it being considered as consultancy or having a potential conflict of interest. Again, avoid conflict of interest. And again, if you're the auditor and you're telling the auditee specifically how to do something or what to do step by step, then that could be viewed as consultancy. So you want to avoid it. The certification body shall not provide internal information security reviews of the client's ISMS subject to certification Furthermore, the certification body shall be independent from the body or bodies which provide internal ISMS audit So the certification body is an independent body. Then you have the the auditor, which is generally going to be a contracted individual or possibly a contracted company And then you're gonna have a separate the auditee in whatever environment they're in. Consultancy services and auditors. So 17,021-1 requirements In order to ensure there's no conflict of interest, personnel who have provided management system consultancy, including those acting in a managerial capacity. shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in the management system consultancy towards the client or the auditee. A recognized mitigation to this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy. So what this means if if I'm helping a company, uh XYZ company, uh get ready for an audit and then uh maybe their their audit company that's gonna come in and do the certification uh on this XYZ company, they say, hey Carl, we really want you to show up and and be an auditor uh for us because we we like your work and everything else Then essentially I can go to work for them as an actual auditor doing certification audits and things like that. But XYZ company I can't even go to for at least two years Now in my experience, uh it's actually a lot longer than two years. 
Uh I've seen companies that say three to five years just to make sure that any interaction you may have had, including maybe people actually just not working there anymore, uh That there's no uh connection anymore. So the implication of this clause, uh the provision of consultancy services may constitute a conflict of interest. Certification bodies establish safeguards such as a two-year waiting period or possibly longer, or even prohibit their auditors from providing consultancy services to their audit clients. Auditors must be aware of the safeguards and policies established by the certification body. So 5. 2. 12, all certification body personnel, whether internal or external, or committees Who could influence the certification activities shall act impartially and shall not allow commercial, financial, or other pressures to compromise impartiality. Basically, that means doing the right thing. Don't let yourself get bribed or influenced in any way that could be uh could look like a conflict of interest. uh that could affect the certification process or even the certification body or the auditee themselves. You have to maintain your independence through the audit. You have to be aware of possible threats to independence. And I gave some examples like gifts, hotel stays, trips, financial promises, or anything like that. Any undue pressure from the audit client should be reported to and consulted with the certification body. In a lot of cases, you're not going to run across any of these. I've personally never run across any of them myself, but I've heard about it. One that would definitely affect me would be anything that would concern me greatly would be anything involving the concept of a bribe or intimidation. You need to understand as auditors, your name means everything. The very second that your name is tarnished, and that means your integrity is untarnished And it very rapidly will go around the audit world that your integrity is not to be trusted. 5. 2. 
13 Certification Body Shall require personnel, internal and external, to reveal any situation known to them that can present them or the certification body with a conflict of interest. In other words, if you're going to go in and audit a company and you are you have more information or you have a past with this company or something something like that, you have to disclose it before you actually do anything. Uh you want to disclose it right away to the certification body. We simply don't want to have any sort of conflict of interest. We have an evidence-based approach as well. 19011 clause 4F. The rationale behind this is the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. So we have information that's objectively obtained. It's also evaluated objectively, and then we have the evidence. So ideally, uh if we ask a company, uh, you know, we're interviewing somebody We're going to ask them, say, say for example, do you have encryption at rest? If they say yes, okay, well what level of encryption at rest? Encryption at rest is AES 256. Okay, well then how do we know that? So one of the things we can do is compare what they're telling us with the actual evidence. And the actual evidence could be a policy. an encryption policy for example. Or maybe they have encryption at rest in relation to their databases. We could say let show us the database settings that show us what level of encryption to support the words that you're telling us. Again, unless there's absolutely no way of doing it, never trust the just the words that uh an interviewee or auditee uh tell you because they in in some cases in most cases they're wrong uh or in some cases they'll just tell you what they're expecting you to hear \ No newline at end of file +### Independence and objectivity + +**Independence**, this is out of 19011, clause 4e, is the basis of impartiality of the audit, and the objectivity of the audit conclusion. 
Auditors must have independence of the auditees management – can not have a direct reporting relationship to management. They cannot be one of the users or the auditee. + +![](CleanShot%202026-06-07%20at%2014.49.17.png) + +**Threats to independence**. Out of 17021-1 clauses 4.2.4 and 5.2.11, the certification body shall take action to respond to any threats to its impartiality arising from the actions of other persons, bodies, or organizations. Threats to impartiality may include, but are not limited to self-interest, self-review, familiarity or trust, and intimidation. So it's important to understand the certification body shall take action, meaning again, it's not an option. They must take action. If they don't, then there could be an issue with the certification body itself, which could be very detrimental to their business. So we want to make sure that we are always accurately being aware of what's going on. + +So threats to independence: **self-interest** is one of them. So say for example the auditor has shares of stock in the company he's auditing, and knows that passing the ISO 27001 certification audit would make their business improve, would be a an example of self-interest. We also have **self-review:** you can't audit yourself. **Intimidation** is obvious. **Familiarity or trust** is an issue, when you are so close to the auditee that you are almost part of the team that's being audited, which kind of rolls back into self-review. You cannot accept **Gifts**, like items or trips or meals or follow-up contracts. **Consultancy services**: auditors should not provide implementation or consultancy services for the auditee. There should be a minimum period of two years between consultancy from a body that has a relationship with the certification body, and the audit. This essentially goes back into self-review and familiarity. 
You cannot help the auditee **prepare** for the audit or **perform services** for the auditee, and then turn around and act as an auditor to evaluate your own work. + +All right, consultancy services and audit requirements for the certification body. So this is out of 17021-1, clauses 5.2.1 and 27006-1 clause 5.2.2. Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial, or other pressures to compromise impartiality. So again remember commercial financial or other pressures, so other pressures could be viewed as intimidation. Commercial could be gifts in some form of fashion. Financial could be literally somebody trying to bribe you or the certifying body. And again, understand that conformity assessment activities shall be undertaken This is something that the certification body is going to do. + +Certification bodies **may add value** during certification and surveillance audits by identifying **Opportunities for Improvements**, or OfI's, but *without recommending specific solutions*. Again, avoid conflict of interest. + +The certification body shall not provide internal information security reviews of the client's ISMS, subject to certification. Furthermore, the certification body shall be independent from the body or bodies which provide the internal ISMS audit. + +Then you have the the auditor, which is generally going to be a contracted individual, or possibly a contracted company. ISO 17021-1 requires: In order to ensure there's no conflict of interest, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities, if they have been involved in the management system consultancy towards the client or the auditee. 
So the certification body cannot add (former) employees from or consultants to the organization under audit, to the audit team. The implication of this clause is the **provision of consultancy services may constitute a conflict of interest**. Certification bodies establish safeguards such as a two-year waiting period or possibly longer, or even prohibit their auditors from providing consultancy services to their audit clients. + +Auditors must be aware of the safeguards and policies established by the certification body. So 5.2.12, all certification body personnel, whether internal or external, or committees who could influence the certification activities, shall act impartially and shall not allow commercial, financial, or other pressures to compromise impartiality. You have to maintain your independence through the audit. Any undue pressure from the audit client should be reported to and consulted with the certification body. + +Clause 5.2.13: Certification Body Shall require personnel, internal and external, to reveal any situation known to them that can present them, or the certification body, with a conflict of interest. + +### Evidence-based approach + +**Evidence-based approach** is described in 19011 clause 4f. The rationale behind this is, to reach reliable and reproducible audit conclusions, you need a systematic audit process. Evidence-based means if the auditee claims something, you will need objectively obtained and evaluated information, that's the evidence. The actual evidence could be a policy, or proof of database settings. Never just trust the words of an interviewee or auditee, because in some cases they're wrong and in some cases they'll just tell you what they think you want to hear. \ No newline at end of file 
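Review bot: the rewritten "Evidence-based approach" paragraph at the end of this hunk drops the one worked example from the removed transcript: the interviewee claims encryption at rest with AES 256, and the auditor corroborates that claim against the encryption policy and the actual database settings rather than the interviewee's word. That example is what makes "objectively obtained and evaluated information" concrete for a reader, so suggest restoring it as a sentence after "The actual evidence could be a policy, or proof of database settings." Second, "So the certification body cannot add (former) employees from or consultants to the organization under audit, to the audit team" goes beyond the 17021-1 text quoted just before it, which covers personnel who provided management system consultancy, not former employees of the auditee; either cite where the employee restriction comes from or limit the sentence to consultancy personnel and keep the two-year minimum that the removed text attached to that clause. Third, the image line `![](CleanShot 2026-06-07 at 14.49.17.png)` has empty alt text; describe the diagram (auditor independent of management, auditee and users, as the removed transcript explains) so the note reads without the attachment. Minor: "the auditees management – can not" (auditee's; cannot), "would be a an example", "the the auditor", "OfI's" versus the OFIs spelling used in the removed text, and "Certification Body Shall" capitalised mid-sentence.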
diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.4-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.4-Fundamental-audit-concepts-and-principles.md index 1eab2c1..734baf2 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.4-Fundamental-audit-concepts-and-principles.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.4-Fundamental-audit-concepts-and-principles.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.4 Fundamental audit concepts and principles 
@@ -17,4 +17,44 @@ This session covers auditor negligence, ethics, and the risk-based auditing appr ## Transcription -Negligence of auditors, there's different uh four levels of responsibility in case of torturous acts Now you may go, what does tortuous acts mean? Tortuous means the actual damage that is done as a part of your involvement in that. What damage is done to the company because you're involved? And that could be a variety of different ways. It could be financial, it could be commercial, it could be reputational. So definitely understand that. So first off is no negligence. And that's realistically where. Where you want to be. That means that you are a perfect auditor. You did everything great. You followed the rules exactly the way they're supposed to be followed, and everything else. And it's it's just ideal There's also ordinary negligence. Now that doesn't mean that you are a bad person or you're a bad auditor, but possibly you just didn't do 100% in one area. uh more like 98 or 95 or 80 percent uh success in that particular uh area that you're you're working in. So you're still able to produce enough evidence to show that The auditee does deserve a certification of some sort. They pass their certifying audit. It's just that there's areas that could be done a little bit better the next time So during a surveillance audit, anything that could possibly be viewed as ordinary negligence, that could get double-checked to make sure it's adequate at that point in time. However, there's also other forms of negligence, and that's not the kind that we ever want to be in. So gross negligence is certainly one of them. So that's basically a total lack of diligence. The auditor did not report the facts that another auditor could have easily observed without being even without being qualified to conduct an audit. So for example, let's say an auditor did not really conduct the audit very well, but submitted a uh a positive audit report to the certifying body. 
So what could happen, the audit findings could be challenged by the certifying body and a new audit assigned before the auditee can claim some sort of certification or be granted or awarded that certification. Disciplinary actions could happen in cases like this for uh you know for the auditor themselves, including uh administrative actions like termination uh or Just basically being banned from working with that certifying body. Now, in cases of ordinary uh negligence, if there were cases of ordinary negligence, That could be just additional training, or it could be just maybe somebody's observing the auditor the next time they go around. So gross negligence is not something that we ever want to be in. Fraud, though, is the worst kind. That's where the auditor knowingly, consciously and deliberately participates in falsifying uh reports that is being sent to the certifying body in order to deceive this the uh certifying body or maybe even another party of some sort, law enforcement, regulatory bodies Anything like that. That is pretty much a worst-case scenario if if you're accused of fraud and actually found to have been fraudulent as an auditor. uh you might as well just plan on not being an auditor anymore uh because again as an auditor there's a tremendous amount of trust placed on you not only from the auditee with the information they give you but also on the certifying body that has contracted you to perform the audit. So it's super important that you never want to be in the gross negligence or fraud areas. Always strive for the best job you can do. Ways to reinforce ethics with auditors, conduct background checks before contracting the auditor, if if that's uh or or employing the auditor Make sure you understand the background of people. 
So one of the examples I give in relation to background checks for auditors If you're going to hire an auditor to do a financial records check of some sort, you want to make sure that that auditor wasn't convicted of embezzlement. Uh if same thing with uh information security. If you're gonna hire an auditor to perform information security, uh you may wanna make sure that the auditor not only is qualified to do the standpoint of information security audits. But also they were not charged with or convicted of some sort of cybersecurity crime. So it's also important to understand that background checks also don't necessarily mean uh criminal action that could have happened, but also from the standpoint of what's their knowledge. If they say that they are former network engineer, Then they should be able to prove that. And a background check should possibly, depending on how you're doing it, uh, could possibly prove that yes, they were a network engineer. So they understand the concepts of TCPIP and subnetting and VLANs and routers and switches. Or maybe they don't, but they put it on their resume. So make sure that you do a adequate background check for your uh your contractors, your auditors, whether the contractors or employees, to make sure they're they're living up to the name that they say they are. We can also have the uh sign, the auditors sign a code of ethics on uh company policy, company actions code of conduct, things like that, uh on ethics or surrounding auditing, uh possibly you could make the uh auditors that you're uh bringing on aware of the laws that they have that they will be beholden to, things like that. Conduct training and awareness programs. This is always good. There's computer security awareness training in any company, in any regulatory environment requires it. There's no real reason you could not add additional auditor training. 
to auditors in relation to uh being an auditor or awareness around things they should that the company or the certifying body wants to make sure that they're aware of Draft workplace policies and procedures based on best practices. That's going to vary based on the entity that you're working with. Establish an ethics committee and implement their decisions. Just because an auditor really does a great job and everything, that doesn't mean that they would pass ethically. There might be cases where reports need to be reviewed, they need to be approved, they need to be uh evaluated, and so on. Number six, evaluate the auditors continuously. Always do that. Always make sure that you're being aware of what your auditors are doing, what their experiences are like, how they interact with the auditees, and so on. Implement legal and professional sanctions if necessary. And again, the certifying body, the auditee, the auditor environment, that's going to vary based on what it is. and perform external audits by accreditation authorities. So we also have a risk-based approach to auditing. So this is 19011 clause 4G. So the rationale behind this is an audit approach that considers risks and opportunities. The risk-based approach should be a Should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client and for achieving the audit program objectives. So we want to, when we're performing the audit or when we're going to perform the audit, we don't want to perform the audit in such a way that it creates risk for the auditee because you pretty much will never get asked to come back if you cause a problem for the auditee as a part of doing the audit. So we want to ensure that the audit process is being conducted efficiently. And as an auditor, we should follow a risk-based approach by focusing on the audit areas that pose the greatest risk. 
The audit process would be inefficient if auditors use the same level of effort and utilized the same techniques in less risky audit areas So an audit risk-based approach helps enhance the effectiveness of the audit, as well as reduce risk for the auditee So one way to address the audit planning and testing while considering a risk-based approach is the top-down approach. So a top-down approach is basically the ranking of detailed audit procedures from the highest risk to the lowest risk. And then auditors should obviously use professional judgment to perform a top-down risk-based approach This implies, if we're going to do something like that, this implies that we have technical experts who can help out, as well as constant communication with the auditee to make sure that they agree with our risk-based approach. So clause uh 6. 3. 2. 1 out of 1901, the audit team leader should adopt a risk-based approach to Plan the audit based on the information in the audit program and the documented provided by the auditee. Audit planning should consider the risks of the audit activities on the audite's processes and provide the basis for the agreement among the audit client, audit team, and auditee regarding the conduct of the audit Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives. effectively. So again all of the planning that's going to go into place, we're going to communicate uh everything, make sure everybody's in complete agreement uh specifically uh not only in relation to the audit team uh with each team member understanding but specifically the audit client And the audit. We want to make sure that we don't create additional risk by performing the audit themselves. Audit risk refers to the risk that the auditor may express a flawed audit opinion. and recommendation for certification based on inaccurate audit evidence. There is no audit approach that ensures a perfect audit process. 
Each client is going to be different, each company is going to be different, each environment's going to be different. Different. However, the risk-based approach is considered as an effective approach for most organizations for minimizing the possibility of not meeting audit objectives. The focus of risk-based approach is analysis and risk management. So simply due to the nature of audit process, every audit is a challenge to auditors. Every audit is a puzzle that has to be solved, and every puzzle is going to be different. Every client is different Given that there are no two organizations with the same complexity of operations, meaning that while you may have two two two organizations that do the same thing, they don't Internally they don't do the same thing the same way every single time. They may produce the exact same thing that gets marketed to the public, that gets sold to the public or whatever, but how they do it is completely different for every single company. Risk-based audit planning requires auditors to keep a focus on risk throughout their audit activities. It requires that the focus on risk is maintained throughout the planning process, including the way that plans are broken down and implemented. It needs to be responsive to the risk management cycle as well as the adequacy of the cycle in meeting the changing risks of the industry. It must be based on and aligned with the organization's priorities and that of their key interested parties. Changing and evolving perspectives could come into play. And again, remember that uh interested parties could be anybody. It could be a regulatory body, could be law enforcement, could be uh clients, end users. The risk-based approach should continuously promote the view that risks are an integral part of the organization's operating processes, and they are not only related to compliance. and regulatory issues. 
So examples of risks that an organization could face that an auditor might be might want to keep in mind. Operational, so utility failure, inaccessible offices. So again, a guide can help out with inaccessible offices or areas. Utility failure, that could be something that the auditor accidentally creates or maybe somebody else creates it. IT and communication, loss of the internet and phone access. That's going to be out of the hands of the auditor in most cases. as well as the auditee, but it's could be something that needs to be reviewed or understood. Regulatory fines as a result of non-compliance violations of contracts. That could be a risk Financial budget reduction, fund canceling or decreasing personnel, staff loss, or possibly not enough staff in the first place. Or unqualified staff. And then reputation, negative media coverage, loss of trust from key interested parties. And again, key interested party could be uh shareholders, clients, law enforcement, regulatory bodies, and so on. \ No newline at end of file +**Negligence of auditors**, there's four levels of responsibility. + +**Torturous acts** is the actual damage that is done to the company as a part of your involvement in the audit. That could be financial, commercial, or reputational. + +So first off is **no negligence**. This is perfect. You did everything great. You followed the rules exactly the way they're supposed to be followed, and everything else. + +There's also **ordinary negligence**. This is normal. Possibly you just didn't do 100% in one area. You're still able to produce enough evidence to show that the auditee does deserve a certification of some sort. + +**Gross negligence** is certainly one of them. That's basically a total lack of diligence. The auditor did not report the facts that another auditor could have easily observed. The certifying body could assign a new audit before granting the auditee certification. Disciplinary actions could be taken against the auditor. 
In cases of ordinary negligence that could be just additional training, or it could be just maybe somebody's observing the auditor the next time they go around. + +**Fraud** is the worst kind. That's where the auditor knowingly, consciously and deliberately participates in falsifying reports that are being sent to the certifying body, in order to deceive the certifying body or another party. + +### Reinforce ethics + +Ways to reinforce ethics with auditors: **conduct background checks** before contracting the auditor, make sure that that auditor wasn't convicted of embezzlement or some sort of cybersecurity crime. Check that they actually possess the knowledge they claim they have, like if they say that they are former network engineer, then they should be able to prove that. +We can also have auditors **sign a code of ethics** on the company policy, code of conduct, things like that. Conduct **training and awareness programs**. +Draft **workplace policies and procedures** based on best practices. That's going to vary based on the entity that you're working with. +Establish an **ethics committee** and implement their decisions. Just because an auditor really does a great job and everything, that doesn't mean that they would pass ethically. There might be cases where reports need to be reviewed, they need to be approved, they need to be evaluated, and so on. +**Evaluate the auditors continuously**. Always do that. Always make sure that you're being aware of what your auditors are doing, what their experiences are like, how they interact with the auditees, and so on. Implement **legal and professional sanctions** if necessary. And again, the certifying body, the auditee, the auditor environment, that's going to vary based on what it is. +And perform **external audits by accreditation authorities**. + +### Risk-based approach + +So we also have a **risk-based approach** to auditing. This is 19011 clause 4g. 
So the rationale behind this is an **audit approach** that considers **risks and opportunities**. This approach should substantively influence the planning, conducting, and reporting of audits, in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives. +We want to ensure that the audit process is being conducted **efficiently and effectively**, by focusing on the audit areas that pose the greatest risk. We also don't want to perform the audit in such a way that it creates **risk for the auditee**. An audit risk-based approach helps enhance the effectiveness of the audit, as well as reduce risk for the auditee. + +One way to address the audit planning and testing, while considering a risk-based approach, is the top-down approach. So a **top-down approach** is basically the ranking of detailed audit procedures from the highest risk to the lowest risk. This implies, if we're going to do something like that, this implies that we have technical experts who can help out, as well as constant communication with the auditee to make sure that they agree with our risk-based approach. + +So clause 6.3.2.1 out of 19001: the audit team leader should adopt a risk-based approach to plan the audit, based on the information in the audit program, and the documentation provided by the auditee. Audit planning should consider the risks of the audit activities on the auditee's processes, and provide the basis for the agreement among the audit client, audit team, and auditee regarding the conduct of the audit. Planning should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively. 
+ +So again all of the planning that's going to go into place, we're going to communicate uh everything, make sure everybody's in complete agreement uh specifically uh not only in relation to the audit team uh with each team member understanding but specifically the audit client and the auditee. + +We want to make sure that we don't create additional risk by performing the audits themselves. **Audit risk** refers to the risk that the auditor may express a flawed audit opinion and recommendation for certification based on inaccurate audit evidence. +There is no audit approach that ensures a perfect audit process. Each client is going to be different, each company is going to be different, each environment's going to be different. However, the **risk-based approach** is considered as an **effective approach** for most organizations, for **minimizing the possibility of not meeting audit objectives**. + +The focus of risk-based approach is **analysis and risk management**. So simply due to the nature of audit process, every audit is a challenge to auditors. Every audit is a puzzle that has to be solved, and every puzzle is going to be different. Every client is different. Given that there are no two organizations with the same complexity of operations, meaning that while you may have two organizations that do the same thing, they don't do the same thing the same way every single time. They may produce the exact same thing that gets marketed to the public, that gets sold to the public or whatever, but how they do it is completely different for every single company. +Risk-based audit planning requires auditors to keep a **focus on risk throughout their audit activities**. It requires that the focus on risk is maintained throughout the planning process, including the way that plans are broken down and implemented. It needs to be **responsive to the risk management cycle**, as well as the adequacy of the cycle in meeting the changing risks of the industry. 
+It must be **based on and aligned with the organization's priorities** and that of their **key interested parties**. Changing and evolving perspectives could come into play. And again, remember that interested parties could be anybody. It could be a regulatory body, could be law enforcement, could be clients, end users. +The risk-based approach should **continuously promote the view that risks are an integral part of the organization's operating processes**, and they are not only related to compliance and regulatory issues. + +So examples of risks that an organization could face, that an auditor might want to keep in mind: **operational**, so utility failure. **Inaccessible offices or area's** – a guide can help out here. **Utility failure**, that could be something that the auditor or somebody else accidentally creates. **IT and communication**, loss of the internet and phone access. That's going to be out of the hands of the auditor in most cases. as well as the auditee, but it's could be something that needs to be reviewed or understood. **Regulatory fines** as a result of non-compliance violations of contracts. That could be a risk. **Financial budget reduction**, fund canceling or decreasing personnel, staff loss, or possibly not enough staff in the first place. Or unqualified staff. And then **reputation**, negative media coverage, loss of trust from key interested parties. And again, key interested party could be uh shareholders, clients, law enforcement, regulatory bodies, and so on. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.5-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.5-Fundamental-audit-concepts-and-principles.md index 45c1598..8ba59a5 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.5-Fundamental-audit-concepts-and-principles.md 
+++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.5-Fundamental-audit-concepts-and-principles.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.5 Fundamental audit concepts and principles 
@@ -17,4 +17,47 @@ This session covers auditor competence requirements based on ISO 19011 clause 7. ## Transcription -Competence of auditors You do have to know what you're doing. So number one, personal behavior, generic knowledge and skills, discipline, specific knowledge, communication skills, and knowledge of certification bodies processes So in relation to competence, the three dimensions of competence are knowledge, skill, and attitude So knowledge is the acquaintance of facts, truths, principles during a study or an investigation, and it's the mastery of those concepts and theoretical knowledge So when you know something, that is knowledge. Now how you know it is is relative. So did you have a previous job where you learned it? Are you formally trained? Or are you Googling it and figuring out what knowledge means? Whatever the knowledge is for the uh oddity It's important to understand that if you're going to audit something, you should be competent enough to actually do that. And if you can't audit a particular area because you simply don't have the knowledge, get a technical expert to help you Skill refers to the practical competence and expertise of an individual. Attitude refers to the ability to display professional or behavior according to the characteristics of the environment situation or people. So read the room is a common common term. Make sure that you're professional in nature and so on and you understand the culture of the company. So personal behavior. So this is out of 17021-1 Annex D. Examples of personal behavior that are important for personnel involved in the certification activities for any type of management system are described as So ethical, open-minded, diplomatic, collaborative, observant, perceptive, versible Tenacious, dis decisive, self-reliant, professional, morally courageous, and organized. So let's go over a few of these So first off, ethical. Your word is your bond. 
If your word is bad, uh then then that means you're pretty much unethical. So always be fair, truthful, sincere, and honest. This ties greatly into integrity And again, in auditing, there's a tremendous amount of trust placed in you in information that's provided by the auditee. It would be unethical if you just simply disclosed all of that information uh unless you're r required to by law, it would be unethical to to do that. It would be unethical to uh not be truthful when you're writing uh you know certification suggestions or things like or uh reports to certification bodies. We always want to be ethical in relation to all activities we we do. We want to be beyond reproach. Open-minded. Willing to consider alternative ideas or points of view, basically meaning that maybe maybe you're making a mistake, maybe you're not right in uh how you're doing things So being open-minded. That could be being open-minded with your audit team, but it could also mean being open-minded with the audit client or the audit team. Diplomatic, being tactful and understanding, respectful of other people that you're interacting with and so on. Collaborative, working with other people as a part to uh you know coming up with a solution So you don't act like you're the Lone Ranger and nobody's there to help you. You're part of an audit team. They're there to help you and you're there to help them. observant, actively aware of physical surroundings and activities. As an auditor, I start the audit process the very second I get out of the car and I'm on the on the auditee's property. Uh if as I'm walking into uh the audit environment, I'm observing The doors, how are the doors secured? Are there cameras? Do I have to check in with somebody as a part of the you know a guest check-in process? I just observe all of those things before I even ask anybody questions And I take notes out of all of that. Perceptive, being aware of and able to understand situations. 
And those perceptiveness could be a variety of different types of situations could be uh also tied directly into diplomatic Versatile, adjust readily to different situations or be avail uh be able to uh uh flex. Tenacious, don't don't quit. Persistence is uh uh another way of saying tenacious, but uh just don't quit. Decisive, reaching timely conclusions based on logical reasoning and analysis. Self-reliant, basically you can act independently. You don't need other people. Professional, again uh being uh understanding of the culture, the environment, the people you're talking to, uh your professionalism is uh uh highly valued. Now also understand that a lot of these, for example, morally courageous, uh morally courageous and ethical are kind of hand in hand with each other. Diplomatic and professional are also diplomatic or also connected with each other So, and then organized, uh be organized in your activities, uh especially as an auditor in relation to organization. If uh if you're going to interview people and it it it appears that you're not organized, then what could happen is that the auditee uh might have a concern that you're not doing a very good job. Additionally, when you're interviewing people based on the stature or the position of those people, they simply just don't have the time for you to learn how to get organized while you're interviewing them So be very organized as much as you can. Generic knowledge and skills of auditors. So 19011 clause 7. 2. 3. 2. Auditors should have knowledge and skills in the areas outlined below. So audit principles, processes, and methods. That's the first one. So we should understand as auditors How to perform an audit. We should understand concepts of auditing, which we've talked about in other slides, like understanding risk. opportunities, understanding that we're supposed to be truthful and ethical and morally courageous as an audit principle. 
We should also understand the processes of audits That while an auditee or an audit client may say they have encryption, how are we really going to prove that? We should also understand other concepts around auditing in relation to processes and methods. uh like say possibly sampling or or so on and that that's other sections of uh this course We also have management system standards and other references. So this is a uh ISMS 27001 course. So Understanding 27001. That would be the management system that you need to understand. But this is this particular slide is talking about 1901, clause 7. 2. 3. 2 Which does not specifically say 27,001. So if you're going to audit, say for example, also 9001, make sure you understand it. Make sure you understand all the connecting references In relation to the management system that comes out. So here's an example. You have the ISMS 27001. But let's say you're a European company that you're also heavily involved in the GDPR space. You want to understand GDPR because there is a connection with 27001 in GDPR. So understand these references. The organization and its context. So essentially, in a nutshell, what does the organization do? What is the audity? What is their function? Do they make a product? Do they sell a product? Are they only financial? Are they this? Are they that? So understand the organization in its context. And an easy way of saying that is this is the organization, XYZ Company, and this is what the organization does. So understand as a part of that. You might also want to figure out what what regulatory environments are the organizations or the entity are they beholden to Do they have to uh you know comply with HIPAA or FERPA or GDPR, for example? Understand how big they are. Understand uh the the org chart of the company Understand the companies that they interact with. Try to understand the countries that they're in, and so on. So understand the organization in its context means understand the auditee. 
You don't have to be perfect at it. You don't have to know in great detail every single thing, but you do have to have the basics. Applicable statutory, regulatory requirements, and other requirements. I kind of touched on that under management system standards and other references. But yes, if if the company or the auditee is in a situation where they have to comply with other regulatory or statutory requirements, try to understand those too. Also understand though That every company is going to be different and not every company is going to have to comply with the same requirements that other companies do. Now it's it's also important to understand When it comes to statutory regulatory requirements or maybe contractual requirements, you don't have to be and you're not expected to be an attorney or a lawyer in order to uh do that portion of general of knowledge and skills. It it is expected that, you know, for example, if you're gonna work uh with a European company that once you get 27,000 women and they're also in a GDPR environment, it's expected that you understand what GDPR is, the basic concepts behind it But you don't have to understand every single article in GDPR in order to perform your skill as an auditor It would not be unreasonable though as a auditee if I was talking to an auditor and I knew I was in a GDPR environment. It would not be unreasonable of me to ask the auditor to have the ability to look up specific articles to make sure that we were good to go as a company. Knowledge of regulatory requirements again continuing. Auditors should have knowledge and understanding of regulatory requirements on the following Intellectual property, so non-disclosures are certainly going to come into there. Content protection and retention of organizational records That's going to vary based on the country and or state you're in. Data protection and privacy. 
So again, I've referenced GDPR, but there's other uh regulatory environments like uh hippa, FERPA, CAPA, CCPA. Uh the other countries like Brazil has a really uh intense privacy regulatory environment. Regulation of cryptographic controls. So regulation of cryptographic controls is something that uh you definitely want to be aware of. Some cryptography solutions are actually uh They actually fall under government entities uh environments in relation to arms trafficking. So for example, There's this guy named Phil Zimmerman. He's the guy who created PGP, Pretty Good Privacy. That was released outside of the United States. The United States FBI investigated him. Ultimately he was it was fine, he was let go, but um they the US government uh viewed PGP at one time as a uh regulated cryptographic control and it fell under uh ITAR. International trafficking and arms regulation So be aware, especially if you're crossing going from one country to another, be aware of the cryptographic controls. uh in the regulatory environment around that. Some countries literally do not allow high complex encryption because uh well It makes their spy agencies work harder to break in if they have to. But in other countries, they just don't care. Electronic commerce, so like uh uh PayPal and everything else. Um How money is uh transmitted from point A to point B electronically. Uh electronic and digital signatures, those are becoming more and more popular. Workplace surveillance The key thing to remember about workplace surveillance, regardless of the environment that you're in, the one place you absolutely can never have surveillance in would be restrooms, latrines, lavatories. things like that. You cannot record people using the bathroom. But in some other countries, uh the very second you walk through the door, you you could be expected to be surveilled The United States, for example, cameras everywhere. The U United Kingdom, cameras everywhere. And it's expected. 
You'll see signs that say you have no expectation of privacy. uh things like that in relation to surveillance. The other areas of workplace surveillance that could come into play could be electronic surveillance of basically What people are doing on their computers, what emails they're sending and receiving. That could be a form of surveillance. So understanding the regulatory requirements around workplace surveillance Also goes into what country you're in. Some forms of workplace surveillance in the United States would actually be illegal in the United Kingdom or European Union. Telecommunications interception and monitoring of data like email. In most places, if it's a company email system, You have all sorts of rights to monitor whatever you want and intercept and do whatever you have to in order to protect the company, not for surveillance reasons because you're trying to intrude upon people's privacies. Computer abuse. So what are the hacking laws in the country that you're in? In the United States, we have the Computer Fraud and Abruce Abuse Act. We have the Interstate Commerce and Communications Act. Uh there's all sorts of different things. Different countries have different laws around this. Electronic evidence collections or forensics You know, again, if you're gonna investigate somebody and you don't know how to do that, then uh get a forensics person to do that job for you. And also understand the concept of chain of custody Penetration testing. This is a big one. I'm a hands-on penetration tester in addition to being an auditor. But penetration testing is something that you want to make sure that you are doing legally Uh in some companies or some countries penetration testing is not as strict as other countries In the United States, if you perform penetration testing without a contract that allows you to do it, then it's a felony. You could be arrested for it. And so you don't want to get caught doing unauthorized penetration testing. 
In some other countries, simply having the ability penetration testing tools on your laptop is could be viewed as a crime. So make sure you understand that. International and national sector specific requirements, for example, banking. uh the SWIFT concept is comes to mind, uh but how uh national and international sector specific uh environments interact with each other. So there banking is an example, but it could be something else. \ No newline at end of file +### Competence of auditors + +You do have to know what you're doing. So, personal behavior, generic knowledge and skills, discipline, specific knowledge, communication skills, and knowledge of certification bodies processes + +The three dimensions of competence are knowledge, skill, and attitude. So **knowledge** is the acquaintance of facts, truths, principles during a study or an investigation, and it's the mastery of those concepts and theoretical knowledge. So when you know something, that is knowledge. Now how you know it, is relevant. So did you have a previous job where you learned it? Are you formally trained? Or are you Googling it and figuring out what knowledge means? Whatever the knowledge is, for the auditee it's important to understand that if you're going to audit something, you should be competent enough to actually do that. And if you can't audit a particular area because you simply don't have the knowledge, get a technical expert to help you. + +**Skill** refers to the practical competence and expertise of an individual. **Attitude** refers to the ability to display professional or behavior according to the characteristics of the environment, situation, or people. So read the room is a common term. Make sure that you're professional in nature and so on and you understand the culture of the company. + +So **personal behavior**. So this is out of 17021-1 Annex D. 
Examples of personal behavior that are important for personnel involved in the certification activities for any type of management system are described as: ethical, open-minded, diplomatic, collaborative, observant, perceptive, versatile, tenacious, decisive, self-reliant, professional, morally courageous, and organized. +So let's go over a few of these. First off, **ethical**. Your word is your bond. If your word is bad, uh then then that means you're pretty much unethical. So always be fair, truthful, sincere, and honest. This ties greatly into integrity. And again, in auditing, there's a tremendous amount of trust placed in you in information that's provided by the auditee. It would be unethical if you just simply disclosed all of that information uh unless you're required to by law, it would be unethical to to do that. It would be unethical to not be truthful when you're writing certification suggestions or things like reports to certification bodies. We always want to be ethical in relation to all activities we we do. We want to be beyond reproach. +**Open-minded**. Willing to consider alternative ideas or points of view, basically meaning that maybe maybe you're making a mistake, maybe you're not right in uh how you're doing things So being open-minded. That could be being open-minded with your audit team, but it could also mean being open-minded with the audit client or the audit team. +**Diplomatic**, being tactful and understanding, respectful of other people that you're interacting with and so on. **Collaborative**, working with other people as a part to coming up with a solution. So you don't act like you're the Lone Ranger and nobody's there to help you. You're part of an audit team. They're there to help you and you're there to help them. +**Observant**, actively aware of physical surroundings and activities. As an auditor, I start the audit process the very second I get out of the car and I'm on the on the auditee's property. 
As I'm walking into the audit environment, I'm observing: the doors, how are the doors secured? Are there cameras? Do I have to check in with somebody as a part of the you know a guest check-in process? I just observe all of those things before I even ask anybody questions. And I take notes out of all of that. +**Perceptive**, being aware of and able to understand situations. And that perceptiveness could be a variety of different types of situations, could also be tied directly into diplomatic. +**Versatile**, adjust readily to different situations or be flexible. +**Tenacious**, don't quit. Persistence is another way of saying tenacious, but just don't quit. +**Decisive**, reaching timely conclusions based on logical reasoning and analysis. +**Self-reliant**, basically you can act independently. You don't need other people. +**Professional**, again being understanding of the culture, the environment, the people you're talking to, your professionalism is highly valued. +**Morally courageous** and **ethical** are kind of hand in hand with each other. Diplomatic and professional are also diplomatic connected with each other. +And then **organized**, be organized in your activities, especially as an auditor in relation to organization. If you're going to interview people and it it it appears that you're not organized, then what could happen is that the auditee might have a concern that you're not doing a very good job. Additionally, when you're interviewing people based on the stature or the position of those people, they simply just don't have the time for you to learn how to get organized while you're interviewing them. So be very organized as much as you can. + +### Generic knowledge and skills of auditors + +So 19011 clause 7.2.3.2. Auditors *should* have knowledge and skills in the areas outlined below: + +- Knowledge of **audit principles, processes, and methods**. 
We should understand as auditors how to perform an audit, we should understand concepts of auditing, like risk and opportunities, understand that we're supposed to be truthful and ethical and morally courageous, etc. We should also understand the processes of audits. That while an auditee or an audit client may say they have encryption, how are we really going to prove that? We should also understand other concepts around auditing in relation to processes and methods, like possibly sampling. +- Knowledge of **management system standards and other references**. So in this case ISO 27001. Make sure you understand all the connecting references in relation to the management system that comes out. So here's an example. You have the ISO 27001. But let's say you're a European company and you're also heavily involved in the GDPR space. You want to understand GDPR because there is a connection with 27001 in GDPR. So understand these references. +- Knowledge of **the organization and its context**. So essentially, in a nutshell, what does the organization do? What is the auditee? What is their function? Do they make a product? Do they sell a product? Are they only financial? Are they this? Are they that? So understand the organization in its context. And an easy way of saying that is this is the organization, XYZ Company, and this is what the organization does. So understand as a part of that. You might also want to figure out what **regulatory environments** are the organizations or the entity beholden to. Do they have to know comply with HIPAA or FERPA or GDPR, for example? Understand how big they are. Understand the org chart of the company. Understand the companies that they interact with. Try to understand the countries that they're in, and so on. So understanding the organization in its context means understanding the auditee. +- Knowledge of **applicable statutory, regulatory requirements, and other requirements**. 
Every company is different, and not every company is going to have to comply with the same requirements that other companies do. Auditors should have knowledge and understanding of regulatory requirements on the following: + + - **intellectual property**, so non-disclosures are certainly going to come into there. + - **Content protection** and **retention of organizational records**. That's going to vary based on the country and or state you're in. + - **Data protection and privacy**, like GDPR, HIPAA, FERPA, CAPA, CCPA. + - Regulation of **cryptographic controls**: in some regulatory environments cryptographic solutions fall under laws related to arms trafficking. For example, the FBI investigated Phil Zimmerman, the creator of PGP, Pretty Good Privacy, which was released outside of the United States. The FBI at the time viewed PGP as a regulated cryptographic control and it fell under ITAR, International trafficking and arms regulation. So be aware, especially if you're crossing going from one country to another, be aware of the cryptographic controls. uh in the regulatory environment around that. Some countries literally do not allow high complex encryption, because it makes their spy agencies work harder to break in if they have to. + - **Electronic commerce**, so like PayPal and everything else, how money is transmitted from point A to point B electronically. + - **Electronic and digital signatures**, those are becoming more and more popular. + - **Workplace surveillance**: in some countries, the very second you walk through the door, you could be expected to be surveilled. In the United States and the United Kingdom, for example, cameras everywhere. Other areas of workplace surveillance could be electronic surveillance of what people are doing on their computers, what emails they're sending and receiving. Some forms of workplace surveillance in the United States would actually be illegal in the European Union. 
If it's a company email system, you have all sorts of rights to monitor whatever you want and intercept and do whatever you have to in order to protect the company, but not for surveillance reasons, because you're trying to intrude upon people's privacies. + - **Computer abuse**. So what are the hacking laws in the country that you're in? In the United States, we have the Computer Fraud and Abuse Act. We have the Interstate Commerce and Communications Act. There's all sorts of different things. Different countries have different laws around this. + - **Electronic evidence collection** or **forensics**. Again, if you're gonna investigate somebody and you don't know how to do that, then get a forensics person to do that job for you. And also understand the concept of chain of custody[^1]. + - **Penetration testing**. This is a big one. In the United States, performing penetration testing without a contract that allows you to, is a felony. In some other countries, simply having penetration testing tools on your laptop could be viewed as a crime. + - International and national **sector specific requirements**, for example, banking. The SWIFT concept comes to mind, how national and international sector specific environments interact with each other. + +[^1]: The chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence. diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.6-Fundamental-audit-concepts-and-principles.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.6-Fundamental-audit-concepts-and-principles.md index 3de9f7d..35bbe74 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.6-Fundamental-audit-concepts-and-principles.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S06.6-Fundamental-audit-concepts-and-principles.md 
@@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S06.6 Fundamental audit concepts and principles 
@@ -17,4 +17,50 @@ This session covers discipline-specific and sector-specific auditor competence r ## Transcription -All right, discipline and sector specific competence of auditors. So this is out of 27006-1 clauses 7. 1. 3. 1. 2. And 3. 1. 3. 1. 3. Each auditor in an ISMS audit team shall have, that means must. Shall have knowledge of ISMS-specific documentation structures, hierarchy, and interrelationships, information security risk assessment and risk management, processes applicable to the ISMS. Each auditor in an ISMS audit team shall have knowledge of all requirements contained in 27001. An easy way of thinking about that is. You have to be certified in 27,001 as an individual in order to be an auditor. That's the whole purpose of this course that you're in right now. The audit team members shall collectively have knowledge of information security management related tools, methods, techniques, and their application. The current technology where information security can be relevant or an issue. So the audit team members shall collectively, that's a key word, have knowledge of all controls contained in 27001 Annex A and their implementation. That doesn't mean that each audit team member has to know every single thing, but collectively you do. And again, if there's particular areas when you're performing an audit that you're simply not aware of uh then get a technical expert to help out. Specific knowledge about clients this is out of 27006-1 clauses 7. 1. 3. 1. 5 and 7. 1. 3. 1. 6 Each auditor and ISMS audit team shall have knowledge of the legal and regulatory requirements in the particular information security field, geography and jurisdictions. So again, I've said repeatedly how You need to be aware of the organization and its context. So where it is, what it does, what regulatory environments it's involved in. So a big one that's easy to use. would be uh GDPR in European countries or companies. Um it's it's just something you have to know. 
If you're in California And you meet certain requirements, you're going to be held bound to CCPA. If you have anything to do with the medical field in the United States, it's going to be HIPAA-based. If you have anything to do with credit card transactions globally, you're going to fall under PCI DSS. So you have to be aware of all that. Information security risk related to business sector. That's again going to change based on the type of auditee that you're working with. generic terminology processes and technologies related to the client business sector that they're in. The one thing I will say about generic terminology, if if you have a client that you're auditing Make sure your terminology aligns with their terminology. There could be cases where somebody views auditing terms. differently inside the company. So make sure that uh you have some sort of Rosetta Stone translation capability in there to understand uh what auditors mean is is the same or if there is a difference than what the uh business sector uh agrees with. Also the relevant business sector practices, so the criterion may be shared among the audit team The audit team also needs to have collectively have knowledge of impact of organization like type, size, governance, structure, functions, relationships. implementation of the ISMS and certification activities, including outsourcing, complex operations in a broad perspective, as well as the legal and regulatory requirements applicable to the product or the service. All right, communication skills, presentation, and interviewing. This is 17021, Annex A, 2. 9, and Annex A 2. 10. Perhaps two of the most important aspects related to communication are presentation and interviewing skills. The auditors should be capable of presenting audit findings and conclusions to be easily understood for the team leader. Easily understood. 
So the team leader presenting in a public forum, like a closed meeting, audit findings, conclusions, and recommendations appropriate to the audience So an easy way of understanding this is that if you're going to do something highly technical as an auditor and you're going to report on it, don't get highly technical for the non-highly technical people. uh that you're reporting on. If if for example y you have to s uh basically give a presentation about lack of encryption Uh you don't really need to tell the CEO of a company about how AES 256 works or the lack of uh configuration uh based on your findings or something like that. All you have to really do is say you're not adequately protecting data at rest. and have the other people within the company uh maybe give them a more technical explanation of something, but You don't really need to overwhelm people because ultimately what will happen if if you don't if you're not aware of your audience when you're doing a presentation They will get confused, they'll get lost, there will be numerous questions about what do you mean, how does this work, stuff like that. It could raise uh raise their stress level uh get them you know they could freak out or something you just don't want to do that just be aware of the people that you're presenting to interviewing skills so capable auditors should be capable of interviewing to obtain relevant information by asking open-ended, well-formulated questions and listening to understand and evaluate the answers. So there's a actually a lot in relation to interviewing, but definitely be open-ended, well formulated. And you want to listen, evaluate the answers, but at the same time you want to understand that the answers that a person that you've interviewed may not be the same answer as another person you've interviewed. So not only understanding and evaluate the answers, but also comparing the answers to make sure that they align with each other. 
Knowledge of certification bodies processes. So this is out of 17021-1. Annex A 2. 4. The auditor must have knowledge of certification body's processes sufficient to perform in accordance with the certification body's procedures and processes. This implies that the auditor must thoroughly understand the certification body's policies and procedures relevant to them. applicable to the audit process. Other relevant policies such as quality and information security of the certification body, not the auditee. So, if you're an auditor working for a certification body, performing a certification audit, you need to understand the policy relating to information security and quality for the certification body itself. So you understand so you don't violate those policies. Any established guidelines from the certification body. And then tools such as forms, templates that the certification body provides to its auditors. In in most cases, if you're an auditor and you're working for a certification body or you're contracted to a certification body, For a particular audit, they're gonna provide all the templates for you and they'll they'll give you all this uh in advance. But While certification bodies may do that, that doesn't mean that every certification body is going to have the exact same template for every single audit. So make sure you understand that it will be provided to you, but at the same time also understand there's no consistency. From one certification body to another. Responsibilities and competencies of the audit team leader. So as stated in 17021-1, the audit team leader is responsible for assigning or reassigning work to each and audit team member to audit specific processes, functions, sites, areas, or activities Generally, when work is assigned to an audit team member, that is going to be based on the skill sets of that audit team member And generally that also means the audit team leader is aware of those skill sets in advance of assigning uh work. 
Now reassigning work could be for a variety of reasons. Maybe the audit team leader felt like It wasn't done very uh good very well, or maybe uh the audit team leader didn't assign work uh equally across the board and somebody's now has has too much work and it has to be reass uh allocated to somebody else. The audit team leader is responsible for reporting to the audit client and certification body when evidence indicates that audit objectives are unattainable. Reviewing with the audit client any need for changes to the audit scope. In all of my experiences with uh audit clients, every single time the audit scope is going to get discussed Either the audit client uh underscopes or they over scope. And uh the auditor and the team leader uh uh you know has to Help the audit client saying, yeah, you know, this is really not in scope or that should be in scope. The audit team leader should attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings. It's going to be uh politically, diplomatically, uh professionalism, things like that. Uh but that doesn't mean that The audit client is going to be accurate in their assumptions. Sometimes audit clients produce evidence that totally contradicts what they believe is true. Overseeing the preparation of audit conclusions. conducting the opening and closing meetings and preparing the final uh the preparing the audit report. Uh in relation to preparing the audit report, uh that's the responsibility of the team leader, but that doesn't mean that the audit Team itself is not going to be involved in preparing the audit report. I I've worked in uh audits for very large entities. 
Can't name them, but uh very large entities where the team leader uh basically said, okay, Carl, you're gonna do this section, Bob you're gonna do that section, Joe, you're gonna do this section, you know, Janet, you're gonna do this section And then I will do this part, and then we'll all come together and and put all these sections into a singular document, and then we're going to do a constant peer review process to make sure we all agree. That is a very realistic scenario. Maintaining competence out of 17021-1, clause 7. 2. 10, 7. 2. 11. Auditors should maintain their competence and aim to complete their audit assignments. To the best of their abilities, they should adhere to all competency, requirements, standards, policies, and procedures of the certification body This is important because as per 17021-1, the certification body monitors and evaluates each auditor considering the type of management system. To which the auditor is deemed competent. So there's a variety of ways that we can maintain competence. We've listed some. We can have an on-site evaluation by the By the certifying body. We could review audit reports after the fact to understand the competence in relation to auditing. Do they write well? Do they read well? We could also have feedback from clients in general or the market. Now there's other areas where you can maintain competence, and that's something after you finish this complete course and you take your test And you get certified, you've met all the minimum requirements, and you're certified, and that's called taking uh continuing education. So that's another way of maintaining competence. Another area of maintaining incompetence or maintaining competence is taking other courses related to 27,001. For example, you could take 27,002, you could take 27,005. All of that can tie into maintaining competence and improving yourself. So a form of professional development. All right, and that is the summary of section six. 
So ISO 19011 provides guidance on managing an audit program and planning a management system, whereas 17021-1 Consists of requirements for bodies providing the audit and certification to the management system. An audit is the assessment of the fulfillment of certain criteria by means of evidence and professional evaluation Internal audits are also known as a first party audit. External audits are known as second and third party audits. Understand the difference. A second party audit could be A client auditing the auditee in order to determine if they want to hire the auditee for a function. Or it could be the auditee auditing vendors or their suppliers. And that's commonly called vendor due diligence. A combined audit is an audit carried out together at a single audity on two or more management systems. So it could be 27,001 or 9,001 at the same time. If you're going to do a combined audit, make sure that you have appropriately certified and trained people to do that Some audits, well for example, ISO uh ISO audits require that, but in other cases, for example, you could do an ISO 27001 and a SOC 2 with less certified people. Also understand that you may actually have in relation to a combined audit, you may actually have multiple audit teams in order to save time and money in relation to the auditee. The principles of auditing are integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach So keep in mind what I said about integrity. Once your integrity has been tarnished, it's going to be difficult for you to be an auditor So make sure that your integrity, your honor, your ethics, your moral courageousness, that is never violated It's your name means everything in the world of cybersecurity and auditing. Also understand the concepts of confidentiality. Unless you are given permission, do not release information about anything In relation to the client. 
The only exception to that is what's called what I call mandated reporting events. Audit team leaders must be professionally competent to plan and audit using resources efficiently Manage and counsel the audit team members, prevent and solve conflicts, and prepare, explain, and defend the audit conclusions. So if you're a team leader Leading an audit team, you have to be able to lead your team. Sometimes you'll have team members on your audit team, they will just disagree with each other. So maybe you have to change some work assignments As a team leader, you may also understand the culture or the personality of the people that are being interviewed. And you might want to reassign uh interview people Who are going to interview the auditee based on the type of culture and environment that you're in? There's also some questions. We'd ask those if this was a uh uh in-person class there's an exercise exercise two in quiz five you should do those on your own time obviously we can't do them because this is uh recording And with that, I want to thank everybody for your time. I will see you on the next one. \ No newline at end of file +### Discipline and sector specific competence of auditors + +- This is out of 27006-1 clauses 7.1.3.1.2 and 3.1.3.1.3. Each auditor in an ISMS audit team shall have knowledge of ISMS-specific documentation structures, hierarchy, and interrelationships, information security risk assessment and risk management, and processes applicable to the ISMS. Each auditor in an ISMS audit team shall have knowledge of all requirements contained in 27001. An easy way of thinking about that is. You have to be certified in ISO 27001 as an individual in order to be an auditor. That's the whole purpose of this course that you're in right now. +- The audit team members shall collectively have knowledge of information security management related tools, methods, techniques, and their application. 
The current technology where information security can be relevant, or an issue. Collectively is a key word here: it doesn't mean that each audit team member has to know every single thing, but collectively you do. And again, if there's particular areas when you're performing an audit that you're simply not aware of uh then get a technical expert to help out. +- Specific knowledge about clients – this is out of 27006-1 clauses 7.1.3.1.5 and 7.1.3.1.6. Each auditor and ISMS audit team shall have knowledge of the legal and regulatory requirements in the particular information security field, geography and jurisdictions. So again, you need to be aware of the organization and its context. +- Generic terminology processes and technologies, related to the client business sector that they're in. Make sure your terminology aligns with their terminology. +- Relevant business sector practices, so the criterion may be shared among the audit team. +- The impact of organization type, size, governance structure, functions and relationships on the design and implementation of the ISMS, and certification activities, including outsourcing +- Complex operations in a broad perspective +- Legal and regulatory requirements applicable to the product or the service. + +### Communication skills, presentation, and interviewing + +This is 17021, Annex A 2.9, and Annex A 2.10. Perhaps two of the most important aspects related to communication, are presentation and interviewing skills. + +**Presentation skills** +The auditors should be capable of presenting audit findings and conclusions to be easily understood. For the team leader, presenting in a public forum (like a closed meeting), audit findings, conclusions, and recommendations appropriate to the audience. So don't get highly technical in front of non-technical people. If you give a presentation about lack of encryption to the CEO, you don't have to get into how AES 256 works or how it should be configured. 
All you have to really say is: you're not adequately protecting data at rest, and save the technical explanation for other people within the company. + +**Interviewing skills** +Auditors should be capable of interviewing to obtain relevant information by asking open-ended, well-formulated questions, and listening to understand and evaluate the answers. You also need to be aware that the answers that one person gives you may not be the same as another person's answers. So you also need to comparethe answers to make sure that they align with each other. + +**Knowledge of certification bodies processes** +This is out of 17021-1, Annex A 2.4. The auditor must have knowledge of certification body's processes, sufficient to perform in accordance with the certification body's procedures and processes. This implies that the auditor must thoroughly understand the certification body's policies and procedures applicable to the audit process. Other relevant policies, such as quality and information security of the certification body, not the auditee. So, if you're an auditor working for a certification body, performing a certification audit, you need to understand the policy relating to information security and quality for the certification body itself. So you understand so you don't violate those policies. Any established guidelines from the certification body. And then tools such as forms, templates that the certification body provides to its auditors. +In most cases, if you're an auditor and you're working for a certification body or you're contracted to a certification body, for a particular audit, they're gonna provide all the templates for you and they'll they'll give you all this in advance. But while certification bodies may do that, that doesn't mean that every certification body is going to have the exact same template for every single audit. 
So make sure you understand that it will be provided to you, but at the same time also understand there's no consistency from one certification body to another. + + +**Responsibilities and competencies of the audit team leader**. +So as stated in 17021-1, the audit team leader is responsible for **assigning, or reassigning work** to each audit team member to audit specific processes, functions, sites, areas, or activities. Generally, when work is assigned to an audit team member, that is going to be based on the skill sets of that audit team member. And generally that also means the audit team leader is aware of those skill sets in advance of assigning work. +Now reassigning work could be for a variety of reasons. Maybe the audit team leader felt like it wasn't done very well, or maybe the audit team leader didn't assign work equally across the board, and somebody now has too much work and it has to be allocated to somebody else. +The audit team leader is responsible for **reporting to the audit client and certification body**, when evidence indicates that audit objectives are unattainable. +**Reviewing need for changes to the audit scope**. In all of my experiences with audit clients, every single time the audit scope is going to get discussed. Either the audit client underscopes, or they over scope. And the audit team leader has to help the client by adjusting the scope. +The audit team leader should attempt to **resolve any diverging opinions** between the audit team and the client concerning audit evidence or findings. It's going to be politically, diplomatically professionalism. Sometimes audit clients produce evidence that totally contradicts what they believe is true. +**Overseeing the preparation of audit conclusions**. Conducting the opening and closing meetings and preparing the final audit report. 
In relation to preparing the audit report, that's the responsibility of the team leader, but that doesn't mean that the audit team itself will not be involved – specific parts of the report may be given to different team members, and then they'll all come together into a singular document, in a constant peer review process to make sure we all agree. That is a very realistic scenario. +**Maintaining competence**, out of 17021-1, clauses 7.2.10 and 7.2.11. Auditors should maintain their competence and aim to complete their audit assignments to the best of their abilities. They should adhere to all competency, requirements, standards, policies, and procedures of the certification body. This is important because as per 17021-1, the certification body monitors and evaluates each auditor considering the type of management system to which the auditor is deemed competent. So there's a variety of ways that we can maintain competence. We've listed some. We can have an on-site evaluation by the certifying body. We could review audit reports after the fact to understand the competence in relation to auditing. Do they write well? Do they read well? We could also have feedback from clients in general or the market. +Now there's other ways to maintain competence, like taking continuing education, or other courses related to 27001. For example, you could take 27002, or 27005. All of that can tie into maintaining competence and improving yourself. So a form of professional development. + + +### Recap of Section 6 of this training + +- ISO 19011 provides guidance on managing an audit program and planning a management system, whereas 17021-1 consists of requirements for bodies providing the audit and certification to the management system. +- An audit is the assessment of the fulfillment of certain criteria by means of evidence and professional evaluation. +- Internal audits are also known as a first party audit. External audits are known as second and third party audits. 
A second party audit could be your client, auditing an auditee, in order to determine if they want to hire them for a function. Or it could be your auditee auditing vendors or suppliers, what's commonly known as vendor due diligence. +- A combined audit is an audit carried out at a single auditee on two or more management systems. So it could be 27001 or 9001 at the same time. If you're going to do a combined audit, make sure that you have appropriately certified and trained people to do that. Some audits require that, but in other cases, for example combining ISO 27001 and SOC 2, you can do that with less certified people. Also understand that you may actually have multiple audit teams in order to save time and money in relation to the auditee. +- The principles of auditing are integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach. So keep in mind what I said about integrity. Once your integrity has been tarnished, it's going to be difficult for you to be an auditor. So make sure that your integrity, your honor, your ethics, your moral courageousness, that is never violated. It's your reputation that means everything in the world of cybersecurity and auditing. +- Also understand the concepts of confidentiality. Unless you are given permission, do not release information about anything In relation to the client. The only exception to that is what's called what I call mandated reporting events. +- Audit team leaders must be professionally competent to plan an audit using resources efficiently, manage and counsel the audit team members, prevent and solve conflicts, and prepare, explain, and defend the audit conclusions. +- As a team leader, you may also understand the culture or the personalities of the people that are being interviewed. And you might want to reassign people who will do the interview based on the type of culture and environment that you're in. \ No newline at end of file
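Review bot: In the hunk that adds the regulatory-requirements list to the S06.5 transcription (the `+ - **Data protection and privacy**` and `+ - Regulation of **cryptographic controls**` items and the `+ - **Computer abuse**` item that follows), several identifiers look like speech-to-text errors that survived the clean-up and should be verified before this lands as corpus text: `CAPA` in "GDPR, HIPAA, FERPA, CAPA, CCPA" is not a privacy statute (COPPA is the likely intended term); ITAR expands to "International Traffic in Arms Regulations", not "International trafficking and arms regulation"; the PGP author's surname is Zimmermann (double n); and "the Interstate Commerce and Communications Act" does not match a US statute name I can confirm, so it should be checked or replaced with a generic reference. The cryptographic-controls item also still carries speech filler ("So be aware, especially if you're crossing going from one country to another, be aware of the cryptographic controls. uh in the regulatory environment around that") that the rest of the list has had stripped; suggest a single sentence such as "Be aware of the regulatory environment around cryptographic controls when moving between countries." The company-email sentence in the workplace-surveillance item contradicts itself ("you have all sorts of rights to monitor whatever you want ... but not for surveillance reasons") and should be reworded to the distinction the speaker means: monitoring to protect the company versus intruding on employees' privacy. Finally, the **Penetration testing** item states unconditionally that testing without a contract "is a felony"; since the same item frames the topic as jurisdiction-dependent, "may be prosecuted as a crime (for example under the CFAA in the United States)" would be more accurate.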
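Review bot: In the transcription hunk of S06.6 (the `+### Discipline and sector specific competence of auditors` block through the end of the file), the clause reference in the first bullet, `+- This is out of 27006-1 clauses 7.1.3.1.2 and 3.1.3.1.3.`, carries the artifact from the removed line ("7. 1. 3. 1. 2. And 3. 1. 3. 1. 3"); the second clause should almost certainly read 7.1.3.1.3 to match the 7.1.3.1.x numbering used for 7.1.3.1.5 and 7.1.3.1.6 two bullets later. Other leftovers worth fixing in the same pass: the fragment "An easy way of thinking about that is. You have to be certified ..." (join into one sentence), "Each auditor and ISMS audit team" (should be "in an ISMS audit team", as in the bullet above it), the remaining filler in "you're simply not aware of uh then get a technical expert", "comparethe" in the interviewing paragraph, the garbled "It's going to be politically, diplomatically professionalism." under resolving diverging opinions, and "do not release information about anything In relation to the client. The only exception to that is what's called what I call mandated reporting events." in the recap. Structurally, **Knowledge of certification bodies processes**, **Responsibilities and competencies of the audit team leader** and **Maintaining competence** are separate topics (Annex A 2.4 and clauses 7.2.10/7.2.11) but sit as bold paragraphs under `### Communication skills, presentation, and interviewing`; promoting them to `###` headings would match the sibling sections in this hunk. The recap line "ISO 19011 provides guidance on managing an audit program and planning a management system" should be checked against the source slide, since ISO 19011 is guidance for auditing management systems rather than planning them. The file also ends with `\ No newline at end of file`; add the trailing newline.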