ISO27001 ISMS internal Audits

[magic-k]

I have a few questions about Ciso Assistant in an 27001 ISMS

1. If i do internal audits and i find a NC or OFI, i would like to link a finding/follow up to this audit, so i can track the remediation. But as far as i see i can't link a finding to a specific audit or vice versa.
2. We span internal audits over a time frame of 3 years where we try to cover every control at least once. To do this we do partial audits (only a group of controls with a certain division e.g. all controls about employees concerning HR)
   The Audit module seems to only know complete audits covering all controls.

How is everyone, who needs 27001 compliance, is using Ciso Assistant for daily work? Risk Assessment, BIA etc. work great but i feel that my work flow is not compatible with Ciso Assistants audits.

[xcampax]

Hi @magic-k, here are my 2 cents on your questions/topics:

ad 1) I have tried two ways, and depending on your internal setup or requirements, both might be feasible.
Option A: The audit is conducted outside of CISO Assistant, and only the results, i.e., the findings per the audit report, are registered under Governance > Findings tracking. I am going this route for any penetration tests or other kind of audits that are conducted by external personnel; I have done this once for the official internal ISMS audit (norm chapters) as well.
Option B: Create and conduct the audit via Compliance > Audits. I am recording all other internal audits and SaaS evaluations this way, and now doing this for the ISMS audits as well.
Both options allow you to define an Applied Control for each finding, which again can be tracked for remediation.

ad 2) Is your concern the "progress X%" indication on audits or the selection of controls? Regarding the first aspect, I also believe that the progress indicator should reflect the amount of controls looked at (todo vs. done) rather than the compliance state (not assessed vs. any of the other ones). IIRC there was some discussion on Discord or maybe even an issue ticket around this a while ago (I believe by someone other than you!?), but I am not sure what came from it - maybe @ab-smith knows? If your concern is rather the second aspect, yes, as long as you are not using a specifically crafted framework that allows for more granular assignment of controls into an audit, it's all or nothing. Personally, I am conducting audits by making use of the Operational capabilities per 27002, which I am using by ways of implementation groups in a modified framework.

I hope I understood your questions correctly, and I hope this helps :)

[magic-k]

regarding 1)
If i do the audit in ciso assistant. When i find a non conformity, i can't directly create a finding out of the audit or from an applied control. I have to create a findings tracking and then findings, link the to applied controls. That way i lose the connection to the audit where the finding came from.

regarding 2) I made a template with all controls as not applicable and mark the ones of the particular audit a as not assessed. I also started to play with the framework builder to add groups but i lose the mapping capability with that approach.

Thanks for your answers.

[xcampax]

Hi,

ad 1) Why do you want or feel you need to go through a dedicated finding? Why not conduct the audit in C.A., create an applied control on the non-conformity, and track this?

ad 2) Yeah, not assessed items reduce the "progress" value... As I said, I believe this should be changed to correctly reflect on the Todo vs. Done status. Personally, I created the modified ISO framework the old way, using the Excel file. I tried the framework builder out once when it was released but was not happy with it...

[magic-k]

Maybe i'm thinking wrong and maybe i'm trying to force my current process into CA and another aproach would work better. I try an example to make clearer what i'm actually talking about_

I'm conducting an internal audit of HR regarding the on-/offboarding process. I find an Employee who has no recorded background check. That's a nonconformity violating A6.1 screening (reference control) as well as our onboarding policy (applied control).
The finding would need actions:
a) HR needs to find out i only the documentation is not recorded properly or if the background check wasn't done
b) I need to find out if that's only a solitary problem or if there's an underlying process/communication/responsibilty problem

Currently the audit would have been documented in confluence and the findings would be tracked in youtrack. How would you do this in CA without losing the conncection between the findings, the applied controls and the source for all this, the audit.

[xcampax]

Hi again, I pondered over what you wrote for a few days, and I understand now what you are saying. What I can offer as input is that, by linking an applied control to the audit as well as to the subsequent finding, you can establish a connection. However, if you want to record a finding that does not directly relate to an applied control, then your connection would be lost (but shouldn't everything be related to a control???). And even though I have not been using this functionality yet, I think the "sync to actions" should come in handy here and automatically update the audit result with the status of an applied control - let's hope that this also considers the status of any related findings (I have not looked into this).