Conduct an Audit
Conduct an audit to review compliance with an industry standard or with key Configuration Items.
To conduct an audit:
- On the CSM Desktop Client or the CSM Browser Client toolbar, select New > New ISMS Audit.
- Record the following details:
  - Provide a description and details.
  - Select a source and type.
  - Select a priority and level of effort. The priority is displayed in the priority alert bar.
  - Select a lead auditor.
- Select the Next: Assigned link under Status.
- In the Audit Participants tab of the form arrangement, define stakeholders for the audit. Use Table Management to populate this table or select New ISMS Participant.
  Note: You need to have at least one participant with a role of Approver to move the audit to the Approving phase.
- In the Audit Scope and Schedule section (in the Overview tab of the form arrangement), provide the audit scope and audit criteria. For the audit scope, provide information related to the extent and boundaries of the audit (example: Audit affects all laptops, but focuses on remote employee laptops). The audit criteria will be used as a reference for analyzing evidence found during the audit.
- Select the proposed start and end dates. These dates are populated and represented on the audit calendar.
- Select the Recurring Audit check box, if appropriate. If selected, choose the following:
  - Review Frequency
  - Future Start Date
  - Future End Date
- Under Status, select the Next: Approving link.
- The audit automatically enters the Approving phase. An Approval record displays in the Approvals tab of the form arrangement. The Approver reviews the audit record details and validates the dates, scope, and criteria.
- After the audit is approved, the status changes to Active. During this phase, the Audit Description, Audit Scope, and Schedule fields are locked.
- (Optional) On the Security Incidents tab, select the Link button. The ISMS Security Incident Selector window opens.
- Select one or more Security Incidents from the list, and then select OK.
- (Optional) On the Risk Assessments tab, select the Link button. The ISMS Risk Assessment Selector window opens.
- Select one or more Risk Assessments from the list, and then select OK.
- (Optional) On the Controls tab, select the Link button. The ISMS Control Selector window opens.
- Select one or more controls from the list, and then select OK.
- Select an audit response (example: Corrective Actions Created).
- Select the actual start and end dates.
- Provide objective evidence. This information is related to evidence found during the course of the audit (example: Discovered that two employees downloaded unauthorized programs on their computers).
- Provide an overall conclusion (example: Provided two employees with additional security training).
- Under Status, select the Next: Complete link. The status changes to Completed. This indicates that the core auditor activities have been completed. Active compliance activities may still occur.
- Under Status, select the Next: Closed link to close the audit once all activities are completed.
- (Optional) Select the Create Preventative Action or Create Corrective Action link in the Actions list and complete the form.