Conduct an Audit

Conduct an audit to review compliance with an industry standard or with key Configuration Items.

To conduct an audit:

  1. On the CSM Desktop Client or the CSM Browser Client toolbar, select New > New ISMS Audit.
  2. Record the following details:
    1. Provide a description and details.
    2. Select a source and type.
    3. Select a priority and level of effort. The priority is displayed in the priority alert bar.
  3. Select a lead auditor.
    1. Select the Next: Assigned link under Status.
    2. In the Audit Participants tab of the form arrangement, define stakeholders for the audit. Use Table Management to populate this table or select New ISMS Participant.

      You need to have at least one participant with a role of Approver to move the audit to the Approving phase.

  4. In the Audit Scope and Schedule section (in the Overview tab of the form arrangement), provide the audit scope and the audit criteria.
    For the audit scope, describe the extent and boundaries of the audit (example: Audit affects all laptops, but focuses on remote employee laptops). The audit criteria are the reference against which evidence gathered during the audit is evaluated, such as the requirements of the standard or the expected configuration of the Configuration Items in scope.
    1. Select the proposed start and end dates. These dates appear on the audit calendar.
    2. Select the Recurring Audit check box, if appropriate. If selected, also set the following:
    • Review Frequency
    • Future Start Date
    • Future End Date
  5. Under Status, select the Next: Approving link.
    1. The audit automatically enters the Approving phase. An Approval record displays in the Approvals tab of the form arrangement. The Approver reviews the audit record details and validates the dates, scope, and criteria.
    2. After the audit is approved, the status changes to Active. During this phase, the Audit Description, Audit Scope, and Schedule fields are locked so that the approved details cannot be changed while the audit is in progress.
  6. (Optional) On the Security Incidents tab, select the Link button.
    The ISMS Security Incident Selector window opens.
    1. Select one or more Security Incidents from the list, and then select OK.
  7. (Optional) On the Risk Assessments tab, select the Link button.
    The ISMS Risk Assessment Selector window opens.
    1. Select one or more Risk Assessments from the list, and then select OK.
  8. (Optional) On the Controls tab, select the Link button.
    The ISMS Control Selector window opens.
    1. Select one or more controls from the list, and then select OK.
  9. Select an audit response (example: Corrective Actions Created).
  10. Select the actual start and end dates.
  11. Provide objective evidence.
    Record the evidence gathered during the course of the audit that supports the findings (example: Discovered that two employees downloaded unauthorized programs on their computers).
  12. Provide an overall conclusion (example: Provided two employees with additional security training).
  13. Under Status, select the Next: Complete link.
    The status changes to Completed. This indicates that the auditor's core activities are finished; follow-up compliance activities, such as corrective or preventive actions, may still be in progress.
  14. Under Status, select the Next: Closed link to close the audit once all activities are completed.

(Optional) Select the Create Preventative Action or Create Corrective Action link in the Actions list and complete the form to record a follow-up action arising from the audit findings.