ISO 27001 sample audit report

Tahwar

Registered
Hi to all forum members,
I'm a newly qualified ISO 27001 lead auditor and have been tasked to produce an "as is" assessment of my company's controls against the 27001 framework. There is no desire to achieve the certification; senior management just want to gauge how they stack up against the ISMS and bolster some of the high risk areas.

I have viewed and reviewed the policies, observed staff, interviewed multiple stakeholders and produced an Excel spreadsheet with a RAG rating and brief findings against each of the controls. I've been asked to provide more narrative in non-technical language for the report with a summary highlighting key findings, areas of success and areas of improvement, a deeper dive into the observations (non-technical language) together with key recommendations.

Do any of the forum members have anything like this (in an anonymised format) that they are willing to share, or can point me to where I could possibly find some resources?

Thanks

Taz
 

John Broomfield

Leader
Super Moderator
ISMS Audit Report

Comprises:

1. Objective
2. Scope
3. Findings
4. Conclusion

1. Is determined by the audit client and is usually the question to be answered by the audit.

2. Is the extent of the audit determined by the lead auditor as sufficient to fulfill the audit objective.

3. Statements of fact from the audit, both positive and negative (aka Corrective Action Requests).

4. The answer to the question posed by the audit objective and based on 3 above.

The record will include a completed Statement of Applicability that addresses known and suspected vulnerabilities.

Naturally, this is highly confidential and has a limited circulation.
 

xlogo

Registered
> ISMS Audit Report
>
> Comprises:
>
> 1. Objective
> 2. Scope
> 3. Findings
> 4. Conclusion
>
> 1. Is determined by the audit client and is usually the question to be answered by the audit.
>
> 2. Is the extent of the audit determined by the lead auditor as sufficient to fulfill the audit objective.
>
> 3. Statements of fact from the audit, both positive and negative (aka Corrective Action Requests).
>
> 4. The answer to the question posed by the audit objective and based on 3 above.
>
> The record will include a completed Statement of Applicability that addresses known and suspected vulnerabilities.
>
> Naturally, this is highly confidential and has a limited circulation.


Thanks - do you have a sample?
 

John Broomfield

Leader
Super Moderator
Sorry, no.

Being retired means that what I had either belonged to my former clients or to my former company/successor.