Internal Audit - Findings - Recent Internet Audit (Prior to Certification)

Adaym

Involved In Discussions
In the recent internet audit (prior to certification), the following findings were identified:

1. Lack of a DR site for one of the sites - clarify if
Please review the solution below and advise if this will suffice to fulfill the requirement.
* A set of members are equipped with data cards, and all they need is an internet connection to connect to the VPN and start operations.
* In case of emergency situations we can just mobilize these identified members swiftly; they also have to take their respective laptops and get to work from home, or even some safe place nearby, or even just do the work on the move or in some transport.

If not, what are the reasons?

2. Background verification - Is it not enough to seek the candidate's passport, education certificates, salary slips, references, and appointment letter?
Is it necessary to have a proper character check done by an independent agency? The candidate's passport is the testimony that he has gone through all those checks.

Please clarify the logic of having an independent check done. It is quite possible that he may not have any criminal record history at the recruitment stage, but we don't know what's going to happen in the future. Isn't it?
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
I am sorry for the delay in responding.

Can you tell me what "lack of DR for site" means? Is this about data security?

Do you have legal or customer requirements for any specific controls, such as security clearances?

Do you already do the things you described in #2? If so, did you show them to the auditor?

What risks have been identified in this process? Have/will your actions adequately addressed the identified risks? I did a Google search on the subject and came up with this list of information sources on the subject. How did you decide on the actions you listed?
 

howste

Thaumaturge
Trusted Information Resource
I'm still confused. Many companies use acronyms with different meanings. Please clarify what you mean by "DR".
 

Richard Regalado

Trusted Information Resource
Hello.

I would like to clarify that "NO" security control is required by ISO/IEC 27001. You just need to justify excluding any or ALL of them (ISO/IEC 27001, 6.1.3.d).

1. DR site

There is no requirement from the standard to have a DR site. But it could be that you have specific contractual obligations to have one. In some countries, having a DR site is a regulatory requirement.

2. Background verification - same reason as above. Do you need it? Really? Why? Go to your risk registers and check. Do you have a risk that requires background verification? If none, think about excluding this.

Come back here with answers.

Regards,

Richard
 