Audit Template

Document Creation: 1 August, 2024. Last Edited: 19 August, 2024. Authors: Jamison Begley, Rohan Batra, Muhamed Badri Abdulkadir.
Effective Date: 19 August 2024. Expiry Date: 19 August 2025.

Purpose

The purpose of this document is to provide the guidelines for conducting an official inspection of our company's progress in complying with all listed standards, allowing us to continue to strive for our business goals and to foster a safe and secure working environment. The goal of this audit is to outline any gaps in compliance and to formulate action plans in response to those gaps. In an ideal world, this audit will work towards zero gaps in compliance for our company.

Audit Template

General Audit Points

Policy Compliance

| Audit Area | Compliant? (Yes or No) | Observations / Comments | Action Required |
| --- | --- | --- | --- |
| 1.1. Are the correct encryption methods being used for data in storage and in transmission? | | | |
| 1.2. Are the related DLP policies being adhered to? | | | |
| 1.3. Are the related data classification policies being adhered to? | | | |
| 1.4. Have forms of physical security for data protection been implemented? | | | |
| 1.5. Have forms of digital security for data protection been implemented? | | | |
| 1.6. Have EASM risks been identified? | | | |
| 1.7. Have appropriate EASM risk management strategies been implemented? | | | |
| 1.8. Have all employees undergone the appropriate user awareness training? | | | |

Ethical Considerations and Requirements

| Audit Area | Compliant? (Yes or No) | Observations / Comments | Action Required |
| --- | --- | --- | --- |
| 2.1. Are customers briefed on all forms of data collection, and is their consent gathered? | | | |
| 2.2. Has all collected information and data been classified in accordance with the data classification requirements? | | | |
| 2.3. Is data anonymisation used to protect the privacy of customers? | | | |
| 2.4. Is the cryptography policy being adhered to? | | | |
| 2.5. Is data minimisation applied when collecting data? | | | |
| 2.6. Are the ISMS policies being adhered to wherever they apply? | | | |

Governance

| Audit Area | Compliant? (Yes or No) | Observations / Comments | Action Required |
| --- | --- | --- | --- |
| 3.1. Is the team adhering to the company's governance framework? | | | |
| 3.2. Are team roles and responsibilities clearly defined and documented? | | | |
| 3.3. Is there a risk management plan in place? | | | |
| 3.4. Is there an incident response plan in place? | | | |
| 3.5. Are incidents logged and reviewed for continuous improvement? | | | |

Project-Specific Audit Points

Auditors need to develop their own range of audit points for the project they are auditing; these points may apply only to that project. The structure used in the General Audit Points section should be followed.

Summary

After the audit has been completed, a report must be produced. The structure of this report can be sourced from existing reports; the video linked below also includes a tutorial on how to conduct the audit and formulate an audit report.

Link: https://youtu.be/FvGHO3ixBo8