Information Security Management System (ISMS) Audit

PURPOSE

The HIC Services External Audit is commissioned by the HIC Governance Committee and is carried out annually by an external auditing company. The audit includes a review of operating standards, documentation, Standard Operating Procedures, systems, facilities, and projects for compliance with conditions of approval (by the Caldicott Guardian, Ethics Committee and other authorities) and with the requirements of UK data protection legislation. The audit is carried out at the Health Informatics Centre located in Ninewells Hospital.

HIC also receives a second annual external audit involving an external penetration test of HIC’s Safe Haven environment and IT systems, to check for system security vulnerabilities.  

This SOP describes the procedures for following up and resolving actions raised in the external audit reports and in the routine internal audits carried out more widely across HIC processes. These audits provide information on whether HIC Services' Information Security Management System (ISMS) is being effectively implemented, maintained, and followed.

SCOPE

This SOP covers HIC's response to external HIC audits and to the wider routine internal audits. It is applicable to all HIC staff. This SOP is made available to all users and potential users of the HIC Service and is externally visible on the public HIC website.

RESPONSIBILITIES

ROLE                 RESPONSIBILITY
Auditor              Carries out the assigned internal or external audit
All Staff            Responsible for actions assigned to them from an audit report
Governance Manager   Responsible for assigning responsibility for audit report actions and ensuring remedial action is taken

PROCEDURE

Policy

For overall Policy see Legal and Governance Policy. 

External Audit Steps

  1. HIC Services will receive two external audits annually: an IT system penetration test and a wider audit of HIC processes and procedures.

  2. Once the external audits have taken place and the Auditor reports are received by HIC Services, they will be circulated to the Chair of the HIC Information Governance Committee and the HIC Services Executive Committee. They are subsequently discussed, along with HIC’s response, at the HIC Information Governance Committee meeting.   

  3. All action points raised in the audit reports will then be entered into the HIC Services PM system, which allows the progress of each point to be monitored until complete, with space for additional comments and updates. Each action will be assigned to the appropriate member of staff with a completion deadline; that member of staff will then carry out the remedial work needed.

Internal Audit Steps 

  1. A quarterly internal audit plan of HIC’s Information Security Management System (ISMS) will be prepared in advance, covering a 12-month period, to ensure that HIC’s ISMS is conforming to the International Standard requirements and is being effectively implemented and maintained.  

  2. Individual audits are planned, including methods, responsibilities, and reporting, and the scope of each audit is agreed with the Team Leader as appropriate.

  3. Audits are carried out throughout the year, following the audit plan, by staff independent of the work being audited, or by external auditors employed for the purpose.  

  4. Previously issued corrective/preventative action requests are reviewed at audits and entered, where appropriate, onto the audit plan.  

  5. The internal audit results, including target implementation dates for completion of corrective/preventative action, will be recorded centrally, and reported to the HIC Governance Manager who is then responsible for assigning responsibility and ensuring remedial action is taken. The results of audits are presented for discussion at the HIC Executive Committee meeting.  

APPLICABLE REFERENCES

  • Security Policy

  • Standard Operating Procedures

  • For Definitions see ISMS Glossary

DOCUMENT CONTROLS

Process Manager   Point of Contact
Jenny Johnston    hicbusiness-support@dundee.ac.uk

Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date
1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24
1.1 | 04/04/24 | Updated Roles and Responsibilities | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24
1.2 | 10/04/24 | Formatted document controls table and added in revision category. Added in roles and responsibilities table. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24
1.3 | 19/04/24 | Updated Approved by title | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24
1.4 | 30/04/24 | Updated Header to conform with BSI guidelines | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.