Information Security Management System (ISMS) Audit

PURPOSE

The purpose of this SOP is to define the process for conducting independent audits of the Information Security Management System (ISMS) at the Health Informatics Centre. These audits aim to ensure compliance with regulatory standards, assess the effectiveness of security measures, and promote continuous improvement of the ISMS through impartial evaluation by an independent auditor.

SCOPE

This SOP applies to all ISMS components across the organisation and covers internal and external audits, which include penetration testing of HIC's technical environment. The independent audits are conducted by internal or external impartial personnel.

RESPONSIBILITIES

ROLE                                 RESPONSIBILITY
Auditor                              Carries out assigned internal or external audit
All Staff                            Responsible for actions assigned from audit report
Governance and Project Co-ordinator  Responsible for follow-up and monitoring of actions taken from audit reports

PROCEDURE

  1. Plan Audit

    • Audits are scheduled based on their frequency requirements.

    • Auditor plans the details of audit.

      • Define Objectives: Establishes specific objectives of the audit.

      • Define Scope: Determines the scope of the audit.

      • Prepare Documentation: Gathers relevant evidence and documentation.

      • Establish Timeline: Sets clear timelines for audit activities and report preparation.

  2. Conduct Audit

    • Auditor performs internal or external audits to assess compliance.

    • Audits may include review of documentation and interviews with relevant stakeholders.

  3. Review Audit Report

    • Auditor prepares report and submits to HIC.

    • Governance and Project Co-ordinator circulates reports to Leadership Team, ISMS Management Reviews, Information Security and Governance Committee and Executive Committee for review.

    • Governance and Project Co-ordinator works with relevant stakeholders to develop an action plan for addressing findings.

  4. Follow-up and Monitor Progress

    • Governance and Project Co-ordinator, or delegated person, inputs findings and corrective actions from the reports into the project management system. Each finding is assigned to the appropriate member of staff, with a completion deadline, who then carries out the remedial work needed.

    • Governance and Project Co-ordinator will monitor until completion and progress will be reviewed at ISMS Management Reviews.

    • Auditor reviews previously issued corrective actions at subsequent audits and enters them, where appropriate, onto the audit plan.

APPLICABLE REFERENCES

  • For Definitions see ISMS Glossary

DOCUMENT CONTROLS

Process Manager   Point of Contact
Symone Sheane     hicbusiness-support@dundee.ac.uk

Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date
1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24
1.1 | 04/04/24 | Updated Roles and Responsibilities | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24
1.2 | 10/04/24 | Formatted document controls table and added in revision category. Added in roles and responsibilities table. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24
1.3 | 19/04/24 | Updated Approved By title | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24
1.4 | 30/04/24 | Updated header to conform with BSI guidelines | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24
1.5 | 02/05/24 | Updated links to definitions in ISMS Glossary | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 02/05/24
1.6 | 09/10/24 | Updated labels in line with 2022 standard | Bruce Miller | Superficial | Symone Sheane | 17/10/24
1.7 | 17/10/24 | Updated Process Manager | Symone Sheane | Superficial | Symone Sheane | 17/10/24
1.8 | 12/11/24 | Reformatted and condensed the purpose into the scope section. | Symone Sheane | Superficial | Symone Sheane | 18/11/24

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.