Information Security Management System (ISMS) Audit

PURPOSE

The purpose of this SOP is to define the process for conducting independent audits of the Information Security Management System (ISMS) at HIC (Health Informatics Centre). These audits aim to ensure compliance with regulatory standards, assess the effectiveness of security measures, and promote continuous improvement through impartial evaluation by an independent auditor.

SCOPE

This SOP applies to all ISMS components across the organisation and covers internal and external audits, which include penetration testing of HIC's technical environment. Independent audits are conducted by impartial internal or external personnel.

RESPONSIBILITIES

Role: Responsibility

  • Auditor: Carries out the assigned internal or external audit.

  • All Staff: Responsible for the actions assigned to them in audit reports.

  • Governance and Project Co-ordinator: Responsible for follow-up and monitoring of actions arising from audit reports.

  • Process Manager: Senior staff member or delegated process manager who is responsible for managing the process.

DEFINITIONS

  • Auditor: Any impartial person who evaluates, verifies and tests that HIC complies with information security and governance standards.

  • ISMS: Information Security Management System which covers the full range of HIC ISO 27001 documentation covering HIC's governance and data security processes.

  • Project Management System: The database and software system used by HIC to store project details and documents relating to, in particular, approvals and data releases.

PROCEDURE

  1. Plan Audit

    • Audits are scheduled based on their frequency requirements.

    • Auditor plans the details of the audit.

      • Define Objectives: Establishes specific objectives of the audit.

      • Define Scope: Determines the scope of the audit.

      • Prepare Documentation: Gathers relevant evidence and documentation.

      • Establish Timeline: Sets clear timelines for audit activities and report preparation.

  2. Conduct Audit

    • Auditor performs internal or external audits to assess compliance.

    • Audits may include review of documentation and interviews with relevant stakeholders.

  3. Review Audit Report

    • Auditor prepares the report and submits it to HIC.

    • Governance and Project Co-ordinator circulates reports to the Leadership Team and to ISMS Management Review meetings.

    • Governance and Project Co-ordinator works with relevant stakeholders to develop an action plan for addressing findings.

  4. Follow-up and Monitor Progress

    • Governance and Project Co-ordinator, or a delegated person, inputs findings and corrective actions from the reports into the project management system. Each finding is assigned to the appropriate member of staff, with a completion deadline, who then carries out the remedial work needed.

    • Governance and Project Co-ordinator will monitor until completion and progress will be reviewed at ISMS management reviews.

    • Auditor reviews previously issued corrective actions at the next audit.

APPLICABLE REFERENCES

  • N/A

DOCUMENT CONTROLS

Process Manager: Symone Sheane

Point of Contact: hic-ops@dundee.ac.uk

Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date

1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template. | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24

1.1 | 04/04/24 | Updated Roles and Responsibilities. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24

1.2 | 10/04/24 | Formatted document controls table and added in revision category. Added in roles and responsibilities table. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24

1.3 | 19/04/24 | Updated Approved by title. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24

1.4 | 30/04/24 | Updated Header to conform with BSI guidelines. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24

1.5 | 02/05/24 | Updated links to Definitions in ISMS Glossary. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 02/05/24

1.6 | 09/10/24 | Updated Labels in line with 2022 standard. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 17/10/24

1.7 | 17/10/24 | Updated Process Manager. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 17/10/24

1.8 | 12/11/24 | Reformatted and condensed the purpose into the scope section. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 18/11/24

1.9 | 11/07/25 | Updated point of contact email. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 11/07/25

1.10 | 03/10/25 | Added definition section from glossary. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 03/10/25

1.11 | 03/11/25 | Added definitions from glossary. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 03/11/25

1.12 | 12/11/25 | Removed HIC Executive Committee and HIC Information Security & Governance Committee. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 12/11/25

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.