Audit and Assurance

Expand all | Collapse all

Coronavirus and physical audits

  • 1.  Coronavirus and physical audits

    Posted 12 Mar, 2020 12:22
    Hello,

    Some of my clients have cancelled onsite audits because of the Coronavirus. I am curious if there is an acceptable alternative for onsite physical audits (e.g. ISO 27001 Annex A.11) if I cannot directly examine the physical controls.

    Thank you.

    ------------------------------
    Lawrence Moore
    Consultant
    ------------------------------


  • 2.  RE: Coronavirus and physical audits

    Posted 13 Mar, 2020 01:38

    Hi Lawrence,

    The first rule of information security is always  the preservation of life.

    I'm not an expert though .... but
    If the audit report is due, you may just add that the controls will still need to be investigated, as you were unable to do so due to the corona crisis.

    Would it be sufficient? Is it acceptable to audit what you can, and "postpone" the other auditing activities? (especially as they may get you, or others a corona infection)?

    Another thing you could do, is do a preliminary check using a video conference. Maybe someone with a smartphone can help you with your audit questions and tests. Someone that is on-site, and has access to those controls, that is. (In our case, we'll have a skeleton crew on-site, for as long as we can). This could allow you to do a very basic check, and list the outcome in the report.

    Even though it may not be sufficient for the final audit reports, it can give you an idea.




    ------------------------------
    Sven De Preter

    Sr. Network & Systems Administrator
    Corporate DPO Team Member

    Certs:
    - CompTIA CSCP (Stackable)
    - CompTIA CCAP (Stackable)
    - CompTIA Cloud+ ce
    - CompTIA Security+ ce
    - CompTIA Network+ ce

    Feel free to connect with me on LinkedIn: https://www.linkedin.com/in/svendepreter/
    ------------------------------



  • 3.  RE: Coronavirus and physical audits

    Posted 13 Mar, 2020 03:14
    Hi Lawrance,

    This is a problem many of us are facing. ISO 27001 ISMS Annex A Control Objectives A.11 refers to Physical and Environmental Security. If you are doing an internal audit, you may use video or photographic evidence and audio/Skype interviews under the current circumstances. However, if you are doing a 3rd party certification audit, the certifying organisation has to give the consent.

    Hope this will help you in your audit.

    Best regards

    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 4.  RE: Coronavirus and physical audits

    Posted 19 Apr, 2020 07:30
    You can request the ISO certification compliance if it exist or the SOX files if it was done. You can also request the physical description and user guides as well as videos or pictures. It should be enough i think

    ------------------------------
    Zineb Gridda
    Senior IT Auditor
    ------------------------------