Tuesday, May 27, 2014

ISMS 27001 Audit Report Template

Audit Report
For
Lake Dale Contact Center (LDCC)
By Bernardino, Raul

Audit Objective:
LDCC intends to obtain ISO/IEC 27001:2013 certification; the audit assessed whether its ISMS conforms to the standard.

Audit Scope:
The Information Security Management System (ISMS) applies to the provision of telephony services and the management of information and business support services at our only site in Mumbai (India), in accordance with the ISMS Statement of Applicability (SoA) revision 03, dated 21/Sept/2014. The scope of this ISMS excludes all outsourced IS processes (as these are not controlled by LDCC).

Audit Criteria:
ISO/IEC 27001:2013

Conclusion:
The audit team found several non-conformities (NCs) during the audit. The audit team decided not to proceed with ISO 27001:2013 certification of LDCC until those NCs have been corrected.

We encourage the Management Review to keep close monitoring with the relevant risk owners so that correction and corrective action are carried out and the ISMS is continually improved.

Recommendations:
The audit team recommends that the Management Representative (MR) take the Major Non-Conformities (NCs) more seriously and liaise with the Risk Owners to carry out both correction (fixing each finding itself) and corrective action (removing the cause so it does not recur) for the findings.
The MR shall ensure that all Risk Owners have approved the risk treatment plan and accepted the residual risks.
The MR shall liaise with the internal auditor to carry out internal audits periodically, or as per the internal audit plan.

The MR should produce an effectiveness report on the implementation of the corrective actions for the NCs.
The external auditor will perform a follow-up audit within the next 60 days.

Description of Audit Process:
The audit team consisted of Mr. Dino, the Lead Auditor, Mr. Toha, auditor team member, and Ms. Qory, auditor team member. The audit team met with Mr. Sanchez, the Management Representative, and the meeting took place as per the agreed schedule.

The lead auditor greeted the Management Representative, Mr. Sanchez, and introduced the auditor team members. The lead auditor explained the objective of the meeting, and Mr. Sanchez welcomed the auditor team members. The atmosphere was friendly and conducive for both auditors and auditee.

The lead auditor started with a brief interview of the MR, followed by questions focusing on clause 6. For instance: how do you prevent or reduce undesired effects? The MR replied that they had carried out risk assessment, risk analysis and risk evaluation of the external and internal issues, and that they were seriously tackling the issues in order to comply with the ISMS standard. Why, for some risks, did the Risk Owner (RO) not sign or approve the risks? The MR replied that those staff were on leave and would sign once they returned.

An auditor team member asked how LDCC set its risk criteria. The MR replied that they simply use Low, Medium and High as their parameters. Ms. Qory asked a follow-up question: what if the risk owner changes and the new person does not know the situation and makes a wrong judgement? The MR replied that they would know that.

Another auditor team member questioned the SoA document, which is based on assets and not on controls. The MR replied that they have a procedure for that.

The lead auditor asked about the loss of many documents and the disorganised files. The MR replied that they simply lock the door when they are out of the office. The follow-up question was: what about the janitor, who has the key, accessing the room and looking at the confidential files or documents? The MR insisted that once they lock the door, no one can access it.
During these interviews, the auditor team members found several NCs; they are listed in the following section.

Non Conformity (NC):
1.     Risk Owner (RO) – [Minor-NC]:
Based on the Risk Assessment template ISO 27001 - D13 – issue 1, we found that some "Risk Owner" approvals are missing, especially in sections A1 and A18.
During the audit, the Management Representative (MR) stated that the Risk Owners had not approved because they were on leave.
This is against the requirement of ISO 27001:2013 clause 6.1.3 (f), which is to 'obtain risk owners' approval of the information security Risk Treatment Plan (RTP) and acceptance of the residual information security risks'. Until the approvals are in place, the residual risks have not been formally accepted by anyone.
2.     The Statement of Applicability (SoA) document is not effective [Major-NC]
The SoA document, number SoA - D14 - issue 1, is based on assets and not on controls. An asset-based list cannot show, for each Annex A control, whether it is included or excluded, why, and whether it is implemented.
This is against the requirement of ISO 27001:2013 clause 6.1.3 (d), which is to 'produce a Statement of Applicability that contains the necessary controls (see 6.1.3 (b) and (c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A'.
3.     Risk criteria were not effective [Major-NC]
LDCC did not define its information security risk criteria properly. In the document Information Security Risk Procedure - D11 - issue 2, there is no definition of the scoring levels for consequence, likelihood and occurrence, so different risk owners may score the same risk on different assumptions.
This is against the requirement of ISO 27001:2013 clause 6.1.2 (b), which is to 'ensure that repeated information security risk assessments produce consistent, valid and comparable results' (see also 6.1.2 (a), which requires the risk criteria themselves to be established and maintained).

Observation:
The interviewers and the auditee had a relaxed exchange, which created a conducive atmosphere; the flow of questions and answers was pleasant even where no proper implementation was found.

Schedule for Next external audit:
July 10, 2014

Dated: May 9, 2014

Prepare by,                                                                    Approved by,


Mr. Dino, Lead Auditor                                   Mr. Sanchez, MR

Thursday, May 1, 2014

Product Concept Testing

By Raul Bernardino

Abstract:
Concept testing is an attempt to predict the success of a new product idea before putting it on the market. It usually involves getting people's reactions to a statement describing the basic idea of the product. It is usually conducted as a pass/fail, go/no-go test. As I will explain later, this is usually an effective way to kill good ideas. It is disliked by creative people everywhere, with good reason.
Introduction:
Concept testing is a process that uses qualitative and quantitative methods to evaluate customers' responses to new product ideas before they enter the market. In other words, it is the challenge of predicting the success of a new product idea prior to putting it on the market.

It is important to distinguish between product ideas, product concepts and product images (Armstrong, G. and Kotler, P., 2010). Product ideas are ideas for possible products that a company could offer to the market. Product concepts are detailed versions of those ideas, stated in terms that are meaningful to customers. Product images are the way customers perceive a potential product.

Concept development: new ideas are formulated gradually into forms that are more likely to be accepted in the market. For instance, consider battery-powered all-electric cars. Initially the electric car design was costly; the battery sold for about $100,000. Later, all-electric cars could be recharged from a normal 120-volt electrical outlet, and the cost to power them was pennies per mile. Marketers have to develop the new product into alternative product concepts that are attractive to customers.
The importance of concept testing is to obtain customers' acceptance of the new product idea, and also to minimise research and development cost. The testing method differs from one model to another. There are 4 (four) types of testing models. They are as follows:

  •      The Exploratory;
  •      The Assessment;
  •      The Validation;
  •      The Comparison;


Diagram: the concept testing model (exploratory, assessment, validation, comparison).
The Exploratory Test: The objective of this test is to examine and explore potential customers' reactions to a preliminary design concept, including giving questionnaires to the customers. This concept analysis is the most essential part of any concept test, such as new product prototypes and new product evaluation.

The Assessment Test: The objective of the assessment test is to dig into more detail with alternative solutions for the product to be developed, including testing whether the concept or assumption is still relevant.

The Validation Test: The objective is to validate that all product developments meet the product standard. This validation test covers usability, performance, reliability, maintainability, assembly methods and robustness. In other words, the validation test aims to test the current functionality and performance of the product, including whether quality and environmental friendliness meet expectations. The validation test also includes formal testing such as product certification, signing off the safety documentation, and other legislative documents. The validation test is much more thorough than the assessment test.

The Comparison Test: The objective of this comparison test is to test every single design of the new product concept, so that performance and preference data are captured for each solution. The comparison test also determines the advantages and disadvantages of each alternative product design solution.

Reference list:
·        Armstrong, G. and Kotler, P. (2010) Principles of marketing, 13th edition, Global edition: Prentice Hall, Ch. 9

·        Concept Testing, [on-line]. Available from: http://www.betterproductdesign.net/tools/concept/testing.html (Accessed: 30 April 2014)

·        Concept Testing, [on-line]. Available from: http://en.wikipedia.org/wiki/Concept_testing (Accessed: 30 April 2014)

·        The purpose of the concept testing, [on-line]. Available from: http://www.visitask.com/Concept-Testing.asp (Accessed: 30 April 2014)

·        Silverman, G., Concept testing: How to test a concept without killing it, [on-line]. Available from: http://mnav.com/focus-group-center/concept-testing/ (Accessed: 30 April 2014)