Know your next Internal Auditor

Chirayu is a PECB Certified ISO/IEC 27001 Senior Lead Auditor with over 13 years of experience in the InfoSec domain, focused on leading the development of IT security design and architecture projects in alignment with business, operations and compliance requirements. He has carried out a few Oracle DB deployments for some of Australia's most prominent fashion industry retailers. Chirayu has worked across a wide variety of sectors including information technology, public transport, risk management, professional services and engineering.

In addition to his ISO credentials, Chirayu holds a graduate degree in Data Science from RMIT, as well as PRINCE2, ACMT (Apple Certified) and BrainBench Windows Navigation Expert certifications.

Chirayu has worked as a Senior Lead Auditor for ISO/IEC 27001, 27017, 27018, the DESE ISMS Scheme, Essential 8 and ISO 9001, and has also developed and implemented an ISMS framework for small and medium-sized enterprises.

Importantly, Chirayu’s technical and management experience allows him to “walk in your shoes”, understanding that you want systems that contribute to your profitability and minimise your administration.

Chirayu founded BitSecure in 2018 to provide businesses with the support they need to design and implement information security management systems (ISMS) to improve business performance.

What is an ISO internal audit and why is it important?

The objective of the internal audit is to evaluate the effectiveness of your organisation's Information Security Management System (ISMS) and the overall efficiency of your organisation. Your internal audits demonstrate that you are complying with the "provisions", for example how the ISMS and its processes are implemented and sustained.

Why perform Internal Audits?

Your organisation will likely perform internal audits for at least one of the following reasons:

  • An ISO 27001 internal audit involves an extensive review of your organisation's ISMS to ensure that it meets the requirements of the Standard.

  • The purpose of the audit is to identify non-compliances, determine the effectiveness of the ISMS, and provide an opportunity for improvement.

Advantages of an internal audit

  • Discover non-conformities before others do.

  • Ensure a strong security stance by identifying areas that require attention prior to a security event.

  • Demonstrate and inform leadership engagement.

  • Support staff in understanding and raising awareness.

  • Drive continuous improvement.

To support you in meeting the requirements of ISO/IEC 27001, especially the internal audit, we have developed the key elements below, which organisations of all sizes can follow. We have also developed an automated SaaS platform that assists organisations in preparing the Statement of Applicability, Risk Assessment, Risk Treatment, Risk Ratings, and the controls in Annex A. BitSecure's SaaS tool reduces the complexity of designing, navigating and operating an information security management system for ISO 27001 certification.

Document & Management Review

  • The document review identifies the information that should be gathered and reviewed.

  • We will extensively work with management to agree on the timing and resourcing for the audit.

Screening

  • This is the stage where the practical evaluation of your organisation takes place.

  • We will observe how the ISMS works in practice by speaking with front-line staff, carrying out audit tests to validate evidence as it is gathered, completing audit reports to document the results of each test and reviewing any other relevant data.

Analysis

  • We will sort the evidence gathered during the internal audit and review it against your organisation's risk treatment plan and control objectives.

IA Reporting

  • The audit findings will be shared with management, including: clarification of the scope, information security objectives and extent of the work performed; an executive summary covering the non-conformities (major/minor); a high-level analysis; and a conclusion with recommended corrective actions.

This is how we conduct your ISO 27001 internal audit.

How often do I need to conduct an internal audit?

As with many standards, ISO 27001 does not specify how often an organisation must carry out an internal audit. This is because the ISMS of each organisation is different and needs to be treated as such. We recommend an annual ISO 27001 internal audit. This is the period for which most ISO 27001 certification bodies validate an organisation's ISMS, which suggests that beyond this point there is a high probability that the organisation will no longer be compliant.