Audit – the key to maintaining security in the organization

Regular audits are necessary to maintain continuous improvement and security within the organization.

Eligibility

Members of the Audit Team may show:

Certificate of the Lead Auditor of the Information Security Management System
Certificate of the Lead Auditor of the Business Continuity Management System

Audit (according to EN ISO 19011)

A systematic, independent and documented process for obtaining objective evidence and objectively evaluating it to determine the extent to which audit criteria are met.

Principia of audit

Purpose – OpenBIZ Ltd. audit team examines the compliance of the management system or its elements with the audit criteria.
Scope – the area and boundaries of the audit. The scope of the audit is usually determined by the Auditee.
Criteria – a set of requirements to which the Audit Team compares objective evidence. The audit criteria are determined by the Auditee nevertheless the set of requirements may be adjusted by the Audit Team Chairman to ensure the reliability of audit evidence acquisition and objective evaluation.

Types of audits performed by the Audit Division of OpenBIZ Ltd.

Internal audit (first-party audit) – according to the name, it is usually performed by the organization’s employees, however, due to the obligations associated with maintaining an internal audit group, the organization may contract the audit as a service. As OpenBIZ Ltd. we provide such a service.
Audit of an external stakeholder (second party audit) – a type of audit that can be commissioned to OpenBIZ Ltd. by an organization authorized to gain knowledge about its supplier, customer, partner.
Audit for legal, regulatory or similar purposes (third-party audit) – this is a type of audit that is required to be performed by the provisions of the internal or external legal system.
OpenBIZ Ltd. does not perform audits for certification and/or accreditation purposes

Examples of normative-legal system elements (audit criteria for the OpenBIZ Ltd. Audit Team).

DORA
SWIFT
NIS2
RODO/GDPR
KSC Law
Information Security Management System
Security of Cloud Processing
Security of Cloud Processing of Personal Data
Risk Management System
Business Continuity Management System

Rules for performing an IT/OT security audit or business continuity management system audit

Comprehensive Audit:

Includes all resources, within the scope specified by the Auditee. Audit evidence is obtained through measurement, observation, analysis of document resource, interviews. Measurements are carried out by the Competence Center using Tenable® tools. If the audit is a requirement of the legal or normative system and is a check of the actual state with the required state, then it is considered an audit and, according to the provisions of the Law of March 6, 2018. Business Law, it must be entered in the audit book and the Audit Report must be presented at follow-up audits.

Why security Inventory?

It is not an audit and it is not an inspection. A security inventory is an internal check of IT/OT infrastructure elements, document assets, and personnel preparedness for tasks.
No normative and/or legal requirements are placed on the safety inventory.
It is performed according to the audit procedure in both technical and process areas.
It does not have to be entered in the audit book.
The Safety Inventory report is treated as a “working” document and does not have to be presented during the follow-up audit.

Support/supervision

In the establishment and implementation of the Information Security Management System SZBI/ISMS together with the Risk Management System
In the establishment and implementation of the Business Continuity Management System SZCD/BCMS
When establishing and implementing a Management System for meeting DORA requirements
When establishing and implementing a Management System for meeting the requirements of NIS2