
    Service Overview

    Many businesses have a significant amount of investment in IT and information security and place substantial emphasis on protecting sensitive and private information while ensuring service availability and integrity. In order to further mature their information security posture and to demonstrate their commitment to protecting the security and privacy of stakeholder information, organizations are implementing an ISO 27001:2022 certified Information Security Management System.

    In order to fulfill the requirements of the ISO 27001:2022 Standard as well as to demonstrate due diligence, DeepSeas will perform an internal audit of the Client's ISO 27001:2022 Information Security Management System (ISMS).

    This Internal Audit will provide a comprehensive performance evaluation of the Client's ISMS.

    Objectives

    The objectives of this initiative are as follows:

    1. Validate Client's ISMS conforms to the requirements of the ISO 27001:2022 standard for Internal Audits
    2. Validate Client is adhering to their own audit objectives, criteria, schedule, and procedures defined by Client
    3. Validate the ISMS is effectively implemented, maintained, and continually improving
    4. Support compliance with regulatory requirements
    5. Develop a prioritized Corrective Action Plan

    Methodology

    This Internal Audit consists of the following phases:

    1. PLANNING: Preparation necessary to conduct an effective internal audit, including:
      1. Audit Scope Definition - Review the Scope of Registration and the Statement of Applicability, and create the Internal Audit Plan (schedule). DeepSeas sends this Plan to the ISMS Manager for review and approval or changes.
      2. Evidence/Artifact Staging - DeepSeas will send an Information Request List in advance. This is the guide the Client uses to gather evidence for audit review.
        1. Population requests will be a component of the Information Request List. These are reports of a specified type of information, needed before evidence is uploaded, from which the auditor produces a sample list that the Client uses to draw the specific evidence requested.
          1. Client to upload evidence into the DeepSeas audit repository for the internal auditor to access and review.
        2. The Auditor predetermines the sampling methodology he or she will employ on the populations for testing.
    2. ENGAGEMENT: Conduct the opening meeting while communicating and clarifying the following:
      1. Audit scope, language, and audit criteria, including standards and regulatory, contractual, and legal requirements.
      2. Communication channels, roles, and responsibilities.
      3. The audit process for collecting and verifying objective evidence.
      4. Generating and reporting audit findings and conclusions, including grading of non-conformities.
      5. Audits may be terminated if, through Client actions, the Lead Auditor determines that the audit objectives cannot be met.
    3. AUDIT: Perform the audit through:
      1. Review of previous audit findings (if any) and corrective actions.
      2. Review of standards, processes, procedures, specifications, contracts, and other relevant documentation.
      3. Review of verifiable objective evidence or records that demonstrate compliance with documented policies, standards, and processes (Note: Evidence will be collected by appropriate sampling and must be verified).
      4. Review of activities and supporting documentation.
      5. DeepSeas will evaluate the audit evidence against the audit criteria to generate audit findings. Audit findings will indicate non-conformities to mandatory and operational controls as well as opportunities for improvement.
    4. PRESENTATION: Conduct the Closing Meeting:
      1. The audit findings and conclusions will be presented in a manner that is understood and acknowledged by the Client auditees.
      2. Closing Meeting minutes are distributed so the Client may begin remediation activities, including root cause analysis.
      3. Audit Reporting - An Internal Audit Report document will be securely delivered within two (2) to four (4) weeks of the Closing Meeting.

    Deliverables

    DeepSeas will produce the following deliverables:

    1. INTERNAL AUDIT REPORT - DeepSeas will provide an ISO 27001 Internal Audit Report to address:
      1. Identification of nonconforming clauses and controls.
      2. Determination for nonconformance: major or minor.
      3. Identification of opportunities for improvement.

    Client Responsibilities

    The Client is responsible for completing the following tasks, in accordance with the agreed-upon timelines established as part of the project plan:

    1. Client to assign a point of contact (POC) responsible for Client coordination and logistics.
    2. Client to schedule and coordinate internal Client resources for all project work.