Question - Internal audits, analysis and their findings?

At the moment we use Compliance Package, Compliance Analysis and Compliance Analysis Findings to facilitate internal audits and their findings.

For example, we create an ISO 27001 Compliance Package, adjust the corresponding ISO 27001 Compliance Analysis with the result of the internal audit and also add Compliance Analysis Findings related to the result of the internal audit.

In this way we are able to have a quick overview of the compliance of the scoped audit and schedule the findings with the right collaborators.

Question 1: Is this the right way?
Question 2: Is there another way?
Question 3: Is there a way to import the result of the internal audit, resulting at least with a “complete” Compliance Analysis of the result?

Hi

These are the questions I asked myself as well multiple times. I’m still testing the best way to add audit findings. In my case, we have various audits which are not directly linked to Standards or just cover a small portion of a standard.
I have opened a Project for each Audit, and as Task I have added the findings. So I can set a Deadline and add all the documents to this Task.

Anyway, I wonder if there are other ways; the way I do it, there is no real linking to a risk, which would be great to have.

hello,

let me try and respond to this, although this should be clear in the documentation :slight_smile:

For example we create a ISO 27001 Compliance Package, adjust the corresponding ISO 27001 Compliance Analysis with the result of the internal audit

I'm not sure if this is a typo or you are using the tool incorrectly. Once you upload a compliance package, the task on the compliance analysis module is to link the controls (control catalogue / sec. services) and policies (control catalogue / policies) that address each requirement.

and also add Compliance Analysis Findings related to the result of the internal audit.

the results of your internal audits (I'm assuming you refer to the testing of security services) are not attached to compliance analysis, but to the security services. Since these security services are attached to your compliance requirements, the link is closed there.

In this way we are able to have a quick overview of the compliance of the scoped audit and schedule the findings with the right collaborators.

Question 1: Is this the right way?

I think I made a few comments; perhaps you referred to the same steps?
Question 2: Is there another way?
Question 3: Is there a way to import the result of the internal audit, resulting at least with a “complete” Compliance Analysis of the result?

Let me know if your understanding was different from what I describe here. I anyway strongly recommend you use the documentation to refresh what compliance, controls and policies do around. Alternatively, you can access our latest training recordings (they anyway follow the documentation) if you think that would help?

regards!

Hi, now 1 1/2 years later.
Has somebody found out a good solution to add Internal Audit findings and use them in your control and risk management?

In our earlier GRC tool we could relate Internal Audit findings to Assets and Policies, used by the asset owner when doing risk assessments. Then he/she could see how many security incidents, Internal Audit findings and risks there are related to his/her system when making an update of the risk assessment.