auditing Information Security Management in ITIL

Discussion of any ITIL or related issues that don't fit well into any of the above.
apn888
Newbie
Posts: 3
Joined: Mon Jun 05, 2017 8:00 pm

auditing Information Security Management in ITIL

Post by apn888 » Tue Jun 06, 2017 3:48 am

Information Security Management is one of the process areas in ITIL (Service Design phase). We are about to conduct a mini-assessment or audit on a client. And on this process area ONLY. Could someone shed some light on any template we can use? What are the generic high-level steps you would undertake to perform the mini audit?



UKVIKING
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Post by UKVIKING » Tue Jun 06, 2017 3:02 pm

So you want a complete stranger to tell you how to do your job?
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter

apn888
Newbie
Posts: 3
Joined: Mon Jun 05, 2017 8:00 pm

Post by apn888 » Thu Jun 08, 2017 5:57 am

UKVIKING wrote: So you want a complete stranger to tell you how to do your job?
You need to read the post carefully before jumping the gun :)

UKVIKING
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Post by UKVIKING » Thu Jun 08, 2017 7:00 am

I did read it... In fact, multiple times.

You state that you are doing an assessment of ISO27001, which is Information Security Management.

You ask for the forum members to provide you templates.

You ask for the forum members to identify the generic high-level steps that make up the audit.

Hence my question:

If you don't know how to do the audit - wtf is your organisation being paid to do something it does not know how to do?

If you want people in the forum to assist you - are you going to pay them?

Are you subcontracting this work to the ITIL Community Forum? I am sure the owners wouldn't mind that.

My advice - look at ISO 27001 requirements and audit against that.
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter

apn888
Newbie
Posts: 3
Joined: Mon Jun 05, 2017 8:00 pm

Post by apn888 » Tue Jun 13, 2017 11:17 pm

UKVIKING wrote: I did read it... In fact, multiple times.

You state that you are doing an assessment of ISO27001, which is Information Security Management.

You ask for the forum members to provide you templates.

You ask for the forum members to identify the generic high-level steps that make up the audit.

Hence my question:

If you don't know how to do the audit - wtf is your organisation being paid to do something it does not know how to do?

If you want people in the forum to assist you - are you going to pay them?

Are you subcontracting this work to the ITIL Community Forum? I am sure the owners wouldn't mind that.

My advice - look at ISO 27001 requirements and audit against that.
Again, jumping the gun.

When I said 'shed some light on a template', it could also mean providing references to articles or sections from ISO documents, or diagrams found on the web.

You've got a temper, mate. That's not a characteristic of a good auditor or any professional, and you will never succeed with your clients if you respond to people the way you do.

UKVIKING
ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Post by UKVIKING » Thu Jun 15, 2017 2:48 am

Apn888

Since there are no globally recognised templates for doing ISO27001, how can anyone shed light on what template you should use without providing you the template - thereby doing your work for you?

Second, we do not know what your customer has in regards to IT, IT Service Management, IT Data Management, IT Estate - Domain management - AD or what. We also do not know which part of the world the company is located in and what the country's local data protection laws are or are not.

In addition, you should know what to do as the high-level steps for assessing a company's adherence to ISO27001, what is missing and what is to be done next.

There - you have the generic high-level steps.

Finally, I am not angry. I am embarrassed for your client. They have hired what was supposed to be a professional organisation capable of doing the ISO27001 assessment; however, they get you instead.

Oh. And I am not a consultant - neither are you, by the way.
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
