satu

An elephant dies and leaves its bones,
a tiger dies and leaves its stripes,
a person dies and leaves a name.

Be prepared: if you die, what do you want to leave behind?

Tuesday 21 July 2020

Recap: Personal Notes from the ISO 27001 Lead Auditor Training Course

The training I attended ran for 5 days, with the following schedule:



Day 1
Day 2
Day 3
Day 4
Day 5
================================================


# ISO

>Benefits of implementing ISO:
- Increases company credibility and customer trust
- Increases the effectiveness of cost management, leading to cost savings
- Improves employee performance
- Improves company image
- Increases company revenue
- Improves flexible and fast responses to market opportunities
- Alignment of processes which will best achieve desired results
- Increases profit through the organization's improved capabilities
- Understanding and motivating people toward the organizational goals and objectives, as well as participation in continual improvement
- Confidence of interested parties in the security and effectiveness of the organization, as demonstrated by the financial and social benefits from the organization's performance and reputation
- Ability to create value for both the organization and its suppliers through reduction of risks, optimization of cost and resources, availability of information processing facilities and ability to control and manage change



ISO 27001:2013
is about information security;
its meaning is different from IT/service security.

IT service goes up to the service level.
The auditor-level objectives are:
- What evidence do we want to find?
- Who assesses the external audits / internal audits

Clause structure of ISO 27001:2013
0. Introduction
1. Scope = scope of the standard

         >> there are 3 meanings of "scope" in this standard:
               scope of the standard, #1
               scope of the audit, clause 4.2
               scope of the ISMS, clause 4.3

2. Normative references
3. Terms and definitions
4. Context of the organization
     4.1 Understanding the organization and its context
     4.2 Understanding the needs and expectations of interested parties
     4.3 Determining the scope of the ISMS (information security management system)
     4.4 Information security management system
5. Leadership
    5.1 Leadership and commitment
    5.2 Policy
    5.3 Organizational RRA (roles, responsibilities and authorities)
6. Planning
    6.1 Actions to address risks and opportunities
    6.2 Information security objectives and planning to achieve them
7. Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
    7.5 Documented information
8. Operation
    8.1 Operational planning and control
    8.2 Information security risk assessment
    8.3 Information security risk treatment
9. Performance evaluation
    9.1 Monitoring, measurement, analysis and evaluation
    9.2 Internal audit
    9.3 Management review
10. Improvement
    10.1 Nonconformity and corrective action
    10.2 Continual improvement


Annex A (normative) Reference control objectives and controls


=====================================================
Course aim:

Provide the knowledge and skills required to perform first, second and third
ISO 19011:2018 = for auditing
and
ISO 17021         = for certification bodies

====================================================

Clause structure of ISO 19011:2018

 1. Scope
 2. Normative references
 3. Terms and definitions
     3.1 Audit
     3.2 Combined audit
     3.3 Joint audit
     3.4 Audit programme
     3.5 Audit scope
     3.6 Audit plan
     3.7 Audit criteria
     3.8 Objective evidence
     3.9 Audit evidence
     3.10 Audit findings
     3.11 Audit conclusion
     3.12 Audit client
     3.13 Auditee
     3.14 Audit team
     3.15 Auditor
     3.16 Technical expert
     3.17 Observer
     3.18 Management system
     3.19 Risk
     3.20 Conformity
     3.21 Nonconformity
     3.22 Competence
     3.23 Requirement
     3.24 Process
     3.25 Performance
     3.26 Effectiveness


 4. Principles of auditing
 5. Managing an audit programme
     5.1 General
     5.2 Establishing audit programme objectives
     5.3 Determining and evaluating audit programme risks and opportunities
     5.4 Establishing the audit programme
              5.4.1 Roles and responsibilities of the individual(s) managing the audit programme
              5.4.2 Competence of the individual(s) managing the audit programme
              5.4.3 Establishing the extent of the audit programme
              5.4.4 Determining audit programme resources
     5.5 Implementing the audit programme
              5.5.1 General
              5.5.2 Defining the objectives, scope and criteria for an individual audit
              5.5.3 Selecting audit team members
              5.5.4 Assigning responsibility for an individual audit to the audit team leader
              5.5.5 Assigning responsibility for an individual audit to the audit team leader
              5.5.6 Managing audit programme results
              5.5.7 Managing and maintaining audit programme records
     5.6 Monitoring the audit programme
     5.7 Reviewing and improving the audit programme
 6. Conducting an audit
     6.1 General
     6.2 Initiating the audit
              6.2.1 General
              6.2.2 Establishing contact with the auditee
              6.2.3 Determining the feasibility of the audit
      6.3 Preparing audit activities
              6.3.1 Performing a review of documented information
              6.3.2 Audit planning
              6.3.3 Assigning work to the audit team
              6.3.4 Preparing documented information for the audit
      6.4 Conducting audit activities
              6.4.1 General
              6.4.2 Assigning roles and responsibilities of guides and observers
              6.4.3 Conducting the opening meeting
              6.4.4 Communicating during the audit
              6.4.5 Audit information availability and access
              6.4.6 Reviewing documented information while conducting the audit
              6.4.7 Collecting and verifying information
              6.4.8 Generating audit findings
              6.4.9 Determining audit conclusions
              6.4.10 Conducting the closing meeting
       6.5 Preparing and distributing the audit report
              6.5.1 Preparing the audit report
              6.5.2 Distributing the audit report
       6.6 Completing the audit
       6.7 Conducting audit follow-up
 7. Competence and evaluation of auditors
       7.1 General
       7.2 Determining auditor competence
             7.2.1 General
             7.2.2 Personal behavior
             7.2.3 Knowledge and skills
             7.2.4 Achieving auditor competence
             7.2.5 Achieving audit team leader competence
        7.3 Establishing auditor evaluation criteria
        7.4 Selecting the appropriate auditor evaluation method
        7.5 Conducting auditor evaluation
        7.6 Maintaining and improving auditor competence

Annex A (informative) Additional guidance for auditors planning and conducting audits

==========================================================
27007:2020
1. how to ask questions about Annex 1 (aa)
this is found in 27007:2020; it is an ISMS checklist, supplementary in nature
knowledge and skills: ISO 19011 icon version for > ISO 17021 not yet

============================================
There are 3 auditor domains
1. First party = internal auditor, per ISO 27001:2013 clause
   9 Performance evaluation,
   9.2 on internal audit
2. Second party = external auditor (customer to supplier), child to parent
3. Third party = audited (independent audit) by another office


The question: what is the difference between first party, second party and third party?

Approach =
Duration =
Formality =
Objectives =

ISO 27001:2013
Annex A.15
Supplier relationships

ISO 19011:2018
Annex A.8 Auditing context
Many management system standards require an organization to determine its context, including
the needs and expectations of relevant interested parties and external and internal issues. To do this, an organization can use various techniques for strategic analysis and planning.

Auditors should confirm that suitable processes have been developed for this and are used effectively so that their results provide a reliable basis for determining the scope and the development of the management system. To do this, auditors should consider objective evidence related to the following:
a) the process(es) or method(s) used;
b) the suitability and competence of the individuals contributing to the process(es);
c) the results of the process(es);
d) the application of the results to determine management system scope and development;
e) periodic reviews of context, as appropriate.

Auditors should have relevant sector-specific knowledge and understanding of the management tools that organizations can use in order to make a judgement regarding the effectiveness of the processes used to determine context.

=============================================
Audit process: page 16

Input                            >>       Audit activity                    >>              Output

Audit criteria
(requirements)
                                                 Evaluation                                        Audit findings
Audit evidence
(objective evidence)

Audit main dimensions =
1. Assessment of documents = assessment of the documented management system (INTENT)
2. Assessment of the degree of implementation (IMPLEMENTATION) = C or NC
3. Assessment of the ISMS effectiveness (EFFECTIVENESS) =

Basic questions for testing each dimension
Document dimension
1. Does top management intend to implement an ISMS? If so, how is this intent communicated?
2. Conformance with documentation: as auditors we need to know that the organization has planned to meet the requirements

Implementation dimension
1. Does the ISMS implementation reflect the intent of top management?
2. Conformance here is all about checking whether activities are as they are supposed to be, following processes, procedures, policies, protocols etc.

Effectiveness dimension
1. Is this implementation effective? (i.e. does it meet the parameters established by the intent)
2. Conformance here is in the effectiveness of the management system - is it on target to deliver the organization's internal and external information security requirements?
3. Continual improvement - as auditors we want to see that the system is healthy and self-healing; if there are problems they are addressed, and that there is a continual focus on how the system could be improved

Audit process, page 19
Main areas
Preparation - before the audit
Communication - during the audit
Collecting and verifying findings
Conclusions - from findings
Reporting - preparation and distribution

P.E.R.C =
Planning
Execute
Reporting
Close out/down findings

In the game

Header cards
Conducting audit activities                                         Execute                           3
Conducting audit follow-up                                        Close out                        6
Completing the audit                                                  Close out                         5
Initiating the audit                                                       Planning                          1
Preparing and distributing the audit report                Reporting                        4
Preparing audit activities                                           Planning                          2

==========================================================
Audit methods
                                                      Onsite                                  Remote
Human interaction
No human interaction

Found in ISO 19011:2018
Annex A.1 Audit methods
and
Annex A.15 Visiting the auditee's location

The points of difference are:
Cost
Safety
Complexity

=======================================================
Resourcing competency, page 26
Personal characteristics as an auditor
(per ISO 19011 clause 7 Competence and evaluation of auditors)

7.2 Determining auditor competence
7.2.1 General
7.2.2 Personal behavior
a) ethical (i.e. = fair, truthful, sincere, honest, discreet)
                         = telling another department all the information security NCs of the last department you audited
                         = having a laugh about people getting non-conformities; lying or twisting the facts to get
                         = someone you don't like into trouble
b) open-minded (i.e. = willing to consider alternative ideas or points of view)
c) diplomatic = tactful in dealing with individuals;
                     = if the auditee is worried about getting his/her document into trouble, but you find a major
                     = problem, be tactful in dealing with this person: it is not you I'm auditing, this is a chance for
                     = improvement, so we should all welcome it, etc.
d) observant = actively observing physical surroundings and activities
e) perceptive = aware of and able to understand situations;
f) versatile (multi-purpose) = able to readily adapt to different situations;
g) tenacious (persistent) = persistent and focused on achieving objectives;
                            = explore the results again, do not just accept them
                            = keep asking for the actual evidence until it is accepted: if there is evidence, in which part, which page, which point
                            = the auditor asks to see a particular sample, but the auditee provides a different one; the
                            = auditor accepts this and moves on
h) decisive = able to reach timely conclusions based on logical reasoning and analysis
                            = able to decide; the auditor needs to have the courage to decide (not just "whatever")
                            = must clearly decide C / NC (do not keep asking again and again)
                            = the auditee keeps arguing and giving different excuses and the questioning is going
                            = round and round, even though there is sufficient objective
                            = evidence to close the finding
i) self-reliant (independent) = i.e. able to act and function independently while interacting effectively with
                                            = others;
j) able to act with fortitude (steadfastness) = i.e. able to act responsibly and ethically, even though
                                = these actions may not always be popular and may sometimes result in disagreement
                                = or confrontation
k) open to improvement = i.e. willing to learn from situations
l) culturally sensitive = observant and respectful of the culture of the auditee;
                              = shaking a woman's hand when this would not be appropriate, or continuing to audit
                             = when certain prayer times are normally adhered to, offering food/drink to the auditee
                             = when they are fasting
m) collaborative = i.e. effectively interacting with others, including audit team members and the auditee's personnel

=======================================================
Stage 1 audit
As defined by ISO 17021 (Conformity assessment, Requirements for bodies providing audit and certification of management systems), it has the purposes of:
- Clarifying the scope and objectives of an audit
- Gaining an understanding of the business
- Defining process flow and interaction
- Agreeing procedures to be used during the audit
- Resolving any misunderstandings
- Identifying any special needs, skills, protective clothing
- Identifying the layout of the company/plant
- Establishing the adequacy of documentation - the key word here is 'establish'. This is just an overview and not testing the implementation or effectiveness of processes
- Assessing the organization's readiness for the next stage
- Planning the next stage of the audit

Third party audits often include a stage 1 site visit, and the costs are built into the initial proposal. The visit can be of great value. It allows the team leader to meet various members of the auditee's staff, and it is a good opportunity for the team leader to be given a 'quick tour' of the site, and thus appreciate the scale, layout and geography involved. Should transport around the site, or special protective clothing, be necessary, it also gives the team leader time before the audit to ensure these will be available, thus saving valuable audit time. The meeting obviously provides the auditee with an opportunity to ask the team leader about the way the audit will be conducted.

Please note BS ISO/IEC 27006 adds additional requirements to ISO 17021 for certification of ISMSs.

In summary: the purpose of the stage 1 site visit is to:
- clarify the scope and objectives of the audit
- agree the procedures to be adopted during the audit, and to
- resolve any misunderstandings



Simply put =
Stage 1 from ISO 17021
- outputs = recommendation
- audit go/no-go decision
- document review
- audit plan
- checklist

Inputs
- Audit objectives, scope, criteria
- Audit methods, duration, location
- Audit team members (including team leader responsibilities)

Activities
- Establish initial contact with the auditee
- Determine the feasibility of the audit
- Request documentation relevant to the scope, objectives and criteria

Outputs/Inputs:
Contact is established and the audit is feasible
(or not, as the case may be - inform the audit client),
relevant documentation

Activity:
- Perform document review

Outputs/Inputs:
- Documentation meets criteria (or not)
- Areas of concern/risk identified

Activity:
Prepare audit plan

Outputs/Inputs:
Audit plan to achieve the audit objectives and consider risk/importance, sent to the auditee's management for agreement (or change)

Activity:
Assign work to the audit team

Outputs/Inputs:
Auditors communicated and referenced in the audit plan

Activity:
Prepare work documents according to the audit plan

Output:
Ready for stage 2


ISMS = - Assets
              - information
              (C.I.A)



Stage 2 audit

Stage 2: As defined by ISO 17021 (Conformity assessment, Requirements for bodies providing audit and certification of management systems), it has the purpose of:

Assessing the 'implementation' and 'effectiveness' of the management system.
Some preparation considerations for this stage of the audit include:
- determine the scale of the audit and the resources required
- consider past results (if available)
- consider current problems
- consider management's concerns
- consider management's priorities (where appropriate)
- contact and agree date(s)
- stage 1 visit to the auditee (if not carried out in stage 1)
- determine the processes and their importance/risk
- identify the interaction of the processes
- prepare and agree the audit plan
- assign work to the audit team
- audit team briefing
- prepare work documents


Simply put =
Stage 2
- opening meeting
- audit
- summary report
- closing meeting

======================================================

Audit plan details, reference ISO 19011:2018 clause 6.3.2.2 Audit plan details


The scale and content of the audit planning can differ, for example, between initial and subsequent audits, as well as between internal and external audits. Audit planning should be sufficiently flexible to permit changes which can become necessary as the audit activities progress.

Audit planning should address or reference the following:
a) the audit objectives;
b) the audit scope, including identification of the organization and its functions, as well as the processes to be audited;
Partially / Wholly
Preparation time =
What needs to be prepared:
clauses related to the documents
audit criteria
audit report
any follow-up activities
roles and responsibilities

c) the audit criteria and any reference documented information;
d) the locations (physical and virtual), dates, expected time and duration of the audit activities to be conducted, including meetings with the auditee's management;
e) the need for the audit team to familiarize themselves with the auditee's facilities and processes (i.e. by conducting a tour of the physical location(s), or reviewing information and communication technology);
f) the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence;
g) the roles and responsibilities of the audit team members, as well as guides and observers or interpreters;
h) the allocation of appropriate resources based upon consideration of the risks and opportunities related to the activities that are to be audited.

Audit planning should take into account, as appropriate:
- identification of the auditee's representative for the audit;
- the working and reporting language of the audit, where this is different from the language of the auditor or the auditee or both;
- the audit report topics;
- logistics and communication arrangements, including specific arrangements for the locations to be audited;
- any specific actions to be taken to address risks to achieving the audit objectives and opportunities arising;
- matters related to confidentiality and information security;
- any follow-up actions from a previous audit or other source(s), i.e. lessons learned, project reviews;
- any follow-up activities to the planned audit;
- coordination with other audit activities, in the case of a joint audit.

The audit plan should be presented to the auditee. Any issues with the audit plan should be resolved between the audit team leader, the auditee, and if necessary, the individual managing the audit programme.


The purposes conveyed at the closing meeting:

example of a rejection
The purpose is to convey recommendations

reporting methodology
the purpose is to ensure they understand the importance of the findings and the consequences of what was found, and can prioritize corrective action

how the audit findings can be addressed according to the agreed process
the purpose is to get a response from the audit client on the purpose of the audit findings

possible consequences accepted
the purpose is to communicate the consequences accepted if there are findings from a third party, second party or internal senior auditor

presentation of findings and conclusions
ensuring the auditee understands

after the audit activities
the purpose is to communicate the process and implementation of the results of the review of corrective activities

============================================================
Preparation

1. Checklist = as a reminder, and you must know how to use it
2. Sampling plan = what needs to be prepared and the documents used
3. from recording


==================================================
Mostly documents

Advantages =

- sample relevant to the audit objectives
- formality: defines the audit procedure
- requires research
- helps maintain the pace of the audit
- keeps the audit objectives clear
- historical reference as an audit record (report)
- reduces the workload on the auditor during the audit
- assures the auditor keeps the processes in mind

Disadvantages =
- can become a tick list
- full of yes/no questions
- if it is not on the checklist, that area will not be looked at
- stifles initiative and analysis of the process

Sample size should be based on:

Risk
Importance
Status
Findings from the previous/current audit

=======================================================
Opening meetings

- MD proposes an hour-long video of the company
- Introduce the team and the rules
- site tour
- ensure that the audit activities can be carried out


- Reasons to refuse
Ethical / diplomatic etc., in the context of personal behavior

How to be personally diplomatic as mentioned above (using appropriate reasons)

State the reasons you use before you accept / refuse

NC > follow-up > report > 1. preventive
                                         2. correction
                                         3. corrective action (RCA)

We accept it, but I will still write the NC, sir, because it has been verified by the auditor.
The paradigm: an NC is not a disgrace (the aim is to align perceptions) but a form of transparency


=========================================================
Audit evidence in ISO 19011:2018 clause 6.4.7 Collecting and verifying information

Audit evidence: what counts as evidence

1. observation =
Purpose = to see directly
              to prove directly
Outputs = real conditions
                  actual activity


2. interview = in Annex A.17
Purpose = to find clear information
          = explore information
Outputs = statements



Interview method
1st pair = open and specific
               open questions
               let the auditee tell the story freely
               lay it out, listen, note it down
               please explain
               how the process is carried out
               how risks are handled
2nd pair = leading and closed
               done or not yet
               present or not
               true / false
               as confirmation
3rd pair = hypothetical and reflective = risk-based questions
               what if ...
               what if ...
               what about what you excluded but apply daily?
4th pair = probing and rhetorical = testing in more detail
               which column
                tenacious (not persistent)
                try to detail which one: which column, which clause?


3. document review =
Purpose = adequacy of guidance
               = adequacy of procedures
outputs = verified attachments

=========================================================
Page 50

the auditor is not a consultant
the solution: give statements based on facts

================================================

Page 54
Closing meeting
ISO 19011:2018 clause 6.4.10 Conducting the closing meeting



what is the agenda
what is the purpose
closing meeting
ask what the agenda is
what is the purpose? but what is asked is the purpose of the subject being asked about
===================================================
Pages 57 and 59
Audit report

- the audit objectives, scope and criteria
- identification of the audit client
- audit team and auditee's participants
- dates and locations where conducted
- audit findings and evidence
- audit conclusions
- statement of the extent to which the criteria have been fulfilled

audit report
agree follow-up plans
must know the mitigation and how to cover it
don't have to accept it, and don't reject it outright


audit follow-up

==================================================
ISMS




What is
at your place, how is confidentiality applied? then applied and verified
how is integrity?

integrity =
how is it made complete?
what do we need to ask?
is there a verification method before it goes into the server?

availability =
how do you maintain your processes? from creation to destruction (professional, suitable)

we guarantee this process/business succeeds without interruption / disruption
prevent the impact of incidents

the consequence: the existing risks are assessed and managed
it's OK, but how do you cover that risk?

Disruptive >> incident >> BCP

Abnormal >> EPR

===============================================================
PDCA
PDCA clauses

Page 68
PDCA framework

Plan phase: clauses 6.1 and 6.2
     plan: clauses 7.1 - 7.5

Do/implementation phase: clauses 8.1, 8.2, 8.3
Evaluation phase: 9.1, 9.2, 9.3
Improve phase: 10.1, 10.2
LC (leadership) phase: 5.1, 5.2, 5.3

input: 4.1, 4.2
ISMS: 4.4
processes: 4.4

scope: 4.3

outputs
intended
results
maintain CIA
maintain the life cycle of assets / information

=============================================

the clause in which ISO requires documented information related to determining the scope: a guidance statement


============================================
======================
That's it for now for
======================
===========================================================
6.1.2
the organization's documented information related to the risk assessment
its form is evidence
if it is not required
go to clause 7.5.1
a. ISO
b. org
more is allowed, less is not
adding related SOPs

what matters is the content

whether it discusses maintenance or is without maintenance
as d/s it means a statement that ends up as guidance

advantages and disadvantages of excess documents
becoming overprotective
the reference is 7.5.1


=============================

example for advantage d/i effective
example


===============================
page 80

initiating the audit ultimately comes down to visibility

==============================
page 81
during preparation
reviewing the documents immediately, before the scheduled time, is allowed

Page 82

4.3
a. external and internal issues
b. what the needs are
c. interfaces and dependencies between the company's performance activities and other performance

5.2 present
a. appropriate to the company's purpose
b. related to information security objectives or the framework for setting information security objectives
c. includes commitments that can be applied
d. includes a commitment to continual improvement
e. available as documented information

6.1.2 present: (e) the organization shall retain
6.1.3 present: (f) the organization shall retain
6.2 present: (e)
be updated as appropriate
7.2 not present

7.5.1 present > documented information of the ISMS includes

7.5.3 present > documented information required by the

8.1 present > the organization shall keep documented
8.2 present > the organization shall retain documented
8.3 present > the organization shall retain documented
9.1 present > f) the organization shall retain appropriate
9.2 present > g) retain documented information
9.3 not present
10.1 not present

ISO 27001 clauses:
7.4 not present
7.5 present > a, b,

8.1 present > the organization shall keep documented
9.1 present > f) the organization shall retain appropriate

ISO 27001 clauses:
5.3 not present

7.4 not present

=====================

risk assessment
 pages 24, 26, 27, 28, 32-36
risk treatment
 page d10 issue 1
 page 25,
RTP
 pages 46-57

===
asked to review: please read the templates for
 risk assessment
 risk treatment
then identify potential NCs: which things in those documents do you suspect are NCs
in file 0.43

========================================
page 84


===================
page 85
PR
  checklist
which items do we suspect are potential NCs

========================

1. office rear entrance
the door is wedged permanently open; security staff come and go freely
2. unattended reception area
people come and go without their purpose being identified
3. notice board
information
4. new starters joining the company
Annex
A.7 Human resource security
A.7.2.2 on awareness, education and training
who is allowed to access that document
who stores it
how long it is stored
if it is lost, is there a data backup
who has seen the issue / who has not

5. confidential waste bins
clause 8
7.5.3
A.8.3.1
A.15
what is the procedure
who disposes of it
in what form is it disposed

6. subcontractors in a meeting with management
7. open plan call centre
8. records on a desk
9. managing director's office
10. empty office space/staff movement
11. removable media and software
12. patch panel
13. equipment siting, air conditioning unit
14. staff lockers
15. post/parcels entering the organization
is that data credential data?
is that address important?
does the visitor see it?
contract related to data backup
just initials for the procedure to protect credentials


from the data/information provided,
that is what is called an investigative audit

============================================
page 88
to be described tomorrow:
what are the roles and responsibilities of top management
1. data verification etc.


===========================================
page 92
day three
=====================================
page 94 day four

==============================
page 95 day five
audit trails
I want to learn about the
a, c, d, e sequence of controls

==========================
page 98
day four

=========================
page 99
nonconformity
(major nonconformity) the ability to maintain CIA is shaky

systemic major nonconformity

minor nonconformity

for 3rd parties

=============================================
page 100

how to write an NC:
1. reference: which clause
2. evidence: what is the proof
company name
document
document page
contract number

3. description of the deviation / what is the problem?

problem
location
objective evidence
requirement

==================================
page 102
audit report
the NC findings and NCs
===================
page 103
audit follow-up
the auditee's domain
evaluation
writing the report

==================
page 104
specimen exam paper on day four
1. audit simulation
2. discussing the specimen sample questions
3.

with this template, how do you find the justification
with this template, how do you find the level

================================================
Date: 15 July 2020

1. don't forget the table of contents
4. context of the organisation (keyword)
4.1 issues (context)
4.2 interested parties
4.3 scope
4.4 ISMS (processes)

"the organization shall the processes needed", the parent clause is 4.4
which processes do you carry out? ISO does not specify

if in your view it is needed, then do it

5. leadership
5.1 leadership = ask the members being led
    commitment = ask top management (strategic vision)
cannot be directed
5.2 strategic policy
5.3 RRA (roles, responsibilities and authorities)
     what is your authority?
     what is your responsibility?
     authorities must be established / stated
 2 things about a person that must not be left out:
    competence and their RRA

8.1 operation
8.1 the control clause (operational planning and control)
8.2 risk assessment (risk planning)
8.3 risk treatment (risk implementation)

9. performance evaluation
9.1 MMAE (monitoring, measurement, analysis and evaluation)
the evaluation point must move
what do we lack without a large budget?
our shortcoming is that the evaluation must be included in the report

for a maturity indicator, look at performance under 9.1
does the auditee have a method or not?
is the method valid or not

what matters is that the asset can be MMA'd
the one who knows the competence is the process owner
HR for setting it, yes
HR for providing it, yes

9.2 internal audit
9.3 management review
    HR is administrative
    the audit process must be distinguished from the consultation process
10. improvement


introduction
where does the importance point?
provides establishing, implementing, maintaining, continually
in line with cl 4.4
preserve CIA

there are 3 scopes
#1 scope of the standard
4.3 scope of the ISMS
4.2 scope of the audit

#3 terms and definitions: 9001 - 9000, 27001; this is about money
this is what I require; the how-to I don't care about

if details are discussed and asked about often, that means it is important to the instructor, at the opening meeting

Annex A is the appendix
control objectives and controls

A.1 starts from A.5 through to A.18.2.3
steering committee from the previous version

Bibliography

guidance
27007:2020 auditing the ISMS

reading
Annex A = 14001 contains clarification and guidance
what is the meaning of

now it is no longer 9001 because the committee has been changed
the words "consider" and "take into account" are explained in Annex A

=========================
ISO 27001
==========================
Page 9

clauses PDCA
the verb "shall"

when exploring a clause, look for the word "shall" then look for the verb (the activity)
4.1
issue = topic, item to be concerned with, related to purpose, vision and company goals and
the auditor asks, does not conclude
an auditor
relates to performance, relates to compliance

4.2
Determining
a) for point no. 4 here, who are the parties? e.g. OJK
who is OJK?
the terminology needs to be made clear

b) what matters is that the information they produce has parties with the same terminology

4.3 determining the scope
there are 3 "shall"s
perceptions need to be aligned
c) interfaces and dependencies

>>6.1 mitigation

needs potential risks
they like to dig
if you give detailed information, that means it is important to you

4.4 which processes do you consider important
establish and maintain

5. leadership

shall -> activity (event)
clause

how do you guide the importance of the spirit of this..
top management RRA, clause 5.1
a) ensure = can be delegated
b)
c)
d)
e)
f)
g) promoting (cannot be delegated)
h)

5.2 Policy
- shall establish, but he is the one who sets the direction
- what are the responsibilities and authorities of top management
ensure those below are assigned their RRA
especially the key persons

5.3 ensure RRA is ensured, assigned and communicated

if the case is

6. planning
6.1 risks (threats) and opportunities
why risk = can be positive and negative
6.1.2 is assessed and rated: risk assessment
 a) shall define and apply = process
set and create the criteria
   1) acceptance criteria
   2) criteria for performing
b)
c) risk assessment = risk identification (c) + risk analysis (d) + risk evaluation (e)

Risk identification = - relates to CIA
                      - there must be a risk owner

risk analysis = - impact
                - level of risk; free to use a 3x3 or 5x5 matrix; what needs to be asked is why that method was chosen

risk evaluation = - compared against the criteria list in 6.1.2 a); the purpose is to validate treatment


6.1.3 continuation of risk assessment
1) start selecting

a) risk treatment options are in 27000 3.72
b)
c) compare and verify whether it needs to be taken
d) produce the SoA (Statement of Applicability) matrix
justification for inclusion
justification for exclusion
- our company does not apply that
- the infrastructure is not prepared
- our legal regulations do not mention it
- that statement must be in the SoA
must be stated
the SoA is not made by IT but cross-functionally

e) RTP (risk treatment plan) is the progress and the actual >> where is the evidence; it is in the RTP (risk treatment plan)

f) who is responsible; aligned with the risk owner
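The 6.1.2 / 6.1.3 sequence above as an added worked example (not from the training notes or from the standard): identify each risk with an owner and a CIA link, analyse it on a likelihood x impact matrix, evaluate it against an acceptance criterion, then pick a treatment option for the RTP row. The 5x5 scale, the threshold of 10, the option names and the sample register are assumptions.

```python
# Added example (not from the training notes): the 6.1.2 / 6.1.3 sequence as a
# small pipeline. Matrix size, threshold, option names and sample risks are constructed.
from dataclasses import dataclass

ACCEPT_BELOW = 10          # 6.1.2 a) 1): constructed acceptance criterion on a 5x5 matrix

@dataclass
class Risk:
    asset: str
    risk_owner: str        # 6.1.2 c) 2): every risk must have an owner
    cia: str               # which of C / I / A the risk threatens
    likelihood: int        # 1-5
    impact: int            # 1-5

def identify(risks):
    """6.1.2 c): reject entries with no risk owner or no CIA link."""
    for r in risks:
        if not r.risk_owner:
            raise ValueError(f"{r.asset}: no risk owner assigned")
        if r.cia not in ("C", "I", "A"):
            raise ValueError(f"{r.asset}: not tied to C, I or A")
    return risks

def analyse(r):
    """6.1.2 d): level of risk read off a 5x5 likelihood x impact matrix."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.asset}: both axes use a 1-5 scale")
    return r.likelihood * r.impact

def evaluate(r):
    """6.1.2 e) and 6.1.3 a): compare the level with the criterion; if it is
    not acceptable, choose an option (constructed rule) for the RTP row."""
    level = analyse(r)
    if level < ACCEPT_BELOW:
        option = "retain"
    elif r.likelihood == 5:
        option = "avoid"
    else:
        option = "modify"
    return {"asset": r.asset, "cia": r.cia, "level": level,
            "treatment": option, "owner": r.risk_owner}   # 6.1.3 e) and f)

def risk_treatment_plan(risks):
    """Rows that would feed the RTP and, per row, the SoA justification."""
    return [evaluate(r) for r in identify(risks)]

# constructed sample register, modelled on items from the case study notes
SAMPLE = [Risk("backup DVDs handed to a courier", "IS manager", "C", 3, 4),
          Risk("notice board in reception", "facility manager", "C", 2, 2)]
```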

==================================================================
6.2 the KPI targets are in 6.2, the owner is in clause 5.3
the process is in clause 4.4.

==================================================================
6.1.2

ensure that repeated activities can be compared against the risk criteria
=================================================
7.1
one of top management's tasks is to ensure resources are provided, as per clause 5...c
indirectly

the basis:
education, training, or experience

7.2
competence

7.4
assets, containing information, CIA

7.5
relates to the documentation required
a) - specifically required by ISO
- documents determined as being necessary
b) its nature: maintain / retain = ISO asks for retain
- the organisation needs guidance on what to fill in

8.1 operational planning and control

Paragraph 1 = shall plan (normal routine) = daily routine activities
clauses 6.1 and 6.2 b/d = the planning
clause 8 = implementation (action) and control, then give examples in Annex A
of what was set in 6.1

Paragraph 2 = (keep all records) normal and regular in nature
              shall keep documented information (maintain / retain) for added needs = evidence
              that monitoring is done > there is a record
paragraph 3 = control of planned changes and review (new modifications)
paragraph 4 = outsourced processes, both the process and the parties
             determined and controlled in Annex A
             both the party and the process
flows down to the Risk Treatment Plan = sharing, avoiding,

8.1 what matters is how the control works
>> to the Annex

A.5   security procedures
A.6   the organisation internally
A.6.2 could be yes, could be no: does it adopt this clause?
      then how does this work?
      how does this process work?
      how does it measure the success of this working?

A.7 relates to HR
A.7.3.1 the duties must be re-checked

A.8 Assets
here the "how" is not stated
but how the control is stated?
what matters is how to determine it

A.10 could be yes, could be no

A.9 Access control
A.12 Change management, references clause 8 paragraph 3

8.2 from 6.1.2
8.3 from 6.1.3, the actual

A.16 where is the entry point

weaknesses and vulnerabilities

A.18 compliance
A.18.1.1 clause 6.1.3

A.18.1.2 property, product accounts
         logo
         licences
         protection of records

if the overlap is small it is better to set it aside first
later, once it is steady, it can be added

A.18.2.3 technical compliance review
clause 9.1.2 evaluation


"necessary" must be evidenced by at least a record

1 matrix of all the laws adopted




       >> responsible parties
Clause >> shall >> verb, the activity >> key requirement of the clause >> Mandatory >> necessary
maintain
retain
real activity


------------------------------------
checklist: clause / activity / requirement keyword / plan / actual / evidence
9.1 (9.1.1): evaluate
  - is performance
  - is effectiveness
  determine:
  a) what needs to be monitored/measured        -
  b) method for monitoring
     method for measurement
     method for analysis
     method for evaluation (short term)
  c) determine when: what is daily,
                     what is weekly
  d) determine who (PIC)
  e) when to analyse, when to evaluate (long term)
  f) who analyses and evaluates

can be linked to 7, relating to competence

Homework (PR)
make a checklist of audit trail checkpoints
6.1.2
6.1.3
8.1

which we will use in tomorrow's simulation to audit LDCC

================================================
9.2 internal audit
c) take into consideration = consider; may not be excluded, mandatory (wajib ain)
the audit programme: the importance of the processes must vary, each with a different weighting
e) how to select?
   how to ensure?

the ability to apply knowledge: the definition of competence


==========================================================
closing meeting
what is the purpose of this?
what is this done for?
additions
sampling disclaimer
any related post

preparation for the final exam
key points allowed / in depth


===============================================
auditor simulation
10:00-12:00
lead auditor
12:00 onwards
report nonconformity
problem statement
what is the evidence
what is the clause
============================================
who: operations manager at LCC, Amanda French
several functions involved
IS manager: Clief Richard
facility manager: Cimond Clock
===================================
overview
provision of a specialist call centre
relating to complaint information and offers
150-seat call centre

ISMS scope
telephone answering service
users asking about a particular company call us
located in Mumbai (India)

SOA rev 3 / 21 Sept 20xx

- constraints and issues the office experiences
(technology development and price competition among call centres)
upgrading the infrastructure is limited by price; the budget needed is not small either

- the issues and their resolution are in the context document
page 16, called the security context

- have those issues been distributed
legal and contractual
contractually, multi-company, and the format submitted
OHS (K3)
subject to OHS (K3) laws
must have a procedure

- culture
how this issue applies to the implementation of the issues that occur

- relating to screening


===========================================
floor
red = requirement

according to Pak Tiar

scope = control of outsourcing

Ref = 6.1.2 information security risk assessment
c) identify the risk owners;
there is still a lack of information on risk owners, which have not been defined in the process

evidence = approval column empty
page 33 of the 0.4.3 case study file

Ref Annex A.12.3 backup
information backup

Ref Annex A.13.2 information transfer
the backup DVD file is not verified and confirmed to be with the right courier

because it contains information and assets within that backup data

================================
specimen

section 1

simple questions
listed
described
objectivity =
impartiality =

explain

far left argumentative, far right emotional

13. level of legal
list 2 methods of the organisation
1. management review
2. internal audit
3. attending seminars
4. taking consultation

risk treatment options that may be applied to a risk

1.5 2 ways of verification
1. written response (via email)
2. verification on site
3. verification at the next audit

2.1 explain risk-based thinking
decisions must be analysed and evaluated
clause 4.1 issues, then to cl 6.1.1, then to 6.1.2


2.2
how to find out top management's commitment

look at their documents
look at their actions

top management
5.1
5.2
5.3
9.3 does top management have a role or not
then where does top management have a role
including comments and

meaning of diplomatic, tactful and dealing

2.3

ISMS audit - audit investigation
if not sure it is an NC, just answer "investigate"
if the reason / evidence is not yet clear
I have not yet seen the real condition
I have not yet witnessed the process, I still need several items

what must be written?
in cla
9.1 I want to explore the analysis and evaluation; the aim is to clarify the condition
8.1 I want to know what the checkpoint is, and what the aim is?

===================================================
preparation before the exam
1.
Section 1 max 10
Section 2 max 12
Section 3 max 30 marks, got 7 or 8
checklist in nature
laying out the logic
Section 4 has 3
writing an NC gets 2
a perfect model answer scores 10
answer     true answer                 score
NC         NC                          10
non-NC     investigation               10
non-NC     write audit investigation    7
NC         audit/investigation          0

investigation 5

======================================
understand homework 1
- what is its meaning and purpose
- understand it with the internal audit programme 9.1
- understand the checklist for the top management clauses, make 10
5.1
5.2
5.3
- if we have an ideal document, what is the advantage
- if we do not have one
- advantage relating to overlapping or ideal
what is the advantage of having the right SOP
disadvantage of excess documents
many rules
activities increase

- relating to external origin
  example of external-origin documents (documents coming in from outside to us)
- you are asked to audit HR / GA; asked to take several
  samples: which items become the checkpoints for HR, operations, IT?
  keyword / cla
- list the documents prepared before the audit and how to use them?
- closing meeting items and how to present them?
- terminology of risk assessment, risk identification, what is the difference

section 4 has 3 clauses




