How to use the (internal) audit feature

An audit is a review process whose purpose is to verify that the organization's ISMS complies with the requirements of a specific framework, such as ISO 27001. Before an organization moves towards a certification audit, an internal audit usually takes place. The internal audit helps the organization to assess the current state of implementation of the framework's controls and to find potential non-conformities, which should be addressed before the certification audit. Improvement opportunities found in either an internal audit or the certification audit help the organization to continuously improve its ISMS.

When should you do an audit in Cyberday?

An (internal) audit is an efficient tool for checking the current compliance level of the organization. Internal auditing should not be used in the early stages of the work, but once significant progress has been made on a requirements framework. Results are documented directly in Cyberday and can be used as a basis for further improvements.

Creating an internal audit

Dashboard -> Risk management and leadership -> Documentation -> Audits

  1. Go to "Risk management and leadership" from the Organization Dashboard
  2. Select "Documentation" and then "Audits"
  3. Click on "Add audit"
  4. Select the type of audit
  5. Open a new audit and choose the owner and status
The Audits page shows the audit list, which contains all the audits that have been carried out or planned. When adding an audit, you select the type of the new audit, and you can also schedule the audit for a later date.

Defining an audit scope

Once you have created the audit in your list and opened the audit card, you can define the scope by answering the first question. The selections in the first question are necessary for creating the "Audit Progress Report", which is the third question of the card. You can review the content of your own ISMS from the point of view of a specific framework or by a related management system section, such as "Incident management" or "Personnel security". If you select a specific framework, you can also select specific sections, so you do not need to audit the full framework all at once but can split it into smaller sections with more manageable time slots. Many frameworks require, for example, that the full framework is covered by internal audits every three years.

Carrying out an internal audit

In order to carry out the audit, go to the audit card from the audit list and select "Create audit progress report" under question three. Note: you need to fill in the scope and the other details in question one before you can move to this step.

The audit progress report will open and you can do the following steps:

  • Check the tasks that are listed in the audit progress report
  • Document all observed non-conformities or observations for each requirement and then click "Mark as reviewed"
The audit progress report is created from the third section of the audit card, so complete the previous sections before creating the report. The report records the tasks related to the audited requirements and the improvements made to them.

The auditor can check from the list whether all the information is still up to date (i.e. whether the responsible persons are correct, whether all the actions have actually been done, whether the tasks have been reviewed, whether the descriptions are current, and so on). During the audit, write down everything that does not match or is wrong as a non-conformity, so it can be improved after the audit.

For each non-conformity, write down all the needed details, and if possible potential improvement ideas, in the new tab that opens when you click "Add new non-conformity". The non-conformities need to be addressed in order to be able to finish the audit.

You can add a new non-conformity from the suggestions or create a new one, and enter any additional information on the non-conformity in the window that opens.

In the audit card from the audit list, you can find an overview of all the non-conformities found under section two. You can also add non-conformities directly from there, as well as positive and other findings from the audit. Later on, you should plan and connect the improvements (section four) in order to be able to finish the audit. You can close the audit once all of the improvements have been presented to the auditor and the corrective actions have been "accepted" by the auditor.

Identified non-conformities and other findings are listed in section two. Positive findings and other findings can also be entered there.

Creating the final audit report

Once you have finished all of the steps listed above, marked the sections of the audit card as completed and clicked "Finish progress report", you can finish the audit and create a single document out of the audit card. Go to the audit card and open the drop-down menu by clicking the three dots on the right side next to the headline, then select "View report" to open the report.

The audit progress report can later also be found in the reporting section of Cyberday. It is useful for showing progress, mainly to auditors rather than to auditees.

Questions and feedback

Do you have any further questions, need another help article or would like to give feedback? Please contact our team via team@cyberday.ai or the chat box in the lower right corner.
