4.1 – Audit situation one:
You are auditing an organisation that delivers information security awareness training on behalf of their main customer, a government department.
Requirements are defined in a contract issued each year to the training organisation’s Contract Manager. Appendix A of the contract shows the projected number of students for the next twelve-month period.
You notice that section 1 of the main body of the current contract includes a requirement to comply with Government Procedure 853 which specifies arrangements for maintaining the security and confidentiality of students’ personal data.
The Contract Manager tells you that he is not aware of this requirement and is not familiar with Government Procedure 853.
You confirm there is no reference to Procedure 853 in the original contract.
The Contract Manager explains that when they accepted the latest contract they only reviewed the projected number of students in the new Appendix A.
You establish that the training organisation is following its own procedures for maintaining the security and confidentiality of students’ personal data. These are the same as when the original contract was agreed.
If you think there is sufficient evidence to report your findings as a nonconformity:
- Complete the nonconformity report on the following page.
OR
- Complete the audit investigation template.
