4.2 – Audit situation two:
You are auditing the incident management process of an organisation that includes Annex A control A.16 in its Statement of Applicability.
You review the report related to the loss of hand luggage by a senior executive at a foreign airport within the past week. The report states that the bag contained his laptop, smart phone and a USB stick. The report summarises the investigation carried out to assess the risk related to this incident. It concludes that, as the laptop hard disk was fully encrypted and the USB stick was also encrypted, the information contained on these devices was appropriately protected from disclosure. The report observes that the residual risk to be remediated was the information contained on the smart phone.
You ask the auditee what happened after that report. She provides the update report, which confirms that the security application installed on the phone was used to remotely wipe its data when it was next connected to a network, and that this was confirmed by an email from the application’s supporting service. The incident was closed.
You ask what else was in the bag, such as a paper notebook or printouts that might have contained sensitive information. She replies that this is all the information she has. Because the devices were reported lost by the senior executive, the investigation and remediation were assigned to the IT department, and this was their report.
If you think there is sufficient evidence to report your findings as a nonconformity:
- Complete the nonconformity report on the following page.
Or
- Complete the audit investigation template.
