Assessment Report CAV Audit AEEC, LLC… · Purchase and review ISO 27002, formally accept the risk that we are vulnerable if a situation arises that requires Chain of Evidence

Posted on 16-Apr-2020

Page 1 of 26

Assessment Report CAV Audit

AEEC, LLC Assessment dates 11/19/2019 to 11/21/2019 (Please refer to Appendix for details)

Assessment Location(s) Reston (000)

Report Author Anthony Aleman

Assessment Standard(s) ISO/IEC 27001:2013, ISO 9001:2015, ISO/IEC 20000-1:2011

Assessment Report.

Page 2 of 26

Table of contents

Executive Summary ... 4
Changes in the organization since last assessment ... 5
NCR summary graphs ... 6
Your next steps ... 8
NCR close out process ... 8
Assessment objective, scope and criteria ... 9
Statutory and regulatory requirements ... 9
Assessment Participants ... 10
Assessment conclusion ... 11
Findings from previous assessments ... 12
Findings from this assessment ... 14
Top Management Interview, Context of the Organization, Leadership, Planning, Doc Control, Risk ... 14
Management Review, Customer Satisfaction, Measurement and Analysis, Planning (Operational Planning and Control), Purchasing and Subcontracts, Service Delivery - Project Planning, Monitoring and Control ... 14
Internal Audit, Improvement ... 14
Business Relationship Management and Service Level Management ... 14
Configuration Management, Change Management, Release and Deployment ... 15
Problem Management, Incident Management ... 15
SOA, Sampling of Controls ... 15
Minor (1) nonconformities arising from this assessment ... 16
Next visit objectives, scope and criteria ... 17
Next Visit Plan ... 18
Appendix: Your certification structure & ongoing assessment programme ... 19
Scope of Certification ... 19
Assessed location(s) ... 19
Certification assessment program ... 22
Expected outcomes for accredited certification ... 24
Definitions of findings ... 24
How to contact BSI ... 25

Page 3 of 26

Notes ... 26
Regulatory compliance ... 26

Page 4 of 26

Executive Summary

The strategic direction and expected outcomes for the AEEC, LLC organization are growth achieved through increasing revenue, pursuing new opportunities, increasing capabilities and leveraging new technologies to create new service offerings. The QMS, ISMS and SMS are aligned to support this strategic direction by providing focus on meeting service objectives and SLAs.

Page 5 of 26

Changes in the organization since last assessment

There has been no significant change to the organization structure or to the key personnel involved in the audited management system.

No change in relation to the audited organization's activities, products or services covered by the scope of certification was identified.

There was no change to the reference or normative documents related to the scope of certification.

Page 6 of 26

NCR summary graphs

Which standard(s) BSI recorded findings against

Page 7 of 26

Where BSI recorded findings

Page 8 of 26

Your next steps

NCR close out process

Corrective actions with respect to nonconformities raised at the last assessment have been reviewed and found to be effectively implemented.

A nonconformity requiring attention was identified. This, along with other findings, is contained within subsequent sections of the report. A minor nonconformity relates to a single identified lapse, which in itself would not indicate a breakdown in the management system's ability to effectively control the processes for which it was intended. It is necessary to investigate the underlying cause of any issue to determine corrective action. The proposed action will be reviewed for effective implementation at the next assessment.

Please refer to Assessment Conclusion and Recommendation section for the required submission and the defined timeline.

Page 9 of 26

Assessment objective, scope and criteria

The objective of the assessment was to conduct a surveillance assessment and look for positive evidence to ensure that elements of the scope of certification and the requirements of the management standard are effectively addressed by the organization's management system and that the system is demonstrating the ability to support the achievement of statutory, regulatory and contractual requirements and the organization's specified objectives, as applicable with regard to the scope of the management standard, and to confirm the on-going achievement and applicability of the forward strategic plan and where applicable to identify potential areas for improvement of the management system.

The scope of the assessment is the documented management system with relation to the requirements of ISO 9001: 2015, ISO 20000-1: 2011, ISO 27001: 2013 and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.

ISO 9001: 2015, ISO 20000-1: 2011, ISO 27001: 2013 AEEC, LLC management system documentation

Statutory and regulatory requirements

Statutory and regulatory requirements are based on the individual contract with each client; evidence was reviewed.

Page 10 of 26

Assessment Participants

Columns: Name, Position, Opening Meeting, Closing Meeting, Interviewed (processes)

Sangita Patil, Owner / President: X
Raj Patil, Owner / CEO: X
Scott Lucas, IT Director: X X X
Kim Hartley, HR Director: X X
Arella Thomas, Business Development: X
Aryelle Young, Business Development: X
Theresa Minton, ISO Deputy: X X X

Page 11 of 26

Assessment conclusion

BSI assessment team

Name Position

Anthony Aleman Team Leader

Assessment conclusion and recommendation

The audit objectives have been achieved and the certificate scope remains appropriate. The audit team concludes based on the results of this audit that the organization does fulfil the standards and audit criteria identified within the audit report and it is deemed that the management system continues to achieve its intended outcomes.

RECOMMENDED - Corrective Action Plan Required ('Minor' findings only): The audited organization may be recommended for certification / continued certification, based upon the acceptance of a satisfactory corrective action plan for all 'Minor' findings as shown in this report. Effective implementation of corrective actions will be reviewed during the next surveillance audit.

Please submit a plan to BSI detailing the nonconformity, the root cause, correction and your proposed corrective action, with responsibilities and timescales allocated. The plan is to be submitted no later than 01/03/2020. If the corrective action plan is not received by this date you may be putting your certification status at risk. Send the plan through the BSI Assurance Portal (if this is enabled for your account) or by email to [email protected], referencing the report number 8982204, 8982202, 8982206.

Use of certification documents, mark / logo or report

The use of the BSI certification documents and mark / logo is effectively controlled.

Page 12 of 26

Findings from previous assessments

Finding Reference: 1683112-201809-N1
Certificate Reference: IS 637174
Certificate Standard: ISO/IEC 27001:2013
Clause: A8.1.2
Category: Minor
Area/Process: Asset management (A.8)
Details: Not all assets have owners assigned
Objective Evidence: Computers which are not assigned to users do not have owners.
Cause: Assumption was made that a department could own an asset.
Correction/containment: Update the Reston Asset Inventory List and, for all assets that are currently assigned to a department, change the ownership to Scott Lucas, IT Manager. Scott will be responsible for updating and maintaining these assets until they are assigned to new users.
Corrective action:
1. Go through Reston Inventory log and replace all department names with Scott
2. Update assets as required (Windows updates, etc.)
3. Create a policy for Asset Management
4. Approve/Reject Asset Management policy
Actions deemed effective.
Closed?: Yes

Finding Reference: 1683112-201809-N2
Certificate Reference: IS 637174
Certificate Standard: ISO/IEC 27001:2013
Clause: A16.1.7
Category: Minor
Area/Process: Information security incident management (A.16)
Details: The organization has not defined procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Page 13 of 26

Objective Evidence: The organization has not defined procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Cause: We did not have access to 27002 to gain clarification into the intention of this clause and were unaware that it involved forensic analysis and chain of custody for evidence.
Correction/containment: Purchase and review ISO 27002, formally accept the risk that we are vulnerable if a situation arises that requires Chain of Evidence and Forensics, and expedite the selection process for a local company that will be able to assist with this.
Corrective action:
1. Purchase a copy of ISO 27002
2. Scott to reach out to local IT Evidence/Forensic companies to get quotes
3. Scott to select best option and work with Executive Management to issue contract to keep company on standby in case an issue occurs
4. Issue contract to selected company.
5. Reach out to selected company if needed for security incident (Ongoing)
6. Update Security plan to reflect information for the company selected
Actions deemed effective.
Closed?: Yes

Page 14 of 26

Findings from this assessment

Top Management Interview, Context of the Organization, Leadership, Planning, Doc Control, Risk:

QMS – Quality Policy resides within their Quality Manual section 4.3 ver 2.0 dated 10/13/19, evidenced. SharePoint is their repository to house their PAL; verified. Document control reviewed. Mgmt Review Charter discussed. COTO and Objectives evidenced. Control of Documents ver. 4.0 dated as well as their Control of Records ver 5.0 dated. 2019 Activities Plan shows their review cycle; appropriately verified.

SMS – No scope change identified. SMS Policy ver 2.0 dated 9/22/19 evidenced. SMS Plan ver 5.09 dated 9/21/19 reviewed. CMDB is a spreadsheet within their SharePoint repository. SLAs reviewed. COOP as well as their Service Catalog verified. RATP sampled. Cust Sat discussed.

ISMS – ISMS Manual is a subset of their QMS and SMS Manual; verified. IS Policy ver 7.0 dated 9/30/19 evidenced. RATP dated 11/17/19 reviewed. Risk Mgmt Process ver 3.0 reviewed. Processes deemed effective.

Management Review, Customer Satisfaction, Measurement and Analysis, Planning (Operational Planning and Control), Purchasing and Subcontracts, Service Delivery - Project Planning, Monitoring and Control:

MRB Charter ver 4.0 dated 5/31/19 evidenced. MRB 102519 sampled. Meeting minutes also sampled. Lessons learned addressed. Customer Satisfaction feedback reviewed. Service Delivery documents verified. Processes deemed effective.

Internal Audit, Improvement: IA Procedure ver. 5.0 critiqued. IA Scheduler and Report dated 8/12 thru 8/13/19 sampled. CARs 84 and 85 in RATP reviewed. Processes deemed effective.

Business Relationship Management and Service Level Management: Service Catalog ver dated 10/8/19 evidenced. Master Workbook sampled. BRM within section 2.1.1 of the Service Mgmt Plan ver 5.0 dated 9/21/19 reviewed. SLM resides within section 2.1.3; sampled. Processes deemed effective.

Page 15 of 26

Configuration Management, Change Management, Release and Deployment: Change and Release Mgmt ver 4.0 dated 10/1/19 evidenced. Change Policy as well as RFCs 52 and 53 sampled. PIRs are part of their Change Mgmt; verified. CIs listed within section 2.5 of their Change process verified. 2019 Service Capacity Report sampled. Processes deemed effective.

Problem Management, Incident Management: Service Request, Incident and Problem Mgmt ver 4.0 dated 9/21/19 evidenced. 2019 Incident and Problem Mgmt Workbook sampled. Known Errors shown. KEs ITK-23 and 24, Problems 5 and 6 as well as Incidents 138 and 139 sampled. SLAs shown. Service Catalog Spreadsheet Instruction Guide ver 4.0 verified. Security Incident Report dated 9/10/19 evidenced. Processes deemed effective.

SOA, Sampling of Controls: SOA ver 7.0 dated 9/21/19 evidenced. The standard's controls run only through A.18; their SOA has an A.19 section that is not a part of the standard. A MINOR finding is noted. They have 6 exclusions, which are as follows in their SOA: A.9.4.5, A.11.1.5, A.12.1.14, A.14.2.6 thru 2.8; verified. HQ Asset inventory (Reston Inventory list) verified. Assets SENIS003, CUSRS001 and CUSR002 sampled. Access Control Policy section 3.5 evidenced. IS Incident Mgmt process reviewed. Tickets 381, 378 and 376 sampled.

Page 16 of 26

Minor (1) nonconformities arising from this assessment.

Finding Reference: 1859072-201911-N1
Certificate Reference: IS 637174
Certificate Standard: ISO/IEC 27001:2013
Clause: A5
Category: Minor
Area/Process: SOA, Sampling of Controls
Statement of nonconformance: SOA control families incorrect.
Clause requirements: Information security policies
Objective Evidence: SOA has a Control A.19 when it does not exist.
Cause:
Correction/containment:
Corrective action:

Page 17 of 26

Next visit objectives, scope and criteria

The objective of the assessment is to conduct a surveillance assessment and look for positive evidence to ensure the elements of the scope of certification and the requirements of the management standard are effectively addressed by the organization's management system and that the system is demonstrating the ability to support the achievement of statutory, regulatory and contractual requirements and the organization's specified objectives, as applicable with regard to the scope of the management standard, and to confirm the on-going achievement and applicability of the forward strategic plan.

The scope of the assessment is the documented management system with relation to the requirements of ISO 9001: 2015, ISO 20000-1: 2011, ISO 27001: 2013 and the defined assessment plan provided in terms of locations and areas of the system and organization to be assessed.

ISO 9001: 2015, ISO 20000-1: 2011, ISO 27001: 2013 AEEC, LLC management system documentation

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the visit by the organization within 30 days of an agreed visit date. It is a condition of Registration that a deputy management representative be nominated. It is expected that the deputy would stand in should the management representative find themselves unavailable to attend an agreed visit within 30 days of its conduct.

Page 18 of 26

Next Visit Plan

Date Auditor Time Area/Process Clause

Top Management Interview

Context of the Organization, Leadership, Planning

Organizational Knowledge, Documented Information

Management Review, Customer Satisfaction, Measurement and Analysis

Internal Audit

Business Development, and Contracts

Service Delivery - Project Planning, Monitoring and Control

Human Resource, Infrastructure and Work Environment

Page 19 of 26

Appendix: Your certification structure & ongoing assessment programme

Scope of Certification

FS 637173 (ISO 9001:2015)

The management of the provision of resources to provide environmental engineering and IT solutions and consulting services to support Federal and Commercial customers.

IS 637174 (ISO/IEC 27001:2013)

The management of information security for the protection of client and company information for Information Technology Services provided to Commercial and Federal Government customers. This is in accordance with the Statement of Applicability v 7.0, dated 9/21/19.

ITMS 637176 (ISO/IEC 20000-1:2011)

The service management system for the management and delivery of support services provided internally within the AEEC organization needed to support client engagements with Federal and commercial customers.

Assessed location(s)

The audit has been performed at Central Office.

Reston / IS 637174 (ISO/IEC 27001:2013)

Location reference: 0047563476-000
Address: AEEC, LLC, 11710 Plaza America Drive, Suite #125, Reston, Virginia 20190, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8982204
Assessment dates: 11/20/2019
Deviation from Audit Plan: No
Total number of Employees: 9
Total persons doing work at this site: 9

Page 20 of 26

Scope of activities at the site: The management of information security for the protection of client and company information for Information Technology Services provided to Commercial and Federal Government customers.
Assessment duration: 1 Day(s)

Reston / FS 637173 (ISO 9001:2015)

Location reference: 0047563476-000
Address: AEEC, LLC, 11710 Plaza America Drive, Suite #125, Reston, Virginia 20190, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8982202
Assessment dates: 11/21/2019
Deviation from Audit Plan: No
Total number of Employees: 12
Effective number of Employees: 12
Scope of activities at the site: The management of the provision of resources to provide environmental engineering and IT solutions and consulting services to support Federal and Commercial customers.
Assessment duration: 1 Day(s)

Reston / ITMS 637176 (ISO/IEC 20000-1:2011)

Location reference: 0047563476-000
Address: AEEC, LLC, 11710 Plaza America Drive, Suite #125, Reston, Virginia 20190, USA
Visit type: Continuing assessment (surveillance)
Assessment reference: 8982206
Assessment dates: 11/19/2019
Deviation from Audit Plan: No
Total number of Employees: 9
Effective number of Employees: 9

Page 21 of 26

Scope of activities at the site: The service management system for the management and delivery of support services provided internally within the AEEC organization needed to support client engagements with Federal and commercial customers.
Assessment duration: 1 Day(s)

Page 22 of 26

Certification assessment program

Certificate Number - FS 637173 Location reference - 0047563476-000

Audit1 Audit2 Audit3 Audit4

Business area/Location

Date (mm/yy): 08/18 09/19 09/20 09/21

Duration (days): 1.5 1.0 1.0 1.5

Top Management Interview X X X X

Context of the Organization, Leadership, Planning X X X X

Organizational Knowledge, Documented Information X X X

Management Review, Customer Satisfaction, Measurement and Analysis X X X X

Internal Audit X X X X

Planning (Operational Planning and Control) X X X

Business Development, and Contracts X X X

Purchasing and Subcontracts X X X

Service Delivery - Project Planning, Monitoring and Control X X X X

Human Resource, Infrastructure and Work Environment X X X

Improvement X X X

Certificate Number - IS 637174 Location reference - 0047563476-000

Audit1 Audit2 Audit3 Audit4

Business area/Location

Date (mm/yy): 09/2018 09/2019 09/2020 09/2021

Duration (days): 1.0 1.0 1.0 1.5

Leadership, (5) X X X X

Context of the organization (4) X X X X

Planning (6) X X X X

Operation: Risk Assessment and Risk Treatment (8.2, 8.3) X X X X

Page 23 of 26

Support: Resources, Competence, Awareness & HR Security (7.1 - 7.3, A.7) X X X X

Information security objectives and planning to achieve them. Operational planning and control, Monitoring, measurement, analysis and evaluation (5.2B, 6.2, 8.1, 9.1) X X X X

Internal Audit and Management Reviews (9.2-9.3) X X X X

Improvement (10) X X X X

A.5 Security policy X X X

A.6 Organization of information security X X X

A.8 Asset management X X X

A.9 Access control X X X

A.10 Cryptography X X X

A.11 Physical and environmental security X X X X

A.12 Operations Security X X X

A.13 Communications Security X X X

A.14 Systems acquisition, development and maintenance X X X

A.15 Supplier relationships X X X

A.16 Information Security Incident Management X X X

A.17 Business Continuity Management X X X

A.18 Compliance with Legal Requirements X X X

Certificate Number - ITMS 637176 Location reference - 0047563476-000

Audit1 Audit2 Audit3 Audit4

Business area/Location

Date (mm/yy): 08/18 08/19 08/20 08/21

Duration (days): 2.0 1.0 1.0 2.0

SMS Policy, Objectives, and Management Responsibility X X X X

Documentation Management X X X

Plan, Maintain and Improve SMS X X X

Management Review X X X X

Page 24 of 26

Internal Audit X X X X

Resource Management X X X

Supplier Management X X X

Business Relationship Management and Service Level Management X X X

Service Continuity, Availability, and Capacity Management X X X

Information Security Management X X X

Incident, Service Request, and Problem Management X X X

Design and Transition New or Changed Services X X X

Configuration Management, Change Management, Release and Deployment X X X

Expected outcomes for accredited certification.

What accredited certification to ISO 9001 means

ISO 9001:2015 specifies requirements for a quality management system when an organization: needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements; and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

What accredited certification to ISO 9001 does not mean

1) It is important to recognize that ISO 9001 defines the requirements for an organization's quality management system, not for its products and services. Accredited certification to ISO 9001 should provide confidence in the organization's ability to "consistently provide product that meets customer and applicable statutory and regulatory requirements". It does not necessarily ensure that the organization will always achieve 100% product conformity, though this should of course be a permanent goal.

2) ISO 9001 accredited certification does not imply that the organization is providing a superior product or service, or that the product or service itself is certified as meeting the requirements of an ISO (or any other) standard or specification.

Definitions of findings:

Nonconformity:

Non-fulfilment of a requirement.

Page 25 of 26

Major nonconformity:

Nonconformity that affects the capability of the management system to achieve the intended results. Nonconformities could be classified as major in the following circumstances:

• If there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;

• A number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformity:

Nonconformity that does not affect the capability of the management system to achieve the intended results.

Opportunity for improvement:

It is a statement of fact made by an assessor during an assessment, and substantiated by objective evidence, referring to a weakness or potential deficiency in a management system which if not improved may lead to nonconformity in the future. We may provide generic information about industrial best practices but no specific solution shall be provided as a part of an opportunity for improvement.

Observation:

It is ONLY applicable for those schemes which prohibit the certification body to issue an opportunity for improvement. It is a statement of fact made by the assessor referring to a weakness or potential deficiency in a management system which, if not improved, may lead to a nonconformity in the future.

How to contact BSI

'Just for Customers' is the website that we are pleased to offer our clients following successful registration, designed to support you in maximizing the benefits of your BSI registration. Please go to www.bsigroup.com/j4c to register. When registering for the first time you will need your client reference number and your certificate number.

Should you wish to speak with BSI in relation to your registration, please contact our Operations Support Team:

BSI Management Systems, 12950 Worldgate Drive, Suite 800, Herndon, VA 20170. Tel: +1 (800) 862 4977. Fax: +1 (703) 437 9001.

Page 26 of 26

Notes

This report and related documents are prepared for and only for BSI’s client and for no other purpose. As such, BSI does not accept or assume any responsibility (legal or otherwise) or accept any liability for or in connection with any other purpose for which the Report may be used, or to any other person to whom the Report is shown or in to whose hands it may come, and no other persons shall be entitled to rely on the Report. If you wish to distribute copies of this report external to your organization, then all pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organization and shall not disclose any such information to any third party, except that in the public domain or required by law or relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual confidentiality undertakings and will only receive confidential information on a 'need to know' basis.

This audit was conducted on-site through document reviews, interviews and observation of activities. The audit method used was based on sampling the organization’s activities and it was aimed to evaluate the fulfilment of the audited requirements of the relevant management system standard or other normative document and confirm the conformity and effectiveness of the management system and its continued relevance and applicability for the scope of certification.

As this audit was based on a sample of the organization's activities, the findings reported do not claim to include all issues within the system.

Regulatory compliance

BSI conditions of contract for this visit require that BSI be informed of all relevant regulatory non-compliance or incidents that require notification to any regulatory authority. Acceptance of this report by the client signifies that all such issues have been disclosed as part of the assessment process and agreement that any such non-compliance or incidents occurring after this visit will be notified to the BSI client manager as soon as practical after the event.