Certification Body
ISO/IEC 27001:2013 1st SURVEILLANCE AUDIT REPORT FOR UNIVERSITY OF EMBU
AUDIT NO. KEBS/ISMS/SC/004/01/19
8th May 2019


UNIVERSITY OF EMBU
3.2 ICT Department ... 7
3.4 Department of Land and Water ... 10
3.5 Management Representative ... 11
3.6 Directorate of Examinations ... 14
3.7 Admissions ... 15
3.8 Internal Audit ... 17
3.9 Procurement and Stores ... 18
3.10 Department of Public Health ... 19
6.0 RECOMMENDATION ... 20
APPENDICES ... 21
Representative : Prof. Kiplangat Kotut, DVC ARE & QISMR
Date(s) of audit : 24th & 25th April 2019. No. of audit days: 2
Audit Basis/Criteria : ISO/IEC 27001, ISMS documentation
Audit Scope : Provision of training, research and extension
Audit No : KEBS/ISMS/SC/004/01/19
No. of sites audited : N/A
Audit Team : Elizabeth Kisilu - Lead Auditor
James Njuki - Auditor
Audit objective(s) :
i. Determination of the conformity of the client's management system, or parts of it, with the audit criteria;
ii. Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;
iii. Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;
iv. Identification, as applicable, of areas for potential improvement of the management system.
2.0 AUDIT SUMMARY
The purpose of the audit was to evaluate the continued fulfilment of the requirements of the ISO/IEC 27001:2013 standard by the Information Security Management System implemented by the University of Embu, for the purpose of continued certification.
The University's information security management system (ISMS) was observed to be preserving the confidentiality, integrity and availability of information in the departments audited. There was evidence that, by applying a risk management process, information security risks are being adequately managed.
The audit was carried out as per the attached audit timetable, Appendix A. The opening and closing meetings were held on 24th and 25th April 2019 respectively, and the attendance register is attached. During the audit, the auditors were accorded the necessary cooperation, which enabled the gathering and evaluation of the information used to arrive at the audit findings and conclusions in this report.
The auditors established that:
- The ISMS context has been established, communicated and understood by the auditees.
- The needs and expectations of interested parties have been determined and documented in the ISMS context.
- Risk assessment is done at planned intervals; the risk assessments were reviewed between January and March 2019.
- Implementation of controls is monitored through the monitoring tool documented in the risk register, as evident in all areas audited.
- There is compliance with the legal requirements determined in the ISMS context.
- There is demonstrated commitment to the implementation of the ISMS.
However, it was noted that:
- There was no evidence that the risks and opportunities that need to be addressed to ensure the ISMS can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement (clause 6.1.1) have been determined, nor was there evidence of a plan of actions to address them.
- No data is captured in the incident registers.
During the audit, several positive findings and opportunities for improvement were recorded, as in clause 3.0 of this report. In addition, three (3) minor non-conformities were identified. During the closing meeting it was agreed that an acceptable Corrective Action Plan (CAP) for the non-conformities shall be submitted to the lead auditor within two (2) weeks.
Elizabeth Kisilu, Lead Auditor, 8th May 2019
3.1 Department of Biological Sciences
6.1.1 Actions to address risks and opportunities
Positive findings
i. Risks have been determined based on the processes of the department, i.e. unit allocation, teaching and examination.
ii. There was evidence that the needs and expectations of interested parties were considered when determining the risks.
iii. The risk register for Biological Sciences was reviewed in January 2019; some of the risks determined include:
- Leakage of draft examinations
iv. Actions taken to address these risks are documented in the risk treatment plan, indicating the existing controls and the additional controls selected from ISO/IEC 27002. The effectiveness of the selected controls is determined through the monitoring tool, also documented in the Biological Sciences risk register.
Areas of improvement
i. Additional controls are referenced to ISO/IEC 27002 rather than to ISO/IEC 27001 Annex A. Clause 6.1.3 requires the selected controls to be compared with Annex A to verify that no necessary control has been omitted, and the statement of applicability must cite the Annex A controls; ISO/IEC 27002 is implementation guidance, not the normative control list.
6.1.2 Information security risk assessment
Positive findings
i. There was evidence that the risk assessment process was followed during the risk assessment done in January 2019. The criteria followed are:
- Likelihood scale of 1-3
- Consequence: High, Medium, Low (1-3 scale)
- Risk appetite: 3x3 matrix
ii. The risk assessment considers loss of confidentiality, integrity and availability (CIA) of processes. The processes assessed are unit allocation, teaching and examination, as documented in the 2019 risk register.
iii. The risk levels determined were 2, 4 and 6, where examination had the highest risk level (6).
6.1.3 Information security risk treatment
Positive findings
i. There was evidence that controls have been selected to address the risks determined, as documented in the Biological Sciences ISMS Risk Register 2019. These are existing controls together with controls selected from ISO/IEC 27002.
ii. Some of the controls sampled are:
iii. There was evidence that a statement of applicability (SOA) was formulated. Among the departments implementing controls in the SOA are the teaching departments.
iv. A risk treatment plan has been formulated indicating the existing controls, the additional controls from Annex A, the risk assessment levels and the residual risk level.
Areas of improvement
i. There was no evidence that a risk treatment option was selected for the risks.
7.2 Competence
Positive findings
i. Competencies are determined as per areas of specialization and acquired. Evidence of competence is maintained by Human Resources.
ii. All members of staff in Biological Sciences have been trained on the ISMS, through either the implementation course or the awareness course.
8.1 Operational planning and control
Positive findings
i. Examination papers and results are controlled through a controlled examination office, lockable cabinets and classification of information.
8.3 Information security risk treatment
i. There was evidence that controls selected from Annex A are being implemented:
- A.7.2.3 Disciplinary process: implemented through the Human Resource department procedure manual no. UoEm/HR/HRPM/003.
- A.7.2.2 Information security awareness, education and training: process owners' training report on the implementation of ISO 9001:2015 and ISO/IEC 27001:2013 dated 29th March 2019.
ii. A code of conduct is signed by lecturers to ensure confidentiality.
iii. The computer sampled had updated Kaspersky antivirus and licensed software, e.g. Windows 10 and Microsoft Office 2016.
Sampled risk and controls (table fragment):
Risk: Falsification of information on teaching units
Existing controls: Existing authority approvals; implementation of existing curriculum
Additional control: A.7.2.3 Disciplinary process
3.2 ICT Department
6.1.2 Information security risk assessment
Positive findings
i. The risk assessment done in March 2019 followed the determined risk criteria: likelihood scale of 1-3; consequence High, Medium, Low (1-3 scale); risk appetite based on a 3x3 matrix.
ii. In the 2018 risk register the risk level for denial of service is 6 and the residual risk is 2, the same as in the 2019 register, because of the criticality of the risk were it to materialise.
iii. Risk assessment is done considering loss of confidentiality, integrity and availability of processes.
iv. ICT risks assessed include:
- Denial of access to information
- Loss of backed-up information
- Unauthorized access to information
v. There was evidence that the risk assessment process produced different risk levels, between 2 and 9.
vi. Risk prioritization is done as per the risk appetite documented in the risk register.
6.1.3 Information security risk treatment
Positive findings
i. There was evidence that ICT chose a risk treatment option, defined as "Strategy" in the risk register: the options chosen are "reduce" for High and Medium risks and "accept" for Low risks.
ii. There was evidence that existing controls are determined and additional controls selected from ISO/IEC 27002.
iii. A risk treatment plan for all risks has been formulated, together with the monitoring tool documented in the ICT ISMS risk register 2019. The time frame for all risks in the treatment plan is December 2020.
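The risk criteria recorded in this report for Biological Sciences (6.1.2), ICT (6.1.2 and 6.1.3) and the website section (likelihood and consequence each scored 1-3, the risk level as their product in a 3x3 matrix, "reduce" for High and Medium and "accept" for Low, and residual risk signed off by the risk owner) can be checked mechanically. The following Python is an added example, not the university's register or any KEBS tool: the rule that 6 and 9 are High comes from the report, while the Medium/Low boundary, the Annex A reference pattern, the control references and the sample rows are assumptions constructed for the example. It also flags the conditions the auditors raised elsewhere in this report: a "reduce" option with no control selected, an undetermined residual risk, and controls cited to ISO/IEC 27002 instead of Annex A.

```python
"""Risk scoring and treatment-option selection for a 3x3 ISMS risk matrix.

Added example; not the university's tool. Scales follow the report
(likelihood 1-3, consequence 1-3, level = product). The band thresholds,
the Annex A reference pattern and the sample register are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = (1, 2, 3)

# Treatment option per band, as the ICT register's "Strategy" column records it.
OPTION_BY_BAND = {"High": "reduce", "Medium": "reduce", "Low": "accept"}

# ISO/IEC 27001:2013 Annex A control identifiers look like A.7.2.3 (sections 5-18).
ANNEX_A_REF = re.compile(r"^A\.(?:[5-9]|1[0-8])\.\d+\.\d+$")


def level(likelihood: int, consequence: int) -> int:
    """Risk level as the matrix cell likelihood x consequence (1..9)."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must each be 1, 2 or 3")
    return likelihood * consequence


def band(risk_level: int) -> str:
    """Band a level: 6 and 9 are High (as in the report); the Medium/Low
    boundary at 3 is an assumed threshold for this example."""
    if risk_level >= 6:
        return "High"
    if risk_level >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: int
    consequence: int
    controls: List[str] = field(default_factory=list)  # control references
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None


def treat(risk: Risk) -> Dict[str, object]:
    """Score one register row, pick the option and list what an auditor
    would flag: a 'reduce' risk with no control, no residual level, a residual
    above the inherent level or still High, or a control not cited to Annex A."""
    inherent = level(risk.likelihood, risk.consequence)
    inherent_band = band(inherent)
    option = OPTION_BY_BAND[inherent_band]
    issues: List[str] = []
    residual: Optional[int] = None

    for ref in risk.controls:
        if not ANNEX_A_REF.match(ref):
            issues.append(f"control {ref!r} is not referenced to Annex A")

    if option == "reduce":
        if not risk.controls:
            issues.append("no control selected for a risk to be reduced")
        if risk.residual_likelihood is None or risk.residual_consequence is None:
            issues.append("residual risk not determined")
        else:
            residual = level(risk.residual_likelihood, risk.residual_consequence)
            if residual > inherent:
                issues.append("residual risk exceeds inherent risk")
            elif band(residual) == "High":
                issues.append("residual risk still High, outside risk appetite")
    else:
        residual = inherent  # accepted as-is

    return {
        "name": risk.name,
        "inherent": inherent,
        "band": inherent_band,
        "option": option,
        "residual": residual,
        # Residual risk is approved by the risk owner on a signed form (CAR 2 of 3 closure).
        "owner_signoff_required": residual is not None,
        "issues": issues,
    }


def prioritise(register: List[Risk]) -> List[Dict[str, object]]:
    """Treat every row and order by inherent level, highest first."""
    return sorted((treat(r) for r in register),
                  key=lambda t: (-int(t["inherent"]), str(t["name"])))


def sample_register() -> List[Risk]:
    """Constructed rows using risks named in the report; the scores and
    control references are illustrative, not the university's register."""
    return [
        Risk("Denial of service", 2, 3, ["A.13.1.1"], 1, 2),
        Risk("Uploading inaccurate content", 3, 3, ["A.12.1.2"], 1, 3),
        Risk("Leakage of draft examination", 2, 3, ["ISO 27002 9.4.1"], 1, 2),
        Risk("Unit allocation error", 1, 2),
        Risk("Falsification of attendance", 2, 2),
    ]


if __name__ == "__main__":
    for row in prioritise(sample_register()):
        print(row["inherent"], row["band"], row["option"], row["name"], row["issues"])
```

Run as a script, the sample register is printed highest inherent level first; the "Falsification of attendance" row reproduces the findings raised for Biological Sciences (no treatment option or control evidenced) and Internal Audit (residual risk not determined), and the "Leakage of draft examination" row reproduces the ISO/IEC 27002-instead-of-Annex-A observation.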
6.2 Information security objectives and planning to achieve them
Positive findings
i. ICT has established two information security objectives as per the requirements: ICT information security objectives dated 12th March 2019.
ii. There was evidence that a plan to achieve the objectives has been established, as documented in the ICT information security objectives dated 12th March 2019.
7.2 Competence
Positive findings
i. Competencies for ICT staff are determined and achieved through performance appraisal and training, e.g. the PC target for FY 2018/2019 indicating staff performance targets and the appraisal form UOEM-HRM-008 (Competency/training needs assessment form) for PF No. 0143 were sampled. Evidence of training on system administration and server administration was availed.
ii. There was evidence that training is done to enhance the competence of ICT staff, e.g. on-the-job training on ICT service delivery through the knowledge base accessed at support.embuni.ac.ke.
iii. There was evidence that ICT staff are competent in their roles, e.g. the sampled staff were able to demonstrate how network segregation and on-site backup are done.
8.2 Information security risk assessment
Positive findings
i. There was evidence that risk assessment is done at planned intervals and the evidence is maintained, e.g. risk assessment is done annually; the risk registers for 2018 and 2019 were evident.
8.3 Information security risk treatment
Positive findings
i. A risk treatment plan has been formulated and documented in the ICT ISMS risk register.
ii. There was evidence that the selected controls are effectively implemented. Some of the controls selected are:
- Network segregation through VLANs (virtual local area networks): the VLANs include WAN, Voice, Administrators, Wireless, Management and Labs, with segregation enforced at the firewall.
iii. The staff VLAN contains resources that only staff are authorized to access. Traffic graphs for the different VLANs were demonstrated on the firewall. (The traffic graphs show that the VLANs exist and carry traffic; the access restriction itself rests on the inter-VLAN rules configured on the firewall, which are the control to sample.)
iv. There are two types of backup for university information, on-site backup and off-site backup. The on-site backup for Biological Sciences was sampled.
v. On-site backup logs were available, indicating that the last backup was done on 24th April 2019 at 12.15 pm and the next backup was scheduled for 25th April 2019 at 11.40 am. A backup retention form is used to communicate to ICT the information that needs to be backed up.
vi. Users can also back up their data on OneDrive.
vii. The ICT support system is used to manage user requests, repairs and accessory replacement using request form ICT-002 1219. All tickets had been closed at the time of the audit.
10.1 Nonconformity and corrective action
Positive findings
i. There was evidence that ICT addressed the non-conformity raised during the certification audit (CAR 2 of 3). This was done by developing a form that is signed by all risk owners as evidence of approval of the residual risk. Records are maintained by the QISMR.
3.3 Website
4.2 Understanding the needs and expectations of interested parties
Positive findings
i. The website team has determined its interested parties, which include students, university management, suppliers, parents, etc.
ii. Some of the needs of the interested parties are:
- Students: accurate and timely information on the website
- University management: timely uploading of information on the website; a procedure to be followed when uploading information on the website
iii. There was evidence that information about interested parties is monitored for realization, as documented in the monitoring template for interested parties and requirements / internal and external issues / risks and opportunities.
iv. Risks and opportunities have been determined and documented in the same monitoring template.
6.1.2 Information security risk assessment
Positive findings
i. The risk assessment done in March 2019 followed the determined risk criteria: likelihood scale of 1-3; consequence High, Medium, Low (1-3 scale); risk appetite based on a 3x3 matrix.
ii. Risk assessment is done considering loss of confidentiality, integrity and availability of processes.
iii. ICT risks assessed are:
- Denial of service
- Uploading inaccurate content
iv. There was evidence that the risk assessment process produced risk levels of 6 and 9, which are High in the risk matrix.
v. Risk prioritization is done as per the risk appetite documented in the risk register.
8.3 Information security risk treatment
Positive findings
i. There was evidence that the controls selected in the risk treatment plan are being implemented. Some of the controls sampled are:
- The firewall (pfSense) is updated regularly as soon as updates are released.
- Training is done for the website and repository team, e.g. the KENET secure systems management / KLISC/EIFL training for repository managers and library ICT persons and IBM Data Engineer, done between 11th and 15th March 2019; a member of the website committee attended.
ii. There was evidence that documents are approved by the Registrar before being uploaded to the website, e.g. the contract award document for February 2019 was approved by Timothy, who is authorized by the Registrar to approve documents for uploading.
iii. The incoming document register UoEm-Reg-WNR-001 Vol. 2 is used to monitor website content being uploaded.
iv. Web content is backed up on-site and off-site.
3.4 Department of Land and Water
6.1.2 Information security risk assessment
Positive findings
i. There was evidence that risk assessment was done following the defined criteria.
ii. Some of the risks in the department are:
- Acceptance of falsified academic credentials for part-time lecturers
- Leakage of examinations during submission and moderation of examination drafts
- Falsification of information on lecture/CAT/practical attendance and course coverage
iii. Opportunities: attachment of students in industry.
6.2 Information security objectives and planning to achieve them
Positive findings
i. The department has established information security objectives and a plan to achieve them.
ii. The information security objectives have been determined considering the results of the risk assessment and risk treatment, and they are measurable.
8.3 Information security risk treatment
Positive findings
i. There was evidence that existing controls and controls selected from Annex A are being implemented. The following controls were tested for implementation:
- Draft examinations are protected by password and backed up to an external hard disk.
- There is one lockable, well-labelled cabinet for storing controlled documents.
- Information contained in this lockable cabinet is classified as per the Information Classification, Handling & Transfer policy, e.g. the individual mark sheet UoEm/LWM/IM/Vol.3 is classified as confidential.
- Genuine software is installed on the sampled PC, e.g. Windows 7 Ultimate and MS Office 2007. (Office 2007 left Microsoft extended support in October 2017, before this audit; a genuine licence does not by itself satisfy technical vulnerability management, A.12.6.1, for software that no longer receives security updates.)
- Kaspersky antivirus was up to date at the time of the audit.
- Information assets are identified, e.g. the CPU in the department is identified as UoEm/LWM/CPU/01.
- Networked computers cannot be accessed by unauthorized staff or persons: the auditor tried to access desktop-479tnh0 and it requested an authentication password.
- The clear screen/clear desk policy is being observed.
ii. A risk treatment plan has been formulated and is being implemented as documented, e.g. the control for incompleteness of examination results leading to missing marks is to sensitize students to register correctly for units in the ERP.
SOA
- A.11.1.3 Securing offices, rooms and facilities: the offices have lockable doors and windows.
- A.11.2.4 Equipment maintenance (equipment shall be correctly maintained to ensure its continued availability and integrity): computers are maintained by the ICT department; all software was up to date at the time of the audit.
3.5 Management Representative
4.1 Understanding the organization and its context
Positive findings
i. There was evidence that the university has established its ISMS context, as documented in UoEm ISMS Context UoEm/QISMR/PD/005 dated 05 December 2017.
ii. Some of the internal issues are:
- Lack of enough capacity to secure information
- Use of inaccurate/incomplete information
- Legal requirements to divulge confidential information
- Inaccurate or incomplete information from external organisations
- Counterfeit IT resources
iv. The document containing the context has been classified as restricted information.
4.2 Understanding the needs and expectations of interested parties
Positive findings
i. 14 interested parties relevant to the ISMS have been determined, as documented in the ISMS Context UoEm/QISMR/PD/005.
ii. There was evidence that the needs and expectations of these interested parties, including legal requirements, have also been established. They include (table fragment):
Interested party | Expectation or requirement
Students | a) Availability and accuracy of results
 | e) Accuracy of information passed to them
iii. Some of the legal requirements relevant to interested parties are:
- Constitution of Kenya, Chapter 4, Article 35 (availability): every Kenyan has the right of access to information held by another person, and every person has the right to the correction or deletion of misleading information.
- Public Procurement and Asset Disposal Act 2015, section 67 (confidentiality): no procuring entity, employee or agent shall disclose information on procurement whose disclosure would impede law enforcement or otherwise be contrary to the public interest; information relating to procurement whose disclosure would prejudice legitimate commercial interests or intellectual property rights or inhibit fair competition; information relating to the evaluation, comparison or clarification of tenders, proposals or quotations; or the contents of tenders, proposals or quotations.
4.4 Information security management system
Positive findings
i. There was evidence that the university has established an ISMS that is implemented at all relevant functional areas, levels and processes, as per the Information Security Policy UoEm/QISMR/PD/002.
ii. There was evidence that the ISMS is improved through review of ISMS documents (e.g. risk assessment), monitoring of ISMS processes (e.g. the monitoring tool for the risk treatment plan), and internal and external audits carried out at planned intervals.
6.2 Information security objectives and planning to achieve them
Areas of improvement
i. No information security objectives have been determined for the QISMR's office.
7.1 Resources
Positive findings
i. There was evidence that the resources required for the ISMS have been determined and provided, e.g. the approved budgetary allocation for FY 2018/2019, UoEm/fin/budgets/voll.3/243.
ii. Other resources provided include competent personnel, IT infrastructure, security services, etc.
7.2 Competence
Positive findings
i. Competence for internal auditors has been determined and acquired through training undertaken in February 2018.
ii. IQA certificates were availed for the following auditors, who audited during the internal audits of 13th to 14th November 2018:
- Caroline Wambui Ndiri
- Beatrice Wanjiru Gitonga
- Kelvin Muchunga Ndaru
iii. Internal audit reports and CAR forms were availed. The reports reflected quality audit findings and CAR forms. Records are maintained in UoEM/MR/NCQRF(ISMS)/VOL.1.
9.1 Monitoring, measurement, analysis and evaluation
Positive findings
i. The university has established several methods for monitoring ISMS performance, e.g.:
- Monitoring of the risk treatment plan
- Monitoring and evaluation of information security objectives
- Analysis of internal audits
ii. Analysis of the internal audit conducted between 13th and 15th March 2018 indicated 34 minor and 4 major non-conformities. Records are documented in UOEM/ISMS/IA/01/2018.
9.2 Internal audit
Positive findings
i. There was evidence that internal audits are carried out at planned intervals. The audit programme for 2018 indicated that the university undertook two internal audits, in March and August 2018. The audit programme was approved on 9th January 2018.
ii. During the March internal audit, 47 areas were audited and the audit findings, including CAR forms, are maintained.
iii. The audit plan for the same audit demonstrated that none of the auditors audited their own departments.
iv. The audit criteria and audit scope were adequately defined as per the March audit plan.
9.3 Management review
Positive findings
i. There was evidence that management review meetings are held, e.g. the action plan from the 2nd combined management review meeting of 2019 was availed. ISMS issues were discussed, resolutions determined, responsibilities assigned and time frames determined.
10.1 Nonconformity and corrective action
Positive findings
i. There was evidence that corrections and corrective actions for non-conformities raised during internal and external audits are addressed as per the requirements, e.g. the Corrective Action Plan for the 1st surveillance audit was effectively implemented; records are maintained by the QISMR. CAPs for the internal audits were also sampled and found to have been implemented.
3.6 DIRECTORATE OF EXAMINATIONS
Clause 6.1 Actions to address risks and opportunities
Positive findings
i. The HOD was able to link the risks identified under the QMS that may affect the ISMS and cause it not to achieve its intended outcomes;
ii. For every information security risk identified, the department had come up with a related opportunity;
iii. Interested parties and their needs and expectations were considered, as seen in the minutes of the meeting on methods for measurement, monitoring, analysis and evaluation of QMS performance held on 30th October 2018 and the minutes of the meeting to review the risk register, controls and risk treatment held on 2nd May 2018; in the determination of risks and opportunities, done during a training for process owners, ISMS internal and external issues were discussed;
iv. At the end of each semester a data analysis is conducted, e.g. the number of cases of inaccurate information; see the internal memo "Data Analysis for 2nd Semester 2017/18" dated 18th April 2018.
v. Clear understanding of the information security risk assessment and treatment processes, as evidenced by the documented and maintained risk register No. UoEm/EXAMS/EXRR/019 and risk treatment plan No. UoEm/EXAMS/EXRR/019;
vi. The HOD took the auditor through the statement of applicability (SOA) No. UoEm/QISMR/PD/016 and was able to link it to the risk treatment process;
Areas of improvement
i. The department needs to clearly differentiate between the risks referred to in clause 6.1.1 (risks and opportunities to the ISMS itself achieving its intended outcomes) and those referred to in clause 6.1.2 (information security risks to the confidentiality, integrity and availability of information, which go through the risk assessment process) of the normative document;
Clause 6.2 Information security objectives and planning to achieve them
Positive findings
i. Information security objectives for the year 2019 were developed, as seen in the minutes of the meeting on review of the risk register, controls and risk treatment held on 31st October 2018;
Clause 7.2 Competence
Positive findings
i. Moses Baithili has been taken through an ISMS awareness training, as seen in the "Report on orientation to the operations in the Directorate of Examinations", which covered general operations of the department, QMS and ISMS, dated 29th March 2018;
Clause 7.3 Awareness
Positive findings
i. Evidence of staff awareness of their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance, was demonstrated through an interview with Mercy Gatombu.
Clause 7.5.2 Creating and updating
Positive findings
i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Examination attendance record form No. UoEm-F-Exams-003 Rev 1.
Areas of improvement
i. Correct the reference to the standard on the documented information, i.e. ISO/IEC 27001:2013 instead of ISO 27001:2013 (missing "/IEC");
Clause 10.2 Continual improvement
Positive findings
i. Evidence of continual improvement arising from the ISMS through revision of the Exam Attendance Form No. UoEm-F-Exams-003 Rev 1, which was improved to capture the serial number of the examination booklet and the exam card number.
3.7 ADMISSIONS SECTION (ACADEMICS DIVISION)
Clause 6.1 Actions to address risks and opportunities
Positive findings
i. The department has identified two opportunities (committed staff and automation);
ii. Good understanding of the information security risk assessment process, which has been documented as the Admissions department risk register;
iii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;
Areas of improvement
i. No clear distinction between clause 6.1.1 risks and clause 6.1.2 risks: the risks identified under 6.1.1 are the ones taken through the risk assessment process;
Clause 7.2 Competence
Positive findings
i. The department has ensured staff are competent on the basis of training, as observed through Richard Muthakia's certificate from Maier Consulting Ltd for training conducted 14th-16th February 2018;
Clause 7.5.2 Creating and updating
Positive findings
i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Admission form Ref No. UoEm-F-ADMS-001;
Areas of improvement
i. Include an identification number on the department's risk register;
Clause 7.5.3 Control of documented information
Positive findings
i. Documented information in the department is adequately controlled, available and suitable for use where and when it is needed, and adequately protected from loss of confidentiality, improper use and loss of integrity;
Areas of improvement
i. Include an identification number on the department's risk register;
Clause 8.1 Operational planning and control
Positive findings
i. A plan for implementing the information security objectives was seen and is being monitored through departmental meetings, e.g. developing the university prospectus, as observed in the minutes of the departmental meeting held on 11th April 2019;
3.8 INTERNAL AUDIT
Clause 6.1 Actions to address risks and opportunities
Positive findings
i. The department has determined the internal and external issues that can affect the ISMS;
ii. Good understanding of the information security risk assessment process, which has been documented as the department's risk register;
iii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;
Areas of improvement
i. Residual risk needs to be determined in the risk treatment plan;
Clause 7.2 Competence
Positive findings
i. The department has ensured staff are competent on the basis of training, as observed through the department's ISMS champion's training certificate from Maier Consulting Ltd for training conducted 14th-16th February 2018;
Clause 7.5.2 Creating and updating
Positive findings
i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Meeting attendance form UoEm-F-CA-00 Rev 1;
Areas of improvement
i. The department's risk register should indicate the details of "Issued by", "Authorized by" and "Issue date" for consistency with the other departmental risk registers;
3.9 PUBLIC HEALTH DEPARTMENT
Clause 6.1 Actions to address risks and opportunities
Positive findings
i. Good understanding of the information security risk assessment process, which has been documented as the department's risk register;
ii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;
Areas of improvement
i. Ensure a clear distinction between clause 6.1.1 risks and clause 6.1.2 information security risks.
Clause 7.2 Competence
Positive findings
i. The department has ensured staff are competent on the basis of training, as observed through a 3-day ISMS internal auditor's training based on ISO/IEC 27001 and ISO 19011:2011, conducted on 14-16 February 2018 by Maier Consulting Ltd for Risper Wanja.
Clause 7.5.2 Creating and updating
Positive findings
i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. risk register UoEm/PHS/PHSRR/0131.
Areas of improvement
i. The department's risk register should indicate the details of "Issued by", "Authorized by" and "Issue date" for consistency with the other departmental risk registers;
Clause 7.5.3 Control of documented information
Area of improvement
i. An addition to the signed Public Health information security objectives, i.e. "to institute disciplinary action", had not been validated.
3.10 PROCUREMENT AND STORES DEPARTMENT
Clause 6.1 Actions to address risks and opportunities
Positive findings
i. Good understanding of the information security risk assessment process, which has been documented as the department's risk register;
ii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;
Areas of improvement
i. Ensure a clear distinction between clause 6.1.1 risks and clause 6.1.2 information security risks.
Clause 7.2 Competence
Positive findings
i. The department has ensured staff are competent on the basis of training, as observed through the Certificates of Completion for the ISO/IEC 27001:2013 ISMS Implementation Course, 17-19 May 2017, by Maier Consulting Ltd for Mrs. Purity Chege and Ibrahim Ireri; certificates for the ISMS Internal Audit Course conducted on 14-16 February 2018 were also observed for both.
Clause 7.3 Awareness
Positive findings
i. Grace Mwende and John Toroitich were able to clearly explain the importance of the IS policy and their contribution to the CIA of information;
Clause 7.5.2 Creating and updating
Positive findings
i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. internal memo UoEm/Proc/ISO/Vol.1/131;
Clause 7.5.3 Control of documented information
Positive findings
i. Documented information is adequately controlled, available and suitable for use where and when it is needed, and adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity), e.g. internal memo ref. UoEm/Proc/ISO/Vol.1/131 and the folio sheet on file OuEm/Proc/A/Vol3 for control of documents.
Clause 8.1 Operational planning and control
Positive findings
i. A plan for implementing three (3) information security objectives was developed on 25th February 2019 and is being monitored through departmental meetings;
Clause 9.1 Monitoring, measurement, analysis and evaluation
Positive findings
i. The department is monitoring the implementation of the information security objectives and risk controls.
ii. A good practice was observed: a survey done in September 2018 through questionnaires, Folios 152-159 in File No. UoEm/Proc/ISO/Vol 1.
Clause 10.2 Continual improvement
Positive findings
i. In the past, office flash discs were used to transfer documents to the scanner without proper control; the department now has a control register for the flash discs, thus reducing loss;
ii. The department has also introduced coding of tender documents with a unique code during tender opening, which has resulted in enhanced protection of the documents.
4.0 OTHER INFORMATION
4.1 No changes in the objectives of the audit.
4.2 There was no evidence of misuse of the certification mark.
4.3 No issues were unresolved.
4.4 All the areas in the audit plan were audited.
4.5 The audit objectives were fulfilled.
5.0 AUDIT CONCLUSION/OVERALL OPINION OF THE AUDIT TEAM
Based on the findings above, it is the opinion of the auditors that:
i. The implemented Information Security Management System conforms to the requirements of the ISO/IEC 27001:2013 standard;
ii. There was evidence to demonstrate continual improvement of the system as a whole;
iii. The system is able to meet the applicable statutory, regulatory and contractual requirements.
6.0 RECOMMENDATION
The auditors will recommend continued certification of the University of Embu ISMS to ISO/IEC 27001:2013, subject to submission of an agreeable corrective action plan (CAP).
Elizabeth Kisilu Lead Auditor - ISMS
8th May 2019
APPENDICES
1. Audit Timetable
2. CAR forms
NB: A copy of the attendance register and CAR forms was left with the auditee.
Audit Timetable
NO ASPECT DETAILS
2. Type of audit: 1st surveillance audit
3. Audit Number: KEBS/ISMS/SC/004/18
5. Date(s) of audit: 24th and 25th April 2019
6. Objectives of audit:
i. Determination of the conformity of the client's management system, or parts of it, with audit criteria;
ii. Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;
iii. Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;
iv. Identification of areas for potential improvement of the management system.
7. Scope of audit: 'Provision of training, research and extension'
8. Audit Criteria:
i. ISO/IEC 27001:2013 Standard
ii. UoE ISMS Documentation
9. Audit Team:
Elizabeth Kisilu (EK) - Lead Auditor
James Njuki (JN) - Auditor
[Audit timetable table; the grid did not survive extraction. Columns: Date/Day, Time, Activity/process/shift, Auditor, Clauses. Recoverable cells: departmental audits (including the Department of Land and Water, Thursday) covering clauses 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 10.1, 10.2; auditor EK with departmental staff; 1500-1530 CLOSING MEETING.]
Note: The timetable will be discussed at the opening meeting and may be altered if considered necessary.
11. Elements of the MS standard to be audited as appropriate during the audits, e.g. for ISO 27001 these may include:
Statement of applicability
Communication (7.4)
Corrective and preventive action (10.2)
Compliance with legal and statutory requirements
12. Requirements: Shall include as applicable:
Room(s) for the opening and closing meeting
Room for the auditors’ meeting
Photocopying/printing facilities as necessary
CAR NO. 1 OF 3
ORGANIZATION: University of Embu
AUDIT DATE: 24th and 25th April 2019 AUDIT NO: KEBS/ISMS/SC/004/18
Area under review:
Clause of criteria document: clause 6.1.2 (b)
Requirement:
The organization shall define and apply an information security risk assessment process that:
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
Nonconformity:
Results of the risk assessment did not produce consistent, valid and comparable results in Biological Sciences.
Evidence:
In Biological Sciences, "Falsification of information on teaching units" in the risk register shows a risk level of 4; however, in the risk treatment plan it has a risk level of 2.
"Falsified information on lecture/CAT/practical attendance/course coverage" has a risk level of 4 in the risk register, 2 in the risk treatment plan, and a residual risk of 2.
In Internal Audit, residual risk had not been calculated at the time of the audit.
The strategy column in the risk register is completed in some departments, e.g. Procurement, LWM and Public Health, while others have not completed it, e.g. Internal Audit, Admissions and the Directorate of Examinations.
The strategies in the risk register in some departments, e.g. LWM, do not match the controls selected in the risk treatment plan.
Signed: Auditee____________________ Date of completion __________________________
Signed: Auditor ____________________Auditor’s Name ______________________________
Action fully completed
Action partially completed
No action taken
Auditor Name Date
Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit
for Minor NCs):
Details:
Signed……………… …………………… ……………………….
CAR NO. 2 OF 3
ORGANIZATION: University of Embu
AUDIT DATE: 24th and 25th April 2019 AUDIT NO: KEBS/ISMS/SC/004/18
Area under review: Actions to address risks and opportunities
Clause of criteria document:
Requirement:
When planning for the information security management system, the organization shall consider the
issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
The organization shall plan:
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.
Nonconformity/evidence:
There was no evidence that risks are determined to ensure the information security management system can achieve its intended outcome(s).
From the context, opportunities have been determined; however, there were no actions to address them.
Signed: Auditor_______________________ Auditee _________________________
Signed: Auditee____________________ Date of completion __________________________
Signed: Auditor ___________________ Auditor’s Name ______________________________
Action fully completed
Action partially completed
No action taken
Auditor Name Date
Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit
for Minor NCs):
Details:
Signed……………… …………………… ……………………….
CAR NO. 3 OF 3
ORGANIZATION: University of Embu
AUDIT DATE: 24th and 25th April 2019 AUDIT NO: KEBS/ISMS/SC/02/2015
Area under review: Creating and updating
Clause of criteria document: ISO/IEC 27001:2013 clause 7.5.2
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.
Nonconformity/evidence:
Document control information for the risk registers in ICT, Procurement and Website was not updated after the risk assessment performed in January 2019.
Signed: Auditor_______________________ Auditee _________________________
Signed: Auditee____________________ Date of completion __________________________
Follow up (to be completed by the auditor):
Action fully completed
Action partially completed
No action taken
Auditor Name Date
Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit
for Minor NCs):
Details:
Signed……………… …………………… ……………………….