Page 1: Certification Body - University of Embu

Certification Body

ISO/IEC 27001: 2013

1st SURVEILLANCE AUDIT REPORT FOR

UNIVERSITY OF EMBU

AUDIT NO.

KEBS/ISMS/SC/004/01/19

8TH May 2019


Table of Contents

1.0 INTRODUCTION ..... 3
2.0 AUDIT SUMMARY ..... 4
3.0 DETAILED REPORT ..... 5
3.1 Department of Biological Science ..... 5
3.2 ICT Department ..... 7
3.3 Website and E-Repository Committee ..... 9
3.4 Department of Land and Water ..... 10
3.5 Management Representative ..... 11
3.6 Directorate of Examinations ..... 14
3.7 Admissions ..... 15
3.8 Internal Audit ..... 17
3.9 Procurement and Stores ..... 18
3.10 Department of Public Health ..... 19
4.0 OTHER INFORMATION ..... 20
5.0 AUDIT CONCLUSION/OVERALL OPINION OF THE AUDIT TEAM ..... 20
6.0 RECOMMENDATION ..... 20
APPENDICES ..... 21


1.0 INTRODUCTION

Organization: University of Embu

Representative: Prof. Kiplangat Kotut, DVC ARE & QISMR

Date(s) of audit: 24th & 25th April 2019. No. of audit days: 2

Audit Basis/Criteria: ISO/IEC 27001, ISMS documentation

Audit Scope: Provision of training, research and extension

Audit No.: KEBS/ISMS/SC/004/01/19

Previous audit no.: KEBS/ISMS/SC/004/18

Audit Type: Surveillance

No. of sites audited: N/A

Audit Team: Elizabeth Kisilu - Lead Auditor

James Njuki - Auditor

Audit objective(s):

- Determination of the conformity of the client's management system, or parts of it, with the audit criteria;

- Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;

- Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;

- Identification of areas for potential improvement of the management


2.0 AUDIT SUMMARY

The purpose of the audit was to evaluate the continued fulfilment of the requirements of the ISO/IEC 27001:2013 standard by the Information Security Management System implemented by the University of Embu, for the purpose of continued certification.

The University's information security management system (ISMS) was observed to be preserving the confidentiality, integrity and availability of information in the departments audited. There was evidence that, by applying a risk management process, information security risks are being adequately managed.

The audit was carried out as per the attached audit timetable, Appendix A. The opening and closing meetings were held on 24th and 25th April 2019 and the attendance register is attached. During the audit, the auditors were accorded the necessary cooperation, which enabled the gathering and evaluation of the information used to arrive at the audit findings and conclusions in this report.

The auditors established that:

- The ISMS context has been established, communicated and understood by the auditees.

- Needs and expectations of interested parties have been determined and documented in the ISMS context.

- Risk assessment is done at planned intervals; the risk assessment was reviewed between January and March 2019.

- Implementation of controls is monitored through the monitoring tool documented in the risk register, as was evident in all areas audited.

- There is compliance with the legal requirements determined in the ISMS context.

- There is demonstrated commitment to the implementation of the Information Security Management System.

However, it was noted that:

- There was no evidence that the risks that could prevent the ISMS from achieving its intended outcomes (the risks to be addressed in order to prevent or reduce undesired effects and achieve continual improvement) have been determined, nor was there evidence of a plan of actions to address them.

- No data is captured in the incident registers.

During the audit, several positive findings and opportunities for improvement were recorded, as set out in clause 3.0 of this report. In addition, three (3) minor non-conformities were identified. During the closing meeting, it was agreed that an acceptable Corrective Action Plan (CAP) for the non-conformities shall be submitted to the lead auditor within two (2) weeks.

Elizabeth Kisilu, Lead auditor, 8th May 2019


3.0 DETAILED REPORT

3.1 Dept. of Biological Sciences

6.1.1 Actions to address risks and opportunities

Positive findings

i. Risks have been determined based on the processes of the department, i.e. unit allocation, teaching and examination.

ii. There was evidence that needs and expectations of interested parties were considered when determining the risks.

iii. The risk register for Biological Sciences was reviewed in January 2019, and some of the risks determined include:

- Falsification of information on teaching units

- Falsified information on lecture/CAT/practical attendance/course coverage

- Leakage of draft examination

iv. Actions taken to address these risks are documented in the risk treatment plan, indicating the existing controls and additional controls selected from ISO/IEC 27002. The effectiveness of the controls selected is determined through the use of the monitoring tool, also documented in the Biological Sciences risk register.

Areas of improvement

i. Additional controls were selected from ISO/IEC 27002 instead of ISO/IEC 27001 Annex A.

6.1.2 Information security risk assessment

Positive findings

i. There was evidence that the risk assessment process was followed during the risk assessment done in January 2019. The criteria followed are:

- Likelihood scale of 1-3

- Consequence: High, Medium, Low (1-3 scale)

- Risk appetite: 3*3 matrix

ii. The risk assessment demonstrates loss of CIA on processes. Processes assessed are unit allocation, teaching and examination, as documented in the 2019 risk register.

iii. Risk levels determined were 2, 4 and 6, where Examination had the highest risk level of

6.1.3 Information security risk treatment

Positive findings

i. There was evidence that controls have been selected to address the risks determined, as documented in the Biological Sciences ISMS Risk register_2019. These are existing controls and controls selected from ISO/IEC 27002.

ii. Some of the controls sampled are shown in the table at the end of this section (Risk / Existing control / Controls selected from 27002).


iii. There was evidence that a statement of applicability (SOA) was formulated. Among the departments implementing controls in the SOA are the teaching departments.

iv. A risk treatment plan has been formulated indicating the existing controls, additional controls from Annex A, risk assessment levels as well as the residual risk level.

Areas of improvement

i. There was no evidence that a risk treatment option was selected.

7.2 Competence

Positive findings

i. Competencies are determined as per areas of specialization and acquired. Evidence of competencies is maintained by Human Resource.

ii. All members of staff in Biological Sciences have been trained on ISMS, on either the implementation or the awareness course.

8.1 Operational planning and control

Positive findings

i. Examination papers and results are controlled through a controlled examination office, lockable cabinets and classification of information.

8.2 Information security risk treatment

i. There was evidence that controls selected from Annex A are being implemented:

- Institute disciplinary process (A.7.2.3): implemented by the Human Resource department, procedure manual no. UoEm/HR/HRPM/003

- Create information security awareness, education and training (A.7.2.2): process owners' training report on implementation of ISO 9001:2015 & ISO/IEC 27001:2013 dated March 29, 2019

ii. A code of conduct is signed by lecturers to ensure confidentiality.

iii. The computer sampled had updated Kaspersky antivirus and licensed software, e.g. Windows 10 and Microsoft Office 2016.

Controls sampled (3.1, 6.1.3 ii):

Risk | Existing control | Controls selected from 27002

Falsification of information on teaching units | Existing authority approvals, implementation of existing curriculum | Institute disciplinary process (A.7.2.3)

Inaccurate information on class size | Existing authority approvals | Institute disciplinary process (A.7.2.3)


3.2 ICT Department

6.1.2 Information security risk assessment

Positive findings

i. The risk assessment done in March 2019 followed the determined risk criteria:

- Likelihood scale of 1-3

- Consequence: High, Medium, Low (1-3 scale)

- Risk appetite: 3*3 matrix

ii. In the 2018 risk register the risk level for denial of service is 6 and the residual risk is 2, the same as in 2019, because of the criticality of the risk if it were to materialize.

iii. Risk assessment is done considering loss of confidentiality, integrity and availability of processes.

iv. ICT risks assessed include:

- Denial of access to information

- Loss of backed-up information

- Unauthorized access to information

v. There was evidence that the risk assessment process produced different risk levels, between 2 and 9.

vi. Risk prioritization is done as per the risk appetite documented in the risk register.

6.1.3 Information security risk treatment

Positive findings

i. There was evidence that ICT chose a risk treatment option, defined as "Strategy" in the risk register, where the risk treatment options chosen are "reduce" for High & Medium and "accept" for Low risks.

ii. There was evidence that existing controls are determined and additional controls selected from ISO/IEC 27002.

iii. A risk treatment plan for all risks has been formulated together with the monitoring tool documented in the ICT ISMS risk register 2019. The time frame for all risks in the treatment plan is December 2020.
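A worked illustration of the risk scoring and treatment-plan checks described in 3.1 and 3.2 above (likelihood and consequence on 1-3 scales, a 3*3 risk appetite matrix, "reduce" for High and Medium and "accept" for Low, residual risk and Annex A control references). This is an added example, not part of the audit report or of the University's ISMS documents; the High/Medium/Low bands, the RiskEntry fields and the sample register rows are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Scales stated in the report: likelihood 1-3, consequence 1-3 (High/Medium/Low), 3*3 matrix.
SCALE = range(1, 4)


# ASSUMPTION: the report does not give the High/Medium/Low bands of the appetite matrix.
# It describes levels 6 and 9 as "high", so these bands are a consistent guess, not the
# University's actual risk appetite.
def rating(level: int) -> str:
    if level >= 6:
        return "High"
    if level >= 3:
        return "Medium"
    return "Low"


def risk_level(likelihood: int, consequence: int) -> int:
    """Risk level as the product of the two 1-3 scores (possible values 1, 2, 3, 4, 6, 9)."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must be on the 1-3 scale")
    return likelihood * consequence


def expected_treatment(level: int) -> str:
    """Strategy recorded in the ICT register: reduce High and Medium risks, accept Low ones."""
    return "Accept" if rating(level) == "Low" else "Reduce"


# Annex A references look like A.7.2.3; anything else (e.g. a bare ISO/IEC 27002 clause)
# is flagged, mirroring the area of improvement raised for Biological Sciences.
ANNEX_A_REF = re.compile(r"^A\.\d{1,2}\.\d{1,2}\.\d{1,2}$")


@dataclass
class RiskEntry:
    """One row of a departmental risk register (field names are assumed, not the report's)."""
    process: str
    risk: str
    likelihood: int
    consequence: int
    existing_controls: List[str] = field(default_factory=list)
    additional_controls: List[str] = field(default_factory=list)
    treatment_option: Optional[str] = None   # "Reduce" or "Accept"
    residual_level: Optional[int] = None
    target_date: Optional[str] = None


def review_entry(entry: RiskEntry) -> List[str]:
    """Observations of the kind the auditors raised; an empty list means the row is complete."""
    issues: List[str] = []
    level = risk_level(entry.likelihood, entry.consequence)
    if entry.treatment_option is None:
        issues.append("no risk treatment option selected")
    elif entry.treatment_option != expected_treatment(level):
        issues.append(f"treatment option {entry.treatment_option!r} inconsistent with "
                      f"strategy for a {rating(level)} risk")
    if entry.residual_level is None:
        issues.append("residual risk level not determined")
    elif entry.residual_level > level:
        issues.append("residual risk level exceeds the assessed risk level")
    if not entry.existing_controls and not entry.additional_controls:
        issues.append("no controls recorded")
    for ref in entry.additional_controls:
        if not ANNEX_A_REF.match(ref):
            issues.append(f"control {ref!r} is not an ISO/IEC 27001 Annex A reference")
    if entry.target_date is None:
        issues.append("no time frame in the treatment plan")
    return issues


def review_register(register: List[RiskEntry]) -> Dict[str, List[str]]:
    """Map each risk name to its observations, so incomplete rows can be listed for the CAP."""
    return {entry.risk: review_entry(entry) for entry in register}


# Constructed sample register; the scores are illustrative, not the University's real values.
SAMPLE_REGISTER = [
    RiskEntry("ICT services", "Denial of service", 2, 3,
              existing_controls=["Network segregation through VLANs", "Onsite and offsite backup"],
              treatment_option="Reduce", residual_level=2, target_date="December 2020"),
    RiskEntry("Examination", "Leakage of draft examination", 1, 3,
              existing_controls=["Password-protected drafts", "Lockable cabinet"],
              additional_controls=["A.11.1.3"],
              treatment_option="Reduce", residual_level=1, target_date="December 2020"),
    # Deficient row: no treatment option, no residual risk, control cited from 27002 not Annex A.
    RiskEntry("Unit allocation", "Inaccurate information on class size", 1, 2,
              existing_controls=["Existing authority approvals"],
              additional_controls=["ISO/IEC 27002 7.2.3"]),
]

if __name__ == "__main__":
    for risk, issues in review_register(SAMPLE_REGISTER).items():
        print(f"{risk}: {'complete' if not issues else '; '.join(issues)}")
```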

6.2 Information security objectives and planning to achieve them

Positive findings

i. ICT has established two information security objectives as per the requirements: ICT information security objectives dated 12th March 2019.

ii. There was evidence that a plan to achieve the objectives has been established, as documented in the ICT information security objectives dated 12th March 2019.

7.2 Competence

Positive findings

i. Competencies for ICT staff are determined and achieved through performance appraisal and training, e.g. PC target for FY 2018/2019 indicating staff performance targets, and appraisal form UOEM-HRM-008, competency/training needs assessment form, for PF No. 0143 was sampled. Evidence of training on system administration and server administration was availed.

ii. There was evidence that training is done to enhance the competency of ICT staff, e.g. on-the-job training on ICT service delivery through the knowledge base accessed through support.embuni.ac.ke.

iii. There was evidence that ICT staff are competent in their roles, e.g. sampled staff were able to demonstrate how segregation of the network and on-site backup are done.

8.2 Information security risk assessment

Positive findings

i. There was evidence that risk assessment is done at planned intervals and evidence is maintained, e.g. risk assessment is done annually. Risk registers for 2018 and 2019 were evident.

8.3 Information security risk treatment

Positive findings

i. A risk treatment plan has been formulated and documented in the ICT ISMS risk

ii. There was evidence that the controls selected are effectively implemented. Some of the controls selected are: network segregation done through VLANs (Virtual Local Area Networks); these VLANs include WAN, voice, administrators, wireless, management and labs, and the segregation is done through the firewall.

iii. The VLAN for staff holds resources that are authorized to be accessed by staff only. Traffic graphs for the different VLANs were demonstrated in the firewall.

iv. There are two types of backup for university information, onsite backup and offsite backup. Onsite backup for Biological Sciences was sampled.

v. Onsite backup logs were available, indicating that the last backup was done on 24th April 2019 at 12.15 pm and the next backup was scheduled for 25th April 2019 at 11.40 am. A backup retention form is used to communicate to ICT the information that needs to be backed up.

vi. Users can also back up their data on OneDrive.

vii. The ICT support system is used to manage user requests/repairs/accessory replacement using request form ICT-002 1219. All tickets had been closed at the time of audit.

10.1 Nonconformity and corrective action

Positive findings

There was evidence that ICT addressed the non-conformity raised during the certification audit (CAR 2 of 3). This was done by developing a form that is signed by all risk owners as evidence of approval of residual risk. Records are maintained by the QISMR.


3.3 WEBSITE

4.2 Understanding the needs and expectations of interested parties

Positive findings

i. Website has determined its interested parties, which include students, university management, suppliers, parents, etc.

ii. Some of the needs of the interested parties are:

- Students: accurate and timely information on the website

- University management: timely uploading of information on the website, and a procedure to be followed when uploading information on the website

iii. There was evidence that information about interested parties is monitored for realization, as documented in the monitoring template for interested parties & requirements / internal and external issues / risks and opportunities.

iv. Risks and opportunities have been determined and documented in the monitoring template for interested parties & requirements / internal and external issues / risks and opportunities.

6.1.2 Information security risk assessment

Positive findings

i. The risk assessment done in March 2019 followed the determined risk criteria:

- Likelihood scale of 1-3

- Consequence: High, Medium, Low (1-3 scale)

- Risk appetite: 3*3 matrix

ii. Risk assessment is done considering loss of confidentiality, integrity and availability of processes.

iii. ICT risks assessed are:

- Denial of service

- Uploading inaccurate content

iv. There was evidence that the risk assessment process produced risk levels of 6 and 9, which are high in the risk matrix.

v. Risk prioritization is done as per the risk appetite documented in the risk register.

8.3 Information security risk treatment

Positive findings

i. There was evidence that the controls selected in the risk treatment plan are being implemented. Some of the controls sampled are:

- The firewall (pfSense) is regularly updated once updates are released.

- Training is done for the website and repository team, e.g. secure systems management training by KENET, KLISC/EIFL training for repository managers and library ICT persons, and IBM Data Engineer training, done between 11th and 15th March 2019; a member of the website committee attended.

ii. There was evidence that documents are approved by the registrar before being uploaded to the website, e.g. the contract award document for February 2019 was approved by Timothy, who is authorized by the registrar to approve documents for uploading.


iii. The incoming document register UoEm-Reg-WNR-001 vol.2 is used to monitor website content being uploaded.

iv. Web content is backed up onsite and offsite.

3.4 Department of Land and Water

6.1.2 Information security risk assessment

Positive findings

i. There was evidence that risk assessment was done following the defined criteria.

ii. Some of the risks in the department are:

- Acceptance of falsified academic credentials for part-time lecturers

- Leakage of examinations during submission and moderation of examination drafts

- Falsification of information on lecture/CAT/practical attendance/course coverage

iii. Opportunities: attachment for students in industry.

6.2 Information security objectives and planning to achieve them

Positive findings

i. The department has established information security objectives and a plan to achieve them.

ii. The information security objectives have been determined considering the results of risk assessment and risk treatment, and they are measurable.

8.3 Information security risk treatment

Positive findings

i. There was evidence that existing controls and controls selected from Annex A are being implemented. The following controls were tested for implementation:

- Draft examinations are protected by password and backed up on an external hard disk.

- There is one lockable, well-labelled cabinet for storing controlled documents.

- Information contained in this lockable cabinet was classified as per the Information Classification, Handling & Transfer policy, e.g. individual mark sheet UoEm/LWM/IM/Vol.3 was classified as confidential.

- Genuine software is installed on the sampled PC, e.g. Windows 7 Ultimate and MS Office 2007.

- Kaspersky antivirus was updated at the time of audit.

- Information assets are identified, e.g. the CPU in the department is identified as UoEm/LWM/CPU/01.

- Network computers cannot be accessed by unauthorized staff/persons. The auditor tried to access desktop-479tnh0 and it requested an authentication password.

- The clear screen/desk policy is being observed.


ii. A risk treatment plan has been formulated and is being implemented as documented, e.g. the control for incompleteness of examination results leading to missing marks is to sensitize students to correctly register for units in the ERP.

SOA

Positive findings

A.11.1.3 Securing offices, rooms and facilities: the offices have lockable doors and windows.

A.11.2.4 Equipment shall be correctly maintained to ensure its continued availability and integrity: computers were maintained by the ICT department; all software was up to date at the time of audit.

3.5 Management Representative

4.1 Understanding the organization and its context

Positive findings

i. There was evidence that the university has established its ISMS context, as documented in UoEm ISMS context UoEm/QISMR/PD/005 dated 05-December-2017.

ii. Some of the internal issues are:

- Lack of enough capacity to secure information

- Use of inaccurate/incomplete information

- Loss/destruction of information

iii. Some of the external issues determined are:

- Legal requirements to divulge confidential information

- Inaccurate or incomplete information from external organisations

- Counterfeit IT resources

iv. The document containing the context has been classified as restricted information.

4.2 Understanding the needs and expectations of interested parties

Positive findings

i. 14 interested parties relevant to the Information Security Management System have been determined, as documented in ISMS context UoEm/QISMR/PD/005.

ii. There was evidence that the needs and expectations of these interested parties have also been established, including legal requirements. They include:

Interested party | Expectation or requirement

Students | a) Availability and accuracy of results

 | b) Availability of complete feedback

 | c) Availability of teaching-learning resources

 | d) Confidentiality of personal record

 | e) Accuracy of information passed to them

iii. Some of the legal requirements relevant to interested parties are:

- Constitution of Kenya, Chapter 4, Article 35 (Availability): every Kenyan has the right of access to information held by another person, and every person has the right to the correction or deletion of misleading information.

- Public Procurement and Asset Disposal Act 2015, section 67 (Confidentiality): no procuring entity, employee or agent shall disclose information on procurement whose disclosure will impede law enforcement or which will be the interest of the public; information relating to procurement whose disclosure would prejudice legitimate commercial interest or intellectual property rights or inhibit fair competition; information relating to the evaluation, comparison or clarification of tenders, proposals or quotations; or the contents of tenders, proposals or quotations.

4.4 Information security management system

Positive findings

i. There was evidence that the university has established an ISMS that is implemented at all relevant functional areas, levels and processes, as per Information Security Policy UoEm/QISMR/PD/002.

ii. There was evidence that the ISMS is improved through review of ISMS documents (e.g. risk assessment), monitoring of ISMS processes (e.g. the monitoring tool for the risk treatment plan) and internal and external audits carried out at planned intervals.

6.2 Information security objectives and planning to achieve them

Areas of improvement

i. No information security objectives have been determined in the QISMR's office.

7.1 Resources

Positive findings

i. There was evidence that the resources required for the information security management system have been determined and provided, e.g. the approved budgetary allocation for FY 2018/2019, UoEm/fin/budgets/voll.3/243.

ii. Other resources provided include competent personnel, IT infrastructure, security services, etc.

7.2 Competence

Positive findings

i. Competence for internal auditors has been determined and acquired through training undertaken in February 2018.


ii. IQA certificates for the following auditors, who audited during the internal audits of 13th to 14th November 2018, were availed:

- Caroline Wambui Ndiri

- Beatrice Wanjiru Gitonga

- Kelvin Muchunga Ndaru

iii. Audit reports for the internal audits and CAR forms were availed. The reports reflected quality audit findings and CAR forms. Records are maintained in UoEM/MR/NCQRF(ISMS)/VOL.1.

9.1 Monitoring, measurement, analysis and evaluation

Positive findings

i. The university has established several methods for monitoring ISMS performance, e.g.:

- Monitoring of the risk treatment plan

- Monitoring and evaluation of information security objectives

- Analysis of internal audits

ii. Analysis of the internal audit conducted between 13th and 15th March 2018 indicated that there were 34 minor and 4 major non-conformities. Records are documented in UOEM/ISMS/IA/01/2018.

9.2 Internal audit

Positive findings

i. There was evidence that internal audits are carried out at planned intervals. The audit program for 2018 indicated that the university undertook two internal audits, in the months of March and August 2018. The audit program was approved on 9th January 2018.

ii. During the March internal audits, 47 areas were audited and audit findings, including CAR forms, were maintained.

iii. The audit plan for the same audit demonstrated that none of the auditors audited their own departments.

iv. Audit criteria and audit scope were adequately defined as per the March audit plan.

9.3 Management review

Positive findings

i. There was evidence that management review meetings are held, e.g. the action plan from the 2nd combined management review meeting of 2019 was availed. ISMS issues were discussed, resolutions determined, responsibilities assigned and timeframes determined.

10.1 Nonconformity and corrective action

Positive findings

i. There was evidence that corrections and corrective actions for non-conformities raised during internal and external audits are addressed as per requirements, e.g. the Corrective Action Plan for the 1st surveillance audit was effectively implemented. Records are maintained by the QISMR. CAPs for the internal audits were also sampled and found to have been implemented.

3.6 DIRECTORATE OF EXAMINATIONS

Clause 6.1 Actions to address risks and opportunities

Positive Findings

i. The HOD was able to link the risks identified under the QMS that may affect the ISMS and cause it not to achieve the intended outcomes;

ii. For every information security risk identified, the department had come up with a related opportunity;

iii. Interested parties and their needs and expectations were considered, as seen in the minutes of the meeting on methods for measurement, monitoring, analysis and evaluation of performance of the QMS held on 30th Oct 2018 and the minutes of the meeting to review the risk register, controls and risk treatment held on 2nd May 2018, in the determination of risks and opportunities done during a training for process owners, where ISMS internal and external issues were discussed;

iv. At the end of each semester a data analysis is conducted, e.g. no. of cases of inaccurate information; see Internal Memo Data Analysis for 2nd semester 2017/18 dated 18th April 2018;

v. Clear understanding of the information security risk assessment and treatment processes, as evidenced by the documented and maintained risk register No. UoEm/EXAMS/EXRR/019 and risk treatment plan No. UoEm/EXAMS/EXRR/019;

vi. The HOD took the auditor through the statement of applicability (SOA) No. UoEm/QISMR/PD/016 and was able to link it to the risk treatment process;

Areas of improvement

i. The department needs to clearly differentiate between the risks referred to in clause 6.1.1 and those referred to in clause 6.1.2 of the normative document;

Clause 6.2 Information security objectives and planning to achieve them

Positive Findings

i. Information security objectives for the year 2019 were developed, as seen in the minutes of the meeting on review of the risk register, controls and risk treatment held on 31st October 2018;

Clause 7.2 Competence

Positive Findings

i. Moses Baithili has been taken through an ISMS awareness training, as seen in the "Report on orientation to the operations in the directorate of examinations", which covered general operations of the department, QMS and ISMS, dated 29th March 2018;


Clause 7.3 Awareness

Positive Findings

i. Evidence of staff awareness of their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance, was demonstrated through interviewing Mercy Gatombu.

Clause 7.5.2 Creating and updating

Positive findings

i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Examination attendance record form No. UoEm-F-Exams-003 Rev 1.

Areas of Improvement

i. Correct reference to the standard on the documented information, i.e. ISO/IEC 27001:2013 instead of ISO 27001:2013 (missing /IEC);

Clause 10.2 Continual improvement

Positive findings

i. Evidence of continual improvement arising from the ISMS through revision of Exam Attendance Form no. UoEm-F-Exams-003 Rev 1, which was improved to capture the serial number of the examination booklet and the exam card number.

3.7 ADMISSIONS SECTION (ACADEMICS DIVISION)

Clause 6.1 Actions to address risks and opportunities

Positive Findings

i. The department has identified two opportunities (committed staff and automation);

ii. Good understanding of the information security risk assessment process, which has been documented as the Admissions department risk register;

iii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;

Areas of Improvement

i. No clear distinction between 6.1.1 risks and 6.1.2 risks. The risks identified under 6.1.1 are the ones taken through the risk assessment process;


Clause 7.2 Competence

Positive Findings

i. The department has ensured staff are competent on the basis of training, as observed through Richard Muthakia's certificate from Maier Consulting Ltd for training conducted 14th-16th February 2018;

Clause 7.5.2 Creating and updating

Positive findings

i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Admission form Ref No. UoEm-F-ADMS-001;

Areas of Improvement

i. Include an identification number on the department's risk register;

Clause 7.5.2 Control of documented information

Positive findings

i. Documented information in the department is adequately controlled, available and suitable for use where and when it is needed, and adequately protected from loss of confidentiality, improper use and loss of integrity;

Areas of Improvement

i. Include an identification number on the department's risk register;

Clause 8.1 Operational planning and control

Positive findings

i. A plan for implementing the information security objectives was seen and is being monitored through departmental meetings, e.g. developing the university prospectus, as observed in the minutes of the departmental meeting held on 11th April 2019;


3.8 INTERNAL AUDIT

Clause 6.1 Actions to address risks and opportunities

Positive Findings

i. The department has determined internal and external issues that can affect the ISMS;

ii. Good understanding of the information security risk assessment process, which has been documented as the department's risk register;

iii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;

Areas of Improvement

i. Residual risk needs to be determined in the risk treatment plan;

Clause 7.2 Competence

Positive Findings

i. The department has ensured staff are competent on the basis of training, as observed through the department's ISMS champion training certificate from Maier Consulting Ltd for training conducted 14th-16th February 2018;

Clause 7.5.2 Creating and updating

Positive findings

i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. Meeting attendance form UoEm-F-CA-00 Rev 1.

Areas of Improvement

i. The department's risk register should indicate details of Issued by, Authorized by and Issue date, for consistency with other departmental risk registers;

3.9 PUBLIC HEALTH DEPARTMENT

Clause 6.1 Actions to address risks and opportunities

Positive Findings

i. Good understanding of the information security risk assessment process, which has been documented as the department's risk register;

ii. Good understanding of the information security risk treatment process, documented as the department's risk treatment plan;

Areas of Improvement

i. Ensure a clear understanding of the distinction between clause 6.1.1 risks and clause 6.1.2 information security risks.


Competence Clause 7.2 Positive Findings

i. Department has ensured staff are competent on the basis of training as observed through a

3-days ISMS Internal Auditor’s training based on ISO/IEC 27001 and ISO 19011:2011

conducted on 14 – 16 February 2018 by Maier Consulting Ltd for Risper Wanja.

Clause 7.5.2 Creating and updating

Positive Findings

i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. risk register UoEm/PHS/PHSRR/0131;

Areas of Improvement

i. The department’s risk register should indicate details of Issued by, Authorized by and Issue date for consistency with other departmental risk registers;

Clause 7.5.3 Control of documented information

Area of Improvement

i. The addition to the signed Public Health Information Security Objectives, i.e. “to Institute disciplinary action”, had not been validated.

3.10 PROCUREMENT AND STORES DEPARTMENT

Clause 6.1 Actions to address risks and opportunities

Positive Findings

i. Good understanding of the Information Security Risk Assessment Process, which has been documented as the department’s risk register;

ii. Good understanding of the Information Security Risk Treatment Process, documented as the department’s Risk Treatment Plan;

Areas of Improvement

i. Ensure a clear understanding of the distinction between clause 6.1.1 risks and clause 6.1.2 information security risks.

Clause 7.2 Competence

Positive Findings

i. The department has ensured staff are competent on the basis of training, as observed through the Certificate of Completion for the ISO/IEC 27001:2013 ISMS Implementation Course, 17–19 May 2017, by Maier Consulting Ltd for Mrs. Purity Chege and Ibrahim Ireri; certificates for the ISMS Internal Audit Course conducted on 14–16 February 2018 were also observed for both.

Clause 7.3 Awareness

Positive Findings

i. Grace Mwende and John Toroitich were able to clearly explain the importance of the IS policy and their contribution to the CIA of information;

Clause 7.5.2 Creating and updating

Positive Findings

i. Documented information was observed to have identification numbers, title, date, author, version, review and approval during document review and by sampling departmental documents, e.g. internal memo UoEm/Proc/ISO/Vol.1/131;

Clause 7.5.3 Control of documented information

Positive Findings

i. Documented information is adequately controlled, available and suitable for use where and when it is needed, and adequately protected (e.g. from loss of confidentiality, improper use or loss of integrity); e.g. Internal Memo ref UoEm/Proc/ISO/Vol.1/131 and Folio sheet on File OuEm/Proc/A/Vol3 for control of documents.

Clause 8.1 Operational planning and control

Positive Findings

i. A plan for implementing three (3) Information Security Objectives was developed on 25th February 2019 and is being monitored through departmental meetings;

Clause 9.1 Monitoring, measurement, analysis and evaluation

Positive Findings

i. The department is monitoring implementation of the Information Security Objectives and Risk Controls;

ii. A good practice was observed: a survey done in September 2018 through questionnaires, Folio 152–159 in File No UoEm/Proc/ISO/Vol 1.

Clause 10.2 Continual improvement

Positive Findings

i. In the past, office flash discs were used to transfer documents to the scanner without proper control; the department now has a control register for the flash discs, thus reducing loss;

ii. The department has also introduced coding of tender documents with a unique code during tender opening, which has resulted in enhanced protection of the documents.


4.0 OTHER INFORMATION

4.1 No changes in the objectives of the audit.

4.2 There was no evidence of misuse of the certification mark.

4.3 No issues were unresolved.

4.4 All the areas in the audit plan were audited.

4.5 The audit objectives were fulfilled.

5.0 AUDIT CONCLUSION/OVERALL OPINION OF THE AUDIT TEAM

Based on the findings above, it is the opinion of the auditors that:

i. The implemented Information Security Management System conforms to the requirements of the ISO/IEC 27001:2013 standard.

ii. There was evidence to demonstrate continual improvement of the system as a whole.

iii. The system is able to meet the applicable statutory, regulatory & contractual requirements.

6.0 RECOMMENDATION

The auditors will recommend continued certification of the University of Embu ISMS to ISO/IEC 27001:2013, subject to submission of an agreeable corrective action plan (CAP).

Elizabeth Kisilu, Lead Auditor - ISMS

8th May 2019


APPENDICES

1. Audit Timetable

2. CAR forms

NB: A copy of the attendance register and CAR forms was left with the auditee.

Audit Timetable

NO | ASPECT | DETAILS

1. Organization to be audited: UNIVERSITY OF EMBU

2. Type of audit: 1st surveillance audit

3. Audit Number: KEBS/ISMS/SC/004/18

4. Date of notification: 17th April 2019

5. Date(s) of audit: 24th and 25th April 2019

6. Objectives of audit:

i. Determination of the conformity of the client’s management system, or parts of it, with the audit criteria;

ii. Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;

iii. Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;

iv. As applicable, identification of areas for potential improvement of the management system.

7. Scope of audit: ‘Provision of training, research and extension’

8. Audit Criteria:

i. ISO/IEC 27001:2013 Standard

ii. UoE ISMS Documentation

iii. Relevant legal and statutory requirements.

9. Audit Team: Elizabeth Kisilu (EK) - Lead Auditor; James Njuki (JN) - Auditor


DAY ONE - WEDNESDAY, 24TH APRIL 2019

Time | Activity/process/shift to be audited as applicable | Element of MS standard | Auditee participant(s)
0900-0930 | Opening Meeting | N/A | Auditors, management, sectional heads, any other persons as determined by MR
0930-1100 | Dept. of Biological Sciences | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 10.1, 10.2 | EK, Departmental representative
0930-1100 | Directorate of Examinations | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 10.1, 10.2 | JN, Departmental representative
1100-1300 | ICT | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 10.1, 10.2 | EK, Departmental representative
1100-1300 | Admissions | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 10.1, 10.2 | JN, Departmental representative
1300-1400 | LUNCH BREAK | - | -
1400-1600 | Website and e-repository committee | 4.2, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 10.1, 10.2 | EK, Departmental representative
1400-1600 | Internal Audit | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 10.1, 10.2 | JN, Departmental representative
1600-1700 | AUDITORS REVIEW | - | -

DAY TWO - THURSDAY, 25TH APRIL 2019

Time | Activity/process/shift to be audited as applicable | Element of MS standard | Auditee participant(s)
0900-1100 | Dept. of Land and Water | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 10.1, 10.2 | EK, Departmental representative
0900-1100 | Dept. of Public Health | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 10.1, 10.2 | JN, Departmental representative
1100-1300 | Management Representative | 4.1, 4.2, 4.4, 6.1.1, 6.1.2, 6.1.3, 6.2, 7.1, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 9.2, 9.3, 10.1, 10.2 | EK, Departmental representative
1100-1300 | Procurement and Stores | 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 10.1, 10.2 | JN, Departmental representative
1300-1400 | LUNCH BREAK | - | -
1400-1500 | AUDITORS REVIEW MEETING | - | -
1500-1530 | CLOSING MEETING | - | -

Note: The timetable will be discussed at the opening meeting and may be altered if considered necessary.

11. Elements of the MS standard to be audited as appropriate during the audits, e.g. for ISO 27001 these may include:

i. Implementation of controls (A.5 – A.18)

ii. Statement of applicability

iii. Control of documents (7.5.3)

iv. Awareness of Quality Policy (7.3)

v. Communication (7.4)

vi. Analysis and Evaluation (9.1.3)

vii. Control of non-conforming product (8.7)

viii. Corrective and preventive action (10.2)

ix. Compliance with legal and statutory requirements

12. Requirements: Shall include as applicable:

i. Room(s) for the opening and closing meeting

ii. Room for the auditors’ meeting

iii. Photocopying/printing facilities as necessary

iv. A Guide for each of the audit teams


Elizabeth Kisilu, Lead Auditor    Sign: ________________    Date: 17/04/2019


CAR forms

CER/F/06: CORRECTIVE ACTION REQUEST (CAR) FORM

CAR NO. 1 OF 3

ORGANIZATION: University of Embu

AUDIT DATE: 24th and 25th April 2019    AUDIT NO: KEBS/ISMS/SC/004/18

Area under review: Information security risk assessment

Clause of criteria document: ISO/IEC 27001:2013 clause 6.1.2 (b)

Requirement: The organization shall define and apply an information security risk assessment process that: b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;

Nonconformity: Results of the risk assessment did not produce consistent, valid and comparable results in Biological Sciences.

Evidence:

i. In Biological Sciences, “Falsification of information on teaching units” in the risk register shows a risk level of 4; however, in the risk treatment plan it has a risk level of 2.

ii. “Falsified information on lecture/CAT/practical attendance/course coverage” has a risk level of 4 in the risk register, 2 in the risk treatment plan, and a residual risk of 2.

iii. In Internal Audit, residual risk had not been calculated at the time of the audit.

iv. The strategy column in the risk register is completed in some departments (e.g. Procurement, LWM and Public Health) while others have not completed it (e.g. Internal Audit, Directorate of Examinations and Admissions).

v. The strategies in the risk register in some departments (e.g. LWM) do not match the controls selected in the risk treatment plan.
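Every item of evidence in this CAR (a risk scored 4 in the register but 2 in the treatment plan, residual risk not calculated, a blank strategy column, strategies that do not match the selected controls), together with the clause 7.5.2 findings on missing Issued by, Authorized by and Issue date, is a mechanical cross-check between two documents that a department can run on itself before an audit. The following is an added example of such a check; it is not part of this audit report or of the University of Embu’s ISMS documentation, and the record layout, field names, strategy-to-control rule and sample risks are constructed assumptions.

```python
"""Cross-check a departmental risk register against its risk treatment plan.

Constructed example, not from the audit report: the records below are invented
to mirror the kinds of inconsistency cited in CAR 1 and the clause 7.5.2
finding on missing document-control fields. Field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RegisterEntry:
    risk_id: str
    description: str
    risk_level: int                 # risk level as scored in the register
    strategy: Optional[str] = None  # "reduce", "accept", ...; None = column left blank


@dataclass
class TreatmentEntry:
    risk_id: str
    risk_level: int                      # risk level as carried into the treatment plan
    residual_risk: Optional[int] = None  # None = not yet calculated
    controls: List[str] = field(default_factory=list)  # e.g. Annex A control ids


@dataclass
class RiskRegister:
    department: str
    entries: List[RegisterEntry]
    issued_by: Optional[str] = None
    authorized_by: Optional[str] = None
    issue_date: Optional[str] = None


def check_consistency(register: RiskRegister, plan: List[TreatmentEntry]) -> List[str]:
    """Return one finding per inconsistency; an empty list means the documents agree."""
    findings: List[str] = []
    dept = register.department

    # Clause 7.5.2: document-control fields the auditors expected on every register.
    for name in ("issued_by", "authorized_by", "issue_date"):
        if not getattr(register, name):
            findings.append(f"{dept}: register missing '{name}'")

    plan_by_id = {t.risk_id: t for t in plan}
    for e in register.entries:
        t = plan_by_id.get(e.risk_id)
        if t is None:
            findings.append(f"{dept}/{e.risk_id}: in register but absent from treatment plan")
            continue
        # Clause 6.1.2 b): the same risk must not carry different levels in the two documents.
        if e.risk_level != t.risk_level:
            findings.append(f"{dept}/{e.risk_id}: risk level {e.risk_level} in register "
                            f"vs {t.risk_level} in treatment plan")
        if t.residual_risk is None:
            findings.append(f"{dept}/{e.risk_id}: residual risk not calculated")
        elif t.residual_risk > t.risk_level:
            findings.append(f"{dept}/{e.risk_id}: residual risk exceeds treated risk level")
        # Strategy column and selected controls must tell the same story (assumed rule).
        if e.strategy is None:
            findings.append(f"{dept}/{e.risk_id}: strategy column not completed")
        elif e.strategy == "reduce" and not t.controls:
            findings.append(f"{dept}/{e.risk_id}: strategy 'reduce' but no controls selected")
        elif e.strategy == "accept" and t.controls:
            findings.append(f"{dept}/{e.risk_id}: strategy 'accept' but controls selected")
    return findings


# Constructed sample data: one department whose documents disagree, one with gaps.
BIO_REGISTER = RiskRegister(
    department="Biological Sciences",
    issued_by="ISMS champion", authorized_by="HoD", issue_date="2019-01-15",
    entries=[
        RegisterEntry("BS-01", "Falsification of information on teaching units", 4, "reduce"),
        RegisterEntry("BS-02", "Loss of marked scripts", 3, "reduce"),
    ])
BIO_PLAN = [
    TreatmentEntry("BS-01", risk_level=2, residual_risk=2, controls=["A.9.2.1"]),
    TreatmentEntry("BS-02", risk_level=3, residual_risk=1, controls=["A.11.2.9"]),
]
IA_REGISTER = RiskRegister(
    department="Internal Audit", authorized_by="HoD", issue_date="2019-01-20",
    entries=[RegisterEntry("IA-01", "Unauthorised access to audit working papers", 3)])
IA_PLAN = [TreatmentEntry("IA-01", risk_level=3, controls=["A.9.4.1"])]


def audit_all() -> List[str]:
    """Run the check over every constructed department and collect the findings."""
    return check_consistency(BIO_REGISTER, BIO_PLAN) + check_consistency(IA_REGISTER, IA_PLAN)


if __name__ == "__main__":
    for finding in audit_all():
        print("FINDING:", finding)
```

Run before each assessment cycle, the check turns the auditor’s sampling into a full sweep: every register entry is compared with its treatment-plan counterpart, so a level that was re-scored in one document but not the other is caught at the source rather than on the CAR form.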

Signed: Auditor _______________________    Auditee _________________________

Category: MAJOR / MINOR

Root Cause:

Correction (as applicable):

Corrective action to be taken to prevent recurrence:

Signed: Auditee ____________________    Date of completion __________________________

Signed: Auditor ____________________    Auditor’s Name ______________________________


Follow up (to be completed by the auditor):

Action fully completed / Action partially completed / No action taken

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….

Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit for Minor NCs):

Was the corrective action taken effective? YES / NO

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….


CER/F/06: CORRECTIVE ACTION REQUEST (CAR) FORM

CAR NO. 2 OF 3

ORGANIZATION: University of Embu

AUDIT DATE: 24th and 25th April 2019    AUDIT NO: KEBS/ISMS/SC/004/18

Area under review: Actions to address risks and opportunities

Clause of criteria document: ISO/IEC 27001:2013 clause 6.1.1 a, d, e

Requirement: When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s); The organization shall plan: d) actions to address these risks and opportunities; and e) how to 1) integrate and implement the actions into its information security management system processes; and 2) evaluate the effectiveness of these actions.

Nonconformity/evidence:

i. There was no evidence that risks are determined to ensure the information security management system can achieve its intended outcome(s).

ii. From the context, opportunities have been determined; however, there were no actions to address them.

Signed: Auditor _______________________    Auditee _________________________


Category: MAJOR / MINOR

Root Cause:

Correction (as applicable):

Corrective action to be taken to prevent recurrence:

Signed: Auditee ____________________    Date of completion __________________________

Signed: Auditor ____________________    Auditor’s Name ______________________________


Follow up (to be completed by the auditor):

Action fully completed / Action partially completed / No action taken

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….

Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit for Minor NCs):

Was the corrective action taken effective? YES / NO

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….


CER/F/06: CORRECTIVE ACTION REQUEST (CAR) FORM

CAR NO. 3 OF 3

ORGANIZATION: University of Embu

AUDIT DATE: 24th and 25th April 2019    AUDIT NO: KEBS/ISMS/SC/02/2015

Area under review: Creating and updating

Clause of criteria document: ISO/IEC 27001:2013 clause 7.5.2

Requirement: When creating and updating documented information the organization shall ensure appropriate: a) identification and description (e.g. a title, date, author, or reference number); b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and c) review and approval for suitability and adequacy.

Nonconformity/evidence: Document control for the risk registers in ICT, Procurement and Website were not updated after performing the risk assessment in January 2019.

Signed: Auditor _______________________    Auditee _________________________


Category: MAJOR / MINOR

Root Cause:

Correction (as applicable):

Corrective action to be taken to prevent recurrence:

Signed: Auditee ____________________    Date of completion __________________________


Signed: Auditor ____________________    Auditor’s Name ______________________________

Follow up (to be completed by the auditor):

Action fully completed / Action partially completed / No action taken

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….

Effectiveness of corrective action (to be completed at follow up for Major NCs and during the next audit for Minor NCs):

Was the corrective action taken effective? YES / NO

Details:

Signed: Auditor ………………    Name ……………………    Date ……………………….