KEBS- CERTIFICATION BODY
ISO 27001:2013 ISMS
INITIAL CERTIFICATION STAGE 2 AUDIT REPORT
FOR
UNIVERSITY OF EMBU (UoEm)
Audit No. KEBS/ISMS/SC/04/2/2018
19 June 2018
Table of Contents
1.0 Introduction ........................................ 3
2.0 Audit summary ....................................... 4
3.0 Detailed report ..................................... 5
4.0 Other Information ................................... 19
5.0 Conclusion & Opinion ................................ 19
6.0 Confirmation of Audit Objectives .................... 19
Appendices .............................................. 21
Appendix 1: Audit Timetable/Scope
Appendix 2: Meetings Attendance Register (Opening/Closing Meetings)
Appendix 3: Corrective Action Request forms (CARs)
Appendix 4: Audit Program
SECTION 1: INTRODUCTION
Audit client name: University of Embu (UoEm)
Client address: Along Embu-Meru Road, P.O. Box 6-60100, Embu
Email: [email protected]; [email protected]
Tel: 0722347057 - Dr. Kerama
Client representative: Prof. Kotut
Designation: Management Representative (M.R.)
Audit date(s): 29 and 30/5/2018
No. of audit days: 2
Audit basis/criteria: ISO 27001:2013, UoEm ISMS documentation, applicable legal and contractual requirements
Audit scope: Provision of Training, Research and Extension
Audit number: KEBS/ISMS/04/2/2018
Audit type: Initial Certification Stage 2
Audit team: Purity Wangai (PW) - Lead Auditor; Evelyne Mirembo (EM) - Auditor
Audit objective(s):
i. Determination of the conformity of the client's management system, or parts of it, with the audit criteria;
ii. Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;
iii. Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;
iv. As applicable, identification of areas for potential improvement of the management system.
SECTION 2: SUMMARY OF AUDIT FINDINGS
The ISO 27001:2013 Information Security Management System (ISMS) Initial Certification Stage 2 audit was conducted on 29 and 30/5/2018 at the University of Embu (UoEm). Opening and closing meetings were held and the meeting attendance register is in Appendix 2.
It was confirmed that interested parties and their needs and expectations had been determined, that the risk treatment plan and selected controls were documented per department, that actions taken to implement the selected controls were recorded, that staff had signed an oath of confidentiality, that the ISMS objectives and ISMS policy had been communicated in each department and staff are aware of the ISMS policy, and that internal ISMS audits and a management review had been conducted, among other positive findings.
However, areas of improvement were identified. Some of the risks discussed and confirmed with the auditee were not included in the ISMS, e.g. 'lack of integrity' of research resource person(s)/supervisors was not identified as a risk at the research department. Risk levels have not been monitored after implementation of the selected controls, so residual risk levels are not known. An assets inventory is not available in some areas, and where it is documented it is not comprehensive. There was no evidence of ISMS training for some staff. Opportunities were not determined for the security office, among other weaknesses.
These areas of improvement have the potential to become nonconformities if nothing is done about them.
A total of 3 minor nonconformities (NCs) were also identified, as indicated in Appendix 3. The NCs were discussed during the closing meeting and agreed upon. Follow-up on the NCs will be conducted during the next audit should a decision to certify the client be made.
It is the opinion of the audit team that the implemented ISMS meets most of the requirements of the audit criteria, that the ISMS has the ability to meet applicable legal and contractual requirements, that the ISMS is effective and the client can reasonably expect to achieve the ISMS objectives, and that the ISMS has weak areas that need improvement.
The client having already forwarded appropriate corrective action, which has been approved, certification to ISO 27001:2013 is hereby recommended.
The audit objectives were achieved.
SECTION 3: DETAILED AUDIT FINDINGS
3.1 LIBRARY- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1
Positive Findings
1. Clause 4.2 – External and internal interested parties include:
External parties (E.P.) and their needs and expectations:
- Government bodies, e.g. CUE, Ministry of Education, Public Health: compliance with applicable regulations, e.g. the CUE regulation requires an online portal through which any interested party can access the library catalogue.
- Members of the public: information available at the library, e.g. books.
Internal parties (I.P.) and their needs and expectations:
- Students and staff: access to information.
2. Clause 5.1- Resources provided for the ISMS include:
- Lockable cabinets for keeping confidential files, e.g. the file with JDs for staff
- Staff trained on ISO 27001
- Computers to keep information such as library catalogues
- Internet, through which the online catalogue portal can be accessed by students, staff and members of the public
- Internet is also used to access electronic information such as e-books and journals from the external information sources to which the university has subscribed
- Resources for physical security include security personnel/guards engaged on a contract basis
- Lockable doors at the library
3. Clause 6.1.1- Risks and opportunities
- Risk: Denial of information due to power outage, which makes electronic information unavailable, and due to wrong cataloguing.
- Related opportunity: Marketing library services (this has not been done before).
- Actions to address the opportunity: Posting signage; introduction of online chatting on the library website.
4. There is a document identified as 'monitoring template for interested parties & Requirements/Internal & External issues/Risks/Opportunities' with the following columns: interested party and requirement/issue/risk/opportunity; activities (what will be done/is being done); responsibility; timeframe (when to implement the activities); monitoring frequency (when results shall be analysed and evaluated); evidence/records required. A sample entry:
- Interested party and requirement: Students - up-to-date information resources (both print and e-resources)
- Activities: Involvement of users in the selection process for books
- Responsibility: Librarian
- Timeframe: Last quarter of the academic year, when users make requests
- Monitoring frequency: Annual
- Evidence/records required: Book selection forms; requests
5. Clause 6.1.2- Information security risk assessment
- There is a soft copy of the Library risk register, accessed with a password through the university website. The Excel sheet has the risk assessment results and is identified as 'Risk Register'. It has 3 risks identified, each scored 6, which on the scale indicated therefore require further action by urgency. The risk owner is identified as 'Librarian'.
- The risk criteria are indicated on the Excel risk register, which also explains risk likelihood and consequences and the risk appetite on a scale of 1 to 5, with colour codes and an interpretation of the colours.
6. 6.1.3 - The risk treatment plan is also on the same Excel risk register. The auditee indicated that if a document is on the university portal (accessed through the website), this is an indication that it has been approved.
7. 6.2 - ISMS objectives. There are 3 objectives, approved on 6/1/2018, with a plan to achieve them, e.g.:
- Objective: Create awareness among staff in the library on all ISMS requirements relevant to the department
- What will be done: HOD sensitization of staff
- When to complete: Dec. 2018
- Resources required: Personnel, information material
- Responsible: Librarian
- How results will be evaluated: Evaluation of awareness reports
- Achievement: (blank)
Minutes of the meeting held on 10/1/2018 show that ISMS policies and objectives were discussed.
8. 10.1- No information security incident has occurred; however, there is an incident register UoEm-REG-LIB-VOL.01-021 opened in Jan. 2018.
- No situation requiring improvement actions had occurred.
Areas of Improvement
1. Clause 6.1.1- Risks and opportunities
- For the risk 'loss of information by theft, mutilation', the opportunities identified (backup, university stamp on physical information such as books, inventory of library stocks/resources) are not opportunities in the risk-based thinking (RBT) sense: they are existing, long-standing practices, i.e. controls already in place, and so are not suitable as opportunities.
- After discussion with the auditee, suitable opportunities were identified that had not been considered in the ISMS. There is a plan to install an integrated library security management system that will enhance the security of physical information such as books; the system can detect at the exit any item that has not been properly issued, as a control against theft. It is planned to be installed by Dec. 2018 through a tender process, and the procurement process has been initiated, as shown by a memo dated 25/4/2018 circulated to the VC. For the risk 'denial of information', there is a plan to install a library self-issuing machine that will enable users to issue and return books by themselves using the university identification card; this will be operationalized by Dec. 2018. However, these opportunities were not included in the ISMS.
2. Clause 6.1.2 and 7.5 - Information security risk assessment
There is a soft copy of the Library risk register. For the first 2 risks, the auditee's copy shows the colour code orange/yellow while the auditor's copy shows red, i.e. the two copies of the register are not the same version.
3.2 SCHOOL OF NURSING- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1
Positive Findings
1. 4.2 - Interested parties include students, who are interested in correct information on exam results, and staff, who are interested in accurate information, e.g. about teaching arrangements and how many lectures are allocated per semester. Staff also expect availability of the other information they need to operate.
2. 5.1 - ISMS resources needed and provided include lockable cabinets for confidential and restricted information, computers for storing electronic information such as exams, which are opened with a password, staff to handle the information, and office space for exam scripts.
3. 6.1.1 - Risks and opportunities in relation to clauses 4.1 and 4.2
- For the risk 'Unauthorised access to exam results', actions to address it include existing controls, e.g. the designated office of the Exam Coordinator, and the additional controls determined from ISO 27001 Annex A are A.13.2.1 and A.7.2.3.
- The departmental risk register indicates, as an opportunity, that cryptography shall be applied to protect exam results by Dec. 2018.
4. 6.1.2 - Information security risk assessment results are documented. The risk 'Unauthorised access to exam results' had a risk score of 4, and the risk treatment plan indicates that the target is to reduce it to 1 by Dec. 2018. Applicable controls are determined.
5. 6.1.3- The information security risk treatment plan indicates existing controls and additional controls from ISO 27001 Annex A.
6. 7.2 – Competence
- Responsibilities for staff were indicated on a memo from the Dean dated 8/1/2018.
- Staff PF No. 0122: his responsibility is 'Updating ISMS documents and tabling reports in meetings'. He signed the oath of confidentiality on his employment in July 2017 and had ISMS training in May 2017.
- PF No. 0095: her responsibility is 'Information transfer according to the information transfer and handling guidelines'. Minutes of the school meeting held on 3/11/2017, in which she participated, included staff sensitization on the clear desk/clear screen policy.
7. 7.5.2 - The incident register is identified by title and also by code UoEm-REG-SoN-007/VOL1. The soft copy file of the risk register is identified as 'SoN ISMS Risk register 18-5-2018', while in the electronic document itself it is identified as 'Teaching Risk Register Doc. No. UoEM/TEACH/TRR/005 Version A'.
- Electronic information on the Dean's computer is protected by SMADAV 2014 Free anti-virus.
8. 7.5.3 - Passwords are used to protect electronic information, e.g. exams. Hard copies are in lockable cabinets. Exam hard copies are reproduced by the exam office. The Dean's office has a lockable door.
9. 10.1- No information security incident has occurred. The auditee indicated that no opportunity to improve had arisen.
10. During school board meetings, staff are sensitized on the ISMS, e.g. in a meeting held on 20/3/2018.
Areas of Improvement
1. The auditee demonstrated the passwords used to open the computer and to open exams. There are password guidelines, and item (f) on page 2 of the guidelines sets the criteria for passwords. The auditee's passwords did not meet these criteria.
2. 7.2 – There was no evidence of ISMS training for staff members Jacqueline and PF No. 0095.
3. There is a file identified as EoEm/SoN/M-L-R/VOL1 that has a list of the records at the department. This file was presented by the auditee as the information assets register; a list of records is not a comprehensive inventory of the department's information assets.
3.3 ICT- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1
Positive Findings
1. 4.2 and 6.1.1
External parties (EP) and their needs and expectations:
- Suppliers, e.g. the ISP: access to tender documents on the website; implementation of the SLA in the case of the ISP.
- Public/community: courses offered to be posted on the website; enquiries to be handled through the website.
Internal parties (IP), their needs and expectations, actions taken to address them, risks to their interests, and opportunities:
- Students
  Needs and expectations: reliable Internet access with low downtime; functional computer labs.
  Actions taken: quarterly maintenance schedules for computer labs; installation of UPS in the server room; backup generator; redundant fibre link.
  Risks: breakdown/faulty equipment at the computer lab; power loss.
  Opportunities: close proximity to a variety of high-speed fibre optic cables (so far 3 cables have been installed since 2014); introduction of an SMS function, email function, email alerts and a knowledge base for users on the OS ticketing system from Jan. 2018; assessing student innovations in the projects they do to determine how they could benefit the university.
- Staff
  Needs and expectations: reliable Internet access with low downtime; confidentiality of information on the backup server; functional ICT equipment.
  Actions taken: as above for students; encryption of information in the server backup for confidentiality.
  Risks: leakage of backup information, e.g. pay slips; ICT equipment malfunction; malware attacks; hacking; lack of passwords on computers.
- The email address on the website, [email protected], was tested by the auditor by sending an email. The email was received at the ICT office immediately after it was sent.
2. 5.1 - Resources determined for the ISMS include personnel, funds and staff training. Training was done as indicated in item 6 below.
3. 6.1.2- Information security risk assessment results are documented on the risk register. The risk acceptance criterion is a score of 2, as indicated on the risk appetite matrix on the register.
4. 6.2- ISMS objectives are documented, e.g. to enhance information security by encrypting the backed-up information by Dec. 2018, and installation of antivirus software on all university computers by Dec. 2019. So far, antivirus has been installed on 200 computers out of a total of about 320 computers at the university.
5. 6.1.3 - The information security risk treatment plan is documented. It indicates the controls selected for the risks determined.
6. 7.2- ISMS training:
- Ag. ICT Director – trained as an ISMS internal auditor in February 2018.
- PF No. 0426 and PF No. 0337 – ISMS awareness was done for these staff during the staff meetings on 21/11/2017 and again on 16/1/2018.
7. 7.5.3 - ISMS documents are on the university website, accessible by all staff by use of a password.
8. 10.1- The incident register UoEm-REG-ICT-008-Vol1 is available, and one incident was recorded: 'the meeting dashboard failed to send invitations for a meeting (Deans committee)', reported on 17/5/2018. The root cause and all actions taken were recorded in the register.
9. Business Continuity Plan- Licensed antivirus is expected to be purchased by 30/6/2018 for all computers, based on the new computer inventory that is currently being developed at the various departments.
10. ISMS assets register- There is an assets register for the ICT department which includes the assets in the server room, desktop computers, etc. Serial numbers and other pertinent information for the assets are indicated on the register.
11. The signed ISMS policy is displayed at the office.
12. Monitoring and measurement of implementation of the risk treatment plan:
- There is a documented monitoring tool for the actions to be taken to implement the selected controls. The results of the actions taken are recorded and the resulting status of the system is indicated.
Areas of Improvement
1. 7.5.2- The auditee has a soft copy of the risk register from the website identified as UoEm/ICT/ICTRR/009 Version A Revision 1 dated 23/5/2018. The auditors' copy of the same document is Revision 0 dated 5/12/2017. The auditee indicated that the register was recently amended: a memo dated 16/5/2018 required ISO documentation to be reviewed and finalized by 21/5/2018, and so the ICT risk register was amended. However, the document amendment form for the register was not filled in.
2. There is a documented monitoring tool for the actions taken to implement the selected controls. However, the risk level has not been re-assessed after implementation of the controls, so the residual risk is not known.
3.4 DIRECTORATE OF RESEARCH & EXTENSION- clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4,
7.5.2, 7.5.3
Positive Findings
1. At the Director's office, no information was on the desk and the computer had a clear screen.
2. The approved ISMS objectives and ISMS policy are displayed.
3. 7.3- The interviewed person (administrative assistant) is aware of the ISMS policy and of his contribution towards the confidentiality of information. He is also aware of the consequences of not implementing ISMS requirements.
4. There was a power outage at around 8:51 am during the audit. The power generator switched on automatically within a few seconds.
5. There is a UPS for computer power backup at the Director's office.
6. 4.2 - External interested parties include the community, interested in research output and outreach; the government, interested in whether research at the university is aligned to the national agenda; regulators such as CUE, interested in the quality of research; and NACOSTI, interested in the types of research. The ISMS interests of these parties include:
- Community: integrity and availability of information
- Government bodies: integrity and availability of information
7. 6.1.1 - The risks determined are on the risk register, accessed from the website using a password, e.g. leakage of confidential research information, acceptance of falsified research information.
8. 5.1- Resources determined include fireproof cabinets.
9. 6.1.2 and 6.1.3 - Risk assessment results are indicated on the risk register, an Excel sheet identified as 'Risk Register'. The register also has a 'Risk Treatment Plan' which indicates the planned treatment results.
10. Results of implementing the risk treatment plan are indicated on a monitoring tool on the risk register, which records the controls applied, responsibility, the time-frame to implement the controls, the evidence of implementation required, the results of control implementation and the status of actions (done or continuous).
11. 7.1 - Resources provided include an office for physical security, a computer for information processing, storage and communication by email, and lockable file cabinets.
12. Copies of research reports are sent to the DVC- Academics Research, while copies are retained at the office as backup.
13. 7.4- Communication about the ISMS
- This is done during meetings, e.g. minutes of the meeting held on 6/2/2018, in which the ISMS objectives, the clear desk/clear screen policy, etc. were discussed.
- The Director determines what is to be communicated, e.g. the agenda for meetings.
14. 7.5.2, 7.5.3 – Documents are uniquely identified, e.g. the file with research reports is identified as UoEm/DRE/RESEARCH/VOL.2.
15. The Director's personal desktop computer is protected by licensed Kaspersky antivirus.
16. A.8.1.1 Assets inventory- There is an electronic register of ICT devices which indicates one computer for the office administrator.
- There is an 'Information and Information Assets Register' that has the classification of information and a list of information and information assets, e.g. research reports.
17. There is an incident register, opened on 8/3/2018, which has no record because no incident had occurred.
Areas of Improvement
1. 'Lack of integrity' on the part of resource person(s)/supervisors was identified as a risk during the auditor's discussion with the auditee, but this risk was not considered in the ISMS.
2. The interviewed person (administrator) does not clearly understand the integrity and availability of information.
3. 6.1.1- The opportunity determined is not clearly relevant to the ISMS, i.e. 'establishment of collaboration with different institutions e.g. universities, research institutions, etc., as required by the National Research Fund in Feb. 2018'.
4. Residual risk levels have not been determined/monitored after implementation of the controls (i.e. progress from risk level 9 towards level 1 has not been recorded).
5. There is only one key for the lockable metal cabinet at the Director's office.
6. The Administration Officer holds both original keys for a file cabinet together. This situation does not provide a key backup.
7. 7.5.2, 7.5.3 – The auditee has the risk register Version A Rev. 1 dated 23/5/2018, while the auditors' edition is Version A Rev. 0 dated 5/12/2017. The document amendment form was not filled in for the amendment of the register.
8. The metallic and wooden file cabinets are not fireproof as required by the business continuity plan (BCP).
9. No CCTV has been installed, as required by the BCP.
10. A.8.1.1 Asset register- The personal computer privately owned by the Director is not included as an asset, yet it contains research information belonging to the university. The asset register also does not include personnel as information assets.
11. Clear desk and clear screen policy item 3.2 requires HODs/sections to conduct regular monitoring and evaluation of the policy, but there is no evidence of implementation of this requirement.
3.5 MANAGEMENT REPRESENTATIVE (QISMR) -4.1, 4.2, 4.3, 7.5, 6.1.3, 9.3
Positive Findings
1. 4.2- Interested parties include external providers, the community, government bodies, parents/guardians/sponsors, industry, professional/regulatory bodies and financial institutions.
2. 7.5- Statement of Applicability (SoA)- The auditee's copy is accessed from the website by use of a password. It is Version A Revision 1 dated 23/5/2018. A request to review various documents was approved by the M.R. in a memo dated 10/5/2018.
3. 6.1.3- The SoA indicates the selected controls with justification. Controls not selected are also justified, e.g. A.6.2.2 Teleworking is not selected, with an acceptable justification.
- Control A.7.2.2, selected in the Procurement risk register, is on the SoA with a justification based on the results of risk assessment (RRA). A.11.2.9, selected in the same register based on the risk assessment results, is likewise justified on the SoA. Justification is also given for the exclusion of A.14.1.3 on the SoA.
4. 9.2 Internal audits for the ISMS
a) ISMS internal auditors were appointed by the M.R. by a memo dated 26/2/2018 to conduct the audit from 13 to 15/3/2018. The auditors and the audit team leader were indicated on the memo.
b) The report for the audits conducted in March 2018 is documented for every department. Nonconformities (NCs) were also included in the report.
c) The security office had a major NC for lack of awareness of the information security policy; the correct clause of the standard that was contravened was identified on the NC report. The NC report also indicates an adequate root cause and corrective action (CA), and follow-up on implementation of the CA was done on 9/4/2018.
d) At the Health Services department, an NC was recorded that 'No evidence of development of Rules and Regulations on the use of information assets'. The root cause was indicated as nobody having been assigned the responsibility to develop ISO documents. The correction was indicated as 'to develop the rules and regulations'. The CA was also adequate. Evidence of the developed rules and regulations, dated 20/3/2018, was available.
5. 9.3 Management review is planned to be conducted twice a year.
a) A meeting was conducted on 16/4/2018 and the minutes were documented.
b) The minutes indicate that 5 departments provided details of the achievement of information security objectives, and other members were urged to emulate them. Fulfilment of information security objectives was also discussed for the same departments.
c) The outputs of the management review, which included decisions related to continual improvement opportunities, were recorded in Appendix 6 of the minutes.
6. 4.1 and 4.3: The ISMS context and scope are documented.
Areas of Improvement
1. SoA- The auditee's copy is Version A Revision 1 dated 23/5/2018 while the auditors' copy is Revision 0. The document change request form was not filled in (although the M.R. approved the change in a memo dated 10/5/2018).
2. The ICT department risk register has the risk 'Denial of access to information', with a risk level of 6 and selected control A.7.2.3. However, the SoA does not indicate a justification for including the control based on the results of risk assessment (RRA). The same applies to A.11.2.2 and A.11.2.4 for the department.
- On the Procurement department risk register, the risk 'Leakage of supplier information to a competitor' has risk level 6. Control A.16 is selected for the risk, but the justification for inclusion based on the risk assessment results is not indicated on the SoA.
3. 9.2- Internal audits for the ISMS
a) At the Health Services department, an NC was recorded that 'No evidence of development of Rules and Regulations on the use of information assets'. Document UoEm/QISMR/PD/008 section 2.1 (3) was cited as the criteria document violated. However, the criteria document does not have a section 2.1 (3), although the requirement violated is in the document.
b) At the VC's office, the internal auditor reported as 'observations' that there was no evidence that the office had an inventory/information assets register, and that one of the 2 computers had a password of 4 characters. The same weaknesses were detected elsewhere by the external auditor in May 2018; they had not been addressed at the time of the external audit.
4. 9.3- The management review was conducted on 16/4/2018.
a) The client indicated that there were no changes in the ISMS, but this was not recorded in the minutes.
b) There was no evidence that monitoring and measurement results were discussed.
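Two findings recur across the departmental sections above: risk levels were not re-assessed after the selected controls were implemented (ICT item 2, Research item 4), and Annex A controls selected in departmental risk registers lack an SoA justification based on the results of risk assessment (M.R. item 2). The following Python script is added here as an illustration of the checks an ISMS coordinator could run over a register and SoA exported to structured data; it is not a tool used by UoEm or KEBS. It follows the scoring described in the report (likelihood and consequence on a 1 to 5 scale, score = likelihood x consequence, scores at or below the acceptance criterion of 2 accepted). The colour-band thresholds, the data classes, the finding codes and the sample risks and SoA entries are assumptions constructed for the example.

```python
"""ISMS risk register and Statement of Applicability (SoA) consistency checks.

Added example, not a tool of the University of Embu or KEBS. The scoring
follows the report: likelihood and consequence on a 1..5 scale, risk score =
likelihood x consequence, and a score at or below the acceptance criterion
(2 in the ICT register) is accepted. The colour-band thresholds, the finding
codes and the sample data below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPTANCE_SCORE = 2            # risk appetite matrix: scores <= 2 need no further treatment (assumed)
SCALE = range(1, 6)             # 1..5 for both likelihood and consequence
Finding = Tuple[str, str, str]  # (risk ref, finding code, detail)


@dataclass
class Risk:
    ref: str
    department: str
    description: str
    likelihood: int
    consequence: int
    controls: List[str]                          # Annex A controls selected in the treatment plan
    controls_implemented: bool = False
    residual_likelihood: Optional[int] = None    # None: not re-assessed after implementation
    residual_consequence: Optional[int] = None


@dataclass
class SoaEntry:
    control: str
    selected: bool
    reasons: Tuple[str, ...]   # e.g. ("RRA",) for results of risk assessment, ("legal",), ...
    justification: str


def score(likelihood: int, consequence: int) -> int:
    """Risk score on the register's 5x5 matrix; rejects values off the scale."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return likelihood * consequence


def band(value: int) -> str:
    """Colour band for a score (thresholds assumed for this example)."""
    if value <= ACCEPTANCE_SCORE:
        return "green"
    return "yellow" if value <= 6 else "red"


def review_risk(risk: Risk) -> List[Finding]:
    """Residual-risk checks of the kind raised under ICT item 2 and Research item 4."""
    findings: List[Finding] = []
    inherent = score(risk.likelihood, risk.consequence)
    if inherent > ACCEPTANCE_SCORE and not risk.controls:
        findings.append((risk.ref, "NO_TREATMENT", f"score {inherent} but no controls selected"))
    if risk.controls_implemented:
        if risk.residual_likelihood is None or risk.residual_consequence is None:
            findings.append((risk.ref, "RESIDUAL_NOT_MONITORED",
                             "controls implemented but risk level not re-assessed"))
        else:
            residual = score(risk.residual_likelihood, risk.residual_consequence)
            if residual > ACCEPTANCE_SCORE:
                findings.append((risk.ref, "RESIDUAL_ABOVE_ACCEPTANCE",
                                 f"residual {residual} ({band(residual)}) exceeds {ACCEPTANCE_SCORE}"))
    return findings


def check_soa(risks: List[Risk], soa: List[SoaEntry]) -> List[Finding]:
    """A control selected in any treatment plan must be in the SoA, selected, and justified by RRA."""
    by_control = {entry.control: entry for entry in soa}
    findings: List[Finding] = []
    for risk in risks:
        for control in risk.controls:
            entry = by_control.get(control)
            if entry is None:
                findings.append((risk.ref, "CONTROL_NOT_IN_SOA", control))
            elif not entry.selected:
                findings.append((risk.ref, "CONTROL_EXCLUDED_IN_SOA", control))
            elif "RRA" not in entry.reasons:
                findings.append((risk.ref, "SOA_JUSTIFICATION_NOT_RRA", control))
    return findings


def review_register(risks: List[Risk], soa: List[SoaEntry]) -> List[Finding]:
    """All residual-risk findings first, then the SoA cross-check."""
    findings: List[Finding] = []
    for risk in risks:
        findings.extend(review_risk(risk))
    findings.extend(check_soa(risks, soa))
    return findings


# Constructed sample data, loosely modelled on risks quoted in the report.
SAMPLE_RISKS = [
    Risk("ICT-01", "ICT", "Denial of access to information", 2, 3, ["A.7.2.3"], True, 1, 3),
    Risk("PROC-01", "Procurement", "Leakage of supplier information to a competitor", 2, 3, ["A.16.1.2"]),
    Risk("SON-01", "School of Nursing", "Unauthorised access to exam results", 2, 2,
         ["A.13.2.1", "A.7.2.3"], True, 1, 1),
    Risk("DRE-01", "Research & Extension", "Leakage of confidential research information", 3, 3,
         ["A.11.2.9", "A.11.1.4"], True),
]
SAMPLE_SOA = [
    SoaEntry("A.7.2.3", True, ("legal",), "Disciplinary process required by HR policy"),
    SoaEntry("A.13.2.1", True, ("RRA",), "Information transfer and handling guidelines"),
    SoaEntry("A.11.2.9", True, ("RRA",), "Clear desk and clear screen policy"),
    SoaEntry("A.16.1.2", True, ("best practice",), "Incident registers kept per department"),
    SoaEntry("A.6.2.2", False, (), "Teleworking is not practised"),
]

if __name__ == "__main__":
    for ref, code, detail in review_register(SAMPLE_RISKS, SAMPLE_SOA):
        print(f"{ref}: {code}: {detail}")
```

Run stand-alone, the script lists six findings for the sample data: the ICT risk still sits at residual score 3 after its control, the research risk has no residual assessment at all, three control selections rest on an SoA justification that does not cite the results of risk assessment, and one selected control is missing from the SoA entirely. The point of keeping `reasons` as a separate field from the free-text justification is that the RRA check becomes mechanical; a free-text search for "RRA" would match unrelated words.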
3.6 TOP MANAGEMENT COMMITMENT- ISO 27001 clause 5.1
1. 5.1 - Resources determined and provided for the maintenance of both the ISMS and the QMS include Kshs 4 million for 2017/2018; there is an M.R. office with 3 staff dedicated to the QMS/ISMS, and there are ISO Champions.
- Other resources to be provided according to the Business Continuity Plan include CCTV cameras, to be installed in 2018/2019; fireproof cabinets will also be provided within the same year.
- Staff have been trained on the ISMS.
3.7 DIRECTORATE OF POST GRADUATE STUDIES- ISO 27001 clauses 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1,
10.1
Positive Findings
1. Clause 6.1.1- Actions to address risks and opportunities
Risks and opportunities for the department have been determined.
Mitigations and controls for the risks identified have been determined.
The plan of actions to address the risks and opportunities identified has been drawn up, for example capacity building and implementation follow-up committees.
The actions to address the risks were being implemented, for example for risks 6, 9 and 7.
Review of the actions to address the risks was being done: the actions to be implemented within 3 months effective December 2017 had been reviewed, and the risks sampled, which had an initial risk level of 9 and a previous level of 6, were reviewed over the 3 months and recorded at risk levels of 1 and 2.
2. Clause 6.1.2 – Information security risk assessment
Risk criteria and the acceptance levels for the risks have been established.
3. Clause 6.1.3 – Information security risk treatment
Controls to be applied to the risks identified have been determined and a risk treatment plan formulated; they include capacity building, awareness creation and disciplinary actions, and allocation of cabinets and passwords to the members of staff in the department.
4. Clause 6.2 – Information security objectives and planning to achieve them
ISMS objectives for the department have been established in line with the requirements of the standard; they include 'to check all thesis and project reports for plagiarism'.
Monitoring of the implementation of the objectives was being done: 10 projects were evaluated in the period July to September 2017, and an analysis of hand-delivered and courier-delivered submissions was done on 30th September 2017.
5. Clause 9.1 –Monitoring, measurement, analysis and evaluation
The department has determined similarity levels of project reports against existing work within the university and globally as the data to be collected, monitored and analysed for decision making in the department. The results from monitoring are to be analysed every quarter of the academic year.
6. Clause 10.1 – Nonconformity and corrective action
The department has a mechanism for capturing customer feedback, complaints and nonconformities.
Registers such as UoEm-REG-BPS-005 for compliments and UoEm-REG-BPS-006 for complaints are maintained and used by the customers of the department.
Complaints are captured and resolved, for example the complaint on scholarship stipends taking too long, recorded on 3rd May 2018.
Areas of Improvement
1. The complaints record does not address root cause analysis adequately; for example, the complaint on the stipend delay had the root cause recorded as 'there was no delay as per finance voucher', which does not identify a cause.
3.8 DEPARTMENT OF BUSINESS AND ECONOMICS- ISO 27001 clauses 4.2, 5.1, 6.1.2, 6.1.3, 6.2,
9.1, 10.1
Positive Findings
1. Clause 5.1 – Leadership commitment
The information security policy has been shared within the department; the policy was
understood by the sampled staff in the department.
The procurement plan and the approved budget for the department’s needs were available,
approved on 19th September 2017.
2. Clause 4.2 –Understanding the needs and expectations of interested parties
Interested parties relevant to the ISMS have been determined.
The relevant requirements of the interested parties have been determined; they include accurate and timely feedback on exams and results for the students.
The needs and expectations of interested parties have been used to come up with some of the risks, for example examination delay by the department.
3. Clause 6.1.3 – Information security risk treatment
Controls for the risks identified have been determined; they include lock and key for exam papers and use of the examination policies.
A risk treatment plan has been formulated and approved by the identified owners.
Analysis of the risks identified for the department was being done; the risks identified on 4th December 2017 will be reviewed in June 2018 to establish the implementation status.
4. Clause 6.1.2 – Information security risk assessment
Risk owners within the department have been identified.
The risk acceptance criteria have been developed in the department, with the likelihoods and the risk appetites.
Opportunities for the department have also been identified.
A plan for implementation of the actions to address opportunities has been drawn up; for example, a proposal for establishing a business wing for the department was drawn up in May 2018.
5. Clause 6.2 – Information security objectives and planning to achieve them
Information security objectives for the department have been developed and shared within the department, approved on 2nd March 2018.
The plan for achieving the information security objectives has been drawn up in line with the requirements of the Standard.
6. Clause 9.1 –Monitoring, measurement, analysis and evaluation
Incidences of fabrication of marks have been determined by the department as data to be collected and analysed; external examiners' reports are also analysed for malpractices.
7. Clause 10.1 – Nonconformity and corrective action
Customer feedback is captured using registers such as UoEm-REG-DBE-011-VOL.1 for incidences, UoEm-REG-DBE-004-VOL.1 for complaints and the compliments register UoEm-REG-DBE-005-VOL.1.
3.9 DEPARTMENT OF LAND AND WATER MANAGEMENT - ISO 27001 clauses 4.2, 6.1.1, 7.2, 7.5.2, 7.5.3, 10.1
Positive Findings
1. Clause 5.3 – Organisational roles, responsibilities and authorities
Responsibilities for the staff implementing ISMS in the department have been defined and
communicated.
There was an ISMS policy in the department, approved on 4th December 2017.
2. Clause 7.2 – Competence
Competences required by the staff in the department for ISMS have been determined, for
example, IT knowledge, knowledge in record keeping and good communication skills, minute
09/01/2018 of the meeting held on 16th January 2018.
3. Clause 7.5.2 – Creating and updating
Files in the department have been created and referenced in line with the requirements of the
standard, for example, UoEm-REG-LWM-003-VOL.1.
4. Clause 7.5.3 – Control of documented information
Retention periods for information within the department have been determined, for example,
past exam papers-6 years, class attendance registers-6 years and staff leaves and offs – 6
years.
5. Clause 10.1 – Nonconformity and corrective action
Customer feedback is captured within the department; registers such as
UoEm-REG-LWM-003-VOL.1 are maintained.
Complaints are recorded and resolved, for example, a complaint on little time spent with the
assessee on attachment.
6. Clause 4.2 – Understanding the needs and expectations of interested parties
Interested parties, their needs and expectations have been determined in the department; they
included students, the University Council and the government, with requirements for accurate and
complete information.
7. Clause 6.1.1 – Actions to address risks and opportunities
Risks and opportunities have been determined for the department's processes.
Actions to address risks and opportunities have been planned for, for example, the risk
treatment plan with activities to be undertaken – folio 69 UoEm/LWM/ISO PC/ VOL. 2.
Areas of Improvement
1. Root cause analysis is not adequately performed for the complaints recorded, for example, for
little time spent with the assessor and insufficient funds given to the assessor complaint, the
root cause was indicated as ‘no basis provided’ and corrective action indicated as ‘not
applicable’.
3.10 FINANCE - ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4
Positive Findings
1. Clause 4.2 – Understanding the needs and expectations of interested parties
Interested parties have been determined in the department.
Relevant needs and expectations of interested parties have also been determined.
2. Clause 5.1 – Leadership and commitment
ISMS objectives have been established in the department.
The policy has been shared in the department and sampled staff understood their ISMS roles
and responsibilities.
An approved budget and procurement plan capturing the department's activities was available
and was being implemented; the budget was approved on 29th June 2017.
Duties and responsibilities of staff in line with ISMS have been defined; the department has 2
ISMS/QMS champions.
3. Clause 6.1.1 – Actions to address risks and opportunities
The risk register implementation monitoring matrix has been developed, UoEm/FIN/DATA
ANALYSIS/VOL. 1.
4. Clause 6.1.2 – Information security risk assessment
Risk assessment has been carried out in the department, the risk criteria and levels have been
defined.
The risk treatment plan has been developed; controls have been identified, for example,
A.7.2.2, A.16.1 and A.18.2.2 from ISO/IEC 27001:2013 Annex A.
Reviews for the risks had been determined to be carried out once every year.
5. Clause 6.1.3 – Information security risk treatment
Control measures and a plan for treatment of the risks had been drawn and were being
implemented.
Analysis of the risks is also done on a quarterly basis.
6. Clause 7.1 – Resources
Resources needed in the department have been determined; the department has 18 members
of staff and 2 interns.
The department has a schedule for monitoring the implementation and adherence to the
requirements of ISMS – ISO audit rota for 2017/2018 sampled with reports on implementation
of the clauses of the standard.
Staff training on ISMS had been carried out, training and sensitization carried out on 12th
February 2018.
7. Clause 7.4 – Communication
External communication is done from the VC's office; the department communicates internally
on ISMS procedures and process performance.
Information security guidelines have been developed to guide the department in ISMS
implementation, for example, for portable/mobile devices and handling confidential information.
The staff in the department have signed a code of conduct which includes requirements for
confidentiality and protection of university information – Institutional Code of Conduct clause 18
a-c.
Physical security is enforced in the department: access to the office is controlled, and staff
register and sign before accessing the offices.
3.11 SECURITY - ISO 27001 clauses 4.2, 5.1, 6.1.1, 7.1, 7.3, 8.1, 9.1
Positive Findings
1. Clause 4.2 – Understanding the needs and expectations of interested parties
The department has identified interested parties such as students, the general university
management, the community and site forces.
Needs and expectations of the interested parties have also been determined.
2. Clause 5.1 – Leadership and commitment
Awareness creation on the ISMS policy for the security guards is done; the last meeting held
was on 20th April 2018, minute 3/2018 on QMS and ISMS – UoEm/SEC/MEETINGS/VOL. 1.
3. Clause 6.1.1 – Actions to address risks and opportunities
Risks have been identified for the department. The actions to address the risks identified
have been documented.
The department has risk criteria, including acceptance criteria; controls and mitigation measures
have been identified for the medium and high risks, while the low ones are to be
monitored within the system.
4. Clause 7.1 – Resources
Contracts for the contracted security services, Mocam security services limited were available;
the current contract was signed in January 2018.
The contract includes CIA aspects, for example, contract number UoEm/17/2017-2018 clause
1.11 on confidentiality.
5. Clause 7.3 – Awareness
Awareness of the requirements of ISMS has been created for the staff of the
University and the outsourced security.
Monthly reports on implementation and progress of the system are generated, for example, the
report for quarter 3 of FY 2017/2018. The scores given for Integrity in CIA were 60% for all 3
months.
6. Clause 8.1 – Operational planning and control
Plans for implementing and achieving information security objectives had been developed, for
example: a meeting held on 12th April 2018 to discuss installation of the CCTV, with a report on
the exercise tabled in the meeting held on 3rd May 2018; and fencing of the perimeter wall, with
the initiation memo done on 23rd April 2018 and the assignment forwarded to the Estates department
for coordination.
7. Clause 9.1 – Monitoring, measurement, analysis and evaluation
Monitoring and evaluation of the risks and processes is planned to be undertaken in the month
of June 2018 and October 2019.
Areas of Improvement
1. No opportunities have been identified for the department.
2. There was no evidence of the action taken after the analysis report on integrity of the guards;
the risk matrix is yet to be updated.
SECTION 4: OTHER INFORMATION
4.1 Comments on any effected changes to audit scope/audit plan, audit objectives and any proposed changes to the surveillance audit programme, etc.
4.1.1 Changes effected on audit plan
Audit area | ISO 27001 clauses not audited as planned | Reasons | ISO 27001 clauses newly audited
Management | 5.1, 6.1.1, 7.3, 8.1, 8.2, 9.2, 10.1, 10.2 | Time constraints | 4.2, 7.5, 6.1.3, 9.3
Top Management | 4.1, 4.2, 5.2, 5.3, 7.1, 9.3, 10 | | -
Directorate of Post Graduate Studies | 4.2 | | -
Department of Business and Economics | 6.1.1 | | -
Department of Land and Water Management | 5.1, 6.1.2, 6.1.3 | | -
Finance | 7.5.2, 7.5.3 | | -
Security | 7.2, 8.2 | | -
4.2 Record of unresolved issues
None
4.3 Scope of certification
Provision of Training, Research and Extension
4.4 Disclaimer statement
This report is based only on areas sampled during the audit. There is therefore an element of uncertainty about performance in other areas not sampled during the audit. Therefore, this report may not be representative of the whole scope.
4.5 Any other information
The audit was combined with the ISO 9001:2015 Recertification audit, which was conducted by a different team (Netty and Maru).
SECTION 5: AUDIT CONCLUSION/OVERALL OPINION OF AUDIT TEAM
It is the opinion of the audit team that the implemented ISMS meets most of the requirements of the
audit criteria, the ISMS has the ability to meet applicable legal and contractual requirements, the ISMS is
effective and the client can reasonably expect to achieve ISMS objectives; however, the ISMS has weak
areas that need improvement.
The client has already forwarded appropriate corrective action, which has been approved;
recommendation for certification to ISO 27001:2013 is hereby made.
SECTION 6: CONFIRMATION WHETHER AUDIT OBJECTIVE(S) HAVE BEEN FULFILLED
The audit objectives were fulfilled.
Appendices
1. Audit timetable
2. Meetings attendance register
3. Corrective Action Request forms (CARs)
4. Audit program
Name: Purity Wangai    Sign:    Date: 19 June 2018    Lead Auditor
Appendix 1: Audit Plan/Time table
Day/Date: TUESDAY 29TH MAY 2018
Time | Activity | Elements of Normative Document | Key Participants
0900-0930 | Opening meeting | N/A | Auditors, top management, sectional heads, any other persons as determined by QISMR
0930-1130 | Directorate of Postgraduate studies | ISO/IEC 27001 Cl. 4.2, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1 | EM, section head
0930-1130 | Library | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1 | PW, section head
1130-1300 | Department of business & economics | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1 | EM, section head
1130-1300 | School of nursing | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1 | PW, section head
1300-1400 | LUNCH BREAK | |
1400-1600 | Department of land & water management | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1 | EM, section head
1400-1600 | ICT | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1 | PW, section head
1600-1700 | Auditors Meeting | N/A | Auditors
Day/Date: WEDNESDAY 30TH MAY 2018
Time | Activity | Elements of Normative Document | Key Participants
0900-1030 | Finance | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4, 7.5.2, 7.5.3 | EM, section head
0900-1030 | Directorate of research & extension | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4, 7.5.2, 7.5.3 | PW, section head
1030-1230 | Security | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 7.1, 7.2, 7.3, 8.1, 8.2, 9.1 | EM, section head
1030-1230 | QISMR | ISO/IEC 27001 Cl. 4.1, 4.3, 5.1, 6.1.1, 7.3, 8.1, 8.2, 9.2, 10.1, 10.2 | PW, QISMR
1230-1300 | Top Management | ISO/IEC 27001 Cl. 4.1, 4.2, 5.1, 5.2, 5.3, 7.1, 9.3, 10.2 | CM, EM, PW, NK
1300-1400 | LUNCH BREAK | |
1400-1600 | Auditors review meeting | N/A | Auditors
1600 | Closing Meeting | N/A | All
Appendix 2: Opening and Closing meeting attendance register
The register is in client file at KEBS-CB as a hard copy.
Appendix 3: Corrective Action Request forms (CARs)
The CARs are in client file at KEBS-CB as hard copies.
Appendix 4: Audit Program
A combined ISMS and QMS audit program will be sent to client once it is developed.