A request was made for GTS audit reports, managerial structures, and complaint statistics from 2016 onwards, resulting in the partial release of an internal ISO 20000-1:2011 audit report while other information was withheld.
Key Facts
The Cabinet Office responded to the FOI request on 2019-05-22 with a partial disclosure.
A 6-page internal audit report regarding Change Management procedures was released.
The audit was conducted by K Burnell on 7th June 2017.
The audit assessed conformity with BS ISO/IEC 20000-1:2011 standards.
The response included 21 documents totaling 366 pages.
Original Request
Dear FOI team
1. I would be most grateful if you would provide me, under the Freedom of Information Act, copies of all externally commissioned reports, audits, or studies regarding GTS (i.e. KPMG, PWC, etc.) [clarification received - please provide copies from January 2016 to date].
2. Provide a managerial structure including named personnel and business contact details for GTS [clarification received - please provide copy as of today's date].
3. Provide the total number of complaints from 2016 to date made against GTS broken down by category (i.e. poor customer service, etc.).
Audit Report (6 pages): BS ISO/IEC 20000-1:2011, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Grading key:
Passed: the processes and procedures are conforming to requirements.
OFI: the processes and procedures are conforming to requirements but improvements could be made.
Minor Non Conformance: the processes and procedures do not fulfil a requirement but this is unlikely to result in ISMS failure.
Major Non Conformance: the processes and procedures do not fulfil a requirement and this is likely to result in ISMS failure.
Audit Report (5 pages): BS ISO/IEC 27001:2013, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Audit Report (8 pages): BS ISO/IEC 27001:2013, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Auditor(s): K Burnell (KTB)
Auditee(s): St Andrews House GTS; Markwell House GTS; Hanover House GTS
Observer: Tana Wondergem (TW)
Audit Date: 17th and 18th October 2017
Audit Times: 9.45 – 10.40, 12.15 – 12.40 and 11.40 – 12.40
Belfry meeting room (large screen projector): it was noted that flip chart information contained IP addresses. The wipe board was clear of information; however, the meeting room policy displayed on the outside of the door, which details correct use of the area, lacks ISMS controls.
Key left in door and door left open.
Keys in drawers and cabinets; also a lot of paperwork left on desks.
Cleaning is contracted out, therefore there is a risk of information being compromised.
Cleaners operate outside of normal hours but do overlap with times when staff are in the building.
Audit Report (4 pages): BS ISO/IEC 27001:2013, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Audit Report (3 pages): BS ISO/IEC 27001:2013, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Audit Report (5 pages): BS ISO/IEC 27001:2013, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Reference number: 45398_COVJNY01
Assessment Criteria (Clause): ISO/IEC 27001:2013 (6.1.3)
Grade: Minor NC
Issue Date: 27-July-2015
Status: Closed
Process / Aspect: Risk Management
Location(s): Department of Economic Development, Douglas
Statement of Non Conformity: The risk register is a SharePoint library and, whilst it tracks actions taken and planned, it does not detail the target risk reductions needed.
Requirement: Risks above the risk appetite need to be prioritised and a risk treatment plan needs to be defined that identifies all of the controls to be applied and the timescales for implementation to achieve the targeted reduction in risk.
Evidence: Risk Register
Proposed correction, corrective action and timescales: GTS accept this finding. As a result an overall Risk Appetite will be presented to the Risk Management Board 21/8/15 establishing an acceptable risk level of IMPORTANT as the highest level of risk to be accepted within Appetite. SIGNIFICANT has to be individually accepted above appetite by an individual Senior Manager and MAJOR can only be accepted by the Director and/or CEO in the business. The process is expected to be accepted and implemented by end of September 2015.
Correction: A risk appetite has been defined and agreed.
Root Cause analysis: Requirement missed at transition.
Corrective action: Evidence seen from corrective action.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 22-January-2016
Reference number: 45398_COVJNY02
Assessment Criteria (Clause): ISO/IEC 27001:2013 (9.1)
Grade: Minor NC
Issue Date: 27-July-2015
Status: Closed
Process / Aspect: Information Security Objectives
Location(s): Department of Economic Development, Douglas
Statement of Non Conformity: Whilst there is an impressive set of KPIs defined and reviewed at the “ManCom” meetings, a set of measurable information security objectives has not been defined and a plan to achieve the objectives has not been defined.
Requirement: Information security objectives need to be defined and a plan for realising the objectives needs to be developed.
Evidence: ManCom reports/presentation pack
Proposed correction, corrective action and timescales: Whilst there was a set of Security Objectives implemented, there were no documented methods of measuring these to ensure they are adequately monitored and tracked. The Objectives will be retitled “Security Objectives / Goals” and each will have a delivery plan to accompany it on the document. The amended version is on the agenda for the ISMS Board 19/08/15 and implementation is expected before end of September 2015.
Correction: ManCom presentation pack has been reduced in size and a scorecard has been added at the start of the pack providing feedback on key measures.
Root Cause analysis: Over-enthusiasm
Corrective action: ManCom presentation and metrics were reviewed.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 20-January-2016
Reference number: 45398_COVJNY03
Assessment Criteria (Clause): ISO/IEC 27001:2013 (9.2)
Grade: Minor NC
Issue Date: 29-July-2015
Status: Closed
Process / Aspect: Internal Audit
Location(s): Department of Economic Development, Douglas
Statement of Non Conformity: The internal audit schedule for ISO27001 needs to be updated to adopt the 2013 version of the controls.
Requirement: Internal audits need to demonstrate coverage of all elements of information security at least once in any certification cycle.
Evidence: The audit schedule
Proposed correction, corrective action and timescales: The ISO 27001:2013 audit schedule has been produced using the SOA as the basis for the plan. It will be presented to the ISMS Board 19/08/2015 for approval and will be utilised for the October internal audit. Implementation expected before end of September 2015.
Correction: The audit schedule has been updated.
Root Cause analysis: The audit schedule had not been updated.
Corrective action: The revised audit schedule was reviewed.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 20-January-2016
Visit type: Focus Visit
Audit days: 1
Visit start / end dates: 21-July-2016 / 22-July-2016
Theme(s) for Next Visit: Travel time is needed for this contract.
Locations: Department of Economic Development, Douglas
Activity codes: 007802, 007850, 007851
Standard(s) / Scheme(s): ISO/IEC 27001:2013
Team:
Visit schedule matrix (the table's column alignment did not survive extraction; values are listed by row):
Visit Type: ITSMS, ISMS 2013, ITSMS CR, ISMS SV1, ITSMS SV1, ISMS SV2, ITSMS SV2, ISMS SV3, ITSMS SV3, ISMS SV4, ITSMS SV4, ISMS FV, ITSMS FV, ISMS CR, ITSMS CR, ISMS SV1
Due Date: Jan 15, Jun 15, Jan 16, Jun 16, Jan 17, Jun 17
Start Date / End Date: 10/03/15 / 12/03/15; 20/1/15 / 22/1/15
Audit Days: 2, 2+1, 2+1, 2+1, 2+1, 3+1, 3+1
Any change in workforce numbers that may impact visit duration (if yes add new number): 99, 114; Y/N: N
Process / aspect / location (final selection will be determined after review of management elements and actual performance). Applicable to: ITSMS / ISMS. Rows are listed with the clause or Annex A control where given, followed by the scheduled session(s):
Management Review (A5, A6): D1 Pm
Internal Audits (9.2): D1 Pm
Continual Improvement (10.2): D1 Pm
Management of change (A12): D1 Pm
Corrective action (10): D1 Pm
Preventive action: D1 Pm
Complaint Management: D1 Pm
Use of Logo: D1 Pm
Performance against the client management system objectives (5.2): D1 Pm
Top Management (5): D1 Pm
Documentation Requirements / Compliance (A8, A18): D2 Am
Risk Assessment RTP & SoA (6.1): D1 Pm
Support desk / incident management (A16, A18): D2 Pm, D2 Am
Support desk / problem management (A16): D2 Pm
Change Management (A12): D2 Am
Configuration & Release management (A12): D2 Am
Service Catalogue: D2 Am
Service Level management: D2 Am
Service Reporting: D3 Am, D2 Am
Business Relationship Management: D2 Pm
Design & Transition of new & changed services (A6, A14): D2 Am
Service continuity & availability management; business continuity: (no entries)
Service Delivery (Controls not included in above): Operational (A8, A10): D2 Pm
Allocation columns (blank): Date am/pm, Assessor 1, Assessor 2, Standard covered
Reference number: 44960_COVJNY01
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.5)
Grade: Minor NC
Issue Date: 22-January-2016
Status: New
Process / Aspect: Capacity Planning
Location(s): Department of Economic Development, Douglas
Statement of Non Conformity: Whilst there is trending and alerting on capacity, and capacity is reviewed when projects are being designed, capacity planning does not meet the full requirements of clause 6.5. In particular:
6.5 a) forecasting is not formally reviewed with the customers on a periodic basis;
6.5 c) timescales and costs for capacity changes are difficult to evidence.
Requirement: The capacity plan is a required document under ISO20000-1:2011 and needs to be under change control.
Evidence: No document under change control detailing a capacity plan/forecast and bearing costings was available at the time of the audit.
Proposed correction, corrective action and timescales:
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken.
Date of closure:
Visit type: Surveillance 4
Audit days: 1
Visit start / end dates: 20-July-2016 / 21-July-2016
Theme(s) for Next Visit:
Locations: Department of Economic Development, Douglas
Activity codes: 000801, 000804, 007850
Standard(s) / Scheme(s): ISO/IEC 20000-1:2011
Team: Jeff Northam
Audit Report (5 pages): BS ISO/IEC 20000-1:2011, Issue 1, Ref. AUDIT, Authorised by: K Burnell, Effective Date: 30th March 2015, Classification: Restricted Access.
Summary and Results of Audit (tick appropriate box): Passed | Major NC | Minor NC | OFI: 3
It would be advisable to review how the status of events is recorded, as resolving an event does not record the status as closed.
CMP section 3.2.3 details emergency change but does not document emergency release (9.3 Para 3); it would be beneficial to add this to the documented process.
Consider the R&D documented process. It would be advisable to consider documenting this process.
Signed (auditor): K Burnell, Date: 13th June 2017
Signed (auditee): Date:
Reference number: 388228_COVJNY01
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (4.5.2)
Grade: Minor NC
Issue Date: 28-June-2017
Status: Open
Process / Aspect: Service Management Plan
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: The service management plan has not been updated to reflect recent organisation changes, and section 3.5 and the table of responsibilities are out of date.
Requirement: The service provider shall create, implement and maintain a service management plan.
Evidence: The service management plan does not reflect recent organisational changes.
Proposed correction, corrective action and timescales: The service management plan will be updated to show the recent organisational changes by the next ISO20000-1 visit. On an ongoing basis there will be an annual to ensure that changes are identified and the document duly updated.
Correction:
Root Cause analysis:
Corrective action: Given the current ongoing re-organisation the service management plan will require updating again and therefore this finding remains open.
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 388228_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.3.3)
Grade: Minor NC
Issue Date: 29-June-2017
Status: Open
Process / Aspect: Service Continuity
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: Testing and exercising of service continuity plans is not clearly evidenced, and neither is the requirement to have both the CMDB and contact lists available during continuity events.
Requirement:
1. Service continuity plans shall be tested against the service continuity requirements. Availability plans shall be tested against the availability requirements. Service continuity and availability plans shall be re-tested after major changes to the service environment in which the service provider operates.
And
2. The service continuity plan(s), contact lists and the CMDB shall be accessible when access to normal service locations is prevented.
Evidence: Lack of testing schedule and result of testing.
Proposed correction, corrective action and timescales: A test schedule will be documented and test reports will be produced by end September 2017.
Correction:
Root Cause analysis:
Corrective action: Due to the delay in commencement of the audit this finding was not fully reviewed on this occasion and therefore the finding remains open.
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 155400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 27001:2013 (7.5.3)
Grade: Minor NC
Issue Date: 09-January-2017
Status: Open
Process / Aspect: Document Control
Location(s): 4th Floor Markwell House, Douglas, IM (Isle of Man Government Technology Services)
Statement of Non Conformity: Some of the ISMS documents stored in SharePoint have incorrect document properties set that result in ambiguity of status and of the next planned review date. In addition there is a conflict between the IoM Government document classification system and the GTS Information Security Policy.
Requirement: Documented information shall be controlled to ensure control of changes (e.g. version control).
Evidence:
Information Security Policy version 2 (part 1), SharePoint version 2: review date has not been updated, document properties indicate draft and the workflow indicates approved.
Information Security Policy part 2 version 3: same issues as above.
Risk management policy 23/7/15, review due 27/2/16, has not been reviewed.
IoM Government document classification system and the GTS Information Security Policy are not using the same classification system.
Proposed correction, corrective action and timescales: GTS to review the SharePoint site and resolve the issues relating to document properties as well as update the GTS and ISP so they match. Proposed Implementation Date 03/04/2017.
1709 TW: All ISMS documents to be reviewed for any changes necessary, plus any properties corrected. Target 17/10/11.
Correction: Target date should have been 11/10/17 in UK date format.
Correction (Assessor Name: Northam, Jeff): Work is ongoing, but has been delayed due to illness.
Root Cause analysis:
Corrective action (Assessor Name: Northam, Jeff): 13/2/18 This finding remains open pending review.
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 155400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 27001:2013 (6.2)
Grade: Minor NC
Issue Date: 09-January-2017
Status: Closed
Process / Aspect: Information Security Objectives
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: Objectives for the ISMS should be SMART; only 1 of 5 information security objectives is measurable, and for this no target has been set. For all of the objectives there is no clear definition of how clause 6.2 f) to j) are defined.
Requirement: Objectives need to describe who has what action, when they are to be achieved and how they are measured.
Evidence: Objectives 1 to 4 (of 5) have no definition of what will be done, by whom or by when, and how success will be assessed.
Proposed correction, corrective action and timescales: GTS to review the ISMS Objectives and update them to SMART objectives. Proposed Implementation Date 20/04/2017.
1709 TW: Objectives to be reviewed now new director in post. Currently one objective of the original five has been removed. Target 11/10/17.
Correction (Assessor Name: Northam, Jeff): Objectives have been reviewed and worded to make them SMART.
Root Cause analysis (Assessor Name: Northam, Jeff): Misinterpretation of the standard.
Corrective action (Assessor Name: Northam, Jeff): This finding has now been addressed and can be closed.
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: The audit schedules for ISO2000-1 and ISO27001 do not demonstrate coverage of the standards over the full audit cycle and do not appear to recognise the importance of relevant controls and processes.
Assessor Name: Northam, Jeff. 13/02/18: Clarification: Whilst the audit programme has now been extended to the full audit cycle, the plans for ISO27001 and ISO2000-1 are separated and therefore the ISO27001 plan needs to include the main clauses in addition to the Annex A controls.
Requirement: Internal audit must demonstrate full coverage of the standards and appropriate weight must be given to areas of risk and previous weakness.
Evidence: Presented internal audit schedules for ISO2000-1 and ISO27001.
Proposed correction, corrective action and timescales: This finding remains open to evaluate the effectiveness of the audit plan.
Assessor Name: Northam, Jeff: The audit schedule for ISO27001 will be updated to include the main clauses of the standard by end of March 2018.
Correction: An audit plan has now been developed.
Correction (Assessor Name: Northam, Jeff): The audit plan has now been extended to show the full audit cycle, but further extension is needed.
Root Cause analysis: Lack of appropriate resource.
Corrective action: There has been an attempt to re-structure the audit schedule by process but the result was unsatisfactory and so this finding remains open. JN 12/1/17
29/6/2017: An initial audit plan has been produced, but only on the last day of the audit, and therefore this finding remains open to assess if it has been effectively applied.
Assessor Name: Northam, Jeff. 13/02/2018: this finding remains open as a minor non-conformance.
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 388202_SBCJHS01
Assessment Criteria (Clause): ISO/IEC 27001:2013 (4.2)
Grade: Minor NC
Issue Date: 30-August-2017
Status: Closed
Process / Aspect: Client requirements
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: While GTS administers an AD access management system on behalf of government departments, there is no clear understanding with the departments as to which party is responsible for regular review of access rights, as required by control A.9.2.5.
Requirement: Clause 4.2. The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security.
Evidence: Conversation with Tana Wondergem
Proposed correction, corrective action and timescales: 1709 TW: GTS is a service provider of technology and access to systems. GTS is not the data controller of Departmental Data, and therefore cannot be responsible for regular access rights reviews or the access rights which have been granted. GTS conducts regular Joiners Movers Leavers (JML) processes as part of its staff maintenance work. GTS Admin accounts are policed to ensure robust management of access and permissions. To be discussed with LRQA at the next review.
Correction (Assessor Name: Northam, Jeff): See below.
Root Cause analysis (Assessor Name: Northam, Jeff): Incorrectly raised.
Corrective action: This finding can now be closed.
Reference number: 388202_SBCJHS03
Assessment Criteria (Clause): ISO/IEC 27001:2013 (A.12.1.1)
Grade: Minor NC
Issue Date: 30-August-2017
Status: Closed
Process / Aspect: Change management
Location(s): 4th Floor Markwell House, Douglas, IM (Isle of Man Government Technology Services)
Statement of Non Conformity: While GTS has a change management process description, the process used in practice does not match the description.
Requirement: A.12.2.1. Operating procedures shall be documented and made available to all users who need them (and the implication that the procedures be fit for purpose and followed).
Evidence: Conversation with Tana Wondergem
F - Change Management Process - last modified by Nick Leece 29 July 16
A - Webhelpdesk ticketing system - for change management
Proposed correction, corrective action and timescales: 1709 TW: Previous LRQA auditor asked for all product names to be removed from processes (as these were in previous documents) so that technology could be updated without the need to update process (if it’s not linked). Also unknown to the auditee, a regular CAB also takes place. Therefore GTS does not accept this NC, as control A.12.1.1 is being carried out, documented and made available to all who need it.
Correction (Assessor Name: Northam, Jeff): The change management process was reviewed during this audit and it is clear that all the requirements of the standard are being met.
Root Cause analysis (Assessor Name: Northam, Jeff): Lack of evidence seen by the previous assessor.
Corrective action (Assessor Name: Northam, Jeff): This finding can now be closed.
Reference number: 388202_SBCJHS04
Assessment Criteria (Clause): ISO/IEC 27001:2013 (A.14.1.1)
Grade: Minor NC
Issue Date: 30-August-2017
Status: Closed
Process / Aspect: System acquisition, development and maintenance
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: While GTS has a formal project management process, which includes a Production Compliance Acceptance (PCA) step that is designed to address security, the step does not require or produce a formal statement of security requirements for each project.
Requirement: A.14.1.1 The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Evidence: Conversation with Steve Parker and TW
A - High Level Project Lifecycle - issued
B - Infosec Business Impact Assessment - for Gladstone Payment & Card System project
C - High level overview of PCA process
F - PCA online forms for Demand Responsive Transport project
G - ISBIA for above project - showing impact assessment for loss of C I A of project data and systems
Proposed correction, corrective action and timescales: 1709 TW: Unknown to the auditee, this is already covered in the PCA. A demo will be provided to LRQA at the next review.
Correction (Assessor Name: Northam, Jeff): The PCA process adequately documents the information security requirements of projects.
Root Cause analysis (Assessor Name: Northam, Jeff): PCA process not evidenced to the previous auditor.
Corrective action (Assessor Name: Northam, Jeff): This finding can now be closed.
Reference number: 1541856_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.2)
Grade: Minor NC
Issue Date: 15-February-2018
Status: New
Process / Aspect: Complaint Management
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: The existing complaints procedure calls for trend analysis of complaints, but no complaint records or trend information could be located at the time of the audit.
Requirement: Service reporting will include... f) customer satisfaction measurements, service complaints and results of the analysis of satisfaction measurements and complaints.
Evidence: Not able to locate complaint records or trend information at the time of the audit.
Proposed correction, corrective action and timescales: The trend analysis will be available at the next visit.
Correction:
Root Cause analysis:
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 1541856_COVJNY03
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( A.8.2 )
Grade: Minor NC
Issue Date: 15-February-2018
Status: New
Process / Aspect: Document Classification
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: Where non-GTS staff are given access to the SharePoint project libraries there is no evidence that they have been informed of the document classification system and its implications for them.
Requirement: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
Evidence: Non-GTS staff who were given access to the Digital Health Record project can only access the Government classification system (e.g. Official, Secret etc.) and not the GTS classification system.
Proposed correction, corrective action and timescales: The classification system is to be reviewed and clarified by the next visit.
Correction:
Root Cause analysis:
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 1541856_COVJNY04
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( 7.5 )
Grade: Minor NC
Issue Date: 15-February-2018
Status: New
Process / Aspect: Document Control
Location(s): Cabinet Office, Douglas, GB
Statement of Non Conformity: Document control in the Digital Health Record Project has not been correctly implemented.
Requirement: Documented information required by the information security management system and by this International Standard shall be controlled to ensure: [...] e) control of changes (e.g. version control);
Evidence: Digital Health Record Project:
1. The PID SharePoint version indicates it is version 0.5, the document itself indicates 0.6, and the document is still marked draft; therefore there is an inadequate record of its status, as it is understood that this document has been approved.
2. The full business cases and the risk register also seemingly are still draft documents.
Proposed correction, corrective action and timescales: Document control is to be reviewed and an appropriate solution applied by the next visit.
Correction:
Root Cause analysis:
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Date of closure:
Visit Type (ITSMS / ISMS 2013): ITMS CR, ISMS SV1, ITSMS SV1, ISMS SV2, ITSMS SV2, ISMS SV3, ITSMS SV3, ISMS SV4, ITSMS SV4, ISMS FV, ITSMS FV, ISMS CR, ITSMS CR, ISMS SV1
Due Date: Jan 15, Jun 15, Jan 16, Jun 16, Jan 17, Jun 17
Start Date: 10/03/15, 20/1/15
End Date: 12/03/15, 22/1/15
Audit Days: 2, 2+1, 2+1, 2+1, 2+1, 3+1, 3+1
Any change in workforce numbers that may impact visit duration (if yes add new number): 99, 114, 105, N, Y/N, 105, Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To: ITSMS, ISMS
Management Review | Y | A5, A6 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Internal Audits | Y | 9.2 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Continual Improvement | Y | 10.2 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Management of change | Y | A12 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Corrective action | Y | 10 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Preventive action | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Complaint Management | Y | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Use of Logo | Y | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Performance against the client management system objectives | Y | 5.2 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Top Management | Y | 5 | D1 Pm | Y | Y
Documentation Requirements / Compliance | Y | A8, A18 | D2 Am | Y | Y
Risk Assessment RTP & SoA | 6.1 | D1 Pm | D1 Pm
Support desk / incident management | Y | A16, A18 | D2 Pm | D2 Am | Y | Y
Support desk / problem management | Y | A16 | D2 Pm | Y | Y
Change Management | Y | A12 | D2 Am | D2 Am | Y | Y
Configuration & Release management | Y | A12 | D2 Am | Y | Y
Service Catalogue | Y | D2 Am | Y
Service Level management | Y | D2 Am | Y
Service Reporting | Y | D3 Am | D2 Am | Y
Business Relationship Management | Y | D2 Pm | Y
Design & Transition of new & changed services | Y | A6, A14 | D2 Am | Y | Y
Service continuity & availability management; business continuity
Service Delivery (Controls not included in above):
ISO27001 Visit Type (ITSMS / ISMS 2013): SV1, SV2, SV3, SV4, FV, CR, SV1
ISO20000-1 Visit Type: CR, SV1, SV2, SV3, SV4, FV, CR
Due Date: July 17, Jan 18, July 18, Jan 19, July 19, Jan 20, July 20
Start Date:
End Date:
ISO27001 Audit Days: 1, 2*, 2*, 2*, 2*, 8*, 2*
ISO20000-1 Audit Days: 2, 1, 1, 1, 1, 1, 3
Travel Days: 1, 1, 1, 1, 1, 2, 1
Total Visit Time: 4, 4, 4, 4, 4, 11, 6
Any change in workforce numbers that may impact visit duration (if yes add new number): Y/N, Y/N, Y/N, Y/N, Y/N, Y/N, Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To: ITSMS, ISMS
Management Review | Y | A5, A6 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Internal Audits | Y | 9.2 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Continual Improvement | Y | 10.2 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Management of change | Y | A12 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Corrective action | Y | 10 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Preventive action | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Complaint Management | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Use of Logo | Y | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Performance against the client management system objectives | Y | 5.2 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Top Management | Y | 5 | D1 Pm | D1 Pm | Y | Y
Documentation Requirements / Compliance | Y | A8, A18 | D2 Am | D2 Am | Y | Y
Risk Assessment RTP & SoA | 6.1 | D1 Pm | D1 Pm
Support desk / incident management | Y | A16, A18 | D2 Am | D2 Pm | D2 Am | Y | Y
Support desk / problem management | Y | A16 | D2 Pm | D2 Pm | D3 Pm | Y | Y
Change Management | Y | A12 | D2 Pm | D2 Am | D2 Am | Y | Y
Configuration & Release management | Y | A12 | D2 Pm | D2 Am | D3 Pm | Y | Y
Service Catalogue | Y | D1 Am | D2 Am | D4 Am | Y
Service Level management | Y | D2 Am | D2 Am | Y
Service Reporting | Y | D2 Am | D3 Am | D2 Am | Y
Business Relationship Management | Y | D3 Am | D4 Am | D2 Pm | Y
Design & Transition of new & changed services | Y | A6, A14 | D3 Am | D2 Pm | D2 Am | Y | Y
Service continuity & availability management; business continuity | Y | A17 | D3 Am | D2 Am | D3 Pm | Y | Y
Capacity Management | Y | A12 | D3 Am | D3 Pm | D2 Am | Y | Y
Information Security Incidents | Y | A16 | D1 Am | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Supplier Management | Y | A15 | D4 Am | D3 Am | D2 Pm | Y | Y
Budgeting & Accounting for IT Services | Y | D3 Pm | D4 Am | Y
Scope of the management system
ISO/IEC 20000-1:2011: The provision, to Isle of Man government departments, of managed IT services denoted as 'ISO20000' in the Service Catalogue.
ISO27001:2013: Management and delivery of infrastructure and services and the provision of a secure portal. The provision of desktop services; electronic office, email and internet to the Isle Of Man Government. In accordance with Statement of Applicability Version 6.
Exclusion
Date am/pm
Assessor 1
Assessor 2
Standard covered
Reference number: 45400_COVJNY01
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( 9.2 )
Grade: Minor NC
Issue Date: 20-July-2016
Status: Open
Process / Aspect: Management Elements
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: The audit schedules for ISO20000-1 and ISO27001 do not demonstrate coverage of the standards over the full audit cycle and do not appear to recognize the importance of relevant controls and processes.
Requirement: Internal audit must demonstrate full coverage of the standards and appropriate weight must be given to areas of risk and previous weakness.
Evidence: Presented internal audit schedules for ISO20000-1 and ISO27001.
Proposed correction, corrective action and timescales: GTS to review the audit schedule to ensure full coverage of the standards over the full audit cycle, taking into account areas of higher risk to be audited as appropriate. Also to implement an annual review and possible change to the schedule taking into account any previous audit findings. Proposed Implementation Date 03/04/2017.
Correction:
Root Cause analysis:
Corrective action: There has been an attempt to re-structure the audit schedule by process but the result was unsatisfactory and so this finding remains open. JN 12/1/17
LRQA has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 45400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 ( 8.1 )
Grade: Minor NC
Issue Date: 21-July-2016
Status: Closed
Process / Aspect: Incident Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity: Three members of GTS staff were unable to locate the incident management process.
Requirement: The incident management process is a mandatory document required by the standard.
Evidence: The service desk manager was not aware of the existence of the document and two other members of staff were unable to locate the document.
Proposed correction, corrective action and timescales:
Correction: N/A
Root Cause analysis: N/A
Corrective action: This finding is not relevant to ISO27001 and is therefore closed.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 12-January-2017
Reference number: 45400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 ( 8.2 )
Grade: Minor NC
Issue Date: 21-July-2016
Status: Closed
Process / Aspect: Problem Management
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: There is no identifiable analysis of incident trend data to identify problems.
Requirement: Incident data and trends need to be analyzed to identify problems.
Evidence: Lack of evidence of analysis on incident data and trends.
Proposed correction, corrective action and timescales:
Correction: The incident process had not been published to the correct SharePoint library and so could not be located by staff.
Root Cause analysis: Error
Corrective action: This procedure is now available and therefore this finding can be closed.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 12-January-2017
Reference number: 45400_COVJNY04
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 ( 6.5 )
Grade: Minor NC
Issue Date: 22-January-2016
Status: Closed
Process / Aspect: Capacity Planning
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Previous audit Ref: 44960_COVJNY01. Whilst there is trending and alerting on capacity, and capacity is reviewed when projects are being designed, capacity planning does not meet the full requirements of clause 6.5. In particular:
6.5 a) forecasting is not formally reviewed with the customers on a periodic basis;
6.5 c) timescales and costs for capacity changes are difficult to evidence.
Requirement: The capacity plan is a required document under ISO20000-1:2011 and needs to be under change control.
Evidence: No document under change control detailing a capacity plan/forecast and bearing costings was available at the time of the audit.
Proposed correction, corrective action and timescales:
Correction: N/A
Root Cause analysis: N/A
Corrective action: 22/7/2016 Update JVN: There has been little progress on developing a capacity plan as yet. As a minimum a plan to address this non-conformance needs to be in place at the next visit to prevent escalation to a major non-conformance.
This finding does not relate to ISO27001 and is therefore closed.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 12-January-2017
Reference number: 155400_COVJNY01
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( 6.1.3 )
Grade: Minor NC
Issue Date: 09-January-2017
Status: Closed
Process / Aspect: SoA
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: The SoA does not accurately reflect the controls that have been implemented; in addition, the SoA does not provide reasons for inclusion of selected controls.
Requirement: The organization shall define and apply an information security risk treatment process to produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
Evidence: SoA omitting controls A6.1.5, A10.1.1, A10.1.2, A11.1.1, A11.1.2, A13.2.4, A15.2.2, many of which are defined in information security policies, and for which none of the selected controls are justified.
Proposed correction, corrective action and timescales: Update the SoA by the end of the visit.
Correction: The SoA has been updated to version (Alan - Please supply the new version number)
Root Cause analysis: Lack of "tidy up" following the transition to ISO27001:2013.
Corrective action: The document now correctly identifies the implemented controls.
LRQA has reviewed and verified the implementation of actions taken.
Date of closure: 12-January-2017
Reference number: 155400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( 7.5.3 )
Grade: Minor NC
Issue Date: 09-January-2017
Status: New
Process / Aspect: Document Control
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Some of the ISMS documents stored in SharePoint have incorrect document properties set that result in ambiguity of status and in the next planned review date. In addition there is a conflict between the IoM Government document classification system and the GTS Information Security Policy.
Requirement: Documented information shall be controlled to ensure control of changes (e.g. version control).
Evidence:
Information Security Policy version 2 (part 1), SharePoint version 2 – review date has not been updated, document properties indicate draft and the workflow indicates approved.
Information Security Policy part 2 version 3 – same issues as above.
Risk management policy 23/7/15, review due 27/2/16, has not been reviewed.
IoM Government document classification system and the GTS Information Security Policy are not using the same classification system.
Proposed correction, corrective action and timescales: GTS to review the SharePoint site and resolve the issues relating to document properties as well as update the GTS and ISP so they match. Proposed Implementation Date 03/04/2017.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken.
Date of closure:
Reference number: 155400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 27001:2013 ( 6.2 )
Grade: Minor NC
Issue Date: 09-January-2017
Status: New
Process / Aspect: Information Security Objectives
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Objectives for the ISMS should be SMART; only 1 of 5 information security objectives is measurable, and for this no target has been set. For all of the objectives there is no clear definition of how clause 6.2 f) to j) are addressed.
Requirement: Objectives need to describe who has what action, when they are to be achieved and how they are measured.
Evidence: Objectives 1 to 4 (of 5) have no definition of what will be done, by whom or by when, and how success will be assessed.
Proposed correction, corrective action and timescales: GTS to review the ISMS Objectives and update them to SMART objectives. Proposed Implementation Date 20/04/2017.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken.
Date of closure:
Visit type: Surveillance 1
Audit days: 1
Due date: Jul, 2017
Theme(s) for Next Visit:
Activity codes: 007801, 007850, 007851
Locations: Cabinet Office, Douglas
Standard(s) / Scheme(s): ISO/IEC 27001:2013
Team: Jeff Northam
Statement of Non Conformity: The service management plan has not been updated to reflect recent organisation changes, and section 3.5 and the table of responsibilities are out of date.
Requirement: The service provider shall create, implement and maintain a service management plan.
Evidence: The service management plan does not reflect recent organisational changes.
Proposed correction, corrective action and timescales: The service management plan updated to show the recent organisational changes by the next ISO20000-1 visit. On an ongoing basis there will be an annual to ensure that changes are identified and the document duly updated.
Correction:
Root Cause analysis:
Corrective action: Given the current ongoing re-organisation the service management plan will require updating again and therefore this finding remains open.
20/8/18. The service management plan has not been updated since the minor non-conformance was raised last June. Therefore, this finding is now escalated to a major non-conformance.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: Some of the ISMS documents stored in SharePoint have incorrect document properties set that result in ambiguity of status and in the next planned review date. In addition there is a conflict between the IoM Government document classification system and the GTS Information Security Policy.
Requirement: Documented information shall be controlled to ensure control of changes (e.g. version control).
Evidence:
Information Security Policy version 2 (part 1), SharePoint version 2 – review date has not been updated, document properties indicate draft and the workflow indicates approved.
Information Security Policy part 2 version 3 – same issues as above.
Risk management policy 23/7/15, review due 27/2/16, has not been reviewed.
IoM Government document classification system and the GTS Information Security Policy are not using the same classification system.
Proposed correction, corrective action and timescales: GTS to review the SharePoint site and resolve the issues relating to document properties as well as update the GTS and ISP so they match. Proposed Implementation Date 03/04/2017.
1709 TW All ISMS documents to be reviewed for any changes necessary, plus any properties corrected. Target 17/10/11
Correction: Target date should have been 11/10/17 in UK date format.
Correction (Assessor Name: Northam, Jeff): Work is ongoing, but has been delayed due to illness.
The documents identified in the finding have been corrected, but a review of published management system documentation identified a number of documents that have not been reviewed in the time scales set. In addition, and by way of example, the documents entitled "R 2 New Account" and "IM Domain" are no longer used and should be withdrawn.
Root Cause analysis:
Corrective action (Assessor Name: Northam, Jeff): 13/2/18 This finding remains open pending review.
21/8/18 Whilst progress has been made and correction has been performed on the documents identified in this finding, there is further evidence that documents are not being controlled effectively and therefore this finding remains open as a minor non-conformance.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: Testing and exercising of service continuity plans is not clearly evidenced, and neither is the requirement to have both the CMDB and contact lists available during continuity events.
Requirement:
1. Service continuity plans shall be tested against the service continuity requirements. Availability plans shall be tested against the availability requirements. Service continuity and availability plans shall be re-tested after major changes to the service environment in which the service provider operates.
And
2. The service continuity plan(s), contact lists and the CMDB shall be accessible when access to normal service locations is prevented.
Requirement: Internal audit must demonstrate full coverage of the standards and appropriate weight must be given to areas of risk and previous weakness.
Evidence: Presented internal audit schedules for ISO20000-1 and ISO27001.
Proposed correction, corrective action and timescales: This finding remains open to evaluate the effectiveness of the audit plan.
Assessor Name: Northam, Jeff
The audit schedule for ISO27001 will be updated to include the main clauses of the standard by end of March 2018.
Correction: An audit plan has now been developed.
Assessor Name: Northam, Jeff
The audit plan has now been extended to show the full audit cycle, but further extension is needed.
The internal audit plan now addresses the full standard.
Root Cause analysis: Lack of appropriate resource.
Lack of appropriate resource.
Corrective action: There has been an attempt to re-structure the audit schedule by process but the result was unsatisfactory and so this finding remains open. JN 12/1/17
29/6/2017 An initial audit plan has been produced, but only on the last day of the audit and therefore this finding remains open to assess if it has been effectively applied.
Assessor Name: Northam, Jeff
13/02/2018: this finding remains open as a minor non-conformance.
20/8/2018 This finding can now be closed.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: The existing complaints procedure calls for trend analysis of complaints, but no complaint records or trend information could be located at the time of the audit.
Requirement: Service reporting will include... f) customer satisfaction measurements, service complaints and results of the analysis of satisfaction measurements and complaints.
Evidence: Not able to locate complaint records or trend information at the time of the audit.
Proposed correction, corrective action and timescales: The trend analysis will be available at the next visit.
Correction: The complaint documentation has been reviewed and the team are currently in the process of creating a retrospective log from history records. However, there are no records after 2014, as it was at this point that the process was clearly no longer being implemented.
Root Cause analysis: Staff not following procedure.
Corrective action: The complaint management process requires a more fundamental review to see how complaints can be identified. This finding remains open as a minor non-conformance.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: Where non-GTS staff are given access to the SharePoint project libraries there is no evidence that they have been informed of the document classification system and its implications for them.
Requirement: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
Evidence: Non-GTS staff who were given access to the Digital Health Record project can only access the Government classification system (e.g. Official, Secret etc.) and not the GTS classification system.
Proposed correction, corrective action and timescales: The classification system is to be reviewed and clarified by the next visit.
Correction: This issue was addressed at the PMO forum and it was agreed that all documents should use the Government document classification system.
Root Cause analysis: The government document classification system is more recent than the GTS system, but had not been adopted for these shared documents.
Corrective action: 23/8/18 This finding can now be closed.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: Document control in the Digital Health Record Project has not been correctly implemented.
Requirement: Documented information required by the information security management system and by this International Standard shall be controlled to ensure: [...] e) control of changes (e.g. version control);
Evidence: Digital Health Record Project:
1. The PID SharePoint version indicates it is version 0.5, the document itself indicates 0.6, and the document is still marked draft; therefore there is an inadequate record of its status, as it is understood that this document has been approved.
2. The full business cases and the risk register also seemingly are still draft documents.
Proposed correction, corrective action and timescales: Document control is to be reviewed and an appropriate solution applied by the next visit.
Correction: A review of a sample of projects identified that this was an isolated incident and this project has now been corrected.
Root Cause analysis: Human error
Corrective action: 23/8/18 This finding can now be closed.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: The context statement for GTS is out of date with respect to the internal context and does not fully describe the external context.
Requirement: The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
Evidence: GTS Context statement version 3
Proposed correction, corrective action and timescales:
Correction:
Root Cause analysis:
Corrective action:
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: The service desk has no access to the prioritisation logic for the various types of calls, and there is no definition of who can override priorities set by WebHelpDesk, or how.
Requirement: Top management shall ensure that: a) service management authorities and responsibilities are defined and maintained;
Evidence: Lack of awareness of the service management plan and lack of access to it.
Proposed correction, corrective action and timescales: The priority criteria are defined in the Service Management Plan. As a quick reference, the same information is also in the Service Desk operations manual SOP.
Correction: An updated Service Management Policy was provided on 13/09/2018.
Root Cause analysis: Out of date documentation
Corrective action: Subsequent to the visit, updated documentation has been provided and will now be maintained, therefore this finding can now be closed.
LR has reviewed and verified the implementation of actions taken.
Statement of Non Conformity: There is no evidence to establish that Sure telecom has been provided with GTS' information security policy as required in the contract, and there is no evidence that Sure holds a valid ISO27001 certificate as required by the contract.
Requirement:
ISO20000-1
6.6.1 Information security policy
Management with appropriate authority shall approve an information security policy taking into consideration the service requirements, statutory and regulatory requirements and contractual obligations. Management shall:
a) communicate the information security policy and the importance of conforming to the policy to appropriate personnel within the service provider, customer and suppliers;
ISO27001
A.15.1.1 : Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.2 : Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
Evidence: Lack of evidence in the contract folder.
Proposed correction, corrective action and timescales: The contracts section of GTS were contacted to confirm the GTS Security Policy for third parties was supplied. This occurred on 29/09/17, with the email confirming said and now uploaded to the same SharePoint location as the other suppliers' communication emails. It has also been confirmed the Sure contract agreement does not require them to be or achieve ISO 27001 certification, but to have due regard for the principles and standards of ISO 27001 in their procedures.
Correction: Further information (not available at the time of the audit) has established that the supplier controls were sufficient.
Root Cause analysis: Lack of access to documentation at the time of the audit.
Corrective action: Given that the information was held by purchasing, this finding is hereby closed.
LR has reviewed and verified the implementation of actions taken.
The service catalogue has been inconsistently maintained with some
services not being assigned to an SLA and some not having a
Business Continuity level identified.
Requirement
Changes to the documented service requirements, catalogue of
services, SLAs and other documented agreements shall be controlled
by the change management process. The catalogue of services shall
be maintained following changes to services and SLAs to ensure that
they are aligned.
Evidence
Review of the service catalogue
Proposed correction, corrective action
and timescales
To be reviewed to determine whether this is the best format and, if so,
to be fully updated. The planned completion date is before 24th
February 2019.
The GTS clear desk policy has been ineffectually implemented in the
top floor of the Lord Street office.
Requirement
A clear desk policy for papers and removable storage media and a
clear screen policy for information processing facilities shall be
adopted.
Evidence
Documentation found on desks in rooms 1 and 2 included a PMO
summary report, copies of emails, project reports and financial data
for projects.
Proposed correction, corrective action
and timescales
Staff to be reminded of the clear desk policy, with a check to follow.
The planned completion date for both the communication and at least
one check is before 24th November 2018.
Correction
Root Cause analysis
Corrective action
LR has reviewed and verified the
implementation of actions taken.
There does not seem to be a fully defined secure development policy:
some elements are in place, such as the definition of "done", but other
elements do not seem to be covered by any documentation.
Requirement
Rules for the development of software and systems shall be
established and applied to developments within the organization.
Guidance from ISO27002 indicates that this should include the
following:
a) security of the development environment;
b) guidance on the security in the software development lifecycle:
1) security in the software development methodology;
2) secure coding guidelines for each programming language used;
c) security requirements in the design phase;
d) security checkpoints within the project milestones;
e) secure repositories;
f) security in the version control;
g) required application security knowledge;
h) developers’ capability of avoiding, finding and fixing vulnerabilities.
Secure programming techniques should be used both for new
developments and in code re-use scenarios where the standards
applied to development may not be known or were not consistent
with current best practices. Secure coding standards should be
considered and where relevant mandated for use. Developers should
be trained in their use and testing and code review should verify their
use.
Evidence
Lack of documentation covering all of the aspects of a secure
development policy
Proposed correction, corrective action
and timescales
The original Secure Development Policy has been located and is
being fully reviewed. The planned completion date is before 24th
November 2018.
Correction
ISO27001 Visit Type
ITSMS
ISMS
2013
SV1
SV2
SV3
SP SV
SV4
FV
CR
ISO20000-1 Visit Type
CR
SV1
SV2
SV3
SV4
FV
Due Date
July 17
Aug 17
Jan 18
July 18
Nov 18
Jan 19
July 19
Jan 20
Start Date
End Date
ISO27001 Audit Days
1
2*
2*
2*
2*
8*
ISO20000-1 Audit Days
3
1
1
1
1
1
1
Travel Days
1
1
1
1
0
1
1
2
Separate assessment plan?
Y
N
Y/N
Y/N
N
Y/N
Y/N
Y/N
Total Visit Time
4
2
3
5
1
4
4
11
Any change in workforce
numbers That may impact visit
duration (if yes add new
number)
N
N
N
N
N
Y/N
Y/N
Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To
ITSMS
ISMS
Opening meeting
D1 Pm
Closing meeting
D2 Am
Management Review
Y
A5, A6
D1 Pm
Internal Audits
Y
9.2
D1 Pm
Continual Improvement
Y
10.2
D1 Pm
Management of change
Y
A12
D1 Pm
Corrective action
Y
10
D1 Pm
Preventive action
Y
D1 Pm
Complaint Management
Y
D1 Pm
Use of Logo
Y
Y
D1 Pm
Performance against the client
management system objectives
Y
5.2
D1 Pm
Top Management
Y
5
D1 Pm
Documentation Requirements /
Compliance
Y
A8, A18
D2 Am
Risk Assessment RTP & SoA
6.1
Support desk / incident
management
Y
A16,
A18
D2 Am
Support desk / problem
management
Y
A16
D2 Pm
Change Management
Y
A12
D2 Pm
Configuration & Release
management
Y
A12
D2 Pm
Service Catalogue
Y
D1 Am
Service Level management
Y
D2 Am
Service Reporting
Y
D2 Am
Business Relationship
Management
Y
D3 Am
Design & Transition of new &
changed services
Y
A6, A14
D3 Am
IT Project Management
D2 Am
Service continuity & availability
management; business
continuity
Y
A17
D3 Am
Capacity Management
Y
A12
D3 Am
Information Security Incidents
Y
A16
D1 Am
Supplier Management
Y
A15
D4 Am
LRQA Report considerations
Have there been any deviations from the original assessment plan: No
(If yes, detail these in the introduction section of the report along with the reasons for the deviations.)
Have there been any significant issues impacting on the audit programme: No
(If yes, detail these in the introduction of the report and amend the APP.)
Have there been any significant changes that affect the management system of the client since the last audit took place: No
(If yes, detail these within the executive summary section of the report.)
Have any unresolved issues been identified during the assessment: No
(If yes, detail these within the executive summary section of the report.)
Was the audit undertaken a combined or integrated audit: No
(If yes, confirm what type of audit and the standards covered in the introduction to the report.)
Was the organisation effectively controlling the use of the certification documents and marks: Yes
(If no, document within the reporting table covering the mandatory elements.)
If applicable, has the organisation taken effective corrective action regarding previously identified nonconformities: No
(Record outcome in the findings log against the relevant findings.)
Does the management system of the organisation continue to meet the applicable requirements and meet the expected outcomes: Yes
(If no, detail reasons within the executive summary of the report.)
Does the scope of certification continue to be appropriate to the activities/products/services of the organisation: Yes
(If no, document the actions necessary in relation to the scope in the executive summary of the report and amend the APP as required.)
Were the objectives of the visit as defined in the APP fulfilled during the visit: Yes
(If no, detail the reasons and any necessary actions in the executive summary of the report and amend/update the APP.)
The service management plan has not been updated to reflect recent
organisation changes, and section 3.5 and the table of
responsibilities are out of date.
Requirement
The service provider shall create, implement and maintain a service
management plan
Evidence
The service management plan does not reflect recent organisational
changes.
Proposed correction, corrective action
and timescales
The service management plan will be updated to show the recent
organisational changes by the next ISO20000-1 visit. On an ongoing
basis there will be an annual review to ensure that changes are
identified and the document duly updated.
Correction
90/11/18 The Service management plan has now been updated to version
4 and meets the requirements of the standard.
Root Cause analysis
The documentation fell behind organisation changes and ownership
was not re-assigned.
Corrective action
Given the current ongoing re-organisation the service management
plan will require updating again and therefore this finding remains
open.
20/8/18. The service management plan has not been updated since
the minor non-conformance was raised last June. Therefore, this
finding is now escalated to a major non-conformance.
09/1/18 The document has now been updated and it now addresses
all of the mandatory requirements. In addition the ownership of the
document has now been identified and therefore it will henceforth be
maintained thus this finding can now be closed.
LR has reviewed and verified the
implementation of actions taken.
The existing complaints procedure calls for trend analysis of
complaints, but no complaint records or trend information could be
located at the time of the audit.
Requirement
Service reporting will include...
f) customer satisfaction measurements, service complaints and
results of the analysis of satisfaction measurements and complaints.
Evidence
Not able to locate complaint records or trend information at the time
of the audit.
Proposed correction, corrective action
and timescales
The trend analysis will be available at the next visit.
Correction
The complaint documentation has been reviewed and the team are
currently in the process of creating a retrospective log from historical
records. However, there are no records after 2014, as it was at this
point that the process clearly stopped being implemented.
Root Cause analysis
Staff not following procedure.
Corrective action
The complaint management process requires a more fundamental
review to see how complaints can be identified. This finding
remains open as a minor non-conformance.
LR has reviewed and verified the
implementation of actions taken.
The service catalogue has been inconsistently maintained with some
services not being assigned to an SLA and some not having a
Business Continuity level identified.
Requirement
Changes to the documented service requirements, catalogue of
services, SLAs and other documented agreements shall be controlled
by the change management process. The catalogue of services shall
be maintained following changes to services and SLAs to ensure that
they are aligned.
Evidence
Review of the service catalogue
Proposed correction, corrective action
and timescales
To be reviewed to determine whether this is the best format and, if so,
to be fully updated. The planned completion date is before 24th
February 2019.
Correction
Root Cause analysis
Corrective action
LR has reviewed and verified the
implementation of actions taken.
Date of closure
ISO27001 Visit Type
ITSMS
ISMS
2013
SV1
SV2
SV3
SP SV
SV4
FV
CR
ISO20000-1 Visit Type
CR
SV1
SV2
SV3
SV4
FV
Due Date
July 17
Aug 17
Jan 18
July 18
Nov 18
Jan 19
July 19
Jan 20
Start Date
07/11/2018
End Date
07/11/2018
ISO27001 Audit Days
1
2*
2*
2*
2*
8*
ISO20000-1 Audit Days
3
1
1
1
1
1
1
Travel Days
1
1
1
1
0
1
1
2
Separate assessment plan?
Y
N
Y/N
Y/N
N
Y/N
Y/N
Y/N
Total Visit Time
4
2
3
5
1
4
4
11
Any change in workforce
numbers That may impact visit
duration (if yes add new
number)
N
N
N
N
N
Y/N
Y/N
Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To
ITSMS
ISMS
Opening meeting
D1 Pm
Closing meeting
D2 Am
Management Review
Y
A5, A6
D1 Pm
Internal Audits
Y
9.2
D1 Pm
Continual Improvement
Y
10.2
D1 Pm
Management of change
Y
A12
D1 Pm
Corrective action
Y
10
D1 Pm
Preventive action
Y
D1 Pm
Complaint Management
Y
D1 Pm
Use of Logo
Y
Y
D1 Pm
Performance against the client
management system objectives
Y
5.2
D1 Pm
Top Management
Y
5
D1 Pm
Documentation Requirements /
Compliance
Y
A8, A18
D2 Am
Risk Assessment RTP & SoA
6.1
Support desk / incident
management
Y
A16,
A18
D2 Am
Support desk / problem
management
Y
A16
D2 Pm
Change Management
Y
A12
D2 Pm
Configuration & Release
management
Y
A12
D2 Pm
Service Catalogue
Y
D1 Am
Service Level management
Y
D2 Am
Service Reporting
Y
D2 Am
Business Relationship
Management
Y
D3 Am
Design & Transition of new &
changed services
Y
A6, A14
D3 Am
IT Project Management
Y
A.14
D2 Am
Service continuity & availability
management; business
continuity
Y
A17
D3 Am
Capacity Management
Y
A12
D3 Am
Information Security Incidents
Y
A16
D1 Am
(Date <<TBA>>, Day 1) Assessor: <<TBA>> Venue: Markwell House
AM    Travel
12:30 Introductory meeting with management to explain the scope of the visit, assessment methodology, method of reporting and to discuss the company's organisation (approximately 30 minutes).
13:00 Core Management System:
      Changes in Context
      Management Review
      Internal Audits
      Corrective Action
      Performance against the client management system objective
      Risk Management
      Security Incidents
      Customer Satisfaction
      Use of Logo
15:30 Report writing
16:30 Close
(Date <<TBA>>, Day 2) Assessor: <<TBA>> Venue: Markwell Ho
09:30 Review of previous day's findings & plan for the day
10:00 Service Desk
11:00 Configuration & Release management
12:00 Lunch
13:00 Design & Transition of new & changed services
14:00 Capacity Management
15:00 IT Project Management (infrastructure / software upgrades)
16:00 Report writing
17:00 Close
(Date <<TBA>>, Day 3) Assessor: <<TBA>> Venue: Markwell Ho
09:30 Review of previous day's findings & plan for the day
The audit schedules for ISO20000-1 and ISO27001 do not
demonstrate coverage of the standards over the full audit cycle and
do not appear to recognise the importance of relevant controls and
processes.
Requirement
Internal audit must demonstrate full coverage of the standards and
appropriate weight must be given to areas of risk and previous
weakness.
Evidence
Presented internal audit schedules for ISO20000-1 and ISO27001
Proposed correction, corrective action
and timescales
Correction
Root Cause analysis
Corrective action
There has been an attempt to re-structure the audit schedule by
process but the result was unsatisfactory and so this finding remains
open. JN 12/1/17
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Reference number: 45400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (8.1)
Grade: Minor NC
Issue Date: 21-July-2016
Status: Closed
Process / Aspect: Incident Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity
Three members of GTS staff were unable to locate the incident
management process
Requirement
The incident management process is a mandatory document required
by the standard.
Evidence
The service desk manager was not aware of the existence of the
document and two other members of staff were unable to locate the
document.
Proposed correction, corrective action
and timescales
Correction
The incident management process had been published into the
wrong SharePoint library and hence staff were not able to locate the
procedure. This has now been corrected and staff have been
informed.
Root Cause analysis
Human Error
Corrective action
This finding can now be closed JN 12/1/17
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
12-January-2017
Reference number: 45400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (8.2)
Grade: Minor NC
Issue Date: 21-July-2016
Status: Open
Process / Aspect: Problem Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity
There is no identifiable analysis of incident trend data to identify
problems.
Requirement
Incident data and trends need to be analyzed to identify problems.
Evidence
Lack of evidence of analysis on incident data and trends.
Proposed correction, corrective action
and timescales
Correction
Root Cause analysis
Corrective action
This corrective action has not yet been addressed due to the current
reorganisation. Failure to progress this finding by the next visit is
likely to result in escalation of the finding. JN 12/1/17
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Reference number: 45400_COVJNY04
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.5)
Grade: Minor NC
Issue Date: 22-January-2016
Status: Open
Process / Aspect: Capacity Planning
Location(s): Cabinet Office, Douglas
Statement of Non Conformity
Previous audit Ref: 44960_COVJNY01
Whilst there is trending and alerting on capacity; and capacity is
reviewed when projects are being designed, capacity planning does
not meet the full requirements of clause 6.5. In particular:
6.5 a) forecasting is not formally reviewed with the customers on a
periodic basis
6.5 c) timescales and costs for capacity changes are difficult to
evidence
Requirement
The capacity plan is a required document under ISO20000-1:2011
and needs to be under change control.
Evidence
No document under change control detailing a capacity plan/forecast
and bearing costings was available at the time of the audit.
Proposed correction, corrective action
and timescales
Correction
Root Cause analysis
Corrective action
22/7/2016 Update JVN: There has been little progress on developing
a capacity plan as yet. As a minimum a plan to address this non-
conformance needs to be in place at the next visit to prevent
escalation to a major non-conformance.
This corrective action has not yet been addressed due to the current
reorganisation. Failure to progress this finding by the next visit is
likely to result in escalation of the finding. JN 12/1/17
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Visit type: Certificate Renewal
Audit days: 3
Due date: Jul, 2017
Theme(s) for Next Visit:
Activity codes: 000801, 000804, 007850
Locations: Cabinet Office, Douglas
Standard(s) / Scheme(s): ISO/IEC 20000-1:2011
Team: Jeff Northam
Visit Type
ITSMS
ISMS
2013
ITMS
CR
ISMS
SV1
ITSMS SV1
ISMS SV2
ITSMS SV2
ISMS SV3
ITSMS
SV3
ISMS SV4
ITSMS SV4
ISMS FV
ITSMS FV
ISMS CR
ITSMS
CR
ISMS
SV1
Due Date
Jan 15
Jun 15
Jan 16
Jun 16
Jan 17
Jun 17
Start Date
10/03/15
20/1/15
End Date
12/03/15
22/1/15
Audit Days
2
2+1
2+1
2+1
2+1
3+1
3+1
Any change in workforce
numbers That may impact visit
duration (if yes add new
number)
99
114
105
N
Y/N
105
Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To
ITSMS
ISMS
Management Review
Y
A5, A6
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Internal Audits
Y
9.2
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Continual Improvement
Y
10.2
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Management of change
Y
A12
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Corrective action
Y
10
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Preventive action
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Complaint Management
Y
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Use of Logo
Y
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Performance against the client
management system objectives
Y
5.2
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Top Management
Y
5
D1 Pm
Y
Y
Documentation Requirements /
Compliance
Y
A8, A18
D2 Am
Y
Y
Risk Assessment RTP & SoA
6.1
D1 Pm
D1 Pm
Support desk / incident
management
Y
A16,
A18
D2 Pm
D2 Am
Y
Y
Support desk / problem
management
Y
A16
D2 Pm
Y
Y
Change Management
Y
A12
D2 Am
D2 Am
Y
Y
Configuration & Release
management
Y
A12
D2 Am
Y
Y
Service Catalogue
Y
D2 Am
Y
Service Level management
Y
D2 Am
Y
Service Reporting
Y
D3 Am
D2 Am
Y
Business Relationship
Management
Y
D2 Pm
Y
Design & Transition of new &
changed services
Y
A6, A14
D2 Am
Y
Y
Service continuity & availability
management; business
continuity
Service Delivery (Controls not
included in above):
ISO27001 Visit Type
ITSMS
ISMS
2013
SV1
SV2
SV3
SV4
FV
CR
SV1
ISO20000-1 Visit Type
CR
SV1
SV2
SV3
SV4
FV
CR
Due Date
July 17
Jan 18
July 18
Jan 19
July 19
Jan 20
July 20
Start Date
End Date
ISO27001 Audit Days
1
2*
2*
2*
2*
8*
2*
ISO20000-1 Audit Days
2
1
1
1
1
1
3
Travel Days
1
1
1
1
1
2
1
Total Visit Time
4
4
4
4
4
11
6
Any change in workforce
numbers That may impact visit
duration (if yes add new
number)
Y/N
Y/N
Y/N
Y/N
Y/N
Y/N
Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To
ITSMS
ISMS
Management Review
Y
A5, A6
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Internal Audits
Y
9.2
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Continual Improvement
Y
10.2
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Management of change
Y
A12
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Corrective action
Y
10
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Preventive action
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Complaint Management
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Use of Logo
Y
Y
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Performance against the client
management system objectives
Y
5.2
D1 Pm
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Top Management
Y
5
D1 Pm
D1 Pm
Y
Y
Documentation Requirements /
Compliance
Y
A8, A18
D2 Am
D2 Am
Y
Y
Risk Assessment RTP & SoA
6.1
D1 Pm
D1 Pm
Support desk / incident
management
Y
A16,
A18
D2 Am
D2 Pm
D2 Am
Y
Y
Support desk / problem
management
Y
A16
D2 Pm
D2 Pm
D3 Pm
Y
Y
Change Management
Y
A12
D2 Pm
D2 Am
D2 Am
Y
Y
Configuration & Release
management
Y
A12
D2 Pm
D2 Am
D3 Pm
Y
Y
Service Catalogue
Y
D1 Am
D2 Am
D4 Am
Y
Service Level management
Y
D2 Am
D2 Am
Y
Service Reporting
Y
D2 Am
D3 Am
D2 Am
Y
Business Relationship
Management
Y
D3 Am
D4 Am
D2 Pm
Y
Design & Transition of new &
changed services
Y
A6, A14
D3 Am
D2 Pm
D2 Am
Y
Y
Service continuity & availability
management; business
continuity
Y
A17
D3 Am
D2 Am
D3 Pm
Y
Y
Capacity Management
Y
A12
D3 Am
D3 Pm
D2 Am
Y
Y
Information Security Incidents
Y
A16
D1 Am
D1 Pm
D1 Pm
D1 Pm
D1 Pm
Y
Y
Supplier Management
Y
A15
D4 Am
D3 Am
D2 Pm
Y
Y
Budgeting & Accounting for IT
Services
Y
D3 Pm
D4 Am
Y
Scope of the management system:
ISO/IEC 20000-1:2011: The provision, to Isle of Man government departments, of
managed IT services denoted as 'ISO20000' in the Service Catalogue.
ISO27001:2013: Management and delivery of infrastructure and services and the
provision of a secure portal. The provision of desktop services; electronic office, email
and internet to the Isle Of Man Government, in accordance with Statement of
Applicability Version 6.
The audit schedules for ISO20000-1 and ISO27001 do not
demonstrate coverage of the standards over the full audit cycle and
do not appear to recognise the importance of relevant controls and
processes.
Requirement
Internal audit must demonstrate full coverage of the standards and
appropriate weight must be given to areas of risk and previous
weakness.
Evidence
Presented internal audit schedules for ISO20000-1 and ISO27001
Proposed correction, corrective action
and timescales
This finding remains open to evaluate the effectiveness of the audit
plan.
Correction
An audit plan has now been developed.
Root Cause analysis
Lack of appropriate resource.
Corrective action
There has been an attempt to re-structure the audit schedule by
process but the result was unsatisfactory and so this finding remains
open. JN 12/1/17
29/6/2017 An initial audit plan has been produced, but only on the
last day of the audit and therefore this finding remains open to assess
if it has been effectively applied.
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Reference number: 45400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (8.2)
Grade: Minor NC
Issue Date: 21-July-2016
Status: Closed
Process / Aspect: Problem Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity
There is no identifiable analysis of incident trend data to identify
problems.
Requirement
Incident data and trends need to be analyzed to identify problems.
Evidence
Lack of evidence of analysis on incident data and trends.
Proposed correction, corrective action
and timescales
Correction
Capacity trend analysis is now performed by the Head of Service
Delivery on a monthly basis
Root Cause analysis
Omitted requirement
Corrective action
This corrective action has not yet been addressed due to the current
reorganisation. Failure to progress this finding by the next visit is
likely to result in escalation of the finding. JN 12/1/17
27/6/17: Reviewed problem management report; trend analysis is
performed on a monthly basis by the Head of Service Delivery reviewing
the call dashboards. This finding can now be closed.
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
27-June-2017
Reference number: 45400_COVJNY04
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.5)
Grade: Minor NC
Issue Date: 22-January-2016
Status: Closed
Process / Aspect: Capacity Planning
Location(s): Cabinet Office, Douglas
Statement of Non Conformity
Previous audit Ref: 44960_COVJNY01
Whilst there is trending and alerting on capacity; and capacity is
reviewed when projects are being designed, capacity planning does
not meet the full requirements of clause 6.5. In particular:
6.5 a) forecasting is not formally reviewed with the customers on a
periodic basis
6.5 c) timescales and costs for capacity changes are difficult to
evidence
Requirement
The capacity plan is a required document under ISO20000-1:2011
and needs to be under change control.
Evidence
No document under change control detailing a capacity plan/forecast
and bearing costings was available at the time of the audit.
Proposed correction, corrective action
and timescales
Correction
Capacity planning is and has been performed but the methodology is
not to build a plan as such; rather capacity is dealt with extensively
within the service delivery process (projects) and in an ongoing
review of capacity.
Root Cause analysis
Capacity planning has been performed for some time; however, the
evidence was not made available at previous visits.
Corrective action
22/7/2016 Update JVN: There has been little progress on developing
a capacity plan as yet. As a minimum a plan to address this non-
conformance needs to be in place at the next visit to prevent
escalation to a major non-conformance.
This corrective action has not yet been addressed due to the current
reorganisation. Failure to progress this finding by the next visit is
likely to result in escalation of the finding. JN 12/1/17
29/7/2017 This finding can now be closed.
Reference number: 388228_COVJNY01
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (4.5.2)
Grade: Minor NC
Issue Date: 28-June-2017
Status: New
Process / Aspect: Service Management Plan
Location(s): Cabinet Office, Douglas
Statement of Non Conformity
The service management plan has not been updated to reflect recent
organisation changes, and section 3.5 and the table of
responsibilities are out of date.
Requirement
The service provider shall create, implement and maintain a service
management plan
Evidence
The service management plan does not reflect recent organisational
changes.
Proposed correction, corrective action
and timescales
The service management plan will be updated to show the recent
organisational changes by the next ISO20000-1 visit. On an ongoing
basis there will be an annual review to ensure that changes are
identified and the document duly updated.
Correction
Root Cause analysis
Corrective action
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Reference number: 388228_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.3.3)
Grade: Minor NC
Issue Date: 29-June-2017
Status: New
Process / Aspect: Service Continuity
Location(s): Cabinet Office, Douglas
Statement of Non Conformity
Testing and exercising of service continuity plans is not clearly
evidenced, and neither is the requirement to have both the CMDB and
contact lists available during continuity events.
Requirement
1. Service continuity plans shall be tested against the service
continuity requirements. Availability plans shall be tested against the
availability requirements. Service continuity and availability plans
shall be re-tested after major changes to the service environment in
which the service provider operates.
And
2. The service continuity plan(s), contact lists and the CMDB shall be
accessible when access to normal service locations is prevented.
Evidence
Lack of testing schedule and result of testing.
Proposed correction, corrective action
and timescales
A test schedule will be documented and test reports will be produced
by end September 2017.
Correction
Root Cause analysis
Corrective action
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Visit type: Surveillance 1
Audit days: 2
Due date: January, 2018
Theme(s) for Next Visit:
Activity codes: 000801, 000804, 007850
Locations: Cabinet Office, Douglas
Standard(s) / Scheme(s): ISO/IEC 20000-1:2011
Team: Jeff Northam
ISO27001 Visit Type
ITSMS
ISMS
2013
SV1
SV2
SV3
SV4
FV
CR
SV1
ISO20000-1 Visit Type
CR
SV1
SV2
SV3
SV4
FV
CR
Due Date
July 17
Aug 17
Jan 18
July 18
Jan 19
July 19
Jan 20
July 20
Start Date
End Date
ISO27001 Audit Days
1
2*
2*
2*
2*
8*
2*
ISO20000-1 Audit Days
3
1
1
1
1
1
3
Travel Days
1
1
1
1
1
1
2
1
Separate assessment plan?
Y
N
Y/N
Y/N
Y/N
Y/N
Y/N
Y/N
Total Visit Time
4
2
4
4
4
4
11
6
Any change in workforce
numbers That may impact visit
duration (if yes add new
number)
N
N
Y/N
Y/N
Y/N
Y/N
Y/N
Y/N
Process / aspect / location
Final selection will be determined after review of management elements and actual performance
Applicable To
ITSMS
ISMS
Opening meeting
D1 Pm
Closing meeting
D2 Am
Management Review
Y
A5, A6
D1 Pm
Internal Audits
Y
9.2
D1 Pm
Continual Improvement
Y
10.2
D1 Pm
Management of change
Y
A12
D1 Pm
Corrective action
Y
10
D1 Pm
Preventive action
Y
D1 Pm
Complaint Management
Y
D1 Pm
Use of Logo
Y
Y
D1 Pm
Performance against the client
management system objectives
Y
5.2
D1 Pm
Top Management
Y
5
D1 Pm
Documentation Requirements /
Compliance
Y
A8, A18
D2 Am
Risk Assessment RTP & SoA
6.1
Support desk / incident
management
Y
A16,
A18
D2 Am
Support desk / problem
management
Y
A16
D2 Pm
Change Management
Y
A12
D2 Pm
Configuration & Release
management
Y
A12
D2 Pm
Service Catalogue
Y
D1 Am
Service Level management
Y
D2 Am
Service Reporting
Y
D2 Am
Business Relationship
Management
Y
D3 Am
Design & Transition of new &
changed services
Y
A6, A14
D3 Am
IT Project Management
D2 Am
Service continuity & availability
management; business
continuity
Y
A17
D3 Am
Capacity Management
Y
A12
D3 Am
Information Security Incidents
Y
A16
D1 Am
Supplier Management
Y
A15
D4 Am
LRQA Report considerations
Have there been any deviations from the original assessment plan: Yes
(If yes, detail these in the introduction section of the report along with the reasons for the deviations.)
Have there been any significant issues impacting on the audit programme: No
(If yes, detail these in the introduction of the report and amend the APP.)
Have there been any significant changes that affect the management system of the client since the last audit took place: No
(If yes, detail these within the executive summary section of the report.)
Have any unresolved issues been identified during the assessment: No
(If yes, detail these within the executive summary section of the report.)
Was the audit undertaken a combined or integrated audit: No
(If yes, confirm what type of audit and the standards covered in the introduction to the report.)
Was the organisation effectively controlling the use of the certification documents and marks: Yes
(If no, document within the reporting table covering the mandatory elements.)
If applicable, has the organisation taken effective corrective action regarding previously identified nonconformities: No
(Record outcome in the findings log against the relevant findings.)
Does the management system of the organisation continue to meet the applicable requirements and meet the expected outcomes: Yes
(If no, detail reasons within the executive summary of the report.)
Does the scope of certification continue to be appropriate to the activities/products/services of the organisation: Yes
(If no, document the actions necessary in relation to the scope in the executive summary of the report and amend the APP as required.)
Were the objectives of the visit as defined in the APP fulfilled during the visit: Yes
(If no, detail the reasons and any necessary actions in the executive summary of the report and amend/update the APP.)
The audit schedules for ISO20000-1 and ISO27001 do not
demonstrate coverage of the standards over the full audit cycle and
do not appear to recognise the importance of relevant controls and
processes.
Requirement
Internal audit must demonstrate full coverage of the standards and
appropriate weight must be given to areas of risk and previous
weakness.
Evidence
Presented internal audit schedules for ISO20000-1 and ISO27001
Proposed correction, corrective action
and timescales
Correction
Root Cause analysis
Corrective action
LRQA has reviewed and verified the
implementation of actions taken.
Date of closure
Reference number: 45400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (8.1)
Grade: Minor NC
Issue Date: 21-July-2016
Status: New
Process / Aspect: Incident Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity: Three members of GTS staff were unable to locate the incident management process.
Requirement: The incident management process is a mandatory document required by the standard.
Evidence: The service desk manager was not aware of the existence of the document and two other members of staff were unable to locate the document.
Proposed correction, corrective action and timescales:
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:

Reference number: 45400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (8.2)
Grade: Minor NC
Issue Date: 21-July-2016
Status: New
Process / Aspect: Problem Management
Location(s): 4th Floor Markwell House, Douglas
Statement of Non Conformity: There is no identifiable analysis of incident trend data to identify problems.
Requirement: Incident data and trends need to be analyzed to identify problems.
Evidence: Lack of evidence of analysis on incident data and trends.
Proposed correction, corrective action and timescales:
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:

Reference number: 45400_COVJNY04
Assessment Criteria (Clause): ISO/IEC 20000-1:2011 (6.5)
Grade: Minor NC
Issue Date: 22-January-2016
Status: Open
Process / Aspect: Capacity Planning
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Previous audit Ref: 44960_COVJNY01. Whilst there is trending and alerting on capacity, and capacity is reviewed when projects are being designed, capacity planning does not meet the full requirements of clause 6.5. In particular:
6.5 a) forecasting is not formally reviewed with the customers on a periodic basis;
6.5 c) timescales and costs for capacity changes are difficult to evidence.
Requirement: The capacity plan is a required document under ISO20000-1:2011 and needs to be under change control.
Evidence: No document under change control detailing a capacity plan/forecast and bearing costings was available at the time of the audit.
Proposed correction, corrective action and timescales:
Correction:
Root Cause analysis:
Corrective action: 22/7/2016 Update JVN: There has been little progress on developing a capacity plan as yet. As a minimum, a plan to address this non-conformance needs to be in place at the next visit to prevent escalation to a major non-conformance.
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:
Visit type: Certificate Renewal
Audit days: 2.5
Due date: Jan, 2017
Theme(s) for Next Visit:
Activity codes: 007801, 007850, 007851
Locations: 4th Floor Markwell House, Douglas
Standard(s) / Scheme(s): ISO/IEC 27001:2013
Team: Jeff Northam

Visit type: Focus Visit
Audit days: 0.5
Due date: Jan, 2017
Theme(s) for Next Visit:
Activity codes: 007801, 007850, 007851
Locations: 4th Floor Markwell House, Douglas
Standard(s) / Scheme(s): ISO/IEC 20000-1:2011
Team:
Visit Type: ITSMS, ISMS, 2013, ITMS CR, ISMS SV1, ITSMS SV1, ISMS SV2, ITSMS SV2, ISMS SV3, ITSMS SV3, ISMS SV4, ITSMS SV4, ISMS FV, ITSMS FV, ISMS CR, ITSMS CR, ISMS SV1
Due Date: Jan 15, Jun 15, Jan 16, Jun 16, Jan 17, Jun 17
Start Date: 10/03/15, 20/1/15
End Date: 12/03/15, 22/1/15
Audit Days: 2, 2+1, 2+1, 2+1, 2+1, 3+1, 3+1
Any change in workforce numbers that may impact visit duration (if yes add new number): 99, 114, Y/N, N, Y/N, Y/N, Y/N
Process / aspect / location (final selection will be determined after review of management elements and actual performance) | Applicable To: ITSMS | ISMS
Management Review | Y | A5, A6 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Internal Audits | Y | 9.2 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Continual Improvement | Y | 10.2 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Management of change | Y | A12 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Corrective action | Y | 10 | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Preventive action | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Complaint Management | Y | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Use of Logo | Y | Y | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Performance against the client management system objectives | Y | 5.2 | D1 Pm | D1 Pm | D1 Pm | D1 Pm | Y | Y
Top Management | Y | 5 | D1 Pm | Y | Y
Documentation Requirements / Compliance | Y | A8, A18 | D2 Am | Y | Y
Risk Assessment RTP & SoA | 6.1 | D1 Pm | D1 Pm
Support desk / incident management | Y | A16, A18 | D2 Pm | D2 Am | Y | Y
Support desk / problem management | Y | A16 | D2 Pm | Y | Y
Change Management | Y | A12 | D2 Am | D2 Am | Y | Y
Configuration & Release management | Y | A12 | D2 Am | Y | Y
Service Catalogue | Y | D2 Am | Y
Service Level management | Y | D2 Am | Y
Service Reporting | Y | D3 Am | D2 Am | Y
Business Relationship Management | Y | D2 Pm | Y
Design & Transition of new & changed services | Y | A6, A14 | D2 Am | Y | Y
Service continuity & availability management; business continuity
Service Delivery (Controls not included in above):
Scope of the management system:
ISO/IEC 20000-1:2011: The provision, to Isle of Man government departments, of managed IT services denoted as 'ISO20000' in the Service Catalogue.
ISO27001:2013: Management and delivery of infrastructure and services and the provision of a secure portal. The provision of desktop services; electronic office, email and internet to the Isle Of Man Government. In accordance with Statement of Applicability Version 5.n.
Exclusion:
Date am/pm | Assessor 1 | Assessor 2 | Standard covered
Reference number: 155400_COVJNY02
Assessment Criteria (Clause): ISO/IEC 27001:2013 (7.5.3)
Grade: Minor NC
Issue Date: 09-January-2017
Status: Open
Process / Aspect: Document Control
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Some of the ISMS documents stored in SharePoint have incorrect document properties set that result in ambiguity of status and in the next planned review date. In addition, there is a conflict between the IoM Government document classification system and the GTS Information Security Policy.
Requirement: Documented information shall be controlled to ensure control of changes (e.g. version control).
Evidence: Information Security Policy version 2 (part 1), SharePoint version 2: the review date has not been updated, document properties indicate draft and the workflow indicates approved. Information Security Policy part 2 version 3: same issues as above. Risk management policy 23/7/15, review due 27/2/16, has not been reviewed. The IoM Government document classification system and the GTS Information Security Policy are not using the same classification system.
Proposed correction, corrective action and timescales: GTS to review the SharePoint site and resolve the issues relating to document properties as well as update the GTS and ISP so they match. Proposed Implementation Date 03/04/2017. 1709 TW: All ISMS documents to be reviewed for any changes necessary, plus any properties corrected. Target 17/10/11.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:

Reference number: 155400_COVJNY03
Assessment Criteria (Clause): ISO/IEC 27001:2013 (6.2)
Grade: Minor NC
Issue Date: 09-January-2017
Status: Open
Process / Aspect: Information Security Objectives
Location(s): Cabinet Office, Douglas
Statement of Non Conformity: Objectives for the ISMS should be SMART; only 1 of 5 information security objectives is measurable, and for this no target has been set. For all of the objectives there is no clear definition of how clause 6.2 f) to j) are defined.
Requirement: Objectives need to describe who has what action, when they are to be achieved and how they are measured.
Evidence: Objectives 1 to 4 (of 5) have no definition of what will be done, by whom or by when, and how success will be assessed.
Proposed correction, corrective action and timescales: GTS to review the ISMS Objectives and update them to SMART objectives. Proposed Implementation Date 20/04/2017. 1709TW: Objectives to be reviewed now new director in post. Currently one objective of the original five has been removed. Target 11/10/17.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Location(s): 4th Floor Markwell House, Douglas :: Isle of Man Government Technology Services
Statement of Non Conformity: The audit schedules for ISO20000-1 and ISO27001 do not demonstrate coverage of the standards over the full audit cycle and do not appear to recognize the importance of relevant controls and processes.
Requirement: Internal audit must demonstrate full coverage of the standards and appropriate weight must be given to areas of risk and previous weakness.
Evidence: Presented internal audit schedules for ISO20000-1 and ISO27001.
Proposed correction, corrective action and timescales: This finding remains open to evaluate the effectiveness of the audit plan.
Correction: An audit plan has now been developed.
Root Cause analysis: Lack of appropriate resource.
Corrective action: There has been an attempt to re-structure the audit schedule by process but the result was unsatisfactory and so this finding remains open. JN 12/1/17. 29/6/2017: An initial audit plan has been produced, but only on the last day of the audit, and therefore this finding remains open to assess if it has been effectively applied.
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:
Reference number: 388202_SBCJHS01
Assessment Criteria (Clause): ISO/IEC 27001:2013 (4.2)
Grade: Minor NC
Issue Date: 30-August-2017
Status: New
Process / Aspect: Client requirements
Location(s): 4th Floor Markwell House, Douglas :: Isle of Man Government Technology Services
Statement of Non Conformity: While GTS administers an AD access management system on behalf of government departments, there is no clear understanding with the departments as to which party is responsible for regular review of access rights, as required by control A.9.2.5.
Requirement: Clause 4.2. The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security.
Evidence: Conversation with Tana Wondergem.
Proposed correction, corrective action and timescales: 1709TW: GTS is a service provider of technology and access to systems. GTS is not the data controller of Departmental Data, and therefore cannot be responsible for regular access rights reviews or the access rights which have been granted. GTS conducts regular Joiners Movers Leavers (JML) processes as part of its staff maintenance work. GTS Admin accounts are policed to ensure robust management of access and permissions. To be discussed with LRQA at the next review.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:

Reference number: 388202_SBCJHS03
Assessment Criteria (Clause): ISO/IEC 27001:2013 (A.12.1.1)
Grade: Minor NC
Issue Date: 30-August-2017
Status: New
Process / Aspect: Change management
Location(s): 4th Floor Markwell House, Douglas :: Isle of Man Government Technology Services
Statement of Non Conformity: While GTS has a change management process description, the process used in practice does not match the description.
Requirement: A.12.1.1 Operating procedures shall be documented and made available to all users who need them (and the implication that the procedures be fit for purpose and followed).
Evidence: Conversation with Tana Wondergem.
F - Change Management Process - last modified by Nick Leece 29 July 16
A - Webhelpdesk ticketing system - for change management
Proposed correction, corrective action and timescales: 1709TW: Previous LRQA auditor asked for all product names to be removed from processes (as these were in previous documents) so that technology could be updated without the need to update process (if it's not linked). Also unknown to the auditee, a regular CAB also takes place. Therefore GTS does not accept this NC, as control A.12.1.1 is being carried out; documented and made available to all who need it.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:

Reference number: 388202_SBCJHS04
Assessment Criteria (Clause): ISO/IEC 27001:2013 (A.14.1.1)
Grade: Minor NC
Issue Date: 30-August-2017
Status: New
Process / Aspect: System acquisition, development and maintenance
Location(s): 4th Floor Markwell House, Douglas :: Isle of Man Government Technology Services
Statement of Non Conformity: While GTS has a formal project management process, which includes a Production Compliance Acceptance (PCA) step which is designed to address security, the step does not require or produce a formal statement of security requirements for each project.
Requirement: A.14.1.1 The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Evidence: Conversation with Steve Parker and TW.
A - High Level Project Lifecycle - issued
B - Infosec Business Impact Assessment - for Gladstone Payment & Card System project
C - High level overview of PCA process
F - PCA online forms for Demand Responsive Transport project
G - ISBIA for above project - showing impact assessment for loss of C I A of project data and systems
Proposed correction, corrective action and timescales: 1709TW: Unknown to the auditee, this is already covered in the PCA. A demo will be provided to LRQA at the next review.
Correction:
Root Cause analysis:
Corrective action:
LRQA has reviewed and verified the implementation of actions taken:
Date of closure:
Visit type: Surveillance 2
Audit days: 3W + 1T
Due date: January, 2018
Theme(s) for Next Visit: Compliance
Activity codes: 007801, 007850, 007851
Locations: Cabinet Office, Douglas
Standard(s) / Scheme(s): ISO/IEC 27001:2013
Team: Jeff Northam
ISO27001 Visit Type: ITSMS, ISMS, 2013, SV1, SV2, SV3, SV4, FV, CR, SV1
ISO20000-1 Visit Type: CR, SV1, SV2, SV3, SV4, FV, CR
Due Date: July 17, Aug 17, Jan 18, July 18, Jan 19, July 19, Jan 20, July 20
Start Date:
End Date:
ISO27001 Audit Days: 1, 2*, 2*, 2*, 2*, 8*, 2*
ISO20000-1 Audit Days: 3, 1, 1, 1, 1, 1, 3
Travel Days: 1, 1, 1, 1, 1, 1, 2, 1
Separate assessment plan?: Y, N, Y/N, Y/N, Y/N, Y/N, Y/N, Y/N
Total Visit Time: 4, 2, 4, 4, 4, 4, 11, 6
Any change in workforce numbers that may impact visit duration (if yes add new number): N, N, Y/N, Y/N, Y/N, Y/N, Y/N, Y/N
Process / aspect / location (final selection will be determined after review of management elements and actual performance) | Applicable To: ITSMS | ISMS
Opening meeting | D1 Pm
Closing meeting | D2 Am
Management Review | Y | A5, A6 | D1 Pm
Internal Audits | Y | 9.2 | D1 Pm
Continual Improvement | Y | 10.2 | D1 Pm
Management of change | Y | A12 | D1 Pm
Corrective action | Y | 10 | D1 Pm
Preventive action | Y | D1 Pm
Complaint Management | Y | D1 Pm
Use of Logo | Y | Y | D1 Pm
Performance against the client management system objectives | Y | 5.2 | D1 Pm
Top Management | Y | 5 | D1 Pm
Documentation Requirements / Compliance | Y | A8, A18 | D2 Am
Risk Assessment RTP & SoA | 6.1
Support desk / incident management | Y | A16, A18 | D2 Am
Support desk / problem management | Y | A16 | D2 Pm
Change Management | Y | A12 | D2 Pm
Configuration & Release management | Y | A12 | D2 Pm
Service Catalogue | Y | D1 Am
Service Level management | Y | D2 Am
Service Reporting | Y | D2 Am
Business Relationship Management | Y | D3 Am
Design & Transition of new & changed services | Y | A6, A14 | D3 Am
IT Project Management | D2 Am
Service continuity & availability management; business continuity | Y | A17 | D3 Am
Capacity Management | Y | A12 | D3 Am
Information Security Incidents | Y | A16 | D1 Am
Supplier Management | Y | A15 | D4 Am
Scope:
ISO/IEC 20000-1:2011: The provision, to Isle of Man government departments, of managed IT services denoted as 'ISO20000' in the Service Catalogue.
ISO27001:2013: Management and delivery of infrastructure and services and the provision of a secure portal. The provision of desktop services; electronic office, email and internet to the Isle Of Man Government. In accordance with Statement of Applicability Version 6.
Exclusion: None
LRQA Report considerations
Have there been any deviations from the original assessment plan: Yes
(If yes, detail these in the introduction section of the report along with the reasons for the deviations.)
Have there been any significant issues impacting on the audit programme: No
(If yes, detail these in the introduction of the report and amend the APP.)
Have there been any significant changes that affect the management system of the client since the last audit took place: No
(If yes, detail these within the executive summary section of the report.)
Have any unresolved issues been identified during the assessment: Yes
(If yes, detail these within the executive summary section of the report.)
Was the audit undertaken a combined or integrated audit: No
(If yes, confirm what type of audit and the standards covered in the introduction to the report.)
Was the organisation effectively controlling the use of the certification documents and marks: Yes
(If no, document within the reporting table covering the mandatory elements.)
If applicable, has the organisation taken effective corrective action regarding previously identified nonconformities: No
(Record outcome in the findings log against the relevant findings.)
Does the management system of the organisation continue to meet the applicable requirements and meet the expected outcomes: Yes
(If no, detail reasons within the executive summary of the report.)
Does the scope of certification continue to be appropriate to the activities/products/services of the organisation: No ?
(If no, then document the actions necessary in relation to the scope in the executive summary of the report and amend the APP as required.)
Were the objectives of the visit as defined in the APP fulfilled during the visit: Yes
(If no, detail the reasons and any necessary actions in the executive summary of the report and amend/update the APP.)
Audit Report
BS ISO/IEC 20000-1:2011
Issue 1
Ref. AUDIT
Authorised by:- K Burnell
Page 1 of 10
Effective Date: 30th March 2015
Classification – Restricted Access
An opening meeting was held with KB, NL and BAO to discuss the audit plan for the next three days and included a review of the LRQA minor non conformance of 20th July 2016 issued against ISO 20000-1:2011 (4.5.4) and ISO 27001:2013 (9.2). KB suggested that this will require a review of and changes to the current audit plan, ensuring that both processes and clauses are audited. This will require the audit plan to become "a living document" to ensure weaknesses are identified and audit planning reflects those weaknesses.
It was noted that the outputs did not agree and record action timescales, which may lead to actions lacking focus and priority.
There is no documented process in place, which is a requirement of the standard, and this needs to be included in policy document 001/005. Alan Chambers explained that this is covered under the 27001:2013 GTS Corporate Governance Policy and therefore policy document 001/005 needs to refer to this.
Section 3.6 sets out roles and responsibilities in a table on page 3 but needs updating to reflect staff and restructure changes.
It may be beneficial to define review periods for documents, as SharePoint appears to be lacking as to when these are reviewed.
As detailed earlier in this report, LRQA have raised a minor non conformance and require audits to cover all elements of the standard and its processes, weighted based on previous audit results.
The output dated 28th July 2016 was reviewed and it was noted that actions from previous meetings were not covered within the agenda or outputs. This is a requirement within the standard, 4.5.4.3 (g).
BAO explained that NL runs the improvement program and it is not a separate item in the management review process.
It may be beneficial to define review periods for documents, as SharePoint appears to be lacking as to when these are reviewed.
The audit reviewed the minutes from 28th July 2016 as evidence of outputs from meetings. The item "balanced score card" was allocated to RO.
It was noted that the outputs did not agree and record action timescales, which may lead to actions lacking focus and priority.
BAO is the appointed representative for the ISO 20000-1 system. The SMS policy document was reviewed, including item 6, which includes a statement defining responsibilities. It was noted that this needs updating to refer to GTS A-E.
There is no documented process in place, which is a requirement of the standard, and this needs to be included in policy document 001/005. Alan Chambers explained that this is covered under the 27001:2013 GTS Corporate Governance Policy and therefore policy document 001/005 needs to refer to this.
Audit Report
BS ISO/IEC 27001:2013
Issue 1
Ref. AUDIT
Authorised by:- K Burnell
Page 1 of 8
Effective Date: 30th March 2015
Classification – Restricted Access
It was noted that the comms room was cluttered and contained combustible materials, including empty boxes. The riser area was also inspected and found to have unprotected lighting tubes, which may therefore be susceptible to breakage and leakage.
Audit Report
BS ISO/IEC 27001:2013
Issue 1
Ref. AUDIT
Authorised by:- K Burnell
Page 1 of 6
Effective Date: 30th March 2015
Classification – Restricted Access
Document No | Document Type | To Release? | Exemption(s) Applied
1 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information
2 | Audit report on ISO | Yes - in entirety |
3 | Audit report on ISO | Yes - in entirety |
4 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 32(2) and (3)(i) - Law Enforcement; Section 36(b) - Health and Safety
5 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business; Section 32(2) and (3)(i) - Law Enforcement
6 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information
7 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
8 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
9 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 32(1)(a); Section 35(c) - Conduct of Public Business
10 | Audit report on ISO | Yes - in entirety |
11 | Audit report on ISO | No - redacted in entirety | Section 25(2)(b)(i) Absolutely Exempt Personal Information
12 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 32(2) and (3)(i) - Law Enforcement
13 | Audit report on ISO | Yes - in entirety |
14 | Audit report on ISO | No - redacted in entirety | Section 25(2)(a) and (b)(i) Absolutely Exempt Personal Information
15 | Audit report on ISO | Yes - in entirety |
16 | Audit report on ISO | No - redacted in entirety | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
17 | Audit report on ISO | Yes - with redactions | Section 35(c) - Conduct of Public Business
18 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
19 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
20 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business; Section 32(2) and (3)(i) - Law Enforcement
21 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business; Section 32(1)(a) - Law Enforcement
22 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business; Section 32(2) and (3)(i) - Law Enforcement
23 | Audit report on ISO | Yes - in entirety |
24 | Audit report on ISO | Yes - with redactions | Section 25(2)(b)(i) Absolutely Exempt Personal Information; Section 35(c) - Conduct of Public Business
25 | Audit report on ISO | Yes - with redactions | Section 35(c) - Conduct of Public Business
26 | Audit report on ISO | Yes - with redactions | Section 32(1)(a) - Law Enforcement; Section 35(c) - Conduct of Public Business
27 | Audit report on ISO | Yes - with redactions | Section 35(c) - Conduct of Public Business
Full Response Text
Audit Report
BS ISO/IEC 20000-1:2011
Issue 1
Ref. AUDIT
Authorised by:- K Burnell
Page 1 of 6
Effective Date: 30th March 2015
Classification – Restricted Access
AUDIT REPORT NUMBER: 17060701
Auditor(s): K Burnell
Auditee(s): - Application and Client Architect
Audit Date: 7th June 2017
Audit Times: 10.00-11.55
Distribution: Richard Oliphant, Steve Parker
Audit Criteria:
Passed: - The processes and procedures are conforming to requirements
OFI: - The processes and procedures are conforming to requirements but improvements could be
made.
Minor Non Conformance: - The processes and procedures do not fulfil a requirement but is unlikely
to result in ISMS failure.
Major Non Conformance: - The processes and procedures do not fulfil a requirement and is likely to
result in ISMS failure.
Frequency of audit:
Audits are carried out at planned intervals as detailed in the audit plan and shall reflect previous
audit results and the importance of processes.
Audit methods:
The audit process is carried out to ensure that planned arrangements and the ISO standard are
conforming. They are conducted by independent trained auditors who carry out the function in an
objective and impartial manner. The frequency of audits is detailed above. They are conducted
either at the point of use of a procedure, within a process or department or as a desk audit as
appropriate.
During the audit process the auditor interacts with the auditee in order to obtain objective evidence
which can be in the form of documents, statements (verbal or written), records and visual media.
This evidence is recorded as detailed below and includes a summary and a final result based on the
above audit criteria.
This report is signed by both the auditor and the auditee to confirm that the audit has been
conducted following the above process which includes agreement regarding the selected resulting
criteria.
Introduction
This audit was commissioned by GTS to ensure that their information technology service management system conforms to the requirements of ISO 20000-1:2011.
This will ensure that any non-conformances (major or minor) are dealt with accordingly and preventive actions are put in place. The organisation also requires feedback on opportunities for improvement.
Scope
The audit reviewed ISO 20000-1:2011 9.2 Change Management against current processes and systems.
Documentation reviewed during audit
Change Management Procedure
Details of audit and samples taken
gave an overview of the process, which uses web help desk to track and manage changes through a change ticket with various options.
There are a total of 11 options, which include Application Packaging, Mobile, Security, Server Hardware, and Server Software. Samples were taken of these options (see below).
Requests for changes are documented within the web help desk (WHD).
demonstrated how a request is input into the WHD by text detail and customised fields, allowing for increased information for the engineer.
The security type is selected using a drop down menu. There are 4 options in total:
- Firewall
- NLB Configuration change
- Remote access change
- Restricted site access (includes data centre access requests)
This section also details:
- Implementation plan
- Risk assessment (drop down menu includes major, significant, important and minor)
The audit reviewed the Change Management Procedure in share point. It was noted that this
document may be old, as
searched for the current document and consulted with AC to clarify whether the document in SharePoint was current.
Change Management Process ref 102/002 pages 1-18. Contents include:
3.2.1.1 Create change request
3.2.1.2 Sign off
3.2.1.3 Evaluation
Page 9 addresses risk management.
Figure 2 is the risk matrix heat map – Impact v Probability:
Impact – 1 = low; 5 = extreme
Probability – 1 = rare; 5 = almost certain
Figure 3 details risk-based change priorities and allocates category 1 to category 3, which is derived from the risk matrix:
Major = category 1
Minor = category 3
Removal and transfers of service are detailed in section 3 Leading Practice and are controlled in the same
way.
Emergency changes are detailed in section 3.2.3 and include additional controls, e.g. approval by the Director of Technology (NL), testing criteria and documentation controls.
Unsuccessful/failed changes are detailed in section 3.2.1.9 and include a “back out” plan and record of
failure.
CMDB update is detailed in section 3.2.1.11:
- Close the change
- Interested parties
See samples for details.
Section 3.2.1.3 – assess and evaluate the change request prior to the change.
Post reviews are detailed in section 3.2.1.10
“Post implementation review” includes lessons learned, which generates OFIs.
Records of classification are detailed in the WHD, i.e. CAT 1, CAT 2, CAT 3
explained that CAT 4 (section 3.2.2) is for a standard change. It was noted that CAT 4 is not
included in the risk matrix as it is a known risk.
Change Management Policy is within the process.
The request for change scope is documented in WHD under the sections Plan to change, risk, test, and back out plan.
Samples reviewed during the audit were:
1) Application Packaging:
No. 244119 17/5/17 13:55; Closed 17/5/17 15:40
Record details:
Request – upgrade WHD live license key
CAT 4 Standard change
Minor risk
Removed license and applied old one
CMDB checked – yes
Change approved 17/5/17 13:58 by
2) Application Packaging:
No. 243543 15/5/17 13:41; Closed 17/5/17 12:19
Urgent – Microsoft patch installed on servers listed
CAT 4 Standard change
Minor risk
Tested and OK
CMDB checked
Change approved 15/5/17 15:31 by
3) Mobile:
No. 221001 9/1/17 08:39; Closed 28/4/17 08:49
Upgrade IFormBuilder with supplier (interested party)
Category not inputted into system
Classified as major but this may be a default setting
No implementation plan
Risk assessment and test plan in wrong boxes
Approved 19/1/17 09:01 by JP
CMDB not checked
5) Mobile:
No. 179702 opened 10/5/16 12:42; Closed 23/5/16 10:54
Request: upgrade live
servers
Implementation plan completed
No category entered
Major risk – default
Risk assessment blank
Approved 10/5/16 14:05 by JP
Post field blank
Corrective Action Agreed
Signed (auditor) Date
Signed (process owner) Date
Corrective action completed
Signed (auditor) Date
Signed (process owner) Date
Audit Report
BS ISO/IEC 27001:2013
Issue 1
Ref. AUDIT
Authorised by:- K Burnell
Page 1 of 5
Effective Date: 30th March 2015
Classification – Restricted Access
AUDIT REPORT NUMBER: 17 10 16 01
Auditor(s) K Burnell (KTB)
Auditee(s)
Richard Oliphant (RO)
Brain Osborn (BAO)
Observer Tana Wondergem (TW)
Audit Date 16th October 2017
Audit Times 11.30 – 13.30
Distribution
Tana Wondergem
Audit Criteria:
Passed: - The processes and procedures are conforming to requirements
OFI: - The processes and procedures are conforming to requirements but improvements could be
made.
Minor Non Conformance: - The processes and procedures do not fulfil a requirement but are unlikely to result in ISMS failure.
Major Non Conformance: - The processes and procedures do not fulfil a requirement and are likely to result in ISMS failure.
Frequency of audit:
Audits are carried out at planned intervals as detailed in the audit plan and shall reflect previous
audit results and the importance of processes.
Audit methods:
The audit process is carried out to ensure that planned arrangements and the ISO standard are
conforming. They are conducted by independent trained auditors who carry out the function in an
objective and impartial manner. The frequency of audits is detailed above. They are conducted
either at the point of use of a procedure, within a process or department or as a desk audit as
appropriate.
During the audit process the auditor interacts with the auditee in order to obtain objective evidence
which can be in the form of documents, statements (verbal or written), records and visual media.
This evidence is recorded as detailed below and includes a summary and a final result based on the
above audit criteria.
This report is signed by both the auditor and the auditee to confirm that the audit has been
conducted following the above process which includes agreement regarding the selected resulting
criteria.
Introduction
This audit was commissioned by GTS to ensure that their management information security systems conform to the requirements of ISO 20000-1:2011.
This will ensure that any non-conformances (major or minor) are dealt with accordingly and
preventive actions are put in place. The organisation also requires feedback on opportunities for
improvement.
Scope
The audit reviewed procedures against Clause 7 Relationship Process
Documentation and systems reviewed during audit
SharePoint
GTS Corporate Governance
GTS Project Review Board
Web Help Desk
Supplier Contracts
Customer Satisfaction Results
Customer Complaints
Details of audit and samples taken
OBS: It was noted that the A9.25 Minor Non-Conformance raised by LRQR during the last audit remains open, as not all users’ access is being reviewed.
7.1. Business Relationship Management was reviewed against documented evidence.
RO presented documents within SharePoint.
BAO explained the processes and systems within the Business Development Group – Director, Head of
PMO, Delivery and Support Group, a number of business reps.
Treasury are the relationship management at macro level and also in Department of Education and one
in Social Care with contractors used in DOI, DHA, DEFA to manage relationships.
Documents reviewed were GTS Corporate Governance and structure, which defines high-level relationship management and includes:
GTS Management Committee
GTS Business Development Group
GTS Development Support Group
The audit reviewed the Business Development Group which details Key purposes, I.T delivery level which
sets out DEC I.T, DED I.T, DOI I.T, DHSC I.T, DEFA I.T, DHA I.T and Treasury I.T.
Sampled DHSC I.T for audit evidence which detailed minutes of BDG Group reviewed 3/8/17.
Item 4 details GTS Project Review Board.
3 Requests were documented as detailed below:
1 Service request Forms MIAS deleted 3/8/17.
Items 1 – 9.
No 1 ref 2946 – Moving to SS0.
No 4 ref 2950 – Till system for passport and immigration.
Sampled GTS Service Form.
Ref 2950 25/7/17 – defines delivery of request
Ref 2946 23/6/17 – defines delivery of request
New SRF to PRB process with comms out which is being taken to cost improvement group.
Also details action log refs recorded:-
Ref no. 060402/7 used to track actions from meetings and allocates owners of action.
Status open date updated 3/8/17 review date 7/9/17.
Review evidence dated 7/9/17 covered under item 3 and next review planned 5/10/17.
Customer satisfaction driven by service delivery and results documented through surveys every two
years at micro level through Web help desk.
RO presented status for 2015 and 2016
Details included:
Performance – detailed both positive and negative feedback.
Experience – detailed both positive and negative feedback.
Communication – detailed both positive and negative feedback.
Overall results demonstrated customer satisfaction improving year on year.
A pie chart was also demonstrated, which showed 58.3% of activity going through the help desk, which helped improve the results.
Customer satisfaction is also monitored through the CSI dashboard, which details results by team and by quarter.
Teams reviewed were:
Desk Top Support
Desk Top Security
DHSC
Distribution Support
Help desk
Infrastructure Support
Reviewed CSI dashboard for help desk quarter 2 17/18.
July 17 = 100%
Aug 17 = 99.9% - No poor responses received.
Sept 17 = 100%
Also reviewed the SLA dashboard, which is monitored by the above teams.
An upward trend in achieving SLAs was noted, with ticket numbers increasing. Results of SLA achievement were:
July 17 = 97.7%
Aug 17 = 975
Sept 17 = 100%
Complaints documented through Mann Comm:-
Evidence reviewed in March 2017 records which detailed complaints/poor response in Q4 Management
Pack.
3 events were recorded:-
2/3/17 Ticket No 229379 – FIU – Too long to sort out ticket.
24/3/17 Ticket No 232196 – Police Headquarters – Access card information incorrect.
27/3/17 Ticket No 233592 – Physiotherapy – Not happy with response time.
Also reviewed positive replies and compliments received, documented through two channels: e-mail and the Web help desk.
Reviewed September 17. Total of 14 recorded.
Sampled.
For RQ – excellent, prompt response.
For MB and AS – Advice and support client focused.
For GIS Team – Maps and Apps received well by client.
7.2 Supplier Management:-
BAO explained, suppliers are used for:-
GTS.
Customers.
Range includes software, hardware, fixes and managed services.
A total of approximately 200 suppliers who have documented contracts were presented to the auditor
who reviewed samples raised from PISAM.
Argon:- printer support – reviewed contract 6/3/17 signed off by Chief Secretary and two Argon
directors.
Conten