Internal Audit & Compliance Policy
Security Classification: Public
Version: 2.0 (February 2025)
Purpose
The purpose of the Internal Audit Policy is to provide Management with information on the performance of the Information Security Management System (ISMS) and on the security of KX products and services. This is achieved by following the related policies defined in the ISMS, which address the various aspects of Information Security across infrastructure, platforms, products and services, including the provisioning of services on cloud. The results of these policy activities are collated and analyzed to produce management information that represents the performance of the ISMS. Management then uses this information as the basis for ISMS amendments and process improvements.
Scope
The Internal Audit process covers all aspects of the KX business. The approach is to cover all aspects of the ISMS by conducting sample internal audits as scheduled throughout the year. The evidence gathered verifies compliance, provides management with a status on performance, and is used to drive corrective actions or process improvements.
Terms
- ISO 27001 – Formal Information Security Standard relevant to companies committed to Information Security.
- Accreditation Body – An independent external body that is qualified to assess companies against a specific quality standard.
- Non-Compliance – Not adhering to the requirements of the ISMS policies.
- Observation – An inference from something seen or experienced that may develop into a non-compliance.
- Improvement – An enhancement that makes something better.
- Corrective Action – Activities that will prevent the recurrence of an audit failure or other ISMS issue.
- Preventative Action – As part of the corrective action process, activities that will ensure potential issues are prevented from occurring in the first place.
- Root Cause – The result of an investigation to identify the origin of any audit failure of the ISMS.
Roles & Responsibilities
Roles and Responsibilities will be made clear in the context of each process step definition.
Here is a list of key roles for the Internal Audit Process:
- Lead Auditor – Creates, manages and maintains the audit schedule.
- Auditor – Plans and conducts the audit.
- Auditee – Provides factual evidence in support of any audit request.
- SVP of Information Security & Compliance – Reviews and assesses Internal Audit results to drive management and improvement of the ISMS.
Management Review
Management Reviews are formal communications of the status of KX Security and Compliance. These formal meetings will be conducted at minimum once every 6 months, based on the agenda below:
- Status of actions from previous management reviews
- Feedback on the information security performance, including trends in:
  - Fulfillment of information security objectives
- Feedback from interested parties
- Results of risk assessment and status of risk treatment plan(s)
- Opportunities for continual improvement
- Any other business issues / needs
Internal Audit Process
The list below details the linked activities that make up an Internal Audit as implemented within the ISMS:
- Process Audit Schedule
- Planning for an Audit
- Notification of Process Audit
- Preparing for an Audit
- Conducting a Process Audit
- Corrective Actions
- Process Audit Results