DPWAT-ISMS-PROC-009 v1.0

Internal Audit Procedure

Document ID: DPWAT-ISMS-PROC-009
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01

1. Purpose

Plan and perform internal ISMS audits (ISO 27001 clause 9.2) and record results.

2. Programme

3. Independence

Auditors must be objective and must not audit their own work. Where company size makes this infeasible, apply a compensating measure: findings are peer-reviewed by an Administrator.

4. Protection of systems during audits

Internal audits
- Audit scope and schedule are agreed in advance.
- The auditor does not have unsupervised access to production systems; the CISO provides guided access as needed.

External audits (certification body, customer audits)
- Scope and objectives are agreed before the audit begins.
- External auditors do not receive direct or unsupervised access to DP WAT systems.
- The CISO provides supervised, side-by-side access, showing auditors what they need to see.
- Access is limited to the minimum required for the audit scope.

Penetration testing
- Pen testing of customer systems is scoped per customer project requirements.
- DP WAT does not perform pen testing on its own internal systems; security reviews are performed by the CISO.

5. Records