You are one of the postgraduate trainees newly employed in IT security auditing at CyberSAFE Auditors. A new client, English & American plc, based in the Lloyd's of London insurance market in the City of London, has requested a partial ISO27002 compliance audit to be undertaken by CyberSAFE. Before awarding CyberSAFE the contract, the CEO of English & American has asked for an Audit Plan detailing the methods and approach to auditing that CyberSAFE intends to apply to their systems and premises. The Chief Auditor of CyberSAFE, Nigel Waring, is very keen on getting trainees involved with real clients and so, as part of the postgraduate induction programme, has divided the trainees into teams of two, with each team writing an Audit Plan on how the required ISO27002 partial audit is to be conducted. Nigel will then select the best report to present to the real client. Nigel says that each pair must arrange between themselves for the following tasks to be undertaken:
1. An initial meeting together, either in person or by Teams or Zoom, to allocate one person to Secure Areas (Section 4 in the report) and the other person to Equipment Security (Section 5 in the report). All other sections are to be dealt with jointly. The team members must also decide on their fieldwork methods, timetable and overall audit approach. This initial meeting should have minutes taken and recorded as the Initial Work-In-Progress Report (min. 250 words).
2. Two further Work-In-Progress meetings should be held, using the same methods as above, with minutes taken of each. Such minutes should cover decisions made together, disagreements, allocation of tasks, and plans. Minutes should be no more than 250 words each and titled Interim and Final Work-In-Progress Reports.
3. Finally, the team collectively must produce an Audit Plan report according to the template stipulated by Nigel Waring (see Audit Job Allocation, App.B).
Nigel then presents each team formally with the following documents:
1. Copy of the original letter from the client specifying their constraints on this work (App.A),
2. An Audit Job Allocation Form from Nigel (App.B),
3. Copy of the relevant parts of ISO27002:2013 sect. 11 that Nigel wants you to use (App.C).
Write an Audit Plan report as requested by Nigel in the Job Allocation Form (App.B below). The report should be a minimum of 3000 words and a maximum of 5000 words, excluding any appendices and references. The report must be word-processed and must use the headings and sub-headings specified by your Chief Auditor, Nigel Waring, in the Audit Job Allocation Form.
Control: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage.