
Page 1: INITIAL CERTIFICATION STAGE 2 AUDIT REPORT FOR …

1/22

KEBS- CERTIFICATION BODY

ISO 27001:2013 ISMS

INITIAL CERTIFICATION STAGE 2 AUDIT REPORT

FOR

UNIVERSITY OF EMBU (UoEm)

Audit No. KEBS/ISMS/SC/04/2/2018

19 June 2018


Table of Contents

1.0 Introduction …………………………………………………… 3

2.0 Audit summary …………………………………………..……… 4

3.0 Detailed report ………………………………………………….. 5

4.0 Other Information.................................................................... 19

5.0 Conclusion & Opinion……….. ………………………………… 19

6.0 Confirmation of Audit Objectives……………………………….. 19

Appendices………………………………………………………………. 21

Appendix 1: Audit Timetable/Scope

Appendix 2: Meetings Attendance Register (Opening/Closing Meetings)

Appendix 3: Corrective Action Request forms (CARs)

Appendix 4: Audit Program


SECTION 1: INTRODUCTION

Audit client name: University of Embu (UoEm)
Client Address: Along Embu-Meru Road, P.O. Box 6-60100, Embu
Email: [email protected] ; [email protected]
Tel: 0722347057 - Dr. Kerama
Client Representative: Prof. Kotut
Designation: Management Representative (M.R)

Audit date(s): 29 and 30/5/2018
No. of Audit Days: 2
Audit Basis/Criteria: ISO 27001:2013, UoEm ISMS documentation, Applicable Legal & Contractual requirements
Audit Scope: Provision of Training, Research and Extension
Audit Number: KEBS/ISMS/04/2/2018
Audit Type: Initial Certification Stage 2
Audit Team: Purity Wangai (PW) – Lead Auditor; Evelyne Mirembo (EM) - Auditor

Audit Objective(s):

i. Determination of the conformity of the client's management system, or parts of it, with audit criteria;

ii. Determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;

iii. Determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;

iv. As applicable, identification of areas for potential improvement of the management system.


SECTION 2: SUMMARY OF AUDIT FINDINGS

The ISO 27001:2013 Information Security Management System (ISMS) Initial Certification Stage 2 audit was conducted on 29 and 30/5/2018 at University of Embu (UoEm). Opening and closing meetings were conducted and the meeting attendance register is in Appendix 2.

It was confirmed that interested parties and their needs and expectations were determined, the risk treatment plan and selected controls were documented per department, actions taken to implement the selected controls were recorded, staff had signed the oath of confidentiality, ISMS objectives and the ISMS policy were communicated at each department, staff are aware of the ISMS policy, and internal ISMS audits and management review were conducted, among other positive findings.

However, areas of improvement were identified. For example, some of the risks discussed and confirmed with the auditee were not included in the ISMS, e.g. 'lack of integrity' of research resource person(s)/supervisors was not identified as a risk at the research department. Risk levels have not been monitored after implementation of the selected controls. An assets inventory is not available in some areas and, where it is documented, it is not comprehensive. There was no evidence of ISMS training for some staff. Opportunities were not determined for the security office, among other weaknesses. These areas of improvement have the potential to become nonconformities if nothing is done about them.

A total of 3 minor non-conformities (NCs) were also identified, as indicated in Appendix 3. The NCs were discussed during the closing meeting and agreed upon. Follow up on the NCs will be conducted during the next audit should a decision to certify the client be made.

It is the opinion of the audit team that the implemented ISMS meets most of the requirements of the audit criteria, the ISMS has the ability to meet applicable legal and contractual requirements, the ISMS is effective and the client can reasonably expect to achieve ISMS objectives, and the ISMS has weak areas that need improvement.

The client having already forwarded appropriate corrective action, which has been approved, recommendation for certification to ISO 27001:2013 is hereby made.

The audit objectives were achieved.


SECTION 3: DETAILED AUDIT FINDINGS

3.1 LIBRARY- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1

Positive Findings

1. Clause 4.2 – External and Internal interested parties include;

External parties (E.P) and their needs & expectations:

- Government bodies e.g. CUE, Min of Education, Public Health: compliance with applicable regulations, e.g. CUE regulation requires an online portal through which any interested party can access the library catalogue

- Members of public: Information available at the library e.g. books

Internal parties (I.P) and their needs & expectations:

- Students and Staff: Access to information

2. Clause 5.1- Resources provided for ISMS include;

- Lockable cabinets for keeping confidential files e.g. file with JDs for staff

- Staff trained on ISO 27001

- Computers to keep information like library catalogues

- Internet through which the online portal for catalogues can be accessed by students, staff and members of the public. Internet is also used to access electronic information like e-books and journals from other external information sources to which the university has subscribed.

- Resources for physical security include security personnel/guards engaged on contract basis

- Lockable doors at the library

3. Clause 6.1.1- Risks and opportunities

- Risk: Denial of information due to power outage that makes electronic information unavailable, and due to wrong cataloguing.

- Related opportunity: Marketing library services (it has not been done before)

- Actions to address the opportunity: Posting signage, introduction of online chatting on the library website

4. There is a document identified as 'monitoring template for interested parties & Requirements/Internal & External issues/Risks/Opportunities' which has the following columns: Interested party & requirement/Issue/Risks/Opportunities; Activities (what will be done/is being done); Responsibility; Timeframe when to implement activities; Monitoring frequency (when results shall be analyzed & evaluated); Evidence/records required. A sample entry reads:

- Interested party & requirement: Students- Up to date information resources (both print and e-resources)

- Activities: Involvement of users in selection process for books

- Responsibility: Librarian

- Timeframe: Last ¼ of Academic year when users make requests

- Monitoring frequency: annual

- Evidence/records required: Book selection forms, Requests

5. Clause 6.1.2- Information security risk assessment

- There is a soft copy of the Library risk register, accessed using a password through the university website. The Excel sheet has risk assessment results and is identified as 'Risk Register'. It has 3 risks identified, each scored 6 and therefore requiring further action by urgency as indicated on the scale. The risk owner is identified as 'Librarian'.

- Risk criteria are indicated on the Excel risk register, which also explains risk likelihood and consequences, and risk appetite on a scale of 1 to 5 with color codes and interpretation of the colors.

6. 6.1.3 - The risk treatment plan is also on the same Excel risk register. Auditee indicated that if the document is on the university portal (accessed through the website), it is an indication that it has been approved.

7. 6.2 - ISMS Objectives. There are 3 objectives approved on 6/1/2018 with a plan to achieve them. The plan has the columns Objective, What will be done, When to complete, Resources required, Responsible, How results will be evaluated, and Achievement. E.g.:

- Objective: Create awareness among staff in the library on all ISMS requirements relevant to the department

- What will be done: HOD sensitization for staff

- When to complete: Dec. 2018

- Resources required: Personnel, Information material

- Responsible: librarian

- How results will be evaluated: Evaluation of awareness reports

Minutes of the meeting held on 10/1/2018 discussed ISMS policies and objectives.

8. 10.1- No information security incident has occurred. However, there is an incident register UoEm-REG-LIB-VOL.01-021 from Jan. 2018.

- No situation that required improvement actions had occurred.

Areas of Improvement

1. Clause 6.1.1- Risks and opportunities

- For the risk 'loss of information by theft, mutilation', the opportunities identified are not suitable in the risk-based thinking (RBT) concept, e.g. back up, university stamp on physical information like books, inventory for library stocks/resources. All these are old practices and therefore not suitable in RBT.

- However, after discussion with the auditee, suitable opportunities were identified but were not considered in the ISMS. E.g. there is a plan to install an Integrated library security management system that will enhance security of physical information like books; the system can detect any information at the exit that has not been properly issued, as a control against theft. It is planned to be installed by Dec. 2018 through a tender process, and the procurement process has been initiated as shown by a memo dated 25/4/2018 circulated to the VC. For the risk 'Denial of information', there is a plan to install a library self-issuing machine that will enable users to self-issue and return books by themselves using the university identification card; this will be operationalized by Dec. 2018. However, these opportunities were not included in the ISMS.

2. Clause 6.1.2 and 7.5 - Information security risk assessment

There is a soft copy Library risk register. For the first 2 risks, the auditee's copy shows an orange/yellow color code while the auditor's copy shows red.

3.2 SCHOOL OF NURSING- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1

Positive Findings

1. 4.2 - Interested parties include students interested in correct information for exam results, and staff interested in accurate information e.g. about teaching arrangements and how many lectures are allocated per semester. The staff also expect availability of other information they need to operate.

2. 5.1 - ISMS resources needed and provided include lockable cabinets for confidential and restricted information, computers for storing electronic information e.g. exams that are opened by password, staff to handle the information, and office space for exam scripts.

3. 6.1.1 - Risks and opportunities in relation to clauses 4.1 and 4.2

- For the risk 'Unauthorised access to exam results', actions to address it include existing controls e.g. the designated office of the Exam Coordinator, and the additional controls determined from ISO 27001 are A.13.2.1 and A.7.2.3.

- The departmental risk register indicates that cryptography shall be applied to protect exam results by Dec. 2018 as an opportunity.

4. 6.1.2 - Information security risk assessment results are documented. The risk 'Unauthorized access to exam results' had a risk score of 4 and the risk treatment plan indicates that the target is to reduce it to 1 by Dec. 2018. Applicable controls are determined.

5. 6.1.3- The Information security risk treatment plan indicates existing controls and additional controls from ISO 27001 Annex A.

6. 7.2 – Competence

- Responsibilities for staff were indicated on a memo from the Dean dated 8/1/2018.

- Staff PF No. 0122: his responsibility is 'Updating ISMS documents and table reports in meetings'. He signed the oath of confidentiality on his employment in July 2017 and had ISMS training in May 2017.

- PF No. 0095 has the responsibility 'Information transfer according to the information transfer and handling guidelines'. Minutes of the school meeting held on 3/11/2017, in which she participated, included staff sensitization on the clear desk/screen policy.

7. 7.5.2 - The incident register is identified by title and also by code UoEm-REG-SoN-007/VOL1. The soft copy file of the risk register is identified as 'SoN ISMS Risk register 18-5-2018' and in the electronic document it is identified as 'Teaching Risk Register Doc. No. UoEM/TEACH/TRR/005 Version A'.

- Electronic information on the Dean's computer is protected by SMADAV 2014 Free anti-virus.

8. 7.5.3 - Passwords are used to protect electronic information e.g. exams. Hard copies are in lockable cabinets. Exam hard copies are reproduced by the exam office. The Dean's office has a lockable door.

9. 10.1- No information security incident has occurred. Auditee indicated that an opportunity to improve had not occurred.

10. During school board meetings, staff are sensitized on ISMS, e.g. in a meeting held on 20/3/2018.

Areas of Improvement

1. Auditee demonstrated the passwords used to open the computer and to open exams. There are password guidelines, and item (f) on page 2 of the guidelines has criteria for passwords. But the auditee's passwords did not meet the criteria.

2. 7.2 – There was no evidence of ISMS training for staff Jacqueline and PF No. 0095.

3. There is a file identified as EoEm/SoN/M-L-R/VOL1 that has a list of records at the department. This file was shown by the auditee as the Information assets register.

3.3 ICT- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1

Positive Findings

1. 4.2 and 6.1.1

External parties (EP) and their needs & expectations:

- Suppliers e.g. ISP: Access to tender documents on the website; implementation of SLA in the case of the ISP

- Public/community: Courses offered to be posted on the website, enquiries to be handled through the website

Internal parties (IP), their needs & expectations, actions taken to address IP interests, risks to IP interests, and opportunities:

- Students
  - Needs & expectations: Reliable Internet access with low downtime, functional computer labs
  - Actions taken: quarterly maintenance schedules for computer labs; installation of UPS in server room; back up generator; redundant fibre link
  - Risks: breakdown/faulty equipment at computer lab; power loss
  - Opportunities: close proximity to a variety of high speed fibre optic cable (so far 3 cables have been installed from 2014); introduction of SMS function, email function, email alerts and a knowledge base for users on the OS ticketing system as from Jan. 2018; assessing students' innovations in the projects they do to determine how they could benefit the university

- Staff
  - Needs & expectations: Reliable Internet access with low downtime, confidentiality of information in the backup server, functional ICT equipment
  - Actions taken: as above for students; encryption of information in server back up for confidentiality
  - Risks: leakage of back up information e.g. pay slips; ICT equipment malfunction; malware attacks; hacking; lack of passwords for computers


- The email address on the website, [email protected], was tested by the auditor by sending an email. The email was received at the ICT office immediately after sending.

2. 5.1 - Resources determined for ISMS include personnel, funds, staff training. Training was done as indicated on item 6 below.

3. 6.1.2- Information security risk assessment results are documented on the risk register. The risk acceptance criterion is 2, as indicated on the Risk Appetite matrix on the register.

4. 6.2- ISMS objectives are documented, e.g. to enhance information security by encrypting the backed up information by Dec. 2018, and installation of antivirus software on all university computers by Dec. 2019. So far, antivirus has been installed on 200 computers out of a total of about 320 computers at the university.

5. 6.1.3 - Information security risk treatment plan is documented. It indicates controls selected for the risks determined.

6. 7.2- ISMS Training:

- Ag. ICT director – trained as ISMS internal auditor in February 2018.

- PF/No. 0426 and PF/No. 0337 – ISMS awareness was done for these staff during staff meetings on 21/11/2017 and again on 16/1/2018.

8. 7.5.3 - ISMS documents are on the university website, accessible by all staff by use of a password.

9. 10.1- Incidents register UoEm-REG-ICT-008-Vol1 is available and one incident was identified as 'the meeting dashboard failed to send invitations for a meeting (Deans committee) reported on 17/5/2018'. Root cause and all actions taken were recorded on the register.

10. Business Continuity Plan- Licensed antivirus is expected to be purchased by 30/6/2018 for all computers based on the new computer inventory that is currently being developed at the various departments.

11. ISMS Assets Register- There is an assets register for the ICT department which includes assets in the server room, desktop computers, etc. Serial numbers and other pertinent information for the assets are indicated on the register.

12. Signed ISMS policy is displayed at the office.

13. Monitoring and measurement of implementation of the risk treatment plan:

- There is a documented monitoring tool for actions to be taken to implement selected controls. Results of actions taken are recorded and the resultant status of the system is indicated.


Areas of Improvement

1. 7.5.2- Auditee has a soft copy of the risk register from the website identified as UoEm/ICT/ICTRR/009 Version A Revision 1 dated 23/5/2018. The auditors' copy of the same document is Revision 0 dated 5/12/2017. Auditee indicated that the register was recently amended: a memo dated 16/5/2018 required ISO documentation to be reviewed and finalized by 21/5/2018, and so the ICT risk register was amended. However, the document amendment form for the register was not filled.

2. There is a documented monitoring tool for actions taken to implement selected controls. However, the risk level has not been monitored after implementation of the controls.
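The weakness noted in item 2 above (controls implemented, but the risk level never re-assessed) recurs in several departments in this report, and it is straightforward to detect mechanically once a register records a residual assessment alongside the inherent one. The following Python block is an added illustration and is not part of the audit report or of any UoEm register. It models a register row with inherent and residual levels and flags the weaknesses this report raises: a risk above the acceptance criterion with no control selected, controls marked done or continuous with no residual level recorded, and a residual level still above the criterion. The scoring formula (likelihood multiplied by consequence, each on a 1 to 5 scale), the colour-band thresholds, the control ids on the sample rows and the sample rows themselves are assumptions constructed for the example; only the acceptance criterion of 2 is taken from the ICT finding above.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Risk acceptance criterion: a level at or below this needs no further action.
# The value 2 is the one quoted for the ICT register; the scoring formula
# below (likelihood x consequence) is an assumption for this example.
ACCEPTANCE_LEVEL = 2


@dataclass
class Risk:
    ref: str
    description: str
    owner: str
    likelihood: int                      # 1-5, assessed before controls
    consequence: int                     # 1-5, assessed before controls
    controls: list[str] = field(default_factory=list)   # Annex A control ids selected
    control_status: str = "planned"      # planned | done | continuous (as in a monitoring tool)
    residual_likelihood: Optional[int] = None   # re-assessed after controls; None if never done
    residual_consequence: Optional[int] = None

    @property
    def inherent_level(self) -> int:
        # Assumed formula; it reproduces the 1, 2, 4, 6 and 9 levels quoted in the report.
        return self.likelihood * self.consequence

    @property
    def residual_level(self) -> Optional[int]:
        if self.residual_likelihood is None or self.residual_consequence is None:
            return None
        return self.residual_likelihood * self.residual_consequence


def colour_band(level: int) -> str:
    """Map a level to the colour code of a register heat map (assumed thresholds)."""
    if level <= ACCEPTANCE_LEVEL:
        return "green"
    if level <= 6:
        return "yellow"
    return "red"


def audit_register(register: list[Risk]) -> list[tuple[str, str]]:
    """Return (risk ref, finding) pairs for the weaknesses an auditor would raise."""
    findings: list[tuple[str, str]] = []
    for r in register:
        if r.inherent_level > ACCEPTANCE_LEVEL and not r.controls:
            findings.append((r.ref, "above acceptance level but no control selected"))
        if r.control_status in ("done", "continuous") and r.residual_level is None:
            findings.append((r.ref, "controls implemented but residual level not monitored"))
        if r.residual_level is not None and r.residual_level > ACCEPTANCE_LEVEL:
            findings.append((r.ref, f"residual level {r.residual_level} still above "
                                    f"acceptance level {ACCEPTANCE_LEVEL}"))
    return findings


# Constructed sample register. Descriptions echo the kinds of risk named in the
# report; scores, owners and control ids are illustrative, not copied from any
# departmental register.
SAMPLE_REGISTER = [
    Risk("R1", "Denial of access to information", "ICT director", 2, 3,
         controls=["A.7.2.3"], control_status="done"),
    Risk("R2", "Unauthorised access to exam results", "Dean", 2, 2,
         controls=["A.13.2.1", "A.7.2.3"], control_status="done",
         residual_likelihood=1, residual_consequence=1),
    Risk("R3", "Leakage of backup information", "ICT director", 3, 3),
    Risk("R4", "Malware on lab computers", "ICT director", 3, 3,
         controls=["A.12.2.1"], control_status="continuous",
         residual_likelihood=2, residual_consequence=2),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.ref, r.inherent_level, colour_band(r.inherent_level), r.residual_level)
    for ref, finding in audit_register(SAMPLE_REGISTER):
        print(f"{ref}: {finding}")
```

Run against the constructed rows, R2 passes (controls done and residual level 1 is at or below the criterion), while R1, R3 and R4 each produce one finding. The same three checks can be run over an exported register sheet before a management review so that the residual-risk gap raised in this report is caught internally rather than by the certification auditor.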

3.4 DIRECTORATE OF RESEARCH & EXTENSION- clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4, 7.5.2, 7.5.3

Positive Findings

1. At the Director's office, no information was on the desk and the computer had a clear screen.

2. Approved ISMS objectives and ISMS policy are displayed.

3. 7.3- The interviewed person (administrative assistant) is aware of the ISMS policy and his contribution towards confidentiality of information. He is also aware of the consequences of not implementing ISMS requirements.

4. There was a power outage around 8.51am during the audit. The power generator automatically switched on within a few seconds.

5. There is a UPS for computer power back up at the Director's office.

6. 4.2 - External interested parties include the community, interested in research output and outreach; the government, interested in whether research at the university is aligned to the national agenda; regulators like CUE, interested in the quality of research; and NACOSTI, interested in the types of research. ISMS interests of these parties include;

- Community- interested in integrity and availability of information

- Government bodies- interested in integrity and availability of information

7. 6.1.1 - Risks determined are on the risk register accessed from the website using a password. Risks include e.g. leakage of confidential research information, and acceptance of falsified research information.

8. 5.1- Resources determined include fireproof cabinets.

9. 6.1.2 and 6.1.3 - Risk assessment results are indicated on the risk register on an Excel sheet identified 'Risk Register'. The register also has a 'Risk Treatment Plan' which indicates the planned treatment results.

10. Results of implementing the risk treatment plan are indicated on a monitoring tool on the risk register which indicates controls applied, responsibility, time-frame to implement controls, evidence for implementation required, results of controls implementation and status of actions (done or continuous).

11. 7.1 - Resources provided include an office for physical security, a computer for information processing, storage and communication by email, and lockable file cabinets.

12. Copies of research reports are sent to DVC- Academics Research, while copies are retained at the office as back up.

13. 7.4- Communication about ISMS

- This is done during meetings, e.g. minutes of the meeting held on 6/2/2018 in which ISMS objectives, the clear desk clear screen policy, etc. were discussed.

- The Director determines what is to be communicated, e.g. the agenda for meetings.

14. 7.5.2, 7.5.3 – Documents are uniquely identified, e.g. the file with research reports is identified as UoEm/DRE/RESEARCH/VOL.2.

15. The Director's personal desktop computer is protected by licensed Kaspersky antivirus.

16. A.8.1.1 Assets inventory- There is an electronic register of ICT devices which indicates one computer for the office Administrator.

- There is an 'Information and Information Assets Register' that has classification of information and a list of information and information assets, e.g. research reports.

17. There is an incident register opened on 8/3/2018 but it has no record because no incident had occurred.

Areas of Improvement

1. 'Lack of integrity' on the part of resource person(s)/supervisors was identified as a risk during the auditor's discussion with the auditee. But this risk was not considered in the ISMS.

2. The interviewed person (administrator) does not clearly understand integrity and availability of information.

3. 6.1.1- The opportunity determined was not clearly relevant to the ISMS, i.e. 'establishment of collaboration with different institutions e.g. universities, research institutions, etc., as required by the National Research Fund in Feb. 2018'.

4. Residual risk levels have not been determined/monitored after implementation of the controls (i.e. from risk level 9 towards level 1).

5. There is only one key for the lockable metal cabinet at the Director's office.

6. The Administration Officer holds both original keys for a file cabinet together. This situation does not provide key back up.

7. 7.5.2, 7.5.3 – Auditee has Risk register Version A Rev. 1 dated 23/5/2018, while the auditors' edition is Version A Rev. 0 dated 5/12/2017. The document amendment form was not filled for the amendment of the register.

- The metallic and wooden file cabinets are not fire proof as required by the business continuity plan (BCP).

8. No CCTV installed according to the BCP.

9. A.8.1.1 Asset Register- The personal computer privately owned by the Director is not included as an asset, yet it contains research information for the university. The asset register also does not include personnel as information assets.

10. Clear desk and clear screen policy item 3.2 requires HODs/Sections to conduct regular monitoring and evaluation of the policy. But there is no evidence of implementation of this requirement.


3.5 MANAGEMENT REPRESENTATIVE (QISMR) -4.1, 4.2, 4.3, 7.5, 6.1.3, 9.3

Positive Findings

1. 4.2- Interested parties include external providers, community, government bodies, parents/guardians/sponsors, industry, professional/regulatory bodies, financial institutions.

2. 7.5- Statement of Applicability (SOA)- The auditee's copy is accessed from the website by use of a password. It is Version A revision 1 dated 23/5/2018. A request to review various documents was approved by the M.R on a memo on 10/5/2018.

3. 6.1.3- The SOA has selected controls indicated with justification. Controls not selected are also justified, e.g. 6.2.2- Teleworking is not selected, with acceptable justification.

- Control A.7.2.2 selected on the Procurement Risk register is on the SOA with justification for RRA. A.11.2.9 selected on the same register based on risk assessment results is justified on the SOA. Justification is also given for exclusion of A.14.1.3 on the SOA.

- A.11.2.9 selected by the procurement department based on risk assessment results is justified on the SOA.

4. 9.2 Internal audits for ISMS

a) ISMS internal auditors were appointed by the M.R by a memo dated 26/2/2018 to conduct the audit from 13 to 15/3/2018. Auditors and the audit team leader were indicated on the memo.

b) Reports for audits conducted in March 2018 are documented for every department. Nonconformities (NCs) were also included in the report.

c) The Security office had a major NC about lack of awareness of the information security policy, and the correct clause of the standard which was contravened was identified on the NC report. The NC report also indicates adequate root cause and corrective action (CA), and follow up on implementation of the CA was done on 9/4/2018.

d) At the Health Services department, an NC was recorded that 'No evidence of development of Rules and Regulations on the use of information assets'. The root cause was indicated as nobody having been assigned the responsibility to develop ISO documents. Correction was indicated as 'to develop the rules and regulations'. CA was also adequate. Evidence of the developed rules and regulations was available, dated 20/3/2018.

5. 9.3 Management Review is planned to be conducted twice a year

a) A meeting was conducted on 16/4/2018 and minutes were documented.

b) Minutes indicate that some 5 departments provided details of achievement of information security objectives and other members were urged to emulate them. Fulfilment of information security objectives was also discussed for the same departments.

c) The outputs of the management review, which included decisions related to continual improvement opportunities, were recorded in Appendix 6 of the minutes.

6. 4.1 and 4.3: ISMS Context & Scope are documented.

Areas of Improvement

1. SOA- The auditee's copy is Version A Revision 1 dated 23/5/2018 while the auditors' copy is Revision 0. The document change request form was not filled (but the M.R approved the change on a memo on 10/5/2018).

2. The ICT department Risk Register has the risk 'Denial of access to information' with a risk level of 6 and selected control A.7.2.3. However, the SOA has not indicated justification to include the control based on Results of Risk Assessment (RRA). The same applies to A.11.2.2 and A.11.2.4 for the department.

- On the Procurement department Risk Register, the risk identified as 'Leakage of supplier information to a competitor' has risk level 6. Control A.16 is selected for the risk but justification for inclusion based on the risk assessment results is not indicated on the SOA.

3. 9.2- Internal audits for ISMS

a) At the Health Services department, an NC was recorded that 'No evidence of development of Rules and Regulations on the use of information assets'. Document UoEm/QISMR/PD/008 section 2.1 (3) was identified as the relevant criteria document violated. However, the criteria document does not have a section 2.1 (3), although the requirement violated is on the document.

b) At the VC's office, it was reported by the internal auditor as 'observations' that there was no evidence that the office had an inventory/information assets register, and also that one of the 2 computers had a password of 4 characters. The same weaknesses were detected elsewhere by the external auditor in May 2018; the weaknesses had not been addressed at the time of the external audit.

4. 9.3- Management review was conducted on 16/4/2018

a) Client indicated that there were no changes in the ISMS but this was not recorded in the minutes.

b) There was no evidence that monitoring and measurement results were discussed.

3.6 TOP MANAGEMENT COMMITMENT- ISO 27001 clause 5.1

1. 5.1 - Resources determined and provided for maintenance of both ISMS and QMS include Kshs 4 million for 2017/2018; there is an M.R office with 3 staff dedicated to QMS/ISMS; and there are ISO Champions.

- Other resources to be provided according to the Business Continuity Plan include CCTV cameras to be installed in 2018/2019, and fire proof cabinets will also be provided within the same year.

- Staff have been trained on ISMS.

3.7 DIRECTORATE OF POST GRADUATE STUDIES- ISO 27001 clauses 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1

Positive Findings

1. Clause 6.1.1- Actions to address risks and opportunities

Risks and opportunities for the department have been determined. Mitigations and controls for the risks identified had been determined. The plan for actions to address the risks and opportunities identified had been drawn, for example, capacity building and implementation follow up committees. The actions to address the risks were being implemented, for example, risks 6, 9 and 7. Review of the actions to address the risks was being done; for example, the actions to be implemented in 3 months effective December 2017 had been reviewed, and the previous levels for the risks sampled were 6, reviewed over 3 months to capture a risk level of 1 and 2 for an initial risk level of 9.

2. Clause 6.1.2 – Information security risk assessment

A risk criterion and the acceptance levels for the risks have been established.

3. Clause 6.1.3 – Information security risk treatment

Controls to be applied to the risks identified have been determined and a risk treatment plan formulated; they included capacity building, awareness creation and disciplinary actions, and allocation of cabinets and passwords to the members of staff in the department.

4. Clause 6.2 – Information security objectives and planning to achieve them

ISMS objectives for the department have been established in line with the requirements of the standard; they included 'to check all thesis and project reports for plagiarism'. Monitoring of the implementation of the objectives was being done: 10 projects were evaluated in the period July to September 2017 and an analysis of the hand deliveries and courier deliveries was done on 30th September 2017.

5. Clause 9.1 – Monitoring, measurement, analysis and evaluation

The department has determined similarity levels in the projects in the university and globally as data to be collected, monitored and analysed for decision making in the department. The results from monitoring are to be analysed every quarter of the academic year.

6. Clause 10.1 – Nonconformity and corrective action

The department has a mechanism for capturing customer feedback, complaints and nonconformities. Registers like UoEm-REG-BPS-005 for compliments and UoEm-REG-BPS-006 for complaints are maintained and used by the customers in the department. Complaints are captured and resolved, for example, the complaint on scholarship stipends taking too long, recorded on 3rd May 2018.

Areas of Improvement

1. The complaints record does not address root cause analysis adequately; for example, the complaint on the stipends delay had the root cause recorded as 'there was no delay as per finance voucher'.

3.8 DEPARTMENT OF BUSINESS AND ECONOMICS- ISO 27001 clauses 4.2, 5.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1

Positive Findings

1. Clause 5.1 – Leadership commitment

The information security policy has been shared within the department; the policy was understood by the sampled staff in the department. The procurement plan and the approved budget for the department's needs were available, approved on 19th September 2017.

2. Clause 4.2 – Understanding the needs and expectations of interested parties

Interested parties relevant to the ISMS had been determined. Relevant requirements of the interested parties have been determined; they included accurate and timely feedback on exams and results for the students. The needs and expectations of interested parties have been used to come up with some of the risks, for example, examination delay by the department.

3. Clause 6.1.3 – Information security risk treatment

Controls for the risks identified have been determined; they included lock and keys for exam papers and use of examination policies. A risk treatment plan had been formulated and the plan approved by the identified owners. Analysis of the risks identified for the department was being done; the risks identified on 4th December 2017 will be reviewed in the month of June 2018 to come up with the implementation status.

4. Clause 6.1.2 – Information security risk assessment

Risk owners within the department have been identified. The risk acceptance criteria have been developed in the department with the likelihoods and the risk appetites. Opportunities for the department have also been identified. A plan for implementation of the actions to address opportunities has been drawn; for example, a proposal for establishing a business wing for the department had been drawn in May 2018.

5. Clause 6.2 – Information security objectives and planning to achieve them

Information security objectives for the department have been developed and shared within the department, approved on 2nd March 2018. The plan for achieving the information security objectives had been drawn in line with the requirements of the Standard.

6. Clause 9.1 – Monitoring, measurement, analysis and evaluation

Incidences of fabrication of marks have been determined by the department as data to be collected and analysed; external examiners' reports are also analysed for malpractices.

7. Clause 10.1 – Nonconformity and corrective action

Customer feedback is captured using registers like UoEm-REG-DBE-011-VOL. 1 for incidences, UoEm –REG-DBE-004-VOL.1 for complaints, and the compliments register UoEm –REG-DBE-005-VOL.1.

3.9 DEPARTMENT OF LAND AND WATER MANAGEMENT- ISO 27001 clauses 4.2, 6.1.1, 7.2, 7.5.2, 7.5.3, 10.1

Positive Findings

1. Clause 5.3 – Organisational roles, responsibilities and authorities

Responsibilities for the staff implementing the ISMS in the department have been defined and communicated. There was an ISMS policy in the department, approved on 4th December 2017.

2. Clause 7.2 – Competence

Competences required of the staff in the department for the ISMS have been determined, for example, IT knowledge, knowledge of record keeping and good communication skills (minute 09/01/2018 of the meeting held on 16th January 2018).


3. Clause 7.5.2 – Creating and updating

Files in the department have been created and referenced in line with the requirements of the Standard, for example, UoEm-REG-LWM-003-VOL.1.

4. Clause 7.5.3 – Control of documented information

Retention periods for information within the department have been determined, for example, past examination papers (6 years), class attendance registers (6 years) and staff leave and off-duty records (6 years).

5. Clause 10.1 – Non-conformity and corrective action

Customer feedback is captured within the department; registers such as UoEm-REG-LWM-003-VOL.1 are maintained. Complaints are recorded and resolved, for example, the complaint about little time spent with the assessor during attachment.

6. Clause 4.2 – Understanding the needs and expectations of interested parties

Interested parties and their needs and expectations have been determined in the department; they included students, the University Council and the government, with requirements for accurate and complete information.

7. Clause 6.1.1 – Actions to address risks and opportunities

Risks and opportunities have been determined for the department's processes. Actions to address the risks and opportunities have been planned, for example, the risk treatment plan with activities to be undertaken (folio 69, UoEm/LWM/ISO PC/VOL. 2).

Areas of Improvement

1. Root cause analysis is not adequately performed for the recorded complaints. For example, for the complaint about little time spent with the assessor and insufficient funds given to the assessor, the root cause was recorded as 'no basis provided' and the corrective action as 'not applicable', which neither identifies a cause nor commits to an action.

3.10 FINANCE- ISO 27001 clauses 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4

Positive Findings

1. Clause 4.2 – Understanding the needs and expectations of interested parties

Interested parties have been determined in the department, and their relevant needs and expectations have also been determined.

2. Clause 5.1 – Leadership and commitment

ISMS objectives have been established in the department. The policy has been shared in the department, and the sampled staff understood their ISMS roles and responsibilities.


An approved budget and procurement plan covering the department's activities was available and being implemented; the budget was approved on 29th June 2017. Duties and responsibilities of staff in line with the ISMS have been defined; the department has two ISMS/QMS champions.

3. Clause 6.1.1 – Actions to address risks and opportunities

A risk register implementation monitoring matrix has been developed (UoEm/FIN/DATA ANALYSIS/VOL. 1).

4. Clause 6.1.2 – Information security risk assessment

Risk assessment has been carried out in the department, and the risk criteria and risk levels have been defined. The risk treatment plan has been developed and controls have been identified, for example, A.7.2.2, A.16.1 and A.18.2.2 from ISO/IEC 27001:2013 Annex A. Reviews of the risks had been determined to be carried out once every year.

5. Clause 6.1.3 – Information security risk treatment

Control measures and a plan for treatment of the risks had been drawn up and were being implemented. Analysis of the risks is also done on a quarterly basis.

6. Clause 7.1 – Resources

Resources needed in the department have been determined; the department has 18 members of staff and 2 interns. The department has a schedule for monitoring implementation of and adherence to the requirements of the ISMS (the ISO audit rota for 2017/2018 was sampled, with reports on implementation of the clauses of the Standard). Staff training on the ISMS had been carried out; training and sensitisation were carried out on 12th February 2018.

7. Clause 7.4 – Communication

External communication is done from the VC's office; the department communicates internally on ISMS procedures and process performance. Information security guidelines have been developed to guide the department in ISMS implementation, for example, for portable/mobile devices and for handling confidential information. The staff in the department have signed the code of conduct, which includes requirements for confidentiality and protection of university information (Institutional Code of Conduct clause 18 a-c). Physical security is practised in the department: access to the office is controlled, and staff register and sign before entering the offices.


3.11 SECURITY- ISO 27001 clauses 4.2, 5.1, 6.1.1, 7.1, 7.3, 8.1, 9.1

Positive Findings

1. Clause 4.2 – Understanding the needs and expectations of interested parties

The department has identified interested parties such as students, the general university management, the community and site forces. The needs and expectations of the interested parties have also been determined.

2. Clause 5.1 – Leadership and commitment

Awareness creation on the ISMS policy for the security guards is done; the last meeting was held on 20th April 2018 (minute 3/2018 on QMS and ISMS, UoEm/SEC/MEETINGS/VOL. 1).

3. Clause 6.1.1 – Actions to address risks and opportunities

Risks have been identified for the department, and the actions to address the identified risks have been documented. The department has risk criteria, including acceptance criteria; controls and mitigation measures have been identified for the risks rated medium and high, while the low-rated risks are to be monitored within the system.

4. Clause 7.1 – Resources

Contracts for the contracted security services provider, Mocam Security Services Limited, were available; the current contract was signed in January 2018. The contract includes CIA aspects, for example, contract number UoEm/17/2017-2018 clause 1.11 on confidentiality.

5. Clause 7.3 – Awareness

Awareness of the requirements of the ISMS has been created for the staff of the University and for the outsourced security staff. Monthly reports on implementation and progress of the system are generated; the report for quarter 3 of FY 2017/2018 was sampled. The scores given for Integrity (of the CIA triad) were 60% for each of the three months.

6. Clause 8.1 – Operational planning and control

Plans for implementing and achieving the information security objectives had been developed. For example, a meeting was held on 12th April 2018 to discuss installation of the CCTV, and a report on the exercise was tabled in the meeting held on 3rd May 2018; for fencing of the perimeter wall, an initiation memo was done on 23rd April 2018 and the assignment forwarded to the Estates department for coordination.

7. Clause 9.1 – Monitoring, measurement, analysis and evaluation

Monitoring and evaluation of the risks and processes is planned to be undertaken in June 2018 and October 2019.

Areas of Improvement

1. No opportunities have been identified for the department.

2. There was no evidence of action taken after the analysis report on the integrity of the guards (scored at 60% for each of the three months); the risk matrix is yet to be updated.


SECTION 4: OTHER INFORMATION

4.1 Comments on any effected changes to audit scope/audit plan, audit objectives and any proposed changes to the surveillance audit programme, etc.

4.1.1 Changes effected on the audit plan

Audit area                               | ISO 27001 clauses not audited as planned      | Reasons          | ISO 27001 clauses newly audited
Management                               | 5.1, 6.1.1, 7.3, 8.1, 8.2, 9.2, 10.1, 10.2    | Time constraints | 4.2, 7.5, 6.1.3, 9.3
Top Management                           | 4.1, 4.2, 5.2, 5.3, 7.1, 9.3, 10              |                  | -
Directorate of Post Graduate Studies     | 4.2                                          |                  | -
Department of Business and Economics     | 6.1.1                                        |                  | -
Department of Land and Water Management  | 5.1, 6.1.2, 6.1.3                            |                  | -
Finance                                  | 7.5.2, 7.5.3                                 |                  | -
Security                                 | 7.2, 8.2                                     |                  | -

4.2 Record of unresolved issues

None

4.3 Scope of certification

Provision of Training, Research and Extension

4.4 Disclaimer statement

This report is based only on the areas sampled during the audit. There is therefore an element of uncertainty about performance in areas not sampled during the audit, and this report may not be representative of the whole scope.

4.5 Any other information

The audit was combined with an ISO 9001:2015 recertification audit, which was conducted by a different team (Netty and Maru).

SECTION 5: AUDIT CONCLUSION/OVERALL OPINION OF AUDIT TEAM

It is the opinion of the audit team that the implemented ISMS meets most of the requirements of the audit criteria, that the ISMS has the ability to meet applicable legal and contractual requirements, that the ISMS is effective and the client can reasonably expect to achieve its ISMS objectives, and that the ISMS has weak areas that need improvement.

The client having already forwarded appropriate corrective action, which has been approved, a recommendation for certification to ISO 27001:2013 is hereby made.

SECTION 6: CONFIRMATION WHETHER AUDIT OBJECTIVE(S) HAVE BEEN FULFILLED

The audit objectives were fulfilled.


Appendices

1. Audit timetable
2. Meetings attendance register
3. Corrective Action Request forms (CARs)
4. Audit program

Name: Purity Wangai    Sign:    Date: 19 June 2018    Lead Auditor


Appendix 1: Audit Plan/Timetable

Day/Date: TUESDAY 29TH MAY 2018

Time        | Activity                              | Elements of Normative Document                                              | Key Participants
0900-0930   | Opening meeting                       | N/A                                                                         | Auditors, top management, sectional heads, any other persons as determined by the QISMR
0930-1130   | Directorate of Postgraduate Studies   | ISO/IEC 27001 Cl. 4.2, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1                  | EM, section head
0930-1130   | Library                               | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1             | PW, section head
1130-1300   | Department of Business & Economics    | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 6.2, 9.1, 10.1             | EM, section head
1130-1300   | School of Nursing                     | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1    | PW, section head
1300-1400   | LUNCH BREAK                           |                                                                             |
1400-1600   | Department of Land & Water Management | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1    | EM, section head
1400-1600   | ICT                                   | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.2, 7.5.2, 7.5.3, 10.1    | PW, section head
1600-1700   | Auditors meeting                      | N/A                                                                         | Auditors

Day/Date: WEDNESDAY 30TH MAY 2018

Time        | Activity                              | Elements of Normative Document                                              | Key Participants
0900-1030   | Finance                               | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4, 7.5.2, 7.5.3     | EM, section head
0900-1030   | Directorate of Research & Extension   | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 6.1.2, 6.1.3, 7.1, 7.4, 7.5.2, 7.5.3     | PW, section head
1030-1230   | Security                              | ISO/IEC 27001 Cl. 4.2, 5.1, 6.1.1, 7.1, 7.2, 7.3, 8.1, 8.2, 9.1             | EM, section head
1030-1230   | QISMR                                 | ISO/IEC 27001 Cl. 4.1, 4.3, 5.1, 6.1.1, 7.3, 8.1, 8.2, 9.2, 10.1, 10.2      | PW, QISMR
1230-1300   | Top Management                        | ISO/IEC 27001 Cl. 4.1, 4.2, 5.1, 5.2, 5.3, 7.1, 9.3, 10.2                   | CM, EM, PW, NK
1300-1400   | LUNCH BREAK                           |                                                                             |
1400-1600   | Auditors review meeting               | N/A                                                                         | Auditors
1600        | Closing meeting                       | N/A                                                                         | All


Appendix 2: Opening and Closing meeting attendance register

The register is in client file at KEBS-CB as a hard copy.

Appendix 3: Corrective Action Request forms (CARs)

The CARs are in client file at KEBS-CB as hard copies.

Appendix 4: Audit Program

A combined ISMS and QMS audit program will be sent to the client once it has been developed.