Goals and Principles
The primary goal of Orange Parachute's ISO 27001 internal audit is to provide independent, objective assurance of the ISMS, intended to help the Client accomplish its objectives through a systematic, disciplined approach to evaluating and improving the effectiveness of its governance, risk management, compliance and operational information security processes. Orange Parachute's Internal Audit service will adhere to the following audit principles:

  1. Ethical Conduct: Auditors will strive to demonstrate trust, integrity, confidentiality and discretion in all audit activities;
  2. Independence: Auditors will maintain independence from the activity being audited and will be free from bias and conflict of interest;
  3. Fair Presentation: Audit findings, conclusions and reports will reflect the audit activities truthfully and accurately. Significant obstacles and unresolved diverging opinions between the audit team and the auditee will be reported;
  4. Due Professional Care: Auditors will exercise care in accordance with the importance of the task they perform and the confidence placed in them by audit clients;
  5. Evidence-based Approach: Since the audit is conducted during a finite period of time and with finite resources, audit evidence will be based on the samples of information available. The appropriate use of sampling is closely related to the confidence that can be placed in the audit conclusions.

Audit Plan
The Orange Parachute ISO 27001 Team will perform the following audit activities:

  1. Scope review
    ref ISO27001:4.2.1.d.1
  2. Legal/Regulatory review
    ref ISO27001:4.2.1.b.2
    ref A.15.1.1
  3. Risk Assessment review
    ref ISO27001:4.2.1.cdef
  4. Documentation review
    ref ISO27001:4.3
  5. Status of management review
    ref ISO27001:7.1
    ref ISO27001:7.2
  6. Status of corrective and preventive actions
    ref ISO27001:4.2.4
    ref ISO27001:5.2.1
    ref ISO27001:8.1
    ref ISO27001:8.2
  7. End point controls
    • Monitoring and measuring through meaningful metrics
      ref ISO27001:4.2.3
    • Analysis of end point control effectiveness
      The analysis of end point controls shall focus on the top third of risks as identified in the risk assessment. Within the time constraints imposed upon the audit activities, the focus shall be on depth rather than breadth.
    • Analysis of the risk assessment methodology
      End point control auditing shall also randomly sample risks rated in the bottom two thirds of the risk assessment in order to validate the effectiveness of the risk assessment process.
