Internal Audit Programme
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This document defines Glassbreak's internal audit programme: the rolling schedule by which each published policy and each control family is internally audited at least once per certification cycle, and the per-audit workflow that produces a findings report an external auditor can sample.
The programme provides the internal-audit evidence expected by ISO 27001 (Clause 9.2) and the periodic control-testing evidence expected by the SOC 2 Common Criteria.
2. Scope
The programme covers every published policy and every control family that supports them:
- The six published policies at /policies: Information Security, Incident Response, Business Continuity & Disaster Recovery, Onboarding, Offboarding, and Sanctions & Disciplinary.
- The cadence procedures: access review, vulnerability review, technical evaluation, management review, board-level review, capacity planning, remediation SLAs, and this programme.
- The control families inside the Information Security Policy: confidentiality, integrity, availability, identity and access, cryptography, change management, vendor management, logging and audit, incident response, risk management, and coordinated disclosure.
- The supporting artefacts: the risk register, the access register, the incident register, the sub-processor list, the disaster-recovery scenario suite, and the daily security-posture snapshot.
3. Ownership
- Programme owner — the Security Officer owns this programme and signs each per-audit findings report.
- Auditor independence — for each individual audit, the assigned auditor is independent of the day-to-day operation of the area under audit. Where an audit covers an area the Security Officer operates, an alternative auditor is named and the counter-sign sits with leadership rather than with the Security Officer.
- Per-audit owners — each finding has a named owner accountable for driving it to closure by the recorded deadline.
4. Cadence and rolling schedule
- The certification cycle is taken to be 12 months starting from the policy effective date.
- Every in-scope item is audited at least once per cycle.
- The cycle is divided into four quarters; each in-scope item is assigned a target quarter, with items distributed so as to even out the workload across the quarters.
- The rolling schedule is reviewed and re-balanced at the annual board-level ISMS review.
- Any item that failed an audit in the previous cycle is audited at a higher frequency until two consecutive successful audits have closed the elevation.
5. Per-audit workflow
5.1 Prepare
- The auditor confirms the scope of the audit against the rolling schedule.
- The auditor identifies the criteria — the policy statements, cadence procedure steps, or framework clauses against which the area under audit will be tested.
- The auditor identifies the evidence sources to be sampled and the sampling method.
5.2 Test
- For each criterion, the auditor inspects the evidence and records whether the criterion is Met, Partial, or Not Met.
- Where Partial or Not Met is recorded, the auditor captures the underlying cause and the affected artefacts.
- The auditor records every sampled item so the sample is reproducible.
5.3 Report
- The auditor drafts a findings report per the template in §6.
- The draft is shared with the area owner for fact-check correction (not for negotiation of the conclusions).
- The final report is signed by the auditor and, where the auditor is not the Security Officer, counter-signed by the Security Officer.
5.4 Remediate
- Each finding is assigned an owner and a remediation deadline under the Remediation SLA procedure.
- Findings remain open in the standard issue tracker until closure evidence has been recorded against them.
- The status of open findings is reported at the next quarterly management review.
6. Template — per-audit findings report
Each audit produces a single findings report with the following structure. This template is the artefact that an external auditor may sample.
- Header — audit identifier, scope statement, cycle and quarter, target date, actual date, auditor, counter-signer.
- Criteria — the list of policy statements, procedure steps, or framework clauses against which the area was tested.
- Method and sample — sampling method and the items sampled, recorded for reproducibility.
- Results — table with: criterion, evidence reference, result (Met / Partial / Not Met), rationale.
- Findings — every Partial and Not Met result restated as a numbered finding, with severity, owner, remediation deadline.
- Carry-over — status of findings from the previous audit of the same area.
- Sign-off — auditor signature and date, counter-signer signature and date.
7. Template — programme document
This page is the programme document itself; it is supplemented by an annexed schedule listing, per cycle:
- each in-scope item,
- its target quarter,
- its assigned auditor,
- the date the audit was completed,
- the reference of the resulting findings report.
8. First instance
The inaugural cycle of this programme started on the effective date of this document (27 May 2026). The first quarter of the cycle ran a baseline audit covering every published policy and the operation of every cadence procedure to date. The signed findings report and the annexed schedule are held in the compliance evidence store and available under NDA.
9. Records
- Signed per-audit findings reports are retained for at least 5 years.
- The annexed schedule for each cycle is retained alongside the reports.
- Open findings remain tracked under the Remediation SLA procedure until closure.
10. Review of this programme
This programme is reviewed at least annually at the board-level ISMS review and after any material change to the published policy set or to the cadence procedures. The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Information Security Policy
- Quarterly ISMS Management Review
- Annual Board-level ISMS Review
- Annual Technical Evaluation
- Remediation SLAs
Counter-signed PDF copy available on request to compliance@glassbreak.io.