Purpose

This procedure defines the methods for conducting ISMS (Information Security Management System) audits within Sourcegraph. Its purpose is to verify that procedures are adequate, well-understood, and implemented by the personnel involved, while assessing the ISMS’s effectiveness as a value-added tool for the organization. Additionally, this procedure defines the method for tracking audit non-conformances raised by external agencies or customers (e.g., regulatory bodies, audit consultants, or customer due diligence).

Scope

This procedure applies to all Sourcegraph activities within the documented ISMS.

Procedure

Internal Audits Conducted by Sourcegraph Employees

  1. Audit Scheduling: The Head of Security and/or ISMS Manager shall develop and maintain an Internal Audit Schedule, outlining audits to be conducted at least once a year. The schedule will be integrated into the company calendar as recurring meetings.

  2. Authorization and Review: The Head of Security and/or ISMS Manager will authorize the Internal Audit Schedule, which will be reviewed during each Management Review.

  3. Trained Auditor Log: The Head of Security and/or ISMS Manager shall keep a log of all trained auditors eligible to conduct internal audits.

  4. Auditor Independence: Audits will be conducted by trained auditors who are independent of the activity being audited.

  5. Nomination of Auditors: The Head of Security and/or ISMS Manager will assign an auditor for each audit, providing the audit’s scope, special requirements, and timeline. Auditors will typically receive four weeks’ notice before the audit.

  6. Scheduling Agreement: It is the auditor’s responsibility to agree with the auditee on the audit's exact time, date, and place.

  7. Audit Rescheduling: If an audit cannot be scheduled within the designated timeline, the auditor must inform the Head of Security and ISMS Manager, who may authorize a delay of up to one month. Any further delay requires written approval from the Head of Engineering, including an explanation from the auditee.

  8. Audit Documentation Standards: The auditor will utilize the appropriate ISO Standards, processes, procedures, and reference documents applicable to the audit scope.

  9. Recording Findings: Evidence gathered during the audit will be recorded on the audit check sheet, with findings categorized as follows; each category carries its own SLA for completing the corrective action:

    An extension to the original corrective action SLA needs to be approved by the Head of Security and ISMS Manager.

  10. ISMS Action Log: Observations and non-conformances identified during audits will be documented in the ISMS Actions Log.

  11. Single Issue Logging: Each ISMS Actions Log entry will address only one observation or non-conformance.

  12. Root Cause and Corrective Action: The auditee is responsible for documenting the root cause of non-conformities and proposing corrective actions in the ISMS Actions Log.

  13. Agreement on Actions: Corrective and preventive actions will be agreed upon between the auditor and the business function lead responsible within ten working days of the audit.

  14. Audit Documentation Retention: All audit-related documents will be provided to the Head of Security and ISMS Manager for secure retention for at least three years.