Last modified: Version 3.4 October 2025

oboloo Limited is actively preparing for ISO/IEC 27001 certification and has established this Internal Audit Program in alignment with Clause 9.2 of the ISO/IEC 27001:2022 standard. This program ensures that the Information Security Management System (ISMS) is regularly assessed for effectiveness, compliance, and continuous improvement.

oboloo Limited (Company Number: 12420854), with its trading address at 7 Bell Yard, London, England, WC2A 2JR (the “Company”), has implemented this Internal Audit Program to ensure the effective operation and continual improvement of its ISMS. The program provides a structured and impartial framework for conducting internal audits across all information security domains, supporting certification readiness and demonstrating compliance with ISO/IEC 27001 and applicable regulatory requirements.

- Audit Team: Individuals assigned by the Company to conduct internal audits who operate independently of the area being audited.
- Audit Scope: The defined boundaries and focus areas for each audit, including departments, processes, and systems within the ISMS.
- Audit Findings: The results of the audit, including nonconformities, observations, and opportunities for improvement.
- Corrective Action: Steps taken to address and resolve nonconformities identified during the audit process.
- ISMS: Information Security Management System implemented by the Company in accordance with ISO/IEC 27001:2022.

Company Name: oboloo Limited
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact: oboloo.com/contact-us

This program may be updated periodically to reflect changes in risk, compliance obligations, or internal audit findings. All updates will be communicated to relevant stakeholders.

- Corrective Action Plan
- Risk Management Policy
- Information Security Policy
- Access Control Policy

To define a structured, impartial approach for conducting internal audits across oboloo Limited’s information security domains and to ensure nonconformities are identified, tracked, and resolved in accordance with ISO/IEC 27001 requirements.

This program applies to all departments, systems, and third-party services within the scope of oboloo Limited’s ISMS. This includes but is not limited to:
- Information security policies
- Access controls
- Backup processes
- Vendor and supplier management
- Incident response procedures

1. Risk Identification
Risks are identified through formal assessments, audits, incidents, or changes in technology or regulation.
2. Risk Evaluation
Each risk is evaluated based on likelihood and impact using oboloo’s defined risk matrix. Unacceptable risks are flagged for treatment.
3. Treatment Options
For each risk, one or more of the following options is selected:
- Avoid: Cease the activity causing the risk.
- Mitigate: Apply security controls to reduce likelihood or impact.
- Transfer: Share the risk via outsourcing or insurance.
- Accept: Document and approve residual risk if within appetite.
4. Implementation of Controls
Controls aligned with ISO/IEC 27001 Annex A are defined for each treated risk. Actions are assigned owners and target deadlines.

The internal audit program supports:
- ISO/IEC 27001 compliance
- Risk treatment plans
- Governance and oversight responsibilities
- Continuous improvement of security posture

- ISMS Auditing (Clause 9.2; Annex A 5.35) - Internal audit and independent review of information security
- Corrective Action (Clause 10.2) - Nonconformity and corrective action arising from audit findings
- Governance Oversight (Clause 9.3; Annex A 5.1) - Management review of the ISMS and its information security policies

- Six-Monthly Review: This program is reviewed every 6 months, and additionally following an internal audit or certification cycle.
- Updates: If significant new risks, compliance requirements, or operational changes arise, this program will be adjusted accordingly and the change documented in the version history.

Version: 1.2
Date: April 2025
Description: Refined public summary structure and aligned review cadence with ISMS roadmap
Previous Versions:
- Version 1.1 (December 2024): Initial release of public audit summary