Practical Workbook – ISO27001:2022

Information Security Management Systems

Lead Implementor Training Course based on
ISO 27001:2022

INSTRUCTIONS FOR PARTICIPANTS:

1) This workbook dully filled ones shall, be used for participants continuous assessment on every day. Please ensure that
you submit this workbook to the tutor(s), for daily continuous assessment at the end of each day.
2) On the last day, please send your workbook for review to your tutor or mail at [email protected]

3) Tips for SUCCESSFUL COMPLETION OF THE COURSE:

➢ Be attentive and be present on all days, all modules have to be attended;
➢ Please clarify all doubts from the tutors during breaks as well;
➢ Your active participation is desired – throughout the course;
4) Read ISO27001 and ISO27002 and write all Annex A controls on a single page this will help you to remember
controls.(Try to create your own mind map) as given on page 2 of this document. ( Exercise – A)

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 1 of 24
Practical Workbook – ISO27001:2022

Exercise - A

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 2 of 24
 Practical Workbook – ISO27001:2022

Exercise -1 Terms & Definitions pertaining to

Information Security
Term Definition / Standard Terms
A Person or body that is recognized as being independent of the
1. Base measure
parties involved, as concerns the issue in question.
2. Audit scope B Effect of uncertainty on objectives.
C Continual and iterative processes that an organization conducts to
3. Conformity provide, share or obtain information, and to engage in dialogue
with stakeholders regarding the management risk.
4. Confidentiality D Occurrence or change of particular set of circumstances.
F Property being accessible and usable by an authorized entity.
5. Derived measure

P Property that information is not made available or disclosed to

6. Decision criteria
unauthorized individuals, entitles or processes.
7. Event G Fulfillment of requirement.
K Measure that is defined as a function of two or more values of
8. Record
base measures.
W Extent and boundaries of an audit.
9. Risk
J Potential cause of an unwanted incident, which may result in harm
10. Availability
to a system or organization
11. Risk communication and M Measure that is defined as a function of two more values of base
consultation measures.
I Means of managing risk, including policies, procedures, guidelines,
12. Vulnerability practices or organizational structures, which can be of
administrative, technical, management, or legal nature.
13. Third party Z Measure defined in terms of an attribute and the method for
quantifying it.
N Document stating result achieved or providing evidence of
14. Threat
activities performed.
O Weakness of an asset or control that can be exploited by one or
15. Derived measure
more threats.

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 3 of 24
Practical Workbook – ISO27001:2022

‘
Exercise-2 Auditing Information Security Principles

# Management Principle # Management Principle # Management Principle

Awareness of the need for Assignment of responsibility for information Incorporating management commitment and the
1 information security
2
security
3
interests of stakeholders
Risk assessments determining appropriate Security incorporated as an essential element of
4 Enhancing societal values 5
controls to reach acceptable levels of risk
6
information networks and systems
Active prevention and detection of Ensuring a comprehensive approach to Continual reassessment of information security
7 8 9
information security incidents; information security management; and making of modifications as appropriate

Scenario – Note > Some scenarios may demonstrate correct implementation of one or Principle
#
more principle(s) OR may be violating one or more principle(s). ( Srl. # )
The Data Privacy policy of the organization focusses on giving respect to privacy of all the Interested Parties and mitigation of
1 all risks for the same

The process owners of the organization review their residual risks (as a disciplined activity) every six months and updates the
2
approved residual risks

Five delivery executives of the online shopping portal company, do not collect the identity of the person to whom delivery
3 made, as per delivery policy & process

The Housing Society declares a special Information Security awareness training to enhance the knowledge of the residents on
4 the subject and give an idea of prioritization of risks – for the benefit of the residential colony member’s benefit

The school principal investigated the incident of the Artificial Intelligence examination paper of final year vanishing from his
5 locker

The Car rental company collects the identity of the person hiring car without driver and in one case of Ms Jene, did not collect
6 the driving license
The General Manager who also happens to be in Governance Board of the automotive company, wanted the R&D manager to
7 give presentation on the new steering technology used for which the R&D Manager in the upcoming Tech. conference – the
R&D manager refused to do so as per organization’s risk assessment control of R&D department
The Passenger lost his boarding pass after security clearance – wanted to go back to check-in counter to get the duplicate
8 boarding pass – security personnel escorted to check-in counter to verify and ensure that this person is the same and boarding
pass belongs to the same person
Incident records in the DR server got corrupted… and the main server also went down. at the same time this was already
9 identified an approved residual risk (low probability) that both might go down at the same time

10 The incident details (including causes) were envisaged as new ones – updated into ISMS KEDB and Risk Assessments

The traditional way of risk assessments in Excel is replaced by locally developed tool with Risk Assessments for C, I & A done
11 separately, as part of Board decision taken

The College has introduced an online training module for giving training on Information Security Management Systems (ISO
12 27001:2022) for benefit of college staff and students

The Zonal Sales Manager recommended termination of the Sales Man as he stole the mobile of the Board Member visiting office
13 for a meeting (left mobile on table before going to washroom) – entire incident was captured in CCTV

The Business Continuity Plan includes testing of Encrypted Data Retrieval to ensure the Data Integrity reliability – risk
14
assessment shows the approved residual risk of the failure of the De-encryption (low possibility)

The organization does Gap Analysis towards GDPR compliance (as per Board Instructions) for the purpose complying to GDPR,
15 if applicable to business

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 4 of 24
Practical Workbook – ISO27001:2022

Exercise -3

Read the Iso27001:2022 standard and try to write down

External and Internal Issues – list down the external and internal issues consider you company as case
study for ISO27001 implementation.

Exercise -4
List down interested parties

Exercise -5
Write Scope statement

Exercise -6

Write your Information security policy

Exercise -7

Draw Organization chart as per your company structure ( only to cover information security team &
concerned team)

Exercise -8

Define Roles and responsibilities as per the organization chart in exercise -7

Exercise -9

Risk Assessment and Risk Assessment methodology.

Asset base V/s Issue base Risk assessment

Exercise -9A

Make a list of information asset ( Inventory)

Exercise -9B
Make a list of Risk / Issues as per your organization

Exercise -9C

List down information security objectives of your organization

Exercise-10
INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903
Issue1 November 2022 Page 5 of 24
Practical Workbook – ISO27001:2022

Resource and Competence matrix

Exercise-11
Resource and Competence matrix
Policy / process doc for Document control

Exercise-12

Define communication Plan /policy

Exercise-12

Risk treatment plan

Exercise-13

Define Internal Audit Schedule

Internal Audit training

Exercise-14

Internal Audit Process

Exercise-15
Management Review Process

Exercise-16
Corrective action process Management Review Process

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 6 of 24
Practical Workbook – ISO27001:2022

CHECKLIST FOR COMPLETE IMPLEMENTATION – ISO27001:2022

ASSESSMENT CRITERIA OBJECTIVE EVIDENCE
4 CONTEXT OF THE ORGANIZATION
4.1 Understanding of the organization and its
context
4.2 Understanding the needs and expectations
of interested parties
4.2.1 General
4.2.2 Legal and regulatory requirements
4.3 Determining the scope of the Information
Security management system
4.3.1 General
4.3.2 Scope of the ISMS
4.4 Information Security management system
5 LEADERSHIP
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and
authorities
6 PLANNING
6.1 Actions to address risks and opportunities
6.2 Information Security objectives and plans to
achieve
them

7 SUPPORT
7.2 Competence
7.4 Communication
7.5 Documented information
7.2.1 General
7.2.2 Creating and updating
7.2.3 Control of documented information

OPERATION
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment

9 PERFORMANCE EVALUATION
9.1 Monitoring, measurement, analysis and
evaluation
9.1.1 General
9.1.2 Evaluation of Information Security procedures
9.2 Internal audit
9.3 Management review

10 IMPROVEMENT
10.1 Continual improvement
10.2 Nonconformity and corrective action

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 7 of 24
 Practical Workbook – ISO27001:2022

INTERNAL AUDIT
Assessment Plan Date: DD/MM/YYYY (Atleast 7 days prior)

Organization:
Scope:

Objective of Assessment:

Criteria System Documentation:

Team
Leader: Audit Start Date: Opening Meeting:

Team
Member: Audit End Date: Closing Meeting:

Audit Schedule
Date Client Function Auditor Time (hrs)

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 8 of 24
Practical Workbook – ISO27001:2022

Clause# CHECK POINT (For Verification) Conclusion Evidences

(Compliance/ for NC
NC)

4 Context of the Organization

5 Leadership

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 9 of 24
Practical Workbook – ISO27001:2022

6 Planning

7 Support

8 Operation

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 10 of 24
Practical Workbook – ISO27001:2022

9 Performance Evaluation

10 Improvement

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 11 of 24
Practical Workbook – ISO27001:2022

Exercise – Non Conformity ( NC )

Incident 1

A Bank’s back has outsourced the Archiving of its Paper Documents (Daily vouchers, etc.) to a company called
“Document Bank” [DB] . The process involves (as per contract) 1. DC shall collect the documents from the Bank
(every three months) and put them in Boxes having BAR Code takes the same for stage in their warehouse 2.In
warehouse for each BOX - they scan every document in Software, which after scanning the system puts a separate
watermark of document unique Bar Code. 3. Keeps the BOX in the located, allocate by system. 4. The scanned
documents are converted to CD’s and hand delivered to the BANK, in next cycle, when they go to pick up the same
(for access soft copy of the docs., when needed – if need be the Bank might ask for original and the Warehouse
delivery vehicle delivers the BOX – all movements tracked. This service has been going on for 10 years. In half yearly
reconciliation, it was found that the for last two visits, the CD’s were not delivered, and the Bank also have not
escalated this matter. The DB did not log this as an Incident, saying that the Delivery process is outsourced and now
they have made a change in the software for online daily reconciliation and escalating the reconciliation exceptional
report to Supervisor and Operations head on daily basis. There is no risk of such kind in the Risk Assessment
identified.
NON-CONFORMITY NOTE: 01

ISO 27001:2022 CLAUSE No: ________________

Area unit involve MAJOR / MINOR
Company Documents [Strike out as required]
Requirement:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 12 of 24
Practical Workbook – ISO27001:2022

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

Auditor Auditee Date

Incident 2

The commercial DATA Centre (TIER 3) operations applied for ISMS Certification. During Stage 1 review of ISMS
documentation review, you observed that there exists a list of IT Assets SPOF (Single point of failures – without
redundancies) which includes Routers which are very important for continuity of Networks. Further analysis shows,
the Asset list of SPOF comprises of 30% of total IT Network assets and also includes 2 of total 10 Firewalls. On enquiry,
the IT Manager says, now a days business is down and require lot of budgets….once business grows due to
certification, all the redundancies would be procured and used. The list of Single point of failures have been approved
by Management in Risk Assessment.

NON CONFORMITY NOTE: 02

ISO 27001:2022 CLAUSE No: ________________

Area unit involved MAJOR / MINOR
Company Documents [Strike out as required]
Requirement:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 13 of 24
Practical Workbook – ISO27001:2022

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

Auditor Auditee Date

Incident 3

A Pen drive containing formula of a medicine (for enhance the eye site) with Quality Testing Software was given to
the Quality Head (QH) given by Managing Director (who has gone to USA for research in University), with encryption
and opens with VPN connectivity & operates with special password only. This is used during every batch of product
testing by QH ONLY. One evening, the QH when entered the laboratory for performing that day’s last batch testing,
was surprised to see the Pen Drive was missing from the Lap Top (which was in the USP port, used in previous
testing). An incident report was made and started to search for the same… never to be found again. The MD informed
from US “Stop production, I am coming back and sorry – I do not have backup and very disappointed by this
negligence of QH & Laboratory functioning”.

NON-CONFORMITY NOTE: 03

ISO 27001:2022 CLAUSE No: ________________

Area unit involved MAJOR / MINOR
Company Documents [Strike out as required]

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 14 of 24
Practical Workbook – ISO27001:2022

Requirement:

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

Auditor Auditee Date

Incident 4

An employee was to attend a conference abroad and forgot her Pouch (containing Passport, Ticket, $ & local
currency, Debit & Credit Cards) in the taxi, after reaching the airport and paying off the fare (distracted due to a call
on mobile) and at the check-in counter realizes that she does not have the Pouch – all she has is her luggage, ladies
purse and boarding pass. She tries call the cab (multiple times) but no response. She comes out of Airport, call her
BOSS, who directs her to come to office. She leaves for office in another cab, but blocks her cards by calling bank (to
prevent further losses) and also uses her mobile for recording FIR with local police. In the evening, she goes home
but surprised to see Police in the house. The police shows her Passport and informs that this passport was found
near a dead body of a person. On observing her Passport, she points out that this was her Passport but the
Photograph in the Passport is not hers and Police was also surprised. Further she shows all evidences to Policy (FIR,
all cab payment receipts, calls she made to Bank to block her cards etc. The police leaves the premises saying “They
would be investigating and she might be required for clarifications, if need be.

NON CONFORMITY NOTE: 04

ISO 27001:2022 CLAUSE No: __________

Company Documents Area unit involved MAJOR / MINOR
[Strike out as required]
Requirement:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 15 of 24
Practical Workbook – ISO27001:2022

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

Auditor Auditee Date

Incident 5

In an Audit of a Public Sector Bank, you observed in Incident # 202 that in activity EOD (End of Day) as on 4 th April,
in daily P & L Statement, the reminder value of the balance is credited into an account of a person every day, who
happens to ex-employee in IT department, who developed the software (grandson of Ex-Board of Director, on whose
recommendation he was employed). Further observing revealed that, there were no debit entry to this credit entry,
as per Accounting Principle# 1 of Bank’s operating manual Ver.2.0 Dt. 5 th March 2017, which says there has to be
corresponding debit entry for each credit entry. All stake holders involved in doing EOD, have declared that they
don’t have this manual & were not aware of this thing has been happening since last 10 years. No other action taken
rather than releasing a new version of the software with this flaw removed – no incident was recorded,
subsequently.

NON-CONFORMITY NOTE: 05

ISO 27001:2022 CLAUSE No: ________________

Area unit involved MAJOR / MINOR
Company Documents [Strike out as required]
Requirement:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 16 of 24
Practical Workbook – ISO27001:2022

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

Auditor Auditee Date

Excercise -26 – NC Template

NON CONFORMITY NOTE : 01

ISO 27001:2022 CLAUSE No: ________

Company documents Area unit involved MAJOR / MINOR
[Strike out as required]
Requirement:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 17 of 24
Practical Workbook – ISO27001:2022

Failure (Nonconformity):

NC Impact(s):
Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Impacts witnessed in Risk Assessment of the organization

Confidentiality Integrity Availability
□ YES / □ NO □ YES / □ NO □ YES / □ NO

Evidence (reference of Process/Personnel/Documents):

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 18 of 24
Practical Workbook – ISO27001:2022

Exercise – 27

AUDIT REPORT- ASSESSMENT AS PER ISO27001:2022 - MOCK ASSESSMENT

Name of Company (Organization):

Address:

Contact Person: Position:

Alternate Contact Person: Position:
Registration Scope:

No. of Employees: No. of Shifts:

Company’s Key Documented Information Reference (if any):

Management Standard:

Assessment Type:

Assessment Commencement Date:

Assessment Completion Date:
Assessment Team:
Name

Mandays :
Nonconformities raised during Assessment

NCR Ref. No. NC 01 NC 02

Minor/Major Minor Minor
Nonconformities raised during last visit
NCR Ref. No. NA
Closed/Open

Areas Assessed:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 19 of 24
Practical Workbook – ISO27001:2022

Audit Conclusion & Appropriateness of the Certification Scope

**Disclaimer - Auditing & its conclusion is based on a sampling process of the available information**

Non-applicability of requirements (with suitable justification)

ISMS ASSESSMENT COMMENTARY

Context of the Organization

Leadership

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 20 of 24
Practical Workbook – ISO27001:2022

Planning

Support

Operation

Performance Evaluation

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 21 of 24
Practical Workbook – ISO27001:2022

Improvement

ASSESSMENT COMMENTARY

Positive Issues:

Observations:

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 22 of 24
Practical Workbook – ISO27001:2022

(Write NA if this sheet if not applicable)

NONCONFORMITY REPORT

NCR Management
Reference Details of nonconformity Standard Reference

Exercise-0 Your Objective from this course & Exercise -A

Exercise-1 Terms & Definitions pertaining to ISO27001
Exercise-2 Auditing Information Security Principles

Exercise-3 External and Internal Issues – list down the external and internal issues consider you company as c

Exercise-4 List down interested parties

Exercise-5 Write Scope statement
Exercise-6 Write your Information security policy

Exercise-7 Draw Organization chart as per your company structure ( only to cover information security team

Exercise-8 Define Roles and responsibilities as per the organization chart in exercise -7

Risk Assessment and Risk Ass

Exercise-9
Asset base V/s Issue base Risk assessment
Exercise-10 Make a list of information asset ( Inventory)
Exercise-11 Make a list of Risk / Issues as per your organization

Exercise-12 List down information security objectives of your organization

Exercise-13 Resource and Competence matrix

Exercise-14 Resource and Competence matrix
Exercise-15 Policy / process doc for Document control
Exercise-16 Define communication Plan /policy
INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903
Issue1 November 2022 Page 23 of 24
Practical Workbook – ISO27001:2022

Exercise-17 Risk treatment plan

Exercise-18 Define Internal Audit Schedule
Exercise-19 Internal Audit training
Exercise-20 Internal Audit Process
Exercise-21 Management Review Process
Exercise-22 Corrective action process Management Review Process
Exercise-23 Prepare Your own checklist - for Implemention & Audit
Exercise-24 Internal Audit template
Exercise-25 Non Confirmity Exercise
Exercise-26 NC - Template
Exercise-27 Final Audit Report - Template

INFOCUS IT Consulting Pvt. Ltd. | [email protected] | www.infocus-it.com | 91-8178210903

Issue1 November 2022 Page 24 of 24