SlideShare a Scribd company logo

Infosec Audit Lecture_4

Obrina Candra, CISA, ISMS-LA
Obrina Candra, CISA, ISMS-LA

This document provides an overview of ISMS audits using ISO 27001:2013. It discusses ISO and the ISO 27000 series of standards. It then covers the process-based ISMS approach and outlines the mandatory and discretionary controls in ISO 27001. The document defines an audit and outlines key audit principles. It describes the different types of audits and details the audit process, including developing audit checklists and the stages of an on-site audit.

1 of 50
Downloaded 491 times
ISMS Audit using ISO 27001:2013 Obrina Candra August, 2015
ISMS Audit Using ISO 27001:2013 supported by :
Contents Outline 1. Introduction to Information Security Management Systems (and the ISO 27000 series of standards) 2. Process-based ISMS 3. Audit : definitions, principles and types 4. Audit process (audit plan, preparing for the on-site audit (audit stage 1), developing checklists, conducting the on-site audit (audit stage 2)) 5. Audit review 6. Report and follow-up
Introduction to the ISO 27000 series of standards
what is ISO? ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. According to ISO, "ISO" is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal", The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.
what is ISO? • International  Organization  for  Standardization  is  the  world's  largest  developer  and  publisher   of  International  Standards.   • ISO  is  a  network  of  the  national  standards  institutes  of  160  countries,  one  member  per  country  (ANSI  in   US,  SNI  in  Indo),  with  a  Central  Secretariat  in  Geneva,  Switzerland,  that  coordinates  the  system.   • ISO  is  a  non-­‐governmental  organization  that  forms  a  bridge  between  the  public  and  private  sectors.   • ISO  and  IEC  (the  International  Electrotechnical  Commission)  form  the  specialized  system  for  worldwide   standardization.     • National  bodies  that  are  members  of  ISO  or  IEC  participate  in  the  development  of  International   Standards  through  technical  committees  established  by  the  respective  organization  to  deal  with   particular  fields  of  technical  activity.  ISO  and  IEC  technical  committees  collaborate  in  fields  of  mutual   interest.   • n  the  field  of  information  technology,  ISO  and  IEC  have  established  a  joint  technical  committee,  ISO/IEC   JTC  1.   • International  Standards  are  drafted  in  accordance  with  the  rules  given  in  the  ISO/IEC  Directives.   •  The  main  task  of  the  joint  technical  committee  is  to  prepare  International  Standards.  Draft  International   Standards  adopted  by  the  joint  technical  committee  are  circulated  to  national  bodies  for  voting.   Publication  as  an  International  Standard  requires  approval  by  at  least  75  %  of  the  national  bodies   casting  a  vote.
27001 27002 27000 27004 27011 27799 Applicability Telecommunications Health Financial services Inter-sector and Inter organizational 27003 27005 Risk Management 31000 Guide 73 27006 Certification 27007 27008 19011 Guidelines for ISMS auditing 17021 Governance Measurements Code of practice Requirements Implementation guidance 27001+20000-1 Overview and vocabulary Requirements for bodies audit and certification Guidance for auditors on controls - TR Guidelines for auditing management system Conformity assessment - ISMS Vocabulary Principles and guidelines 27016 Organizational economics 27018 Cloud Computing service 17000 Conformity Assessment – Vocabulary and general principals 31010 Risk assessment techniques 27001 + industry vertical 27010 27009 27013 27014 27015 Process control system - TR27019 27017 Data protection control of public cloud computing service 27x Extended Range ISO/IEC 27001 family of standards last update : 10/2013
Introduction ISMS are intended to provide organisations with the elements of an effective information security system in order to achieve the best practice in information security and to maintain economic goals. ISO 27001, ISO 27002 are recognisable standards against which ISMS can be audited and certificated
ISO 27001 (certification) •ISO 27001 specifies how to establish an Information Security Management System (ISMS). •The adoption of an ISMS is a strategic decision. •The design and implementation of an organization’s ISMS is influenced by its business, its security risks and control requirements, the processes employed and the size and structure of the organization: a simple situation requires a simple ISMS. •The ISMS will evolve systematically in response to changing risks. •Compliance with ISO27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
Benefit of ISO 27001 Cert •Achieve marketing advantage •Lower cost •Better organization •Comply with legal requirements or regulations
ISO 27002 (non-certification) • ISO 27002 is a “Code of Practice” recommending a large number of information security controls. • the standard are generic, high-level statements of business requirements for securing or protecting information assets. • the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically. • Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good practice approach to securing information.
a brief history of the 2700x series
27001:2005 Vs 27001:2013 Context'of'the' Organiza0on' ' Leadership' Planning' Opera0on'Improvement' Performance' Evalua0on' Support' ISO/IEC'27001:2013' Management' Responsibility' ' Management'Review' Establish' ISMS' Implement' ISMS' Improve' ISMS' Monitor' ISMS' Doc.'' Req.' Internal'' Audit' ISMS'' Improve' ISO/IEC'27001:2005' Mgmt.' Review' Structure'simplified'
27001:2005 Vs 27001:2013 ISO/IEC 27001:2005 !  132 “shall” statements (section 4-8) !  Annexure A !  11 clauses !  39 categories !  133 controls ISO/IEC 27001:2013 !  125 “shall” statements (section 4-10) !  Annexure A !  14 clauses !  35 categories !  114 controls Number'of'requirements'reduced'
Process-based ISMS
ISO 27001 Structures • Sections 0 to 3 are introductory and are not mandatory for implementation • Sections 4 to 10 contains requirements that must be implemented in an organization if it wants to comply • Annex A contains 114 controls that must be implemented if applicable Section 0 Introduction Section 1 Scope Section 2 Normative references Section 3 Terms and definitions Section 4 Context of the organization Section 5 Leadership Section 6 Planning Section 7 Support Section 8 Operation Section 9 Performance evaluation Section 10 Improvement Annex A
PDCA Model applied to ISMS Processes Interested Parties Interested Parties Information Security Requirements & Expectations Managed Information Security Establish ISMS Implement & Operate ISMS Maintain & Improve ISMS Monitor & Review ISMS Plan Do Check Act Development, Maintenance and Improvement Cycle
Infosec Audit Lecture_4
Mandatory controls • The importance of mandatory clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any single one of the mandatory clauses are not supported by evidence, missing or is deemed ineffective it is considered a major non- conformity. This mean it is reason enough for the auditor not to recommended the organization for certification. • In the event that the audit is part of the ongoing continuous assessment review the organization could be decertified. Its that important! • Clauses 4 – 10 require a gap assessment initially to identify the missing mandatory controls. Zero exclusions are permitted and that’s why a Gap Assessment is the best approach.
Mandatory controls (sample) the organization must define the scope of the ISMS (clause 4.3) top mgmt and managers must show leadership to the ISMS (clause 5.1) the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be documented and communicated the mgmt must ensure the responsibilities and authorities for security roles must be assigned & communicated (clause 5.3) there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3) there must be an information security objectives that meets the organization’s business goals and risk management process (clause 6.2) competency needs must be identified, reviewed and managed so that personnel can perform their roles effectively (clause 7.2) etc…
Discretionary controls • Within Annex A a series of control objectives have been listed. These control objectives have been designed to address known risks. • These controls are initially risk assessed during implementation /adoption for fit within each individual organization. • The risk assessment provides evidence for applicability and /or justification for exclusion. The results are listed within the Statement of Applicability (SoA). • The SoA is a controlled document that gets included with the Registration Auditors recommendations which the auditor submits to ISO for final gating and approval. • During the ISMS internal and external audits if a weaknesses is discovered within the controls it will require a corrective action plan and /or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed and then validated before its formally closed. • Please note that while a single weakness may be tolerated a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
Discretionary controls (sample) labelling of information (A8.2.2) handling of assets (A8.2.3) management of removable media (A8.3.1) disposal of media (A8.3.2) secure log-on (A9.2.3) working in secure areas (A11.1.5) installation of software on operational system (A12.5.1) information transfer (A13.2.1) system change control (A14.2.2) response to information security incidents (A16) information security continuity (A17.1.2) intellectual property rights (A18.1.2) etc…
Audit : definitions, principles and types
My#Life#as#an#Information#Security#Consultant#
Definition ISO 19011 define audit as a : “Systematic process, independent and documented for obtaining audit evidence and evaluate objectively, in order to establish to what extent are audit criteria met”.
Principles ethical conduct professional, fair (unbiased), responsible fair presentation presents appropriately (words, gesture, etc), truthful and accurate in findings due professional care competence in the field of the audit independence free from conflict of interest evidence–based approach do not make assumptions, stick to the audit evidence confidentiality careful and discreet towards the informations provided by the audit
Types of audit • Internal audits (1st party) sponsored by by the organization with the aim of improvement of the ISMS. • External audit (2nd party) audits carried out by an organisation on its supplier (partners, vendors) using, either internal personnel, or external entity entrusted with doing it. • Certification audit (third party) independent from the organizationwith the aim to release the certificate of conformity with the requirements taken as a audit criteria (ISO 27001).
Audit Process
the big picture What is happening What changes are needed What should be happening
the medium picture
the process 1. Audit planning 2. Stage 1 audit 3. Stage 2 audit
audit planning 1. define audit objectives 2. define audit scope 3. select audit criteria 4. select sampling method 5. select audit team 6. define observers and guides (if necessary) 7. define resources needed
stage 1 audit 1. Initiation of audit 2. Auditee’s application (self-assessment document) 3. Document review 4. Planning work documents (forms, procedures, etc) 5. Organisation’s unit and processes to be audited 6. Estimation of time 7. Work schedule
developing a checklist 1. Appropriately phrased questions 2. Use open questions (avoid yes/no answers) 3. Dig deep
developing a checklist
developing a checklist
stage 2 audit (on-site audit) 1. Opening meeting 2. Collecting information by appropriate sampling 3. Questioning techniques (calm, polite, reassuring) 4. Stick to the plan (time, resource) 5. Documentation (collect evidence, take notes) 6. Control the audit (avoid confrontation and intimidation)
Sampling technique Random Sample = each record in the population has an equal chance of being selected for inclusion in the sample e.g. Population = 200 hip replacements 10% random sample= any 20 cases in the population Stratified Random Sample = Identifying a subset of the population and randomly sampling that subset. e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements 10% random stratified sample= any 20 cases in the population where the patient is aged over 65 years Targeted Sample = Sample includes only a particular section of the population e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements Targeted sample= All cases in the population where the patient is aged over 65 years
stage 2 audit (on-site audit) techniques : 1. Questioning - people 2. Observing - process, equipment 3. Documenting - audit finding, evidence 4. Checking - assets
Audit Review
audit review 1. Audit team review meeting 2. Listing of audit findings (with evidence, if any) 3. Finding statement 4. Corrective Action Request (CAR) form 5. Classification of CARs (major - minor) 6. Opportunity of improvement 7. Audit conclusion
audit findings 1. Non-Conformity (NC) -> non-fulfillment of requirement (mandatory req = major NC; discretionary req = minor NC) 2. Opportunity of Improvement (OFI) -> non-fulfillment of controls 3. Observation -> negligence, e.g. one-day of log is missing
finding statement 1. clear statement of the finding (NC/OFI) 2. the evidence which the finding is based 3. summary of the requirement (clause/annex)
finding statement
CARs example
Major CARs 1. Major CARs must be corrected before certification of ISO 27001 can be recommended 2. Minor CARs allows certification to proceed 3. Corrective actions described in CARs usually verified at the following surveillance visit 4. If not closed, a Minor CARs will be re-classified as Major 5. Audit should be positive and constructive, therefore, effective corrective action is more important.
Report and follow-up
Reporting & follow-up 1. Conducting a closing meeting (presenting the finding) 2. Reporting on the audit (approval, distribution, retention) 3. Audit follow-up (surveillance visits, revised CARs) will be initiated by the audit 4. Audit close-out (signing-off all forms)
that’s all folks..
Workshops A. Audit evidence/audit trails B. Continual improvement C. Risk assessment D. ISMS audit questionnaire E. Document review F. Planning the audit G. Interpretation of the standard H. Case study
Ad

Recommended

ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
Imran Ahmed
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
Dejan Kosutic
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
ISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_ListISO 27001 Implementation_Documentation_Mandatory_List
ISO 27001 Implementation_Documentation_Mandatory_List
SriramITISConsultant
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
Jisc
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
NA Putra
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
Ramiro Cid
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
Uppala Anand
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
Dr Madhu Aman Sharma
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
Goutama Bachtiar
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
Business Beam
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 
Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014
DQS Inc.
 
Ad

More Related Content

What's hot (20)

Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
Jisc
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
NA Putra
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
Ramiro Cid
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
Uppala Anand
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
Dr Madhu Aman Sharma
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
Goutama Bachtiar
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
Business Beam
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learnedISO 27001 - three years of lessons learned
ISO 27001 - three years of lessons learned
Jisc
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
NA Putra
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
ISO 27001
ISO 27001ISO 27001
ISO 27001
n|u - The Open Security Community
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
Ramiro Cid
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
Uppala Anand
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
Dr Madhu Aman Sharma
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
Goutama Bachtiar
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
Business Beam
 

Viewers also liked (20)

ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 
Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014
DQS Inc.
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002
pgpmikey
 
ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
ISO 27001:2013 IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in india ISO 27001:2013 IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in india
iFour Consultancy
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç TetkikMustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Dr. Mustafa Değerli
 
Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013
APEXMarCom
 
Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
Demystifying ISO 20000-1 Standard
Demystifying ISO 20000-1 StandardDemystifying ISO 20000-1 Standard
Demystifying ISO 20000-1 Standard
NUS-ISS
 
How to effectively use ISO 27001 Certification and SOC 2 Reports
How to effectively use ISO 27001 Certification and SOC 2 ReportsHow to effectively use ISO 27001 Certification and SOC 2 Reports
How to effectively use ISO 27001 Certification and SOC 2 Reports
Salvi Jansen
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
SAIGlobalAssurance
 
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Security and control in Management Information System
Security and control in Management Information SystemSecurity and control in Management Information System
Security and control in Management Information System
Satya P. Joshi
 
ISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedureISO 27001:2013 Implementation procedure
ISO 27001:2013 Implementation procedure
Uppala Anand
 
Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014
DQS Inc.
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
 
Information security management system (isms) overview
Information security management system (isms) overviewInformation security management system (isms) overview
Information security management system (isms) overview
Julia Urbina-Pineda
 
Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002Implementing a Security Framework based on ISO/IEC 27002
Implementing a Security Framework based on ISO/IEC 27002
pgpmikey
 
ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
ISO 27001:2013 IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in india ISO 27001:2013 IS audit plan - by software outsourcing company in india
ISO 27001:2013 IS audit plan - by software outsourcing company in india
iFour Consultancy
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç TetkikMustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Mustafa Değerli – 2015 – ISO/IEC 27001 Bilgi Güvenliği Yönetim Sistemi İç Tetkik
Dr. Mustafa Değerli
 
Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013Friday Forum ISO 27001: 2013
Friday Forum ISO 27001: 2013
APEXMarCom
 
Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
Demystifying ISO 20000-1 Standard
Demystifying ISO 20000-1 StandardDemystifying ISO 20000-1 Standard
Demystifying ISO 20000-1 Standard
NUS-ISS
 
How to effectively use ISO 27001 Certification and SOC 2 Reports
How to effectively use ISO 27001 Certification and SOC 2 ReportsHow to effectively use ISO 27001 Certification and SOC 2 Reports
How to effectively use ISO 27001 Certification and SOC 2 Reports
Salvi Jansen
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
SAIGlobalAssurance
 
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sosialisasi sni iso iec 38500-2015 rev2 - 15 des2015
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Security and control in Management Information System
Security and control in Management Information SystemSecurity and control in Management Information System
Security and control in Management Information System
Satya P. Joshi
 
Ad

Similar to Infosec Audit Lecture_4 (20)

Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013
Andrea Porter
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
SIS Certifications Pvt Ltd
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
the role of 27001 in cybersecurity pp.pptx
the role of 27001 in cybersecurity pp.pptxthe role of 27001 in cybersecurity pp.pptx
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018
Wervyan Shalannanda
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
newbie2019
 
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptxISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
MustafaHaydar3
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
Chandan Singh Ghodela
 
Internal auditor 9001 day 1
Internal auditor 9001 day 1Internal auditor 9001 day 1
Internal auditor 9001 day 1
Dr Madhu Aman Sharma
 
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdfEverything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
dhanashrinovelvista2
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
ssuser00d6eb
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
Suman Garai
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
khushboo
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Lars Neupart
 
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
KMD
 
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdfISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
spore090
 
Information Security Management-Planning 1.pptx
Information Security Management-Planning 1.pptxInformation Security Management-Planning 1.pptx
Information Security Management-Planning 1.pptx
FrancisFayiah
 
ISO 27001 is the commonly used standard for ISMS implementation and certifica
ISO 27001 is the commonly used standard for ISMS implementation and certificaISO 27001 is the commonly used standard for ISMS implementation and certifica
ISO 27001 is the commonly used standard for ISMS implementation and certifica
Ibrahim78026
 
Implementing ISO 27001: A Step-by-Step Guide
Implementing ISO 27001: A Step-by-Step GuideImplementing ISO 27001: A Step-by-Step Guide
Implementing ISO 27001: A Step-by-Step Guide
Ahad
 
Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013
Andrea Porter
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptxISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
SIS Certifications Pvt Ltd
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
the role of 27001 in cybersecurity pp.pptx
the role of 27001 in cybersecurity pp.pptxthe role of 27001 in cybersecurity pp.pptx
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018
Wervyan Shalannanda
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
newbie2019
 
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptxISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
ISO 27001 Training Module 1 - An Introduction to ISO 27001.pptx
MustafaHaydar3
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
Chandan Singh Ghodela
 
Internal auditor 9001 day 1
Internal auditor 9001 day 1Internal auditor 9001 day 1
Internal auditor 9001 day 1
Dr Madhu Aman Sharma
 
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdfEverything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
dhanashrinovelvista2
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
ssuser00d6eb
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
Suman Garai
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
khushboo
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?How Does the New ISO 27001 Impact Your IT Risk Management Processes?
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Lars Neupart
 
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
KMD
 
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdfISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
spore090
 
Information Security Management-Planning 1.pptx
Information Security Management-Planning 1.pptxInformation Security Management-Planning 1.pptx
Information Security Management-Planning 1.pptx
FrancisFayiah
 
ISO 27001 is the commonly used standard for ISMS implementation and certifica
ISO 27001 is the commonly used standard for ISMS implementation and certificaISO 27001 is the commonly used standard for ISMS implementation and certifica
ISO 27001 is the commonly used standard for ISMS implementation and certifica
Ibrahim78026
 
Implementing ISO 27001: A Step-by-Step Guide
Implementing ISO 27001: A Step-by-Step GuideImplementing ISO 27001: A Step-by-Step Guide
Implementing ISO 27001: A Step-by-Step Guide
Ahad
 
Ad

Infosec Audit Lecture_4

  • 1. ISMS Audit using ISO 27001:2013 Obrina Candra August, 2015
  • 2. ISMS Audit Using ISO 27001:2013 supported by :
  • 3. Contents Outline 1. Introduction to Information Security Management Systems (and the ISO 27000 series of standards) 2. Process-based ISMS 3. Audit : definitions, principles and types 4. Audit process (audit plan, preparing for the on-site audit (audit stage 1), developing checklists, conducting the on-site audit (audit stage 2)) 5. Audit review 6. Report and follow-up
  • 4. Introduction to the ISO 27000 series of standards
  • 5. what is ISO? ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. According to ISO, "ISO" is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal", The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.
  • 6. what is ISO? • International  Organization  for  Standardization  is  the  world's  largest  developer  and  publisher   of  International  Standards.   • ISO  is  a  network  of  the  national  standards  institutes  of  160  countries,  one  member  per  country  (ANSI  in   US,  SNI  in  Indo),  with  a  Central  Secretariat  in  Geneva,  Switzerland,  that  coordinates  the  system.   • ISO  is  a  non-­‐governmental  organization  that  forms  a  bridge  between  the  public  and  private  sectors.   • ISO  and  IEC  (the  International  Electrotechnical  Commission)  form  the  specialized  system  for  worldwide   standardization.     • National  bodies  that  are  members  of  ISO  or  IEC  participate  in  the  development  of  International   Standards  through  technical  committees  established  by  the  respective  organization  to  deal  with   particular  fields  of  technical  activity.  ISO  and  IEC  technical  committees  collaborate  in  fields  of  mutual   interest.   • n  the  field  of  information  technology,  ISO  and  IEC  have  established  a  joint  technical  committee,  ISO/IEC   JTC  1.   • International  Standards  are  drafted  in  accordance  with  the  rules  given  in  the  ISO/IEC  Directives.   •  The  main  task  of  the  joint  technical  committee  is  to  prepare  International  Standards.  Draft  International   Standards  adopted  by  the  joint  technical  committee  are  circulated  to  national  bodies  for  voting.   Publication  as  an  International  Standard  requires  approval  by  at  least  75  %  of  the  national  bodies   casting  a  vote.
  • 7. 27001 27002 27000 27004 27011 27799 Applicability Telecommunications Health Financial services Inter-sector and Inter organizational 27003 27005 Risk Management 31000 Guide 73 27006 Certification 27007 27008 19011 Guidelines for ISMS auditing 17021 Governance Measurements Code of practice Requirements Implementation guidance 27001+20000-1 Overview and vocabulary Requirements for bodies audit and certification Guidance for auditors on controls - TR Guidelines for auditing management system Conformity assessment - ISMS Vocabulary Principles and guidelines 27016 Organizational economics 27018 Cloud Computing service 17000 Conformity Assessment – Vocabulary and general principals 31010 Risk assessment techniques 27001 + industry vertical 27010 27009 27013 27014 27015 Process control system - TR27019 27017 Data protection control of public cloud computing service 27x Extended Range ISO/IEC 27001 family of standards last update : 10/2013
  • 8. Introduction ISMS are intended to provide organisations with the elements of an effective information security system in order to achieve the best practice in information security and to maintain economic goals. ISO 27001, ISO 27002 are recognisable standards against which ISMS can be audited and certificated
  • 9. ISO 27001 (certification) •ISO 27001 specifies how to establish an Information Security Management System (ISMS). •The adoption of an ISMS is a strategic decision. •The design and implementation of an organization’s ISMS is influenced by its business, its security risks and control requirements, the processes employed and the size and structure of the organization: a simple situation requires a simple ISMS. •The ISMS will evolve systematically in response to changing risks. •Compliance with ISO27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
  • 10. Benefit of ISO 27001 Cert •Achieve marketing advantage •Lower cost •Better organization •Comply with legal requirements or regulations
  • 11. ISO 27002 (non-certification) • ISO 27002 is a “Code of Practice” recommending a large number of information security controls. • the standard are generic, high-level statements of business requirements for securing or protecting information assets. • the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically. • Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good practice approach to securing information.
  • 12. a brief history of the 2700x series
  • 14. 27001:2005 Vs 27001:2013 ISO/IEC 27001:2005 !  132 “shall” statements (section 4-8) !  Annexure A !  11 clauses !  39 categories !  133 controls ISO/IEC 27001:2013 !  125 “shall” statements (section 4-10) !  Annexure A !  14 clauses !  35 categories !  114 controls Number'of'requirements'reduced'
  • 16. ISO 27001 Structures • Sections 0 to 3 are introductory and are not mandatory for implementation • Sections 4 to 10 contains requirements that must be implemented in an organization if it wants to comply • Annex A contains 114 controls that must be implemented if applicable Section 0 Introduction Section 1 Scope Section 2 Normative references Section 3 Terms and definitions Section 4 Context of the organization Section 5 Leadership Section 6 Planning Section 7 Support Section 8 Operation Section 9 Performance evaluation Section 10 Improvement Annex A
  • 17. PDCA Model applied to ISMS Processes Interested Parties Interested Parties Information Security Requirements & Expectations Managed Information Security Establish ISMS Implement & Operate ISMS Maintain & Improve ISMS Monitor & Review ISMS Plan Do Check Act Development, Maintenance and Improvement Cycle
  • 19. Mandatory controls • The importance of mandatory clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any single one of the mandatory clauses are not supported by evidence, missing or is deemed ineffective it is considered a major non- conformity. This mean it is reason enough for the auditor not to recommended the organization for certification. • In the event that the audit is part of the ongoing continuous assessment review the organization could be decertified. Its that important! • Clauses 4 – 10 require a gap assessment initially to identify the missing mandatory controls. Zero exclusions are permitted and that’s why a Gap Assessment is the best approach.
  • 20. Mandatory controls (sample) the organization must define the scope of the ISMS (clause 4.3) top mgmt and managers must show leadership to the ISMS (clause 5.1) the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be documented and communicated the mgmt must ensure the responsibilities and authorities for security roles must be assigned & communicated (clause 5.3) there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3) there must be an information security objectives that meets the organization’s business goals and risk management process (clause 6.2) competency needs must be identified, reviewed and managed so that personnel can perform their roles effectively (clause 7.2) etc…
  • 21. Discretionary controls • Within Annex A a series of control objectives have been listed. These control objectives have been designed to address known risks. • These controls are initially risk assessed during implementation /adoption for fit within each individual organization. • The risk assessment provides evidence for applicability and /or justification for exclusion. The results are listed within the Statement of Applicability (SoA). • The SoA is a controlled document that gets included with the Registration Auditors recommendations which the auditor submits to ISO for final gating and approval. • During the ISMS internal and external audits if a weaknesses is discovered within the controls it will require a corrective action plan and /or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed and then validated before its formally closed. • Please note that while a single weakness may be tolerated a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
  • 22. Discretionary controls (sample) labelling of information (A8.2.2) handling of assets (A8.2.3) management of removable media (A8.3.1) disposal of media (A8.3.2) secure log-on (A9.2.3) working in secure areas (A11.1.5) installation of software on operational system (A12.5.1) information transfer (A13.2.1) system change control (A14.2.2) response to information security incidents (A16) information security continuity (A17.1.2) intellectual property rights (A18.1.2) etc…
  • 23. Audit : definitions, principles and types
  • 25. Definition ISO 19011 define audit as a : “Systematic process, independent and documented for obtaining audit evidence and evaluate objectively, in order to establish to what extent are audit criteria met”.
  • 26. Principles ethical conduct professional, fair (unbiased), responsible fair presentation presents appropriately (words, gesture, etc), truthful and accurate in findings due professional care competence in the field of the audit independence free from conflict of interest evidence–based approach do not make assumptions, stick to the audit evidence confidentiality careful and discreet towards the informations provided by the audit
  • 27. Types of audit • Internal audits (1st party) sponsored by by the organization with the aim of improvement of the ISMS. • External audit (2nd party) audits carried out by an organisation on its supplier (partners, vendors) using, either internal personnel, or external entity entrusted with doing it. • Certification audit (third party) independent from the organizationwith the aim to release the certificate of conformity with the requirements taken as a audit criteria (ISO 27001).
  • 29. the big picture What is happening What changes are needed What should be happening
  • 31. the process 1. Audit planning 2. Stage 1 audit 3. Stage 2 audit
  • 32. audit planning 1. define audit objectives 2. define audit scope 3. select audit criteria 4. select sampling method 5. select audit team 6. define observers and guides (if necessary) 7. define resources needed
  • 33. stage 1 audit 1. Initiation of audit 2. Auditee’s application (self-assessment document) 3. Document review 4. Planning work documents (forms, procedures, etc) 5. Organisation’s unit and processes to be audited 6. Estimation of time 7. Work schedule
  • 34. developing a checklist 1. Appropriately phrased questions 2. Use open questions (avoid yes/no answers) 3. Dig deep
  • 37. stage 2 audit (on-site audit) 1. Opening meeting 2. Collecting information by appropriate sampling 3. Questioning techniques (calm, polite, reassuring) 4. Stick to the plan (time, resource) 5. Documentation (collect evidence, take notes) 6. Control the audit (avoid confrontation and intimidation)
  • 38. Sampling technique Random Sample = each record in the population has an equal chance of being selected for inclusion in the sample e.g. Population = 200 hip replacements 10% random sample= any 20 cases in the population Stratified Random Sample = Identifying a subset of the population and randomly sampling that subset. e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements 10% random stratified sample= any 20 cases in the population where the patient is aged over 65 years Targeted Sample = Sample includes only a particular section of the population e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements Targeted sample= All cases in the population where the patient is aged over 65 years
  • 39. stage 2 audit (on-site audit) techniques : 1. Questioning - people 2. Observing - process, equipment 3. Documenting - audit finding, evidence 4. Checking - assets
  • 41. audit review 1. Audit team review meeting 2. Listing of audit findings (with evidence, if any) 3. Finding statement 4. Corrective Action Request (CAR) form 5. Classification of CARs (major - minor) 6. Opportunity of improvement 7. Audit conclusion
  • 42. audit findings 1. Non-Conformity (NC) -> non-fulfillment of requirement (mandatory req = major NC; discretionary req = minor NC) 2. Opportunity of Improvement (OFI) -> non-fulfillment of controls 3. Observation -> negligence, e.g. one-day of log is missing
  • 43. finding statement 1. clear statement of the finding (NC/OFI) 2. the evidence which the finding is based 3. summary of the requirement (clause/annex)
  • 46. Major CARs 1. Major CARs must be corrected before certification of ISO 27001 can be recommended 2. Minor CARs allows certification to proceed 3. Corrective actions described in CARs usually verified at the following surveillance visit 4. If not closed, a Minor CARs will be re-classified as Major 5. Audit should be positive and constructive, therefore, effective corrective action is more important.
  • 48. Reporting & follow-up 1. Conducting a closing meeting (presenting the finding) 2. Reporting on the audit (approval, distribution, retention) 3. Audit follow-up (surveillance visits, revised CARs) will be initiated by the audit 4. Audit close-out (signing-off all forms)
  • 50. Workshops A. Audit evidence/audit trails B. Continual improvement C. Risk assessment D. ISMS audit questionnaire E. Document review F. Planning the audit G. Interpretation of the standard H. Case study