SlideShare a Scribd company logo

Auditing Information Security Management System Using ISO 27001 2013

Andrea Porter, profile picture
Andrea Porter

The document provides an overview of information security management systems (ISMS) audits using ISO 27001:2013. It discusses ISO and the 27000 series of standards, including ISO 27001 for certification and ISO 27002 for non-certification. The document outlines the key sections and clauses of ISO 27001, including mandatory and discretionary controls. It also introduces process-based ISMS using the PDCA model and discusses topics that will be covered in more depth, such as audit definitions, principles, types, and the audit process.

Education
1 of 50
Download to read offline
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Most read
50
ISMS Audit using ISO 27001:2013 Obrina Candra August, 2015
ISMS Audit Using ISO 27001:2013 supported by :
Contents Outline 1. Introduction to Information Security Management Systems (and the ISO 27000 series of standards) 2. Process-based ISMS 3. Audit : definitions, principles and types 4. Audit process (audit plan, preparing for the on-site audit (audit stage 1), developing checklists, conducting the on-site audit (audit stage 2)) 5. Audit review 6. Report and follow-up
Introduction to the ISO 27000 series of standards
what is ISO? ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. According to ISO, "ISO" is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal", The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.
what is ISO? • International Organization for Standardization is the world's largest developer and publisher of International Standards. • ISO is a network of the national standards institutes of 160 countries, one member per country (ANSI in US, SNI in Indo), with a Central Secretariat in Geneva, Switzerland, that coordinates the system. • ISO is a non‐governmental organization that forms a bridge between the public and private sectors. • ISO and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. • National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. • n the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. • International Standards are drafted in accordance with the rules given in the ISO/IEC Directives. • The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
27001 27002 27000 27004 27011 27799 Applicability Telecommunications Health Financial services Inter-sector and Inter organizational 27003 27005 Risk Management 31000 Guide 73 27006 Certification 27007 27008 19011 Guidelines for ISMS auditing 17021 Governance Measurements Code of practice Requirements Implementation guidance 27001+20000-1 Overview and vocabulary Requirements for bodies audit and certification Guidance for auditors on controls - TR Guidelines for auditing management system Conformity assessment - ISMS Vocabulary Principles and guidelines 27016 Organizational economics 27018 Cloud Computing service 17000 Conformity Assessment – Vocabulary and general principals 31010 Risk assessment techniques 27001 + industry vertical 27010 27009 27013 27014 27015 Process control system - TR 27019 27017 Data protection control of public cloud computing service 27x Extended Range ISO/IEC 27001 family of standards last update : 10/2013
Introduction ISMS are intended to provide organisations with the elements of an effective information security system in order to achieve the best practice in information security and to maintain economic goals. ISO 27001, ISO 27002 are recognisable standards against which ISMS can be audited and certificated
ISO 27001 (certification) •ISO 27001 specifies how to establish an Information Security Management System (ISMS). •The adoption of an ISMS is a strategic decision. •The design and implementation of an organization’s ISMS is influenced by its business, its security risks and control requirements, the processes employed and the size and structure of the organization: a simple situation requires a simple ISMS. •The ISMS will evolve systematically in response to changing risks. •Compliance with ISO27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
Benefit of ISO 27001 Cert •Achieve marketing advantage •Lower cost •Better organization •Comply with legal requirements or regulations
ISO 27002 (non-certification) • ISO 27002 is a “Code of Practice” recommending a large number of information security controls. • the standard are generic, high-level statements of business requirements for securing or protecting information assets. • the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically. • Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good practice approach to securing information.
a brief history of the 2700x series
27001:2005 Vs 27001:2013 Context'of'the' Organiza0on' ' Leadership' Planning' Opera0on' Improvement' Performance' Evalua0on' Support' ISO/IEC'27001:2013' Management' Responsibility' ' Management'Review' Establish' ISMS' Implement' ISMS' Improve' ISMS' Monitor' ISMS' Doc.'' Req.' Internal'' Audit' ISMS'' Improve' ISO/IEC'27001:2005' Mgmt.' Review' Structure'simplified'
27001:2005 Vs 27001:2013 ISO/IEC 27001:2005 ! 132 “shall” statements (section 4-8) ! Annexure A ! 11 clauses ! 39 categories ! 133 controls ISO/IEC 27001:2013 ! 125 “shall” statements (section 4-10) ! Annexure A ! 14 clauses ! 35 categories ! 114 controls Number'of'requirements'reduced'
Process-based ISMS
ISO 27001 Structures • Sections 0 to 3 are introductory and are not mandatory for implementation • Sections 4 to 10 contains requirements that must be implemented in an organization if it wants to comply • Annex A contains 114 controls that must be implemented if applicable Section 0 Introduction Section 1 Scope Section 2 Normative references Section 3 Terms and definitions Section 4 Context of the organization Section 5 Leadership Section 6 Planning Section 7 Support Section 8 Operation Section 9 Performance evaluation Section 10 Improvement Annex A
PDCA Model applied to ISMS Processes Interested Parties Interested Parties Information Security Requirements & Expectations Managed Information Security Establish ISMS Implement & Operate ISMS Maintain & Improve ISMS Monitor & Review ISMS Plan Do Check Act Development, Maintenance and Improvement Cycle
Auditing Information Security Management System Using ISO 27001 2013
Mandatory controls • The importance of mandatory clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any single one of the mandatory clauses are not supported by evidence, missing or is deemed ineffective it is considered a major non- conformity. This mean it is reason enough for the auditor not to recommended the organization for certification. • In the event that the audit is part of the ongoing continuous assessment review the organization could be decertified. Its that important! • Clauses 4 – 10 require a gap assessment initially to identify the missing mandatory controls. Zero exclusions are permitted and that’s why a Gap Assessment is the best approach.
Mandatory controls (sample) the organization must define the scope of the ISMS (clause 4.3) top mgmt and managers must show leadership to the ISMS (clause 5.1) the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be documented and communicated the mgmt must ensure the responsibilities and authorities for security roles must be assigned & communicated (clause 5.3) there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3) there must be an information security objectives that meets the organization’s business goals and risk management process (clause 6.2) competency needs must be identified, reviewed and managed so that personnel can perform their roles effectively (clause 7.2) etc…
Discretionary controls • Within Annex A a series of control objectives have been listed. These control objectives have been designed to address known risks. • These controls are initially risk assessed during implementation /adoption for fit within each individual organization. • The risk assessment provides evidence for applicability and /or justification for exclusion. The results are listed within the Statement of Applicability (SoA). • The SoA is a controlled document that gets included with the Registration Auditors recommendations which the auditor submits to ISO for final gating and approval. • During the ISMS internal and external audits if a weaknesses is discovered within the controls it will require a corrective action plan and /or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed and then validated before its formally closed. • Please note that while a single weakness may be tolerated a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
Discretionary controls (sample) labelling of information (A8.2.2) handling of assets (A8.2.3) management of removable media (A8.3.1) disposal of media (A8.3.2) secure log-on (A9.2.3) working in secure areas (A11.1.5) installation of software on operational system (A12.5.1) information transfer (A13.2.1) system change control (A14.2.2) response to information security incidents (A16) information security continuity (A17.1.2) intellectual property rights (A18.1.2) etc…
Audit : definitions, principles and types
My#Life#as#an#Information#Security#Consultant#
Definition ISO 19011 define audit as a : “Systematic process, independent and documented for obtaining audit evidence and evaluate objectively, in order to establish to what extent are audit criteria met”.
Principles ethical conduct professional, fair (unbiased), responsible fair presentation presents appropriately (words, gesture, etc), truthful and accurate in findings due professional care competence in the field of the audit independence free from conflict of interest evidence–based approach do not make assumptions, stick to the audit evidence confidentiality careful and discreet towards the informations provided by the audit
Types of audit • Internal audits (1st party) sponsored by by the organization with the aim of improvement of the ISMS. • External audit (2nd party) audits carried out by an organisation on its supplier (partners, vendors) using, either internal personnel, or external entity entrusted with doing it. • Certification audit (third party) independent from the organizationwith the aim to release the certificate of conformity with the requirements taken as a audit criteria (ISO 27001).
Audit Process
the big picture What is happening What changes are needed What should be happening
the medium picture
the process 1. Audit planning 2. Stage 1 audit 3. Stage 2 audit
audit planning 1. define audit objectives 2. define audit scope 3. select audit criteria 4. select sampling method 5. select audit team 6. define observers and guides (if necessary) 7. define resources needed
stage 1 audit 1. Initiation of audit 2. Auditee’s application (self-assessment document) 3. Document review 4. Planning work documents (forms, procedures, etc) 5. Organisation’s unit and processes to be audited 6. Estimation of time 7. Work schedule
developing a checklist 1. Appropriately phrased questions 2. Use open questions (avoid yes/no answers) 3. Dig deep
developing a checklist
developing a checklist
stage 2 audit (on-site audit) 1. Opening meeting 2. Collecting information by appropriate sampling 3. Questioning techniques (calm, polite, reassuring) 4. Stick to the plan (time, resource) 5. Documentation (collect evidence, take notes) 6. Control the audit (avoid confrontation and intimidation)
Sampling technique Random Sample = each record in the population has an equal chance of being selected for inclusion in the sample e.g. Population = 200 hip replacements 10% random sample= any 20 cases in the population Stratified Random Sample = Identifying a subset of the population and randomly sampling that subset. e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements 10% random stratified sample= any 20 cases in the population where the patient is aged over 65 years Targeted Sample = Sample includes only a particular section of the population e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements Targeted sample= All cases in the population where the patient is aged over 65 years
stage 2 audit (on-site audit) techniques : 1. Questioning - people 2. Observing - process, equipment 3. Documenting - audit finding, evidence 4. Checking - assets
Audit Review
audit review 1. Audit team review meeting 2. Listing of audit findings (with evidence, if any) 3. Finding statement 4. Corrective Action Request (CAR) form 5. Classification of CARs (major - minor) 6. Opportunity of improvement 7. Audit conclusion
audit findings 1. Non-Conformity (NC) -> non-fulfillment of requirement (mandatory req = major NC; discretionary req = minor NC) 2. Opportunity of Improvement (OFI) -> non-fulfillment of controls 3. Observation -> negligence, e.g. one-day of log is missing
finding statement 1. clear statement of the finding (NC/OFI) 2. the evidence which the finding is based 3. summary of the requirement (clause/annex)
finding statement
CARs example
Major CARs 1. Major CARs must be corrected before certification of ISO 27001 can be recommended 2. Minor CARs allows certification to proceed 3. Corrective actions described in CARs usually verified at the following surveillance visit 4. If not closed, a Minor CARs will be re-classified as Major 5. Audit should be positive and constructive, therefore, effective corrective action is more important.
Report and follow-up
Reporting & follow-up 1. Conducting a closing meeting (presenting the finding) 2. Reporting on the audit (approval, distribution, retention) 3. Audit follow-up (surveillance visits, revised CARs) will be initiated by the audit 4. Audit close-out (signing-off all forms)
that’s all folks..
Workshops A. Audit evidence/audit trails B. Continual improvement C. Risk assessment D. ISMS audit questionnaire E. Document review F. Planning the audit G. Interpretation of the standard H. Case study

More Related Content

PDF
Infosec Audit Lecture_4
Obrina Candra, CISA, ISMS-LA
 
PDF
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
PPTX
Iso 27001 awareness
Ãsħâr Ãâlâm
 
PPT
Intro to ISO
Adrian Hall
 
PPTX
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
SIS Certifications Pvt Ltd
 
PPTX
english_bok_ismp_202306.pptx
ssuser00d6eb
 
PPTX
Internal auditor 9001 day 1
Dr Madhu Aman Sharma
 
PDF
Implementing ISO 27001: A Step-by-Step Guide
Ahad
 
Infosec Audit Lecture_4
Obrina Candra, CISA, ISMS-LA
 
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
Iso 27001 awareness
Ãsħâr Ãâlâm
 
Intro to ISO
Adrian Hall
 
ISO 27001 Compliance Checklist 9 Step Implementation Guide.pptx
SIS Certifications Pvt Ltd
 
english_bok_ismp_202306.pptx
ssuser00d6eb
 
Internal auditor 9001 day 1
Dr Madhu Aman Sharma
 
Implementing ISO 27001: A Step-by-Step Guide
Ahad
 

Similar to Auditing Information Security Management System Using ISO 27001 2013 (20)

PPTX
ISO27k ISMS implementation and certification process overview v2.pptx
Napoleon NV
 
PDF
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
KMD
 
PDF
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Lars Neupart
 
PPTX
ISO 9000 & ISO 14000: pptx..............
GayatriBahatkar1
 
PPT
Auditing Standard and Practice
Bikash Kumar
 
PPTX
20220911-ISO27000-SecurityStandards.pptx
Suman Garai
 
PDF
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
dhanashrinovelvista2
 
PPTX
ISO_22301_Clause_by Clause Explained.pptx
JustinNickaf3
 
PDF
Chapter 10 security standart
newbie2019
 
PPTX
ISO27001_COBIT_Students.pptx
jojo82637
 
PDF
G12: Implementation to Business Value
HyTrust
 
PPTX
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
PDF
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
spore090
 
PPTX
TOP MANAGEMENT BRIEFING TO NSIB ON ISO 45001 2018 LATEST.pptx
JustinBNickaf
 
PPT
FULL INTEGRATED MANAGEMENT SYSTEMS IMPLEMENTATION TRAINING DANGOTE FERTILIZE...
JustinBNickaf
 
PDF
NQA ISO 9001 to ISO 27001 Gap Guide
NQA
 
PDF
ISO27k_ISMS_9.2_internal_audit_procedure_2022.pdf
denykrisnanda13
 
PPTX
Upload iso 9001 2015 presentation
Rajeesh Thumpayil
 
ODP
Damco iso 27001
Dipin Sharma
 
PDF
Maximize Data Security with ISO 27001 Certification in Saudi Arabia.pdf
Maxicert Mohan
 
ISO27k ISMS implementation and certification process overview v2.pptx
Napoleon NV
 
Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Manageme...
KMD
 
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Lars Neupart
 
ISO 9000 & ISO 14000: pptx..............
GayatriBahatkar1
 
Auditing Standard and Practice
Bikash Kumar
 
20220911-ISO27000-SecurityStandards.pptx
Suman Garai
 
Everything You Need to Know About ISO 27001 Certification FAQs Answered.pdf
dhanashrinovelvista2
 
ISO_22301_Clause_by Clause Explained.pptx
JustinNickaf3
 
Chapter 10 security standart
newbie2019
 
ISO27001_COBIT_Students.pptx
jojo82637
 
G12: Implementation to Business Value
HyTrust
 
the role of 27001 in cybersecurity pp.pptx
floresmika308
 
ISO 27000 STANDARD FAMILY TOOLKIT SETUP.pdf
spore090
 
TOP MANAGEMENT BRIEFING TO NSIB ON ISO 45001 2018 LATEST.pptx
JustinBNickaf
 
FULL INTEGRATED MANAGEMENT SYSTEMS IMPLEMENTATION TRAINING DANGOTE FERTILIZE...
JustinBNickaf
 
NQA ISO 9001 to ISO 27001 Gap Guide
NQA
 
ISO27k_ISMS_9.2_internal_audit_procedure_2022.pdf
denykrisnanda13
 
Upload iso 9001 2015 presentation
Rajeesh Thumpayil
 
Damco iso 27001
Dipin Sharma
 
Maximize Data Security with ISO 27001 Certification in Saudi Arabia.pdf
Maxicert Mohan
 
Ad

More from Andrea Porter (20)

PDF
Taking Notes With Note Cards
Andrea Porter
 
PDF
How To Write A TOK Essay 15 Steps (With Pictures) - WikiHow
Andrea Porter
 
PDF
How To Write A Good Topic Sentence In Academic Writing
Andrea Porter
 
PDF
Narrative Essay Argumentative Essay Thesis
Andrea Porter
 
PDF
A Good Introduction For A Research Paper. Writing A G
Andrea Porter
 
PDF
How To Find The Best Paper Writing Company
Andrea Porter
 
PDF
Primary Handwriting Paper - Paging Supermom - Free Printable Writing
Andrea Porter
 
PDF
Write An Essay On College Experience In EnglishDesc
Andrea Porter
 
PDF
Ghost Writing KennyLeeHolmes.Com
Andrea Porter
 
PDF
How To Write A Good Concluding Observation Bo
Andrea Porter
 
PDF
How To Write An Argumentative Essay
Andrea Porter
 
PDF
7 Introduction Essay About Yourself - Introduction Letter
Andrea Porter
 
PDF
Persuasive Essay Essaypro Writers
Andrea Porter
 
PDF
Scholarship Personal Essays Templates At Allbusinesst
Andrea Porter
 
PDF
How To Create An Outline For An Essay
Andrea Porter
 
PDF
ESSAY - Qualities Of A Good Teach
Andrea Porter
 
PDF
Fountain Pen Writing On Paper - Castle Rock Financial Planning
Andrea Porter
 
PDF
Formatting A Research Paper E
Andrea Porter
 
PDF
Business Paper Examples Of Graduate School Admissio
Andrea Porter
 
PDF
Impact Of Poverty On The Society - Free Essay E
Andrea Porter
 
Taking Notes With Note Cards
Andrea Porter
 
How To Write A TOK Essay 15 Steps (With Pictures) - WikiHow
Andrea Porter
 
How To Write A Good Topic Sentence In Academic Writing
Andrea Porter
 
Narrative Essay Argumentative Essay Thesis
Andrea Porter
 
A Good Introduction For A Research Paper. Writing A G
Andrea Porter
 
How To Find The Best Paper Writing Company
Andrea Porter
 
Primary Handwriting Paper - Paging Supermom - Free Printable Writing
Andrea Porter
 
Write An Essay On College Experience In EnglishDesc
Andrea Porter
 
Ghost Writing KennyLeeHolmes.Com
Andrea Porter
 
How To Write A Good Concluding Observation Bo
Andrea Porter
 
How To Write An Argumentative Essay
Andrea Porter
 
7 Introduction Essay About Yourself - Introduction Letter
Andrea Porter
 
Persuasive Essay Essaypro Writers
Andrea Porter
 
Scholarship Personal Essays Templates At Allbusinesst
Andrea Porter
 
How To Create An Outline For An Essay
Andrea Porter
 
ESSAY - Qualities Of A Good Teach
Andrea Porter
 
Fountain Pen Writing On Paper - Castle Rock Financial Planning
Andrea Porter
 
Formatting A Research Paper E
Andrea Porter
 
Business Paper Examples Of Graduate School Admissio
Andrea Porter
 
Impact Of Poverty On The Society - Free Essay E
Andrea Porter
 
Ad

Recently uploaded (20)

PDF
The-Invisible-Living-World-Beyond-Our-Naked-Eye chapter 2.pdf/8th science cur...
Sandeep Swamy
 
PPTX
INTESTINALPARASITES OR WORM INFESTATIONS.pptx
PRADEEP ABOTHU
 
PPTX
Software Engineering BSC DS UNIT 1 .pptx
Dr. Pallawi Bulakh
 
PPTX
Dakar Framework Education For All- 2000(Act)
santoshmohalik1
 
PPTX
A Smarter Way to Think About Choosing a College
Cyndy McDonald
 
PPTX
Applications of matrices In Real Life_20250724_091307_0000.pptx
gehlotkrish03
 
PPTX
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
DOCX
SAROCES Action-Plan FOR ARAL PROGRAM IN DEPED
Levenmartlacuna1
 
PPTX
Information Texts_Infographic on Forgetting Curve.pptx
Tata Sevilla
 
PPTX
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
PPTX
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
PDF
Virat Kohli- the Pride of Indian cricket
kushpar147
 
PPTX
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
PPTX
CDH. pptx
AneetaSharma15
 
PPTX
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
DOCX
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
PDF
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
PDF
2.Reshaping-Indias-Political-Map.ppt/pdf/8th class social science Exploring S...
Sandeep Swamy
 
PPTX
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
PPTX
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 
The-Invisible-Living-World-Beyond-Our-Naked-Eye chapter 2.pdf/8th science cur...
Sandeep Swamy
 
INTESTINALPARASITES OR WORM INFESTATIONS.pptx
PRADEEP ABOTHU
 
Software Engineering BSC DS UNIT 1 .pptx
Dr. Pallawi Bulakh
 
Dakar Framework Education For All- 2000(Act)
santoshmohalik1
 
A Smarter Way to Think About Choosing a College
Cyndy McDonald
 
Applications of matrices In Real Life_20250724_091307_0000.pptx
gehlotkrish03
 
Artificial Intelligence in Gastroentrology: Advancements and Future Presprec...
AyanHossain
 
SAROCES Action-Plan FOR ARAL PROGRAM IN DEPED
Levenmartlacuna1
 
Information Texts_Infographic on Forgetting Curve.pptx
Tata Sevilla
 
Cleaning Validation Ppt Pharmaceutical validation
Ms. Ashatai Patil
 
20250924 Navigating the Future: How to tell the difference between an emergen...
McGuinness Institute
 
Virat Kohli- the Pride of Indian cricket
kushpar147
 
How to Manage Leads in Odoo 18 CRM - Odoo Slides
Celine George
 
CDH. pptx
AneetaSharma15
 
Five Point Someone – Chetan Bhagat | Book Summary & Analysis by Bhupesh Kushwaha
Bhupesh Kushwaha
 
pgdei-UNIT -V Neurological Disorders & developmental disabilities
JELLA VISHNU DURGA PRASAD
 
The Minister of Tourism, Culture and Creative Arts, Abla Dzifa Gomashie has e...
nservice241
 
2.Reshaping-Indias-Political-Map.ppt/pdf/8th class social science Exploring S...
Sandeep Swamy
 
How to Close Subscription in Odoo 18 - Odoo Slides
Celine George
 
CONCEPT OF CHILD CARE. pptx
AneetaSharma15
 

Auditing Information Security Management System Using ISO 27001 2013

  • 1. ISMS Audit using ISO 27001:2013 Obrina Candra August, 2015
  • 2. ISMS Audit Using ISO 27001:2013 supported by :
  • 3. Contents Outline 1. Introduction to Information Security Management Systems (and the ISO 27000 series of standards) 2. Process-based ISMS 3. Audit : definitions, principles and types 4. Audit process (audit plan, preparing for the on-site audit (audit stage 1), developing checklists, conducting the on-site audit (audit stage 2)) 5. Audit review 6. Report and follow-up
  • 4. Introduction to the ISO 27000 series of standards
  • 5. what is ISO? ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. According to ISO, "ISO" is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal", The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.
  • 6. what is ISO? • International Organization for Standardization is the world's largest developer and publisher of International Standards. • ISO is a network of the national standards institutes of 160 countries, one member per country (ANSI in US, SNI in Indo), with a Central Secretariat in Geneva, Switzerland, that coordinates the system. • ISO is a non‐governmental organization that forms a bridge between the public and private sectors. • ISO and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. • National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. • n the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. • International Standards are drafted in accordance with the rules given in the ISO/IEC Directives. • The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
  • 7. 27001 27002 27000 27004 27011 27799 Applicability Telecommunications Health Financial services Inter-sector and Inter organizational 27003 27005 Risk Management 31000 Guide 73 27006 Certification 27007 27008 19011 Guidelines for ISMS auditing 17021 Governance Measurements Code of practice Requirements Implementation guidance 27001+20000-1 Overview and vocabulary Requirements for bodies audit and certification Guidance for auditors on controls - TR Guidelines for auditing management system Conformity assessment - ISMS Vocabulary Principles and guidelines 27016 Organizational economics 27018 Cloud Computing service 17000 Conformity Assessment – Vocabulary and general principals 31010 Risk assessment techniques 27001 + industry vertical 27010 27009 27013 27014 27015 Process control system - TR 27019 27017 Data protection control of public cloud computing service 27x Extended Range ISO/IEC 27001 family of standards last update : 10/2013
  • 8. Introduction ISMS are intended to provide organisations with the elements of an effective information security system in order to achieve the best practice in information security and to maintain economic goals. ISO 27001, ISO 27002 are recognisable standards against which ISMS can be audited and certificated
  • 9. ISO 27001 (certification) •ISO 27001 specifies how to establish an Information Security Management System (ISMS). •The adoption of an ISMS is a strategic decision. •The design and implementation of an organization’s ISMS is influenced by its business, its security risks and control requirements, the processes employed and the size and structure of the organization: a simple situation requires a simple ISMS. •The ISMS will evolve systematically in response to changing risks. •Compliance with ISO27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
  • 10. Benefit of ISO 27001 Cert •Achieve marketing advantage •Lower cost •Better organization •Comply with legal requirements or regulations
  • 11. ISO 27002 (non-certification) • ISO 27002 is a “Code of Practice” recommending a large number of information security controls. • the standard are generic, high-level statements of business requirements for securing or protecting information assets. • the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically. • Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good practice approach to securing information.
  • 12. a brief history of the 2700x series
  • 14. 27001:2005 Vs 27001:2013 ISO/IEC 27001:2005 ! 132 “shall” statements (section 4-8) ! Annexure A ! 11 clauses ! 39 categories ! 133 controls ISO/IEC 27001:2013 ! 125 “shall” statements (section 4-10) ! Annexure A ! 14 clauses ! 35 categories ! 114 controls Number'of'requirements'reduced'
  • 16. ISO 27001 Structures • Sections 0 to 3 are introductory and are not mandatory for implementation • Sections 4 to 10 contains requirements that must be implemented in an organization if it wants to comply • Annex A contains 114 controls that must be implemented if applicable Section 0 Introduction Section 1 Scope Section 2 Normative references Section 3 Terms and definitions Section 4 Context of the organization Section 5 Leadership Section 6 Planning Section 7 Support Section 8 Operation Section 9 Performance evaluation Section 10 Improvement Annex A
  • 17. PDCA Model applied to ISMS Processes Interested Parties Interested Parties Information Security Requirements & Expectations Managed Information Security Establish ISMS Implement & Operate ISMS Maintain & Improve ISMS Monitor & Review ISMS Plan Do Check Act Development, Maintenance and Improvement Cycle
  • 19. Mandatory controls • The importance of mandatory clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any single one of the mandatory clauses are not supported by evidence, missing or is deemed ineffective it is considered a major non- conformity. This mean it is reason enough for the auditor not to recommended the organization for certification. • In the event that the audit is part of the ongoing continuous assessment review the organization could be decertified. Its that important! • Clauses 4 – 10 require a gap assessment initially to identify the missing mandatory controls. Zero exclusions are permitted and that’s why a Gap Assessment is the best approach.
  • 20. Mandatory controls (sample) the organization must define the scope of the ISMS (clause 4.3) top mgmt and managers must show leadership to the ISMS (clause 5.1) the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be documented and communicated the mgmt must ensure the responsibilities and authorities for security roles must be assigned & communicated (clause 5.3) there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3) there must be an information security objectives that meets the organization’s business goals and risk management process (clause 6.2) competency needs must be identified, reviewed and managed so that personnel can perform their roles effectively (clause 7.2) etc…
  • 21. Discretionary controls • Within Annex A a series of control objectives have been listed. These control objectives have been designed to address known risks. • These controls are initially risk assessed during implementation /adoption for fit within each individual organization. • The risk assessment provides evidence for applicability and /or justification for exclusion. The results are listed within the Statement of Applicability (SoA). • The SoA is a controlled document that gets included with the Registration Auditors recommendations which the auditor submits to ISO for final gating and approval. • During the ISMS internal and external audits if a weaknesses is discovered within the controls it will require a corrective action plan and /or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed and then validated before its formally closed. • Please note that while a single weakness may be tolerated a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
  • 22. Discretionary controls (sample) labelling of information (A8.2.2) handling of assets (A8.2.3) management of removable media (A8.3.1) disposal of media (A8.3.2) secure log-on (A9.2.3) working in secure areas (A11.1.5) installation of software on operational system (A12.5.1) information transfer (A13.2.1) system change control (A14.2.2) response to information security incidents (A16) information security continuity (A17.1.2) intellectual property rights (A18.1.2) etc…
  • 23. Audit : definitions, principles and types
  • 25. Definition ISO 19011 define audit as a : “Systematic process, independent and documented for obtaining audit evidence and evaluate objectively, in order to establish to what extent are audit criteria met”.
  • 26. Principles ethical conduct professional, fair (unbiased), responsible fair presentation presents appropriately (words, gesture, etc), truthful and accurate in findings due professional care competence in the field of the audit independence free from conflict of interest evidence–based approach do not make assumptions, stick to the audit evidence confidentiality careful and discreet towards the informations provided by the audit
  • 27. Types of audit • Internal audits (1st party) sponsored by by the organization with the aim of improvement of the ISMS. • External audit (2nd party) audits carried out by an organisation on its supplier (partners, vendors) using, either internal personnel, or external entity entrusted with doing it. • Certification audit (third party) independent from the organizationwith the aim to release the certificate of conformity with the requirements taken as a audit criteria (ISO 27001).
  • 29. the big picture What is happening What changes are needed What should be happening
  • 31. the process 1. Audit planning 2. Stage 1 audit 3. Stage 2 audit
  • 32. audit planning 1. define audit objectives 2. define audit scope 3. select audit criteria 4. select sampling method 5. select audit team 6. define observers and guides (if necessary) 7. define resources needed
  • 33. stage 1 audit 1. Initiation of audit 2. Auditee’s application (self-assessment document) 3. Document review 4. Planning work documents (forms, procedures, etc) 5. Organisation’s unit and processes to be audited 6. Estimation of time 7. Work schedule
  • 34. developing a checklist 1. Appropriately phrased questions 2. Use open questions (avoid yes/no answers) 3. Dig deep
  • 37. stage 2 audit (on-site audit) 1. Opening meeting 2. Collecting information by appropriate sampling 3. Questioning techniques (calm, polite, reassuring) 4. Stick to the plan (time, resource) 5. Documentation (collect evidence, take notes) 6. Control the audit (avoid confrontation and intimidation)
  • 38. Sampling technique Random Sample = each record in the population has an equal chance of being selected for inclusion in the sample e.g. Population = 200 hip replacements 10% random sample= any 20 cases in the population Stratified Random Sample = Identifying a subset of the population and randomly sampling that subset. e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements 10% random stratified sample= any 20 cases in the population where the patient is aged over 65 years Targeted Sample = Sample includes only a particular section of the population e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements Targeted sample= All cases in the population where the patient is aged over 65 years
  • 39. stage 2 audit (on-site audit) techniques : 1. Questioning - people 2. Observing - process, equipment 3. Documenting - audit finding, evidence 4. Checking - assets
  • 41. audit review 1. Audit team review meeting 2. Listing of audit findings (with evidence, if any) 3. Finding statement 4. Corrective Action Request (CAR) form 5. Classification of CARs (major - minor) 6. Opportunity of improvement 7. Audit conclusion
  • 42. audit findings 1. Non-Conformity (NC) -> non-fulfillment of requirement (mandatory req = major NC; discretionary req = minor NC) 2. Opportunity of Improvement (OFI) -> non-fulfillment of controls 3. Observation -> negligence, e.g. one-day of log is missing
  • 43. finding statement 1. clear statement of the finding (NC/OFI) 2. the evidence which the finding is based 3. summary of the requirement (clause/annex)
  • 46. Major CARs 1. Major CARs must be corrected before certification of ISO 27001 can be recommended 2. Minor CARs allows certification to proceed 3. Corrective actions described in CARs usually verified at the following surveillance visit 4. If not closed, a Minor CARs will be re-classified as Major 5. Audit should be positive and constructive, therefore, effective corrective action is more important.
  • 48. Reporting & follow-up 1. Conducting a closing meeting (presenting the finding) 2. Reporting on the audit (approval, distribution, retention) 3. Audit follow-up (surveillance visits, revised CARs) will be initiated by the audit 4. Audit close-out (signing-off all forms)
  • 50. Workshops A. Audit evidence/audit trails B. Continual improvement C. Risk assessment D. ISMS audit questionnaire E. Document review F. Planning the audit G. Interpretation of the standard H. Case study