3. Contents Outline
1. Introduction to Information Security Management Systems (and the
ISO 27000 series of standards)
2. Process-based ISMS
3. Audit : definitions, principles and types
4. Audit process (audit plan, preparing for the on-site audit (audit stage
1), developing checklists, conducting the on-site audit (audit stage 2))
5. Audit review
6. Report and follow-up
5. what is ISO?
ISO, founded in 1947, is a worldwide federation of
national standards bodies from some 100 countries, with
one standards body representing each member country.
The American National Standards Institute (ANSI), for
example, represents the United States.
According to ISO, "ISO" is not an abbreviation. It is a
word, derived from the Greek isos, meaning "equal",
The name ISO is used around the world to denote the
organization, thus avoiding the assortment of
abbreviations that would result from the translation of
"International Organization for Standardization" into the
different national languages of members. Whatever the
country, the short form of the organization's name is
always ISO.
6. what is ISO?
• International
Organization
for
Standardization
is
the
world's
largest
developer
and
publisher
of
International
Standards.
• ISO
is
a
network
of
the
national
standards
institutes
of
160
countries,
one
member
per
country
(ANSI
in
US,
SNI
in
Indo),
with
a
Central
Secretariat
in
Geneva,
Switzerland,
that
coordinates
the
system.
• ISO
is
a
non-‐governmental
organization
that
forms
a
bridge
between
the
public
and
private
sectors.
• ISO
and
IEC
(the
International
Electrotechnical
Commission)
form
the
specialized
system
for
worldwide
standardization.
• National
bodies
that
are
members
of
ISO
or
IEC
participate
in
the
development
of
International
Standards
through
technical
committees
established
by
the
respective
organization
to
deal
with
particular
fields
of
technical
activity.
ISO
and
IEC
technical
committees
collaborate
in
fields
of
mutual
interest.
• n
the
field
of
information
technology,
ISO
and
IEC
have
established
a
joint
technical
committee,
ISO/IEC
JTC
1.
• International
Standards
are
drafted
in
accordance
with
the
rules
given
in
the
ISO/IEC
Directives.
•
The
main
task
of
the
joint
technical
committee
is
to
prepare
International
Standards.
Draft
International
Standards
adopted
by
the
joint
technical
committee
are
circulated
to
national
bodies
for
voting.
Publication
as
an
International
Standard
requires
approval
by
at
least
75
%
of
the
national
bodies
casting
a
vote.
7. 27001
27002
27000
27004
27011
27799
Applicability
Telecommunications
Health
Financial services
Inter-sector and
Inter organizational
27003
27005
Risk Management
31000
Guide 73
27006
Certification
27007
27008
19011
Guidelines for ISMS
auditing
17021
Governance
Measurements
Code of practice
Requirements
Implementation guidance
27001+20000-1
Overview and vocabulary
Requirements for bodies
audit and certification
Guidance for auditors
on controls - TR
Guidelines for
auditing management system
Conformity assessment
- ISMS
Vocabulary
Principles and
guidelines
27016 Organizational economics
27018
Cloud Computing service
17000
Conformity Assessment –
Vocabulary and general principals
31010
Risk assessment
techniques 27001
+
industry vertical
27010
27009
27013
27014
27015
Process control system - TR27019
27017
Data protection control of
public cloud computing service
27x Extended Range
ISO/IEC 27001 family of standards last update : 10/2013
8. Introduction
ISMS are intended to provide organisations with
the elements of an effective information security
system in order to achieve the best practice in
information security and to maintain economic
goals.
ISO 27001, ISO 27002 are recognisable standards
against which ISMS can be audited and
certificated
9. ISO 27001 (certification)
•ISO 27001 specifies how to establish an Information
Security Management System (ISMS).
•The adoption of an ISMS is a strategic decision.
•The design and implementation of an organization’s
ISMS is influenced by its business, its security risks
and control requirements, the processes employed
and the size and structure of the organization: a
simple situation requires a simple ISMS.
•The ISMS will evolve systematically in response to
changing risks.
•Compliance with ISO27001 can be formally assessed
and certified. A certified ISMS builds confidence in
the organization’s approach to information security
management among stakeholders.
10. Benefit of ISO 27001 Cert
•Achieve marketing
advantage
•Lower cost
•Better organization
•Comply with legal
requirements or
regulations
11. ISO 27002 (non-certification)
• ISO 27002 is a “Code of Practice” recommending a
large number of information security controls.
• the standard are generic, high-level statements of
business requirements for securing or protecting
information assets.
• the standard are meant to be implemented in the
context of an ISMS, in order to address risks and
satisfy applicable control objectives systematically.
• Compliance with ISO 27002 implies that the
organization has adopted a comprehensive, good
practice approach to securing information.
16. ISO 27001 Structures
• Sections 0 to 3 are
introductory and are not
mandatory for
implementation
• Sections 4 to 10 contains
requirements that must be
implemented in an
organization if it wants to
comply
• Annex A contains 114
controls that must be
implemented if applicable
Section 0
Introduction
Section 1
Scope
Section 2
Normative
references
Section 3
Terms and
definitions
Section 4
Context of the
organization
Section 5
Leadership
Section 6
Planning
Section 7
Support
Section 8
Operation
Section 9
Performance
evaluation
Section 10
Improvement
Annex A
17. PDCA Model applied to ISMS Processes
Interested
Parties
Interested
Parties
Information
Security
Requirements
& Expectations
Managed
Information
Security
Establish
ISMS
Implement &
Operate ISMS
Maintain &
Improve ISMS
Monitor &
Review ISMS
Plan
Do
Check
Act
Development,
Maintenance and
Improvement Cycle
18.
19. Mandatory controls
• The importance of mandatory
clauses is punctuated by the fact
that during ISMS audits if the
auditor discovers that any single
one of the mandatory clauses are
not supported by evidence, missing
or is deemed ineffective it is
considered a major non-
conformity. This mean it is reason
enough for the auditor not to
recommended the organization for
certification.
• In the event that the audit is part of
the ongoing continuous assessment
review the organization could be
decertified. Its that important!
• Clauses 4 – 10 require a gap
assessment initially to identify the
missing mandatory controls. Zero
exclusions are permitted and
that’s why a Gap Assessment is the
best approach.
20. Mandatory controls (sample)
the organization must define the scope of the ISMS (clause 4.3)
top mgmt and managers must show leadership to the ISMS (clause 5.1)
the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be
documented and communicated
the mgmt must ensure the responsibilities and authorities for security roles must be assigned &
communicated (clause 5.3)
there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3)
there must be an information security objectives that meets the organization’s business goals and
risk management process (clause 6.2)
competency needs must be identified, reviewed and managed so that personnel can perform their
roles effectively (clause 7.2)
etc…
21. Discretionary controls
• Within Annex A a series of control
objectives have been listed. These control
objectives have been designed to address
known risks.
• These controls are initially risk assessed
during implementation /adoption for fit
within each individual organization.
• The risk assessment provides evidence for
applicability and /or justification for
exclusion. The results are listed within the
Statement of Applicability (SoA).
• The SoA is a controlled document that gets
included with the Registration Auditors
recommendations which the auditor submits
to ISO for final gating and approval.
• During the ISMS internal and external
audits if a weaknesses is discovered within
the controls it will require a corrective
action plan and /or preventive action
(CAPA) plan. The CAPA is listed within the
Risk Treatment Plan and monitored until
completed and then validated before its
formally closed.
• Please note that while a single weakness
may be tolerated a cluster of failed
controls within the same domain will
result in a major nonconformity and
potential decertification.
22. Discretionary controls (sample)
labelling of information (A8.2.2)
handling of assets (A8.2.3)
management of removable media (A8.3.1)
disposal of media (A8.3.2)
secure log-on (A9.2.3)
working in secure areas (A11.1.5)
installation of software on operational system (A12.5.1)
information transfer (A13.2.1)
system change control (A14.2.2)
response to information security incidents (A16)
information security continuity (A17.1.2)
intellectual property rights (A18.1.2)
etc…
25. Definition
ISO 19011 define audit as a :
“Systematic process, independent and documented for
obtaining audit evidence and evaluate objectively, in order
to establish to what extent are audit criteria met”.
26. Principles
ethical conduct
professional, fair (unbiased), responsible
fair presentation
presents appropriately (words, gesture, etc), truthful and accurate in findings
due professional care
competence in the field of the audit
independence
free from conflict of interest
evidence–based approach
do not make assumptions, stick to the audit evidence
confidentiality
careful and discreet towards the informations provided by the audit
27. Types of audit
• Internal audits (1st party) sponsored by by the organization with the
aim of improvement of the ISMS.
• External audit (2nd party) audits carried out by an organisation on its
supplier (partners, vendors) using, either internal personnel, or external
entity entrusted with doing it.
• Certification audit (third party) independent from the
organizationwith the aim to release the certificate of conformity with the
requirements taken as a audit criteria (ISO 27001).
33. stage 1 audit
1. Initiation of audit
2. Auditee’s application (self-assessment document)
3. Document review
4. Planning work documents (forms, procedures, etc)
5. Organisation’s unit and processes to be audited
6. Estimation of time
7. Work schedule
34. developing a checklist
1. Appropriately phrased questions
2. Use open questions (avoid yes/no answers)
3. Dig deep
37. stage 2 audit (on-site audit)
1. Opening meeting
2. Collecting information by appropriate sampling
3. Questioning techniques (calm, polite, reassuring)
4. Stick to the plan (time, resource)
5. Documentation (collect evidence, take notes)
6. Control the audit (avoid confrontation and intimidation)
38. Sampling technique
Random Sample = each record in the population has an equal chance of being
selected for inclusion in the sample
e.g. Population = 200 hip replacements
10% random sample= any 20 cases in the population
Stratified Random Sample = Identifying a subset of the population and randomly
sampling that subset.
e.g. Patients aged over 65 with a hip replacement
Population = 200 hip replacements
10% random stratified sample= any 20 cases in the population where the patient is
aged over 65 years
Targeted Sample = Sample includes only a particular section of the population e.g.
Patients aged over 65 with a hip replacement
Population = 200 hip replacements
Targeted sample= All cases in the population where the patient is aged over 65
years
41. audit review
1. Audit team review meeting
2. Listing of audit findings (with evidence, if any)
3. Finding statement
4. Corrective Action Request (CAR) form
5. Classification of CARs (major - minor)
6. Opportunity of improvement
7. Audit conclusion
42. audit findings
1. Non-Conformity (NC) -> non-fulfillment of requirement
(mandatory req = major NC; discretionary req = minor NC)
2. Opportunity of Improvement (OFI) -> non-fulfillment of
controls
3. Observation -> negligence, e.g. one-day of log is missing
43. finding statement
1. clear statement of the finding (NC/OFI)
2. the evidence which the finding is based
3. summary of the requirement (clause/annex)
46. Major CARs
1. Major CARs must be corrected before certification of ISO 27001
can be recommended
2. Minor CARs allows certification to proceed
3. Corrective actions described in CARs usually verified at the
following surveillance visit
4. If not closed, a Minor CARs will be re-classified as Major
5. Audit should be positive and constructive, therefore, effective
corrective action is more important.
48. Reporting & follow-up
1. Conducting a closing meeting (presenting the finding)
2. Reporting on the audit (approval, distribution, retention)
3. Audit follow-up (surveillance visits, revised CARs) will be initiated
by the audit
4. Audit close-out (signing-off all forms)
50. Workshops
A. Audit evidence/audit trails
B. Continual improvement
C. Risk assessment
D. ISMS audit questionnaire
E. Document review
F. Planning the audit
G. Interpretation of the standard
H. Case study