
INFORMATION SECURITY MANAGEMENT SYSTEMS
INTERNAL AUDITOR TRAINING
(based on ISO 27001:2013)

DELEGATE MANUAL

Course Timetable

Bureau Veritas Certification


ISO 27001:2013 INTERNAL AUDITOR COURSE
COURSE TIMETABLE

DAY ONE

No  Session Title                                        Start  Finish
    Chapter 1 - Course Introduction                      9:00   9:30
    Chapter 2 - Introduction to Information Security     9:30   10:00
    Management
    Exercise 1 - Context of the Organisation             10:00  10:45
    Tea Break                                            10:45  11:00
    Chapter 3 - ISO 27001 Overview                       11:00  12:00
    Exercise 2 - Leadership                              12:00  13:00
    LUNCH                                                13:00  13:45
    Chapter 4 - ISO/IEC 27001:2013 Clauses Review        13:45  14:15
10  Exercise 3 - Operation                               14:15  15:00
11  Tea/Coffee Break                                     15:00  15:15
12  Chapter 5 - Introduction to Audits                   15:15  16:00
13  Exercise 04 - Performance evaluation                 16:00  17:00

Issue: Mar 2014
ISMS Internal Auditor Course

DAY TWO

No  Session Title                                        Start  Finish
    Recap on Day 1                                       09:00  09:30
14  Exercise 05 - Improvement                            09:30  10:30
15  Tea/Coffee Break                                     10:30  10:45
16  Chapter 6 A - NCRs & Corrective actions              10:45  11:30
17  Chapter 6 B - NCRs & Corrective actions              11:30  12:00
18  Chapter 7 - Performing Audits                        12:00  13:00
19  LUNCH                                                13:00  13:45
20  Exercise 06 - Annexure A controls                    13:45  14:45
21  Exercise 07 - ISO 27001 Quiz                         14:45  15:00
22  Exercise 08 - Non Conformity Reports                 15:00  15:45
23  Tea/Coffee Break                                     15:45  16:00
24  Exam                                                 16:00  17:00
25  Course Closure                                       17:00  17:30

Information Security Management System
Internal Auditor Training Course

Chapter 1 - Course Introduction

Course introduction

Bureau Veritas
- Established in 1828
- Offices in 140 countries
- Turnover over 3.9 billion Euros
- 1330 offices incl laboratories
- Over 400 000 customers worldwide
- Over 59 000 employees

Our Vision
Become the leader in our industry and a major player in each of our
market segments and key geographical markets.

Our Mission
Deliver economic value to customers through QHSESA management of
their assets, projects, products and systems, resulting in licence to
operate, risk reduction and performance improvement.

ISMS Internal Auditor Training Course - March 2014

Course introduction

One of the most widely recognised certification bodies in the World
- Global Leadership in Management Systems Certification services
- 6500+ auditors worldwide in 140 countries
- 100,000+ companies certified
- World leader for Environmental Management System (ISO 14001) certification
- World leader (50% Market Share) for ethical and social certification (SA 8000)
- Most widely accredited Certification Body (over 44 International Accreditations)
- Global market leader in accredited training
- Global reach with local expertise
- Common sense and pragmatic audits

Total Bureau Veritas Certification Offer

Scheme areas: Food Safety; Health & Safety; Social Accountability; Security;
Quality; Environment & Energy; Others.

Schemes:
- BRC Global Food Standard
- OHSAS 18001
- IFS International Food Standard
- Compliance Audits
- EurepGAP
- Industry Standards
- Dutch HACCP and Danish HACCP DS 3027
- GMP+ and QS and GMO
- Fami-QS
- Bio-terrorism
- Supply Chain Management / Confidence
- ISO 9001
- AS/EN-9100
- TL 9000
- SA8000
- Global Reporting Initiative (GRI)
- AA1000
- ISO 27001
- TAPA
- ISO 28000
- ISO/TS 16949
- ISO 20000
- Clients Own / Bespoke Auditing
- TICK IT
- Integrated Management Systems
- ISO 14001 / EMAS / ISO 14064
- ISO 50001
- Greenhouse Gas UN CDM / EU ETS
- Forestry - PEFC, FSC
- ISO 31000
- Vericert

And Training services on all the above schemes!!!

Course introduction

Course Timing
- Day 1: TBD each country
- Day 2: TBD each country
- Lunch breaks: TBD each Organization
- Coffee breaks: mid morning & mid afternoon

Course introduction

House rules
- Facilities
- Safety rules & evacuation routes
- Courtesy (mobile phones, pagers, recording devices)
- Local arrangements

Course introduction

Learning Methods
- Tutorials
- Discussions
- Exercises and Workshops
- Case study
- Direct Tutor - Delegate

Evaluation Methods
- Continuous Assessment
- Formal Examination (two hours)

Course introduction

Learning Objectives (Knowledge):
Explain the purpose and business benefits of
- an information security management system,
- information security management systems standards,
- management system audit.

Course introduction

Learning Objective (Skills)
Plan, conduct, report and follow up an audit of an information security
management system to establish conformity (or otherwise) with ISO/IEC 27001
(with ISO/IEC 27002) in accordance with ISO 19011 (and ISO 17021 where
appropriate).

Course introduction

Exercise 1 - Delegate Introduction
Interview in pairs (5 minutes per interview / presentation up to 2 minutes)

Information to be obtained
- Full name, name of organisation for which they work
- Position and role within that organisation
- Career background
- Their knowledge of ISO 27001:2013 ranked from 1 to 10
- Auditing experience - first, second or third party
- Personal objective for attending the course
- Any valuable information allowing successful communication

Records will be used for team allocation

Chapter 2 - Introduction to Information Security Management

BRIEF BACKGROUND

Traditional Stakeholder Concept: Shareholders, Customers, Employees

Issues
- Globalisation
- Global Competition
- Global Exposure

Pressures on Business
- competition
- legislation
- liability
- fiscal and policy measures
- public image

Interested parties
- Customers
- Workers and their communities
- Consumers
- Contractors / subcontractors
- Governments
- Trade unions
- International community
- Non-governmental organisations
- Local community
- Grass-roots organisations (people or society at a local level)
- Investors
- Companies / Retailers
- Monitors / verifiers of codes

So, what is Information?

Information may be:
- Created
- Stored
- Transmitted
- Destroyed
- Processed
- Used
- Corrupted
- Lost

What are the different types of Media in which Information can be Stored,
Processed or Transmitted?

What is Information Security?

CIA:
- CONFIDENTIALITY: property that information is not made available or
  disclosed to unauthorised individuals, entities, or processes
- INTEGRITY: property of accuracy and completeness
- AVAILABILITY: property of being accessible and usable upon demand by an
  authorized entity
(ISO/IEC 27000:2014)

Confidentiality, Integrity, Availability: organisations need to achieve a
balance between the three.

So, what is Information Security?

Information Security
Definition:
Preservation of confidentiality, integrity and availability of information.
NOTE: In addition, other properties, such as authenticity, accountability,
non-repudiation, and reliability can also be involved.
(ISO/IEC 27000:2014)

So, what is an Information Security Management System?

What is an ISMS?

An Information security management system is a systematic approach for
establishing, implementing, operating, monitoring, reviewing, maintaining
and improving an organization's information security to achieve business
objectives.

But what are the benefits?

Benefits of Information Security Management System

Always sell the benefits!!
- Competitive Edge
- Profitability
- Legal Compliance
- Image
- Security
- Provides an excellent checklist of available controls
- Forms a sound basis for your Information Security Policy
- Tangible demonstration of appropriate practices
  - To business clients
  - To end user customers
  - To Auditors
  - To Regulators
- Safeguard information assets appropriately
- Controls driven by risk
  - No under protection
  - No over protection

Chapter 3 - Overview of ISO/IEC 27001:2013

ISO 27000 Family
- ISO 27000:2014 - ISMS - Overview & vocabulary
- ISO 27001:2013 - ISMS Requirements
- ISO 27002:2013 - ISMS - Security techniques - Code of practice
- ISO 27003:2010 - ISMS Implementation guidance
- ISO 27004:2009 - ISMS Measurement
- ISO 27005:2011 - ISMS - Risk Management
- ISO 27006:2011 - ISMS - Requirements for Certification Bodies
- ISO 27007:2011 and ISO 19011:2011 - Auditing Guidelines

Other Information Security Guidelines
- ISO TR 27015: Information Security management guidelines for Financial Services
- ISO/IEC 27032: Cyber security
- ISO/IEC 27033 Series: IT Network Security
- ISO/IEC 27034: Application Security
- ISO/IEC 27035: Security Incident Management
- ISO 27799: Information Security Management in Healthcare Services

ISO/IEC 27001:2013: Information technology - Security techniques -
Information security management systems - Requirements
ISO/IEC 27002:2013: Information technology - Security techniques - Code of
practice for information security controls

History of the standards
- BS 7799 Part One Published - Feb 1995
- BS 7799 Part Two Published - Feb 1998
- BS 7799 Part Two - May 1999 and amended Feb 2001
- BS 7799 Part Two - September 2002
- ISO/IEC 27001 Published - 15th October 2005
- ISO 17799 First Published - Dec 2000
- ISO/IEC 17799 Republished - 16th June 2005
- ISO/IEC 27002:2005 - Published to Replace ISO 17799
- ISO/IEC 27001:2013 Published 1st Oct 2013
- ISO/IEC 27002:2013 Published 1st Oct 2013

High level structure

Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
  4.1 Understanding of the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the Information security management system
  4.4 Information security management system
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organizational roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and planning to achieve them
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
Annexure A: Reference control objective and controls
Bibliography

ISO/IEC 27001:2013: Introduction and scope
- Adoption of an ISMS - a strategic decision
- Objective of the ISMS: preserves the confidentiality, integrity and
  availability of information by applying a risk management process and
  gives confidence to interested parties that risks are adequately managed
- ISMS integration with the organization's processes and overall management
  structure
- Information security is considered in the design of processes, information
  systems, and controls
- Application of Annex SL framework to ISO 27001
- Compatibility with other management system standards
- Covers all types of organisations
- Specifies requirements for establishing, implementing, maintaining and
  continually improving an Information Security Management System
- Exclusion of clauses 4 to 10 not permitted

PDCA Cycle
Plan-Do-Check-Act can be applied to the ISMS
- Plan: Plan the ISMS considering the context of the organisation and using
  a risk based approach
- Do: Operate the ISMS
- Check: Evaluate performance of the ISMS
- Act: Improve the ISMS

A permanent objective of the organisation

Chapter 4 - Overview of ISO/IEC 27001:2013

Clause 4 Context of the organization (New requirement)

4.1 Understanding the organization and its context
Determine external and internal issues that are relevant (this is aligned
with clause 5.3 of ISO 31000:2009)

4.2 Understanding the needs and expectations of interested parties
Identification of requirements of interested parties. These requirements
may include legal & regulatory requirements and contractual obligations.
Eg: Customer, Regulatory (RBI, SEBI), HIPAA, DND

4.3 Determining the scope of the information security management system
Internal/external issues and requirements of interested parties to be
considered while defining the ISMS scope

4.4 Information security management system
Establish, implement, maintain and continually improve the ISMS

5 Leadership
5.1 Leadership and commitment - Provides requirements for top management:
the person or group of people who directs and controls an organization at
the highest level
5.2 Policy - The standard defines the characteristics of the information
security policy. The information security policy is to be communicated
within the organization and be available to interested parties, as
appropriate
5.3 Organizational roles, responsibilities and authorities - Requires top
management to assign information security relevant responsibilities and
authorities, highlighting two particular roles concerning ISMS conformance
to ISO/IEC 27001 and reporting on ISMS performance.

6 Planning
Clause 6.1.1 General
This clause, along with 4.1 and 4.2, provides for how the organisation
should address preventive actions through the risk management process.
The first part of this clause (i.e. down to and including 6.1.1 c)) concerns
risk assessment whilst Clause 6.1.1 d) concerns risk treatment.
As the assessment and treatment of information security risk is dealt with
in Clauses 6.1.2 and 6.1.3, organizations could use this clause to consider
ISMS risks and opportunities.

Clause 6 Planning (contd...)

Clause 6.1.2 Information Security risk assessment
- Aligns with the principles and guidance in ISO 31000
- Identification of assets, threats and vulnerabilities is not a
  pre-requisite to risk identification, thereby widening the choice of risk
  assessment methods that an organisation may use
- In addition to risk acceptance criteria, organisations are also to define
  criteria for performing information security risk assessment
- Clause refers to risk owners rather than asset owners as in the earlier
  version of the standard
- Risk owners to approve the risk treatment plan and residual risks

Clause 6 Planning (contd...)

Clause 6.1.3 Information Security risk treatment
- Possible options for risk treatment have been removed (there were 4
  options listed in the earlier version of the standard)
- Determination of necessary controls rather than selecting controls from
  Annex A
- Standard retains use of Annex A as a cross check to make sure no controls
  have been omitted
- Formulation of the risk treatment plan is now part of this clause
- SOA requirements remain the same
- Risk owners to approve the risk treatment plan and residual risks
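The Annex A cross-check described under clause 6.1.3, carried through on constructed data, as an added example (my own Python, not code from the course manual or from Bureau Veritas). Controls are determined from the risk treatment plan first, then compared with Annex A so that nothing necessary has been omitted, and the Statement of Applicability records every Annex A control as either included (with the risks that rely on it) or justified out. The domain list A.5 to A.18 is the one given in the manual; the handful of control ids and titles are real ISO/IEC 27001:2013 controls quoted from memory and are only a sample, not the full Annex A; the risk treatment plan, the risk owners, the custom control and the exclusion justification are all constructed for illustration.

```python
"""Annex A cross-check and Statement of Applicability (SoA) builder.

Added example, not part of the course material. Assumptions: the Annex A
control subset is a sample of real 2013 controls from memory; the risk
treatment plan, owners, custom control and exclusion are constructed."""

ANNEX_A_DOMAINS = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}

# Sample of Annex A controls (real ids/titles, but deliberately incomplete).
ANNEX_A_CONTROLS = {
    "A.5.1.1": "Policies for information security",
    "A.8.1.1": "Inventory of assets",
    "A.9.1.1": "Access control policy",
    "A.9.4.3": "Password management system",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.4.1": "Event logging",
    "A.16.1.1": "Responsibilities and procedures",
}

# Constructed risk treatment plan. Controls were *determined* per risk, not
# picked from Annex A, so a control outside Annex A (CUST-01) is legitimate.
RISK_TREATMENT_PLAN = [
    {"id": "R1", "risk": "Unauthorised access to HR records", "owner": "HR Head",
     "approved": True, "controls": ["A.9.1.1", "A.9.4.3"]},
    {"id": "R2", "risk": "Admin account misuse goes undetected", "owner": "IT Ops Lead",
     "approved": True, "controls": ["A.12.4.1", "CUST-01"]},
    {"id": "R3", "risk": "Security incidents not reported", "owner": "CISO",
     "approved": False, "controls": ["A.16.1.1"]},
]
CUSTOM_CONTROLS = {"CUST-01": "Quarterly privileged-account review (constructed)"}

# Annex A controls deliberately left out must carry a justification in the SoA.
EXCLUSIONS = {"A.10.1.1": "No cryptography is used within the ISMS scope"}


def determined_controls(plan):
    """Map control id -> list of risk ids whose treatment relies on it."""
    used = {}
    for risk in plan:
        for ctl in risk["controls"]:
            used.setdefault(ctl, []).append(risk["id"])
    return used


def build_soa(plan, exclusions):
    """One SoA row per Annex A control, plus any custom controls in use."""
    used = determined_controls(plan)
    soa = {}
    for cid, title in ANNEX_A_CONTROLS.items():
        domain = ".".join(cid.split(".")[:2])          # "A.9.1.1" -> "A.9"
        soa[cid] = {"title": title, "domain": ANNEX_A_DOMAINS[domain],
                    "applicable": cid in used, "risks": used.get(cid, []),
                    "justification": exclusions.get(cid, "")}
    for cid, title in CUSTOM_CONTROLS.items():
        soa[cid] = {"title": title, "domain": "custom", "applicable": True,
                    "risks": used.get(cid, []), "justification": ""}
    return soa


def annex_a_gaps(soa):
    """The cross-check: Annex A controls neither determined nor justified out."""
    return sorted(cid for cid, row in soa.items()
                  if row["domain"] != "custom"
                  and not row["applicable"] and not row["justification"])


def unapproved_risks(plan):
    """Clause 6.1.3 also needs the risk owner's approval of the plan."""
    return [r["id"] for r in plan if not r["approved"]]


if __name__ == "__main__":
    soa = build_soa(RISK_TREATMENT_PLAN, EXCLUSIONS)
    for cid, row in soa.items():
        print(f"{cid:9} applicable={row['applicable']!s:5} risks={row['risks']} "
              f"{row['justification']}")
    print("Annex A gaps needing a decision:", annex_a_gaps(soa))
    print("Risks still awaiting owner approval:", unapproved_risks(RISK_TREATMENT_PLAN))
```

Each gap reported is an Annex A control with neither a risk behind it nor a written exclusion; an auditor would expect the organisation to either determine it as necessary or record why it is not, which is exactly what the slide means by "cross check to make sure no controls have been omitted".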

Clause 6 Planning (contd...)

Clause 6.2 Information Security objectives and planning to achieve them
- Requirements have been substantially elaborated
- Objectives to be established at relevant functions and levels
- Properties of objectives and planning activities for achieving objectives
  are specified

Clause 7 - Support

Clause 7.1 Resources
- Similar to clause 5.2.1 of the earlier standard
- Requires resources to be determined and provided at all stages of the
  Information security management system

Clause 7.2 Competence
- Though requirements are reworded, similar to clause 5.2.2 of the earlier
  standard
- A note added identifies actions that may be taken to acquire the necessary
  competence

Clause 7.3 Awareness
- Specifies the requirement of awareness of the Information security policy,
  contribution to the effectiveness of the ISMS and implications of NOT
  conforming with ISMS requirements

Clause 7 Support (contd...)

Clause 7.4 Communication
- New requirement addressing internal and external communication relevant
  to the ISMS, including what to communicate, when, with whom, who shall
  communicate and the process of communication

Clause 7.5 Documented information
- "Documented information" is a new term that replaces documents and records
- These requirements relate to the creation and updating of documented
  information and to their control. The requirements are similar to their
  counterparts in ISO/IEC 27001:2005 for the control of documents and for
  the control of records.
- The requirements for documented information are presented in the clause
  to which they refer. They are not summarized in a clause of their own, as
  they are in ISO/IEC 27001:2005

Clause 8 Operation
This clause deals with the execution of the plans and processes that are the
subject of previous clauses.

Clause 8.1 Operational planning and control
- Deals with the execution of the actions determined in Clauses 6.1 and 6.2
  (implementation of plans for achievement of the information security
  objectives)
- Also requires determination and control of outsourced processes

Clause 8.2 Information security risk assessment
- Deals with the performance of information security risk assessments at
  planned intervals, or when significant changes are proposed or occur
- Similar to clause 4.2.3 d) of ISO/IEC 27001:2005
- Also note the reference to clause 6.1.2 regarding criteria for performing
  information security risk assessments

Clause 8.3 Information security risk treatment
- Deals with implementation of the risk treatment plan

Clause 9 Performance evaluation

Clause 9.1 Monitoring, measurement, analysis and evaluation
- Determine what information is needed to evaluate the information security
  performance and effectiveness of the ISMS
- Based on this, determine what to measure and monitor, when, who and how
- Only monitor and measure if it supports the requirement to evaluate
  information security performance and ISMS effectiveness.
- Similar to the requirement on measuring effectiveness of controls in the
  2005 version, but much more elaborate in scope and activities to be
  performed

Clause 9.2 Internal audit
- This clause is similar to its counterpart in ISO/IEC 27001:2005. However,
  the requirement holding management responsible for ensuring that audit
  actions are taken without undue delay has been removed
- The requirement that auditors shall not audit their own work has also been
  removed, as it is covered by the requirement to ensure objectivity and
  impartiality (Clause 9.2 e)).

Clause 9 Performance evaluation (contd...)

Clause 9.3 Management review
- The requirement for reviews to be held at planned intervals remains, but
  the requirement to hold the reviews at least once per year has been
  dropped.
- Rather than specify precise inputs, this clause now provides requirements
  on the topics for consideration during the review.
- New inputs for consideration in management reviews include
  - changes in external and internal issues that are relevant to information
    security management
  - information security performance, including trends in NCRs/corrective
    actions, monitoring & measurement results, audit results and fulfilment
    of security objectives
  - results of risk assessment and status of the risk treatment plan
- The outputs of management reviews are now much more concise: they address
  decisions related to continual improvement opportunities and the need for
  changes to the ISMS

Clause 10 Improvement

Clause 10.1 Nonconformity and corrective action
- Due to the new way of handling preventive action (through clauses 4.1, 4.2
  and 6.1), this requirement has been removed from this clause
- Changes in corrective action requirements:
  - react to nonconformities and take action, as applicable, to control and
    correct the nonconformity and deal with the consequences
  - determine whether similar nonconformities exist or could potentially
    occur
  - corrective actions shall be appropriate to the effects of the
    nonconformities encountered.

Clause 10.2 Continual improvement
- The requirement for continual improvement has been extended to cover the
  suitability and adequacy of the ISMS as well as its effectiveness, but it
  no longer specifies how an organization achieves this.

Documented Information
The requirement for documented information is spread through the standard and
not summarized under one clause as in 4.3.1 of the 2005 version. These are
listed below.

Clause     Documented information
4.3        Scope of the ISMS
5.2        Information security policy
6.1.2      Information security risk assessment process
6.1.3      Information security risk treatment process
6.2        Statement of Applicability
7.5.1 b)   Documented information determined by the organization as being
           necessary for the effectiveness of the ISMS
8.1        Operational planning and control
8.2        Results of the information security risk assessments
8.3        Results of the information security risk treatment

Documented Information (contd...)

Clause     Documented information
9.1        Evidence of the monitoring and measurement results
9.2 g)     Evidence of the audit programme(s) and the audit results
9.3        Evidence of the results of management reviews
10.1 f)    Evidence of the nature of the nonconformities and any subsequent
           actions taken
10.1 g)    Evidence of the results of any corrective action

Annexure A
- The number of controls has been reduced from 133 to 114 and the number of
  control categories (domains) has been increased from 11 to 14 (from A5 to
  A18)
- Some controls are identical or very similar to those in the 2005 version,
  some have been merged together, some deleted and a few added

Annexure A
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

Chapter 5 - Introduction to audits

What is an Audit Process?

What is an Audit?
Systematic, independent and documented process of obtaining audit evidence
and evaluating it objectively to determine the extent to which audit
criteria are fulfilled

3 Types of Audits
- First Party Audit: self-audit (client, auditor and auditees are internal)
- Second Party Audit: audit by an interested body (like a customer)
- Third Party Audit: audit by an independent body (certification/registration
  body)

Objectives
Objectives of an Audit:
- To verify conformance against requirements for certification
- To verify conformance to contractual requirements
- To verify compliance to legal requirements
- To obtain confidence in the process capability in an organisation
- To contribute to the improvement of the management system
- Identify major issues, if any
- Verify top management commitment to system implementation

Factors influencing the audits

Factors influencing the coverage of an audit:
1. Scope of the management systems, objective, duration and frequency of the
   audit
2. The volume, importance, complexity, similarity and locations of the
   activities to be audited
3. Results of the previous audits, status and importance of the activity
4. Language, cultural & social issues
5. Significant changes to an organization or its operations

Responsibilities of Auditors

Responsibilities of Audit Team Leader
- To establish the objectives, scope and extent of the audit programme
- To establish the responsibilities & procedures, and ensure resources are
  provided
- Ensure implementation of the audit programme
- Monitor, review and improve the audit programme and maintain relevant
  documentation.

Resources for the Audit Programme:
- Financial and human resources (auditors), technical experts
- Processes to achieve and maintain the competence of auditors and improve
  their performance

Responsibilities of auditors

Responsibilities of an Auditor:
- To plan & organize the work effectively
- To conduct audits within the scheduled timeframe
- To prioritize and focus on matters of significance
- To gather objective evidence through effective interviewing, listening,
  observing and reviewing documents, records and data
- To verify the data against the audit criteria to support audit conclusions
- To prepare appropriate, factual and accurate audit reports
- To communicate effectively with the auditee

Audit procedures & records

Audit Programme Procedures:
- Planning and scheduling audits
- Selection of audit team, team leader and appropriate technical / process
  experts
- Conducting audits and audit follow up
- Monitoring the performance and effectiveness of the audit programme
- Completion of the audit programme
- Maintaining audit records

Audit records:
- Audit plans
- Audit reports
- Non conformity reports
- Corrective action reports and audit follow up, if any
- Records related to auditors' competence and performance evaluation
- Checklists & process matrix

Personal Attributes of an Auditor

Desired:
- Ethical
- Perceptive
- Self reliant
- Open minded
- Tenacious
- Decisive
- Diplomatic

Undesired:
- Critical
- Over-conclusive
- Indecisive
- Aggressive
- Argumentative
- Susceptible
- Inconsiderate
- Devious

Competence & evaluation of Auditors

Knowledge & Skills:
- Application of management systems to different organizations
- General business processes and related terminology
- Applicable laws, regulations
- Management principles, tools and their applications
- Processes and products including services; technical characteristics, and
  sector specific processes and practices

Principles of auditing
- Ethical conduct: the foundation of professionalism
- Fair presentation: the obligation to report the truth
- Due professional care: the application of diligence and judgment in
  auditing
- Independence: the basis for impartiality of the audit and objectivity of
  the audit conclusions
- Evidence based approach: the rational method for reaching reliable and
  reproducible audit conclusions in a systematic audit process

Chapter 6 A - NCRs and Corrective Actions

Non-conformity reports and Corrective actions

What is a Nonconformance?
ISO/IEC 27000:2014: non-fulfillment of a requirement

Objective evidence exists showing that:
- a requirement has not been addressed (intent)
- practice differs from the defined system (implementation)
- the practice is not effective (effectiveness)

Non-conformity reports and Corrective actions

Communicating Findings of Nonconformance
- Do not view non-conformance in a negative way. This is NOT like a speeding
  fine. It is NOT a punishment.
- Uncovering a non-conformance is a previously undiscovered opportunity for
  improvement.
- Be positive, be professional, be precise.

Non-conformity reports and Corrective actions

Nonconformity Report
No set rules; however, the three important elements are:
- The nonconformity description
- The evidence
- The requirement of the standard

Different organizations have different formats.
Use the format chosen by your client or firm.

Non-conformity reports and Corrective actions

A Nonconformance Must Also Be...
- Factual
- Precise
- Objective
- Traceable
- Concise

Will someone else be able to trace back and find the same evidence you
found, based on what you wrote?

Non-conformity reports and Corrective actions

Examples of Objective Evidence
- Factual evidence of differences between documented and implemented
  procedures
- Factual evidence of differences between procedures and working practices
- Lack of evidence to support implementation of various standard clauses
- Lack of evidence to show continuous implementation of various parts of the
  system

Non-conformity reports and Corrective actions

NONCONFORMITY REPORT (example)

Incident Number: ....................    Note Number: .............................
Company under Audit: XYZ plc             Area: ABC1         Grading: 1
Area under review: Design department
Category: MAJOR* / MINOR*   (* delete one)

Nonconformity description:
The process for ensuring awareness about the Information security policy is
not effective

Evidence:
3 of the 5 persons interviewed in the design department were not aware of
the organisation's information security policy

ISO 27001:2013 clause and requirement:
7.3 a) Persons doing work under the organization's control shall be aware of
the information security policy

Auditor: A. U. Ditor                     Sign:

Non-conformity reports and Corrective actions

A word of Caution
- Be cautious, do not be over conclusive!
- Don't judge on face value!
- Make sure you have complete evidence!
- Make sure your evidence is objective!
- When in doubt, investigate!
- Identify the leads for further investigation.

Chapter 6 B - NCRs and Corrective Actions

Non-conformity reports and Corrective actions

Corrective Action
Action to eliminate the cause of a nonconformity and to prevent recurrence

Effective Corrective Action
Don't cure symptoms only! Hit the cause!!

Non-conformity reports and Corrective actions

NCR handling between auditor and auditee:
1. Auditor: identify, note & communicate the nonconformity
2. Auditor: prepare the NCR
3. Auditee: acknowledge & investigate
4. Auditor and auditee: agreement on the nonconformity
5. Auditee: explain cause / propose corrective action
6. Auditor and auditee: agreement on the corrective action
7. Auditee: implement, verify & notify
8. Auditor: review effectiveness
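A small model of the nonconformity report and of the auditor/auditee corrective action cycle described in this chapter, as an added example (my own Python, not code from the course manual or from Bureau Veritas). It serves two passages: the "Nonconformity Report" slide, whose three required elements and traceability question become a completeness check, and the auditor/auditee workflow above, which becomes a state machine where only the right party can move an NCR to the next step and a proposal that merely cures the symptom can be sent back. The field names, state names and actor roles are my own; the sample NCR content is constructed from the design-department example in the manual.

```python
"""Nonconformity report (NCR) checks and the corrective action cycle.

Added example, not part of the course material. State names, field names
and actor roles are assumptions; the sample NCR is constructed from the
manual's design-department example."""
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("description", "evidence", "clause")  # the three NCR elements
CATEGORIES = ("MAJOR", "MINOR")


@dataclass
class NCR:
    description: str              # what does not conform
    evidence: str                 # objective evidence another auditor could trace
    clause: str                   # standard clause and requirement text
    category: str                 # MAJOR or MINOR
    area: str = ""                # where the evidence was found
    state: str = "raised"         # auditor has identified, noted and communicated it
    history: list = field(default_factory=list)


def check_ncr(ncr: NCR) -> list:
    """Return the reasons an NCR would be rejected as incomplete or untraceable."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not getattr(ncr, name).strip():
            problems.append(f"missing {name}")
    if ncr.category not in CATEGORIES:
        problems.append("category must be MAJOR or MINOR")
    if not ncr.area.strip():
        problems.append("area under review not recorded")
    # Traceability heuristic (an assumption of this example): evidence should
    # quantify what was sampled ("3 of the 5 persons"), not just assert failure.
    if not any(ch.isdigit() for ch in ncr.evidence):
        problems.append("evidence gives no sample size or count")
    return problems


# Corrective action cycle as drawn in the auditor/auditee diagram:
# state -> (who acts next, states they may move it to)
TRANSITIONS = {
    "raised":         ("auditee", {"acknowledged"}),            # acknowledge & investigate
    "acknowledged":   ("auditee", {"cause_proposed"}),          # explain cause / propose action
    "cause_proposed": ("auditor", {"agreed", "acknowledged"}),  # agree, or send back for rework
    "agreed":         ("auditee", {"implemented"}),             # implement, verify & notify
    "implemented":    ("auditor", {"closed", "agreed"}),        # review effectiveness
    "closed":         (None, set()),
}


def can_advance(ncr: NCR, actor: str, new_state: str) -> bool:
    expected_actor, allowed = TRANSITIONS[ncr.state]
    return actor == expected_actor and new_state in allowed


def advance(ncr: NCR, actor: str, new_state: str) -> NCR:
    """Move the NCR one step, recording who did it; refuse out-of-turn moves."""
    if not can_advance(ncr, actor, new_state):
        raise ValueError(f"{actor} cannot move NCR from {ncr.state} to {new_state}")
    ncr.history.append((actor, ncr.state, new_state))
    ncr.state = new_state
    return ncr


def example_ncr() -> NCR:
    """The manual's worked NCR, as constructed sample data."""
    return NCR(
        description="The process for ensuring awareness about the information "
                    "security policy is not effective",
        evidence="3 of the 5 persons interviewed in the design department were "
                 "not aware of the organisation's information security policy",
        clause="7.3 a) Persons doing work under the organization's control shall "
               "be aware of the information security policy",
        category="MINOR",
        area="Design department",
    )


def run_cycle() -> NCR:
    """Walk one NCR through the full cycle, including one proposal sent back."""
    ncr = example_ncr()
    assert check_ncr(ncr) == []                 # complete and traceable before it is raised
    advance(ncr, "auditee", "acknowledged")
    advance(ncr, "auditee", "cause_proposed")   # first proposal: "re-brief the 3 people"
    advance(ncr, "auditor", "acknowledged")     # symptom only, no cause: sent back
    advance(ncr, "auditee", "cause_proposed")   # induction process lacks the policy briefing
    advance(ncr, "auditor", "agreed")
    advance(ncr, "auditee", "implemented")
    advance(ncr, "auditor", "closed")           # effectiveness reviewed
    return ncr


if __name__ == "__main__":
    done = run_cycle()
    for actor, old, new in done.history:
        print(f"{actor:8} {old:15} -> {new}")
    print("final state:", done.state)
```

The send-back transition is the point of the model: the chapter's rule "don't cure symptoms only, hit the cause" is enforced by letting the auditor return a proposal to the acknowledged state instead of agreeing to it, and the history list is the audit trail of who did what.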

Non-conformity reports and Corrective actions

Corrective Action Request

Example: Non-conformance and Corrective Action Request Form

Company:                              Date:
Auditor:                              NCR Number:
Auditee:                              Standard & Clause:
Major: [ ]   Minor: [ ]

Auditor's Report of non-conformance:
Signed:                               Date:

Correction:

Cause & Proposed Corrective Action:
Proposed Completion Date:             Signature:            Date:

Verification of Corrective Actions:
Signature:                            Date:

Review of effectiveness of Corrective Actions:
Signature:                            Date:

Note the area for review of effectiveness of corrective actions. What should
be entered here? By whom?

Chapter 7 - Performing an audit

Performing an audit

How do auditors find evidence?
• Reviewing documents
• Looking at records
• Interviewing people at all levels
• Observing practices and physical environment

NOTE: Can/should the auditor cover all people, documents and records during the audit?

Performing an audit

Observations
Keep observing the physical evidence:
• records
• equipment, instruments
• conditions, controls

Observation - What to Look for
• Posted Procedures
• Structure & Organization
• Actual Operations
• Communications Postings
• Control Points
• Awareness Reminders
• Operating Logs
• Security Breaches
• Process Records
• Infrastructure
• Security Logs

Performing an audit

Auditor Proverb: Seeing is believing
Visit the field! See the 'real world'!!!

What to see:
• risk assessments, statement of applicability, asset register;
• risk treatment plans;
• records systems;
• access control systems;
• identification of threats, vulnerabilities;
• maintenance of legal compliance, controls and control objectives.

What to do:
• talk to people in the field - if you can hear them!;
• watch the processes as and where they happen;
• check what is happening and verify the documented version of events;
• ask what the controls are and how the control objectives are being met.

Keen observation is one of the keys to a successful audit.

Performing an audit

• Check planning of the ISMS
• Check operation of the ISMS
• Check performance evaluation of the ISMS
• Check improvement of the ISMS

Performing an audit

Why Prepare a Checklist before an Audit?
• to assist memory
• to ensure all issues and control points are covered
• to ensure depth & continuity of the audit
• to help in time management
• to organise note taking
• it forms part of the audit report

Performing an audit

Checklists should:
• Be specific for a given ISMS.
• Be prepared using ISMS documentation.
• Be clear about evaluation criteria.
• Note documents to review.
• Identify records to sample (and sample size).
• Identify key people to interview.
• Include some key questions for interviews.
• Note physical evidence you expect to see.

Checklists should NOT:
• Narrow the vision or limit evaluation.
• Obstruct communication.
• Be too strict or constraining.
• Be a script of exact questions.
• Restrict the auditor's inquiry.
• Be yes/no lists.
• Be completely generic.

Performing an audit

Follow Audit Trails
As you audit you will find interesting opportunities for follow-up (audit trails).
Pick promising audit trails:
• Follow them through
• Interact with the team

Auditing ISMS related legislation

• Auditors are to be abreast of ISMS related legislation applicable to the organisation being audited.
• Some examples:
  • Data Privacy
  • Copyrights and Patents
  • Data Protection
  • Electronic commerce
  • Computer misuse
  • Electronic signatures
• Identification of legislation
• Approach to complying with legislation
• Demonstration of compliance with legislation
• Updates to legislation

Interview Top Management

Obtain evidence of leadership and commitment
• Observe attendance and interest in opening, closing and feedback meetings
• Review documents:
  • Information Security policy
  • Security Objectives
  • Management review records
• Interview members of top management:
  • Do they know their system?
  • Do they monitor, analyse data, draw conclusions, define actions?
• Interview personnel at other levels:
  • Do they understand what top management is trying to communicate?

Performing an audit

Always take notes
• Explain the need to take notes to the auditee
• Make your notes:
  • Comprehensive
  • Accurate
  • Precise
  • Legible

Performing an audit

Time management
• Time is always short
• Plan well
• Do not allow your audit to get side-tracked
• Do not dig too much (beware of false audit trails)
• Do not focus on trivia
• Remember an audit is a sampling exercise

ISMS Auditor/ Lead Auditor Training Course

List of useful References

Related to Information Security Management System

Standards and guidelines
ISO/IEC 27000:2014  Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
ISO/IEC 27001:2013  Information technology -- Security techniques -- Information security management systems -- Requirements
ISO/IEC 27002:2013  Information technology -- Security techniques -- Code of practice for information security management
ISO/IEC 27003:2010  Information technology -- Security techniques -- Information security management system implementation guidance
ISO/IEC 27004:2009  Information technology -- Security techniques -- Information security management -- Measurement
ISO/IEC 27005:2011  Information technology -- Security techniques -- Information security risk management
ISO/IEC 27006:2011  Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2011  Information technology -- Security techniques -- Guidelines for information security management systems auditing
ISO/IEC TR 27008:2011  Information technology -- Security techniques -- Guidelines for auditors on information security controls
ISO/IEC 27010:2012  Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications
ISO/IEC 27013:2012  Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Issue: March 2014

ISMS Auditor/Lead Auditor Training Course (A17207)

ISO/IEC 27011:2008  Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC TR 27015:2012  Information technology -- Security techniques -- Information security management guidelines for financial services
ISO/IEC 27032:2012  Information technology -- Security techniques -- Guidelines for cybersecurity
ISO/IEC 27033-1:2009  Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts
ISO/IEC 27033-2:2012  Information technology -- Security techniques -- Network security -- Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-3:2010  Information technology -- Security techniques -- Network security -- Part 3: Reference networking scenarios -- Threats, design techniques and control issues
ISO/IEC 27034-1:2011  Information technology -- Security techniques -- Application security -- Part 1: Overview and concepts
ISO/IEC 27035:2011  Information technology -- Security techniques -- Information security incident management
ISO 27799:2008  Health informatics -- Information security management in health using ISO/IEC 27002
ISO 19011:2011  Guidelines for auditing management systems

Books
IT Governance - An International Guide to Data Security and ISO27001/ISO27002, by Alan Calder and Steve Watkins
Implementing the ISO/IEC 27001 Information Security Management System Standard, by Professor Edward Humphreys
How to Achieve 27001 Certification - An Example of Applied Compliance Management, by Sigurjon Thor Arnason and Keith D. Willett
Information Security Governance, by Krag
Information Security Management Handbook, by Hal Tipton
Information Security: Principles and Practice, by Mark Stamp

Websites
ISO Standards
  www.iso.org
  www.iso.org/iso/jtc1_home.html
Certification
  www.iaf.nu
  www.european-accreditation.org
Training
  www.irca.org
  www.bureauveritas.com
  www.certification.bureauveritas.com
Information Security related organizations
  www.isaca.org
  www.csrc.nist.gov
  www.bcs.org.uk
  www.isc2.org