COMS Vantage
Committed to Systems
Learning Objectives
To be able to:
- Have knowledge of the concepts of Information and Information Security Management Systems
- Understand the requirements of ISO 27001:2005 in auditing terms
- Understand the Risk Assessment Methodology
- Plan and conduct an IMS audit
- Report the audit
- Undertake audit follow-up activities
Course Content
DAY 1
- Concepts and Philosophy of the ISMS Framework
- ISO 27001:2005 Requirements
- Concepts and Principles of Auditing
- Audit Planning (Audit Schedule & Audit Checklist)
DAY 2
- Audit Execution
- Audit Reporting (Identification of Non-conformances & Preparing the Non-conformance Report)
- Audit Closing (Verification of Corrective Actions)
- Examination
Course Structure
Information
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.
Types of Information
- Internal: information that you would not want your competitors to know
- Customer/client: information that they would not wish you to divulge
- Shared: information that may be shared with other trading partners/persons
Types of Information
- Company financial data (business performance)
- Company business plan & strategies
- Employee data
- Credit card and bank account numbers
- Passwords
- Designs, patents, technical research
- Bids for contracts, market research, competitive analysis
- Intelligence (on criminals, hostile nations, etc)
- Security information (risk assessment, network diagram, facilities plans)
Information Lifecycle
- Create
- Store
- Distribute (to authorized persons)
- Modify (by authorized persons)
- Archive
- Delete (electronic) or Dispose (paper, disk, etc)
Information may need protection through its entire lifecycle, including deletion or disposal.
Information Security
Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation, and reliability may also be managed.
- Paper documents: on desks, in waste bins, left on photocopiers
- Whiteboards and flipcharts
- Telephone conversations overheard
- Conversations on public transport
- Social engineering
Customer Requirements
Business Requirements
Interested Parties
- IT department
- Line managers
- Senior managers
- Company Boards
- Government
- Business and Trading Partners
- Customers
What is an ISMS?
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks). Implementation must cover:
- Requirements and policies
- Planning the implementation
- Implementation and operations
- Monitoring and reviewing
- Improving the management system
Benefits of an ISMS
- An operational framework for operation
  - Focus on outcomes
  - Outcomes are predictable
- Basis for stakeholder trust
  - The general public
  - Clients and customers
  - Business partners, suppliers, service providers & outsourcers
  - Line management & senior management
ISO/IEC 27001:2005
Information Technology - Security Techniques - Information Security Management Systems - Requirements
Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
ISO/IEC 27002:2005
Information Technology - Security Techniques - Code of practice for information security management
- Provides guidance on good practice for Information Security Management
- Prime objectives:
  - A common basis for organisations
  - Confidence in inter-organisational dealings
- Defines a set of control objectives, controls and implementation guidance
- It cannot be used for assessment and certification
Clauses 4 to 8
- Scope and boundaries
- Policy: objectives, business and legal or regulatory requirements, strategy, criteria, approved by management
ISMS Policy
- Statement of management commitment, setting out the organisation's approach to managing information security
- Definition of information security, objectives & scope
- Statement of management intent, supporting goals & principles
- Includes a framework for setting control objectives & controls
- Brief explanation of security policies, principles and standards
- Compliance with legislative, regulatory & contractual requirements
- Security education, training & awareness requirements
- Business continuity management
- Consequences of information security policy violations
- Definition of general & specific responsibilities
- References to documentation supporting the policy
- Communicated throughout the organisation
- Define the risk assessment approach of the organization
- Identify risks (assets and owners, threats, vulnerabilities, impacts)
- Analyse and evaluate the risks
- Identify and evaluate options for the treatment of risks
- Select control objectives & controls for the treatment of risks (select from Annex A)
- Obtain management approval of the proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a Statement of Applicability
- Identify a suitable risk assessment methodology
- Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
- Ensure that risk assessments produce comparable and reproducible results
- The method is decided by the organization and audited against its information security scope, boundaries and policy
Risk Assessment
Risk (and the decision on which risks to mitigate with controls) depends on:
- Asset value
- Threat
- Vulnerability
- Likelihood and frequency of the threat exploiting the vulnerability
- Impact on the organization of successful exploitation
Asset Value
Asset Value = Confidentiality x Integrity x Availability
Ranking of assets is done based on asset value:
- Low
- Medium
- High
- Critical
A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset, e.g. no system monitoring.
Impact Value: the impact that losses of confidentiality, integrity or availability may have on the assets.
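As an added illustration (not part of the course material), the following Python sketch scores risks from the factors on these slides: asset value = C x I x A ranked Low to Critical, risk from likelihood and impact, and the residual risk after controls checked against an acceptance level for management approval. The 1 to 3 rating scales, the ranking thresholds, the multiplicative risk formula, the acceptance level and the sample register are all assumptions constructed for this example.

```python
# Added example, not from the COMS Vantage course: an illustrative risk-scoring
# routine built from the factors listed on the slides. ASSUMPTIONS: C, I, A,
# likelihood and impact are each rated 1 (low) .. 3 (high); asset value is
# C * I * A as on the slide; ranking thresholds, the multiplicative risk
# formula and the acceptance level are invented for illustration.
from dataclasses import dataclass, field


def asset_value(c: int, i: int, a: int) -> int:
    """Asset Value = Confidentiality x Integrity x Availability (each 1..3)."""
    for v in (c, i, a):
        if not 1 <= v <= 3:
            raise ValueError("CIA ratings must be 1 (low) .. 3 (high)")
    return c * i * a


def asset_rank(value: int) -> str:
    """Bucket an asset value (1..27) into Low / Medium / High / Critical.
    Thresholds are an assumption, not taken from the course."""
    if value >= 18:
        return "Critical"
    if value >= 9:
        return "High"
    if value >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str
    cia: tuple            # (C, I, A) ratings
    threat: str
    vulnerability: str    # condition that lets the threat affect the asset
    likelihood: int       # 1..3: chance the threat exploits the vulnerability
    impact: int           # 1..3: impact on the organisation if it does
    controls: list = field(default_factory=list)  # (name, likelihood reduction)

    def inherent(self) -> int:
        """Risk before treatment: asset value x likelihood x impact (assumed)."""
        return asset_value(*self.cia) * self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after controls reduce the likelihood (floor of 1)."""
        reduced = self.likelihood - sum(r for _, r in self.controls)
        return asset_value(*self.cia) * max(reduced, 1) * self.impact


def risks_needing_approval(risks, acceptable: int):
    """Residual risks above the acceptance criterion either need more controls
    or explicit management approval of the residual risk (4.2.1)."""
    return [r for r in risks if r.residual() > acceptable]


# Constructed sample risk register (threat/vulnerability names echo the slides)
REGISTER = [
    Risk("Customer database", (3, 3, 2), "External attacker",
         "No system monitoring", 3, 3, controls=[("Log monitoring", 1)]),
    Risk("Marketing flyers", (1, 1, 1), "Loss", "Paper left on desks", 2, 1),
    Risk("Network diagram", (3, 2, 1), "Social engineering",
         "Shared over the telephone", 2, 2),
]

if __name__ == "__main__":
    for r in REGISTER:
        av = asset_value(*r.cia)
        print(f"{r.asset}: value {av} ({asset_rank(av)}), "
              f"inherent {r.inherent()}, residual {r.residual()}")
    print("Needs approval:", [r.asset for r in risks_needing_approval(REGISTER, 30)])
```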
Control Objectives and Controls
Annex A: 39 sub-control objectives and 133 controls, grouped under the following clauses:
- A.5 Security Policy
- A.6 Organisation of Information Security
- A.7 Asset Management
- A.8 Human Resources Security
- A.9 Physical and Environmental Security
- A.10 Communications and Operations Management
- A.11 Access Control
- A.12 Information Systems Acquisition, Development and Maintenance
- A.13 Information Security Incident Management
- A.14 Business Continuity Management
- A.15 Compliance
- A.6 Organization of Information Security
  - A.6.1 Internal organization
  - A.6.2 External parties
- A.7 Asset Management
  - A.7.1 Responsibility for assets
  - A.7.2 Information classification
- A.8 Human Resources Security
  - A.8.1 Prior to employment
  - A.8.2 During employment
  - A.8.3 Termination or change of employment
Additional control objectives and controls: the organisation might consider that additional control objectives and controls, beyond those in Annex A, are necessary.
- Not all the controls will be relevant to every situation
- Consider local environmental or technological constraints
- Present them in a form that suits every potential user in the organisation
- Review controls already in place: remove, improve, or implement additional controls
Residual risk
The risk remaining after risk treatment.
- Assess how much the controls will reduce the risk
- Reduced residual risk: acceptable or unacceptable?
  - Implement more controls
  - May have to accept
- Obtain management approval of the proposed residual risk
Statement of Applicability
Definition: a documented statement describing the control objectives and controls that are relevant and applicable to the organisation's ISMS.
Contents of the Statement of Applicability:
- Control objectives and controls selected, and the reasons for their selection
- Control objectives and controls currently implemented
- Any Annex A control objectives and controls excluded, and the justification for their exclusion
The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
Statement of Applicability
Why a control has not been fully implemented:
- Risk: not justified by the risk exposure
- Budget: financial constraints
- Environment: influence on safeguards (climate, space, etc)
- Technology: some measures are not technically feasible
- Culture: sociological constraints
- Time: some requirements cannot be implemented now
- N/A: not applicable
- Others?
Select and implement control objectives and controls:
- To meet the requirements identified by the risk assessment and risk treatment process
- Taking into account the criteria for accepting risks (4.2.1c)
- Legal, regulatory and contractual requirements
- Formulate and implement the risk treatment plan
- Implement controls
- Training and awareness (also covered in clause 5.2.2)
- Manage operations & resources
- Implement procedures
- Execute monitoring and review procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Measure the effectiveness of controls
- Review risk assessments at planned intervals
- Review the level of residual risk and identified acceptable risk
- Conduct internal ISMS audits at planned intervals (Clause 6)
- Undertake management review of the ISMS (Clause 7)
- Update security plans
- Record actions and events
Also covered in Clause 8:
- Implement the identified improvements in the ISMS
- Take appropriate corrective and preventive action
- Communicate actions and improvements
- Ensure improvements achieve their intended objectives
5.2 Resource management
- 5.2.1 Provision of resources
- 5.2.2 Training, awareness and competency: employees, people (outside the scope) interfacing with the company, customers, suppliers/third party service providers
Monitoring of ISMS
Execute monitoring procedures and other controls to:
- Promptly detect errors
- Promptly identify attempted and successful security breaches and incidents
- Confirm that security activities delegated to people or implemented by information technology are performing as expected
- Help detect security events
- Prevent security incidents
- Determine whether actions taken to resolve a breach of security were effective
Monitoring of ISMS
Undertake regular reviews of the effectiveness of the ISMS:
- ISMS policy and objectives
- Security controls
Take into account:
- Security audits
- Incidents
- Effectiveness measurements
- Suggestions and feedback from interested parties
Measure the effectiveness of controls: verify that security requirements are met.
Conduct internal audits at planned intervals.
- The audit programme is planned taking into consideration the status and importance of the processes to be audited, as well as the results of previous audits
- Responsibilities for audit planning, conducting and reporting are defined in a procedure
- The auditee is responsible for taking timely corrective action
Undertake planned reviews of the effectiveness of the ISMS (at least once a year).
Review inputs:
- ISMS policy and objectives
- Audit results
- Suggestions and feedback from interested parties
- Threats and vulnerabilities not adequately addressed
- Results from effectiveness measurements
Review outputs:
- Improvement of the effectiveness of the ISMS
- Update of the Risk Assessment & Risk Treatment Plan
- Modification of procedures & controls
- Resource needs
- Improvements in measuring the effectiveness of controls
Complete the Quiz on ISO 27001 to test your understanding of the standard.
ISMS Documentation
Documentation Structure
- Level I: IMS Manual (Apex Document)
- Level II: Standard Operating Procedures, Policies
- Level III: Checklists, Guidelines etc
- Level IV: Formats, Log-Books, Registers
The lower levels are maintained per department (Dep1 to Dep6).
ISMS Documentation
The ISMS documentation includes:
- Documented statements of the ISMS policy and ISMS objectives
- Information Security Manual
- Information Security Risk Assessment
- Statement of Applicability
- Information Security Policies
- Procedures
- Formats/Logs/Records
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled. (ISO 9000:2005)
Objective Evidence
Data supporting the existence or verity of something. (ISO 9000:2005)
May be obtained through:
- Records
- Observation
- Measurement or test
- Stated or verbal
Can be verified.
Specified Requirements
- Organization system requirements: manuals, policies & procedures
- ISO 27001 standard requirements
- Legal requirements: statutory, regulatory or industry body
Audit Purpose
To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.
Principles of Auditing
- Ethical Conduct: trust, integrity, confidentiality, discretion
- Fair Presentation: audit findings and conclusions are accurate and truthful
- Due Professional Care: exercise care according to the confidence placed in them by their clients; competence is essential
- Independence: auditors are independent of the activities being audited and are free from bias or conflict of interest
- Evidence-Based Approach
Compliance:
- Fulfillment of legal/statutory requirements
- Noncompliance can lead to fines/incarceration
- Mandatory
Types of Audit
- Internal
  - 1st Party: audit of one's own company QMS
- External
  - 2nd Party: audit of a supplier by a customer
  - 3rd Party: audit by an independent body
- Requirement of all management system standards
- Source of information for use by management
- Powerful tool for continual improvement through:
  - Employee involvement
  - Communication
  - Employee awareness, etc.
Benefits of Auditing
- Verifies conformity to requirements
- Increases awareness and understanding
- Provides management with a measurement of the effectiveness of the system
- Reduces the risk of system failure
- Identifies improvement opportunities
- Precipitates the corrective action cycle
- Precipitates the preventive action cycle
Closing
Audit Planning
Audit Schedule
The audit schedule is based on:
- Frequency of audit (as mentioned in the procedure)
- Processes/areas to be audited
- Duration of audit
- Qualified internal auditors
- Audit team to have the applicable technical expertise
- Independence of the audit team (cross-functional audit)
Audit Schedule - 1
(Annual schedule chart: the processes Marketing, IT Technology, System Administration, HR and Administration against the months J F M A M J J A S O N D, with each cell marked P = Planned or A = Additional.)
Audit Schedule - 2
Day 1
- 1000-1300: Software Dev (Auditors A & B), Real Estate Dev (Auditors C & D)
- 1400-1700: BPO (Auditors E & F), Educational Portal (Auditors G & H)
Day 2
- 1000-1300: Executive Search (Auditors I & J), IT (Auditors K & L)
- 1400-1700: HR (Auditors M & N), Administration (Auditors O & P)
Checklists
A checklist or aide-memoire is a systematic set of questions/prompts about the auditee's IMS, which enables the auditor to maintain a consistent approach and to ensure that no important points are missed.
A checklist should not be a list of questions to ask the auditee. It is simply a prompt for aspects of the system which require review.
Checklists
Checklists may be:
- Generic, or
- Tailored
Checklists- Benefits
A well constructed aide-memoire will help to:
- Keep audit objectives clear
- Provide evidence of audit planning
- Maintain audit pace and continuity
- Reduce auditor bias
- Reduce workload during the audit
Checklist Drawbacks
Checklists tend to lose value if they are:
- Company policies and procedures
- Process information
- Customer requirements
- Applicable legal requirements
- Codes of practice
- Management priorities
- Previous incidents and accidents
- Previous audit reports
- Known problems
In your teams, prepare checklist for an ISMS audit. Checklist may be prepared for your department.
Audit Execution
Audit System
Various roles of an auditor:
- A catalyst
- A management instrument
- An interface with suppliers, customers, colleagues
- A consultant (NOT 3rd Party)
Any More?
Auditor Qualification
Auditors must be competent in:
- Reasoning of nonconformities
Managing Communications
- Put the auditee at ease
- Ask questions and listen
- Have the appropriate body language
- Smile and maintain eye contact
- Avoid interruptions
- Avoid sarcastic & condescending remarks
- Give praise and feedback
- Acknowledge and show interest
- Be tactful and polite
- Show patience and understanding
- Thank the auditee on completing the audit
Personality Types
Managing Communications
Listening
Body Language
Resolving Differences
Sampling
Why? Reduces time and costs.
Sample/sample frame:
- Representative
- Random
- Chosen by the auditor
- Permission sought
Audit Execution
The Audit Process: gathering information
Check
Observe
Collecting by appropriate sampling and verifying -> Audit Evidence -> Evaluating against audit criteria -> Audit Findings -> Reviewing -> Audit Conclusions
Sources of Information
- Interviews
- Documents (procedures, instructions, specifications, etc)
- Records
- Data summaries (analysis and performance)
- Reports (customer feedback, supplier ratings)
- Databases
- Observations (of activities and conditions)
Conducting Interviews
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed.
- May start by asking the auditee to describe the work
- Avoid misleading questions
- Listen carefully & make notes
- Summarize the results of the interview & discuss them with the auditee
Questions
- Open questions: encourage the auditee to speak
- Probing questions
- Closed questions
Questions should be asked like a funnel, starting with open questions and ending with closed questions.
Questioning Techniques
- Hypothetical
- Obvious
- Answered
- Repetitive
- Non-verbal
Open Questions
Six friends (to gather information):
- Who (does it)
- What (is done)
- Where (is it done)
- Why (is it done)
- When (does it get done)
- How (is it done; how often is it done)
And the seventh friend (for verification): Show me
- Use appropriate types of question
- Adopt a logical approach
- Follow a natural sequence
- Actively listen to what is being said
- Use silence appropriately
- Seek clarification, where necessary
- Verify responses, where necessary
Documents
- Policy & Objectives
- Plans
- Policies and procedures/instructions
- Specifications/drawings
- Contracts/Orders
- Licenses/permits
Review documents which describe activities, plans, controls, strategies and tests.
Records
Records are evidence of an activity performed:
- Test records
- Training records
- Performance monitoring records
- Audit reports
- Management Review minutes of meetings
- Non-conformance records
- Customer satisfaction records
- Vendor performance evaluation records
Observations
Observations of:
- Activities being performed
- Housekeeping
- Condition of infrastructure and hardware
- Work environment
- The checklist is a servant, not a master
- Audit the complete scope
- If potential audit trails appear, decide: disregard, note for later, or follow up immediately
Notes
Recording the objective evidence:
- Admissible statements (quotes and statements)
- Document/record numbers and issue/revision levels
- Identifiers (product identification)
- Surroundings
- Name of the auditee, or preferably job titles
- Issues which may impact other functions
Mental Notes
Notes
- Notes are evidence of the professionalism of the auditor
- Evidence of sample size and observation
- Should be legible & retrievable
- Shall be an input to the audit report
- May be used for further investigation & subsequent audits
Verify Facts
- Discuss concerns with the auditee
- The auditee may provide correct information
- Record all the evidence in detail
- Establish why it is a nonconformity or otherwise, and who (preferably by job title)
- Audit focus must be on conformity and effectiveness, not on finding nonconformities
Therefore, auditors must be competent in:
- Reasoning of nonconformities
- Evaluating the effectiveness of corrective action
Good Practices
- Ask the right person: the person with the responsibility for what it is you are auditing
- Don't talk down or be rude/sarcastic
- Ensure questions are clear and understood: avoid jargon, use plain and simple language, rephrase the question if it is not understood
- Do not confuse; ask one question at a time
- Allow time for the auditee to answer any questions you ask
- Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence
- Be polite at all times, regardless of any provocation you may encounter
Finger - pointing
Flattery
Audit Reporting
Nonconformity
Non-fulfilment of a requirement. Specified requirements:
- Company policies and procedures
- ISO 27001 standard requirements
- Legal requirements
Nonconformity
The objective of an internal audit is to assess the status of the system from the point of view of adequacy of documents (intent), compliance and effectiveness. Nonconformities can arise for two reasons:
- System deficiencies
- Human slip-ups
Reporting Categories
Categories such as Non-conformance or Noncompliance represent a non-fulfilment of a specified requirement, and for many organisations are given the highest priority when determining corrective actions.
A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.
Minor Non-conformance
- Violation of or failure to meet a requirement of the standard
- Any minor lapse in the system
Examples:
- Training not planned for two employees from the Customer Care Department
- Background verification not done for employees x, y & z prior to hiring
Major Non-conformity
- Complete absence or total breakdown of any clause of the standard(s)
- Complete non-compliance with a company policy or procedure
- Non-compliance with a legislative requirement
- A number of nonconformities leading to system breakdown
Examples:
- Management Review has not been conducted for more than a year
- Information Security Policy not defined
A nonconformity with serious consequences but with negligible probability could be a Minor.
Observation
An Observation or Opportunity for Improvement (OFI) is a situation where there is a weakness for which there is not enough evidence to raise a nonconformity/issue, but which, if allowed to remain, could result in a nonconformity/issue.
- Objective Evidence
- Deficiency Statement
- Reference
- Explanation
Make it concise
Ethos of Auditing
Audit Report
- Date
- Process/Area of Audit
- Auditor(s)
- Auditee
- NCR
- Root cause
- Proposed corrective action
- Corrective action taken
- Verification of effectiveness of corrective action
- Review
Reporting
After the Audit Report is generated, the auditor:
- Submits the report to the auditee
- Gets the auditee to agree on the nonconformance
- Agrees dates for corrective action
- Ensures that action is taken effectively
Audit Closing
Follow-up Action
- Receive NCR
- Identify root cause
- Corrective action plan prepared
- Evaluate response
- Implement plan
- Evaluate effectiveness
- Revise plan if necessary
- Document the changes
- Verify implementation & effectiveness
Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.
Thank You
Working Together For Better Environment.