
Internal ISMS Auditor Course

COMS Vantage

Committed to Systems

Learning Objectives
To be able to:
- Have knowledge of the concepts of Information and Information Security Management Systems
- Understand the requirements of ISO 27001:2005 in auditing terms
- Understand Risk Assessment Methodology
- Plan and conduct an IMS audit
- Report the audit
- Undertake audit follow-up activities

Course Content
DAY 1
- Concepts and Philosophy of ISMS Framework
- ISO 27001:2005 Requirements
- Concepts and Principles of Auditing
- Audit Planning (Audit Schedule & Audit Checklist)

DAY 2
- Audit Execution
- Audit Reporting (Identification of Non-conformances & Preparing Non-conformance Report)
- Audit Closing (Verification of Corrective Actions)
- Examination


Course Structure

- Tutorial sessions
- Practical exercises
- Quiz
- Examination


Concepts and Philosophy of ISMS Framework


Exercise 1 : ISMS Definition

Complete Exercise 1 on definition of ISMS related terms


Information
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.


Types of Information
- Internal: information that you would not want your competitors to know
- Customer/client: information that they would not wish you to divulge
- Shared: information that may be shared with other trading partners/persons


Types of Information

- Company financial data (business performance)
- Company business plan & strategies
- Employee data
- Credit card and bank account numbers
- Passwords
- Designs, patents, technical research
- Bids for contracts, market research, competitive analysis
- Intelligence (on criminals, hostile nations, etc)
- Security information (risk assessment, network diagram, facilities plans)


Information Lifecycle

- Create
- Store
- Distribute (to authorized persons)
- Modify (by authorized persons)
- Archive
- Delete (electronic) or Dispose (paper, disk, etc)

Information may need protection through its entire lifecycle, including deletion or disposal


Information Security
Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation, and reliability may also be managed.


Information Security - a Definition


Information security is the preservation of:
- Confidentiality: ensuring that information is available only to those with authorised access
- Integrity: safeguarding the accuracy and completeness of information and information processing methods & facilities
- Availability: ensuring authorised users have access to information when required

In some organizations integrity and/or availability may be more important than confidentiality

Information Security Why?


In today's fast-paced, global business environment, access to information is critical to an organisation's success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.


Information Security Risks


Some categories of risk:
- Loss
- Corruption
- Theft
- Unauthorized disclosure
- Accidental disclosure
- Unauthorized modification
- Unavailability or denial of service
- Lack of integrity
- Intrusion and subversion of system resources


Non IT Information Security Risks

- Paper documents: on desks, in waste bins, left on photocopiers
- Whiteboards and flipcharts
- Telephone conversations overheard
- Conversations on public transport
- Social engineering


Information Security - Aim


Information Security aims to:
- Minimize business damage by preventing and minimizing the impact of security incidents
- Reduce the likelihood of a security incident occurring
- Prevent information security incidents from occurring
- Detect an incident occurring, or its effect
- Respond to an event to minimize business damage
- Ensure business continuity
- Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved


Business Effects of Information Security

- Maintain stakeholder confidence in the organization
- Preserve business position
- Ensure business continuity


Why Are We Here?


Information security management: the key to confidence and trust for business
- Customer Requirements
- Business Requirements
- Government Laws and Regulations


Interested Parties

- IT department
- Line managers
- Senior managers
- Company Boards
- Government
- Business and Trading Partners
- Customers


Managers Must Understand

Poor information security outcomes are commonly the result of poor management and not poor technical controls


Information Security is Not all about Technology


Chart: IT-dependent versus IT-independent share of three business services. Business Service 1 is 20% IT dependent (80% IT independent), Business Service 2 is 50% IT dependent (50% IT independent), and Business Service 3 is 80% IT dependent (20% IT independent).

(Source: Office of E-Government. (2002). PowerPoint presentation)


Information Security Management System


An Information Security Management System (ISMS) is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

- A management process
- Not a technological process


What is an ISMS
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks). Implementation must cover:
- Requirements and policies
- Planning implementation
- Implementation and operations
- Monitoring and reviewing
- Improving the management system


Information Security Framework

(Source: Government of Western Australia: Department of Industry and Technology. (2002). Pamphlet - Managing Risks in the Internet Economy - An Executive's Guide. p.5).


Benefits of an ISMS

An operational framework for operation
- Focus on outcomes
- Outcomes are predictable

Basis for stakeholder trust
- The general public
- Clients and customers
- Business partners, suppliers, service providers & outsourcers
- Line management & senior management

ISO 27001:2005 Requirements


ISO/IEC 27001:2005
Information Technology - Security Techniques - Information Security Management Systems - Requirements

Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS

Information security is a Management process, more than just IT


ISO 27001 can be used for assessment and certification


ISO/IEC 27002:2005
Information Technology - Security Techniques - Code of practice for information security management
- Provides guidance on good practice for Information Security Management
- Prime objectives: a common basis for organisations; confidence in inter-organisational dealings
- Defines a set of control objectives, controls and implementation guidance
- It cannot be used for assessment and certification


PDCA model & ISMS Processes


Interested parties: information security requirements and expectations (input)
- Plan: Establish the ISMS
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS
Interested parties: managed information security (output)


Clauses within ISO 27001:2005


ISO 27001:2005
- 0 Introduction
- 1 Scope
- 2 Normative references
- 3 Terms & definitions
- Clauses 4 to 8
- Annex A: Control objectives & controls A.5 to A.15
- Annex B: OECD principles
- Annex C: Correspondence between standards


Plan - Do - Check - Act Cycle

PDCA model used in the ISO/IEC 27001: 2005


Process approach for:
- Establish ISMS (Plan)
- Implement and operate ISMS (Do)
- Monitor and review ISMS (Check)
- Maintain and improve ISMS (Act)


ISO 27001:2005, Clauses 4 to 8

Clause 4 : Information Security Management System

Clause 5 : Management Responsibility


Clause 6 : Internal ISMS Audits

Clause 7 : Management Review of the ISMS

Clause 8 : ISMS Improvement

Annex A Controls (A.5 to A.15)

Clause 4 - Information Security Management System


4.1 General Requirements

4.2 Establish & Manage ISMS
- 4.2.1 Establish ISMS
- 4.2.2 Implement & operate ISMS
- 4.2.3 Monitor & review ISMS
- 4.2.4 Maintain & improve ISMS

4.3 Documentation Requirements
- 4.3.1 General
- 4.3.2 Document control
- 4.3.3 Record control


Clause 4.2.1 Establish the ISMS (Plan)

- Scope and boundaries
- Policy: objectives, business and legal or regulatory requirements, strategy, criteria, approved by management


Scope and Boundaries of ISMS


Scope to be described in terms of:
- Characteristics of the business
- Organization
- Location
- Information Assets
- Technology

Boundaries to include interface with:
- Other organisations
- Third party suppliers
- Partners
- Other IT systems

ISMS Policy
- Statement of management commitment, setting out the organisation's approach to managing information security
- Definition of information security, objectives & scope
- Statement of management intent, supporting goals & principles
- Framework for setting control objectives & controls
- Brief explanation of security policies, principles and standards
- Compliance with legislative, regulatory & contractual requirements
- Security education, training & awareness requirements
- Business continuity management
- Consequences of information security policy violations
- Definition of general & specific responsibilities
- References to documentation supporting the policy
- Communicated throughout the organisation


Clause 4.2.1 Establish the ISMS (Plan) (cont)


- Define the risk assessment approach of the organization
- Identify risks (assets and owners, threats, vulnerabilities, impacts)
- Analyse and evaluate the risks
- Identify and evaluate options for treatment of risks
- Select control objectives & controls for the treatment of risks (select from Annex A)
- Obtain management approval of proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a Statement of Applicability

Risk Assessment Approach

- Identify a suitable risk assessment methodology
- Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
- Ensure that risk assessments produce comparable and reproducible results
- The method is decided by the organization and audited against its information security scope, boundaries and policy


Risk Assessment
Risk (and the decision on which risks to mitigate with controls) depends on:
- Asset value
- Threat
- Vulnerability
- Likelihood and frequency of the threat exploiting the vulnerability
- Impact on the organization of successful exploitation


Asset Identification & Classification


Identify:
- Assets within the scope of the ISMS (Primary Assets & Supporting Assets)
  - Documents / Data
  - Physical / Hardware
  - Software
  - People
  - Services (e.g. Lighting, Airconditioning, DG etc)
- Classification: V. Confidential, Confidential, Internal & Public
- Asset owners & Users


Asset Value
Asset Value = Confidentiality x Integrity x Availability

Ranking of Assets is done based on Asset Value: Low, Medium, High, Critical


Identification of Threats and Vulnerabilities


Threat: A potential cause of an unwanted incident which may result in harm to a system or organization. e.g. Network failure

Vulnerability: A weakness of an asset or group of assets, which can be exploited by a threat. A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset. e.g. No system monitoring


Assessment of Threats and Vulnerabilities

Assess the likelihood that a combination of threats and vulnerabilities occurs

Threats and vulnerabilities may be assessed:
- Separately
- Together


Security Risk Calculations


Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value

*Impact Value is Impacts that losses of confidentiality, integrity or availability may have on the assets


Identify and Evaluate options for the Treatment of Risks


Manage and treat risks appropriately within the business context:
- Apply appropriate controls
- Accept risks
- Avoid risk
- Transfer risk


Exercise 2 : Information Risk Assessment

Complete Exercise 2 to test understanding of Information Risk Methodology.


Control Objectives and Controls (Annexure A of ISO 27001:2005)


11 Control Objectives, 39 Sub-Control Objectives, 133 Controls

- A.5 Security Policy
- A.6 Organisation of Information Security
- A.7 Asset Management
- A.8 Human Resources Security
- A.9 Physical and Environmental Security
- A.10 Communications and Operations Management
- A.11 Access Control
- A.12 Information Systems Acquisition, Development and Maintenance
- A.13 Information Security Incident Management
- A.14 Business Continuity Management
- A.15 Compliance

Control Objectives & Controls


(Annexure A of ISO 27001:2005 Standard)

A.5 Security Policy
- A.5.1 Information Security Policy

A.6 Organization of Information Security
- A.6.1 Internal organization
- A.6.2 External parties

A.7 Asset Management
- A.7.1 Responsibility for assets
- A.7.2 Information classification

A.8 Human Resources Security
- A.8.1 Prior to employment
- A.8.2 During employment
- A.8.3 Termination or change of employment


Annexure A of ISO 27001:2005 Standard


A.9 Physical and Environmental Security
- A.9.1 Secure areas
- A.9.2 Equipment security

A.10 Communications and operations management
- A.10.1 Operational procedures and responsibilities
- A.10.2 Third party service delivery management
- A.10.3 System planning and acceptance
- A.10.4 Protection against malicious and mobile code
- A.10.5 Back-up
- A.10.6 Network security management
- A.10.7 Media handling
- A.10.8 Exchange of information
- A.10.9 Electronic commerce services
- A.10.10 Monitoring


Annexure A of ISO 27001:2005 Standard


A.11 Access Control
- A.11.1 Business requirement for access control
- A.11.2 User access management
- A.11.3 User responsibility
- A.11.4 Network access control
- A.11.5 Operating system access control
- A.11.6 Application and information access control
- A.11.7 Mobile computing and teleworking

A.12 Information systems acquisition, Development and Maintenance
- A.12.1 Security requirements of information systems
- A.12.2 Correct processing in applications
- A.12.3 Cryptographic controls
- A.12.4 Security of system files
- A.12.5 Security in development and support processes
- A.12.6 Technical vulnerability management

Annexure A of ISO 27001:2005 Standard


A.13 Information Security Incident Management
- A.13.1 Reporting information security events and weaknesses
- A.13.2 Management of information security incidents and improvements

A.14 Business Continuity Management
- A.14.1 Information security aspects of business continuity management

A.15 Compliance
- A.15.1 Compliance with legal requirements
- A.15.2 Compliance with security policies and standards, and technical compliance
- A.15.3 Information system audit considerations


Selection of Security Controls

- The organisation might consider that additional control objectives and controls, beyond those in Annex A, are necessary
- Not all the controls will be relevant to every situation
- Consider local environmental or technological constraints
- Controls should be in a form that suits every potential user in the organisation
- Review controls already in place: remove, improve, or implement additional controls


Residual risk
The risk remaining after risk treatment
- Assess how much the controls will reduce the risk
- Reduced residual risk: acceptable or unacceptable
- If unacceptable, implement more controls
- May have to accept
- Obtain management approval of the proposed residual risk
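A constructed worked example of the course's risk calculation and residual-risk check, added here (not the course's own material): asset value from C x I x A with the Low/Medium/High/Critical ranking, Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value, and the residual risk after proposed Annex A controls compared with an acceptance threshold. The 1-3 rating scale, the ranking band edges, the acceptance threshold and the way a control lowers a rating are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Assumed rating scale: every factor is rated 1 (low), 2 (medium) or 3 (high).
# The course does not fix a scale; it only requires comparable, reproducible results.
SCALE = (1, 2, 3)


def check_rating(value: int, label: str) -> int:
    """Reject ratings outside the agreed scale so results stay comparable."""
    if value not in SCALE:
        raise ValueError(f"{label} rating {value} is outside the scale {SCALE}")
    return value


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Asset Value = Confidentiality x Integrity x Availability (1..27 on this scale)."""
        return (check_rating(self.confidentiality, "confidentiality")
                * check_rating(self.integrity, "integrity")
                * check_rating(self.availability, "availability"))

    def rank(self) -> str:
        """Low / Medium / High / Critical ranking; the band edges are assumed."""
        v = self.value()
        if v >= 18:
            return "Critical"
        if v >= 8:
            return "High"
        if v >= 4:
            return "Medium"
        return "Low"


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    threat_value: int
    vulnerability_value: int
    probability: int
    impact_value: int   # impact of loss of C, I or A on the asset

    def score(self) -> int:
        """Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value."""
        return (self.asset.value()
                * check_rating(self.threat_value, "threat")
                * check_rating(self.vulnerability_value, "vulnerability")
                * check_rating(self.probability, "probability")
                * check_rating(self.impact_value, "impact"))


@dataclass(frozen=True)
class Control:
    reference: str                 # Annex A reference the control is selected from
    title: str
    reduces_vulnerability: int = 0  # assumed: points removed from the vulnerability rating
    reduces_probability: int = 0    # assumed: points removed from the probability rating


def apply_controls(risk: Risk, controls: list) -> Risk:
    """Model how the selected controls lower the factors; a rating never drops below 1."""
    vuln = risk.vulnerability_value - sum(c.reduces_vulnerability for c in controls)
    prob = risk.probability - sum(c.reduces_probability for c in controls)
    return replace(risk, vulnerability_value=max(1, vuln), probability=max(1, prob))


def treat(risk: Risk, controls: list, acceptance_threshold: int) -> dict:
    """Inherent risk, residual risk after the proposed controls, and the next step
    the risk treatment plan must record (more controls, or management approval)."""
    inherent = risk.score()
    residual = apply_controls(risk, controls).score()
    acceptable = residual <= acceptance_threshold
    return {
        "asset": risk.asset.name,
        "asset_rank": risk.asset.rank(),
        "inherent_risk": inherent,
        "residual_risk": residual,
        "acceptable": acceptable,
        "next_step": ("record residual risk and obtain management approval"
                      if acceptable else
                      "residual risk unacceptable: implement more controls, "
                      "avoid or transfer the risk, or obtain management acceptance"),
    }


# Constructed sample risk-register entry (names and ratings are invented).
CUSTOMER_DB = Asset("Customer database", "Head of IT",
                    confidentiality=3, integrity=3, availability=2)
DB_RISK = Risk(CUSTOMER_DB,
               threat="Unauthorized disclosure",
               vulnerability="No system monitoring",
               threat_value=3, vulnerability_value=3, probability=2, impact_value=3)
PROPOSED = [Control("A.10.10", "Monitoring", reduces_vulnerability=2),
            Control("A.11.4", "Network access control", reduces_probability=1)]

if __name__ == "__main__":
    print(treat(DB_RISK, PROPOSED, acceptance_threshold=100))
```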


Statement of Applicability
Definition: a documented statement describing the control objectives and controls that are relevant and applicable to the organisation's ISMS.

Contents of the Statement of Applicability:
- Control objectives and controls selected
- Reasons for selection
- Control objectives and controls currently implemented
- Exclusion of any control objectives and controls listed in Annex A, and the justification for their exclusion

The Statement of Applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
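A constructed cross-check of a Statement of Applicability against the Annex A control objectives (A.5.1 to A.15.3) listed on the earlier slides, added here as example code rather than course material: it reports control objectives missing from the SoA, exclusions with no justification, and selected controls not yet implemented. The SoA entry layout (selected / reason / implemented) and the sample entries are assumptions.

```python
# Annex A of ISO 27001:2005 at control-objective level, as listed in the course
# (the 133 individual controls sit below these 39 objectives and are not repeated here).
ANNEX_A = {
    "A.5.1": "Information security policy",
    "A.6.1": "Internal organization",
    "A.6.2": "External parties",
    "A.7.1": "Responsibility for assets",
    "A.7.2": "Information classification",
    "A.8.1": "Prior to employment",
    "A.8.2": "During employment",
    "A.8.3": "Termination or change of employment",
    "A.9.1": "Secure areas",
    "A.9.2": "Equipment security",
    "A.10.1": "Operational procedures and responsibilities",
    "A.10.2": "Third party service delivery management",
    "A.10.3": "System planning and acceptance",
    "A.10.4": "Protection against malicious and mobile code",
    "A.10.5": "Back-up",
    "A.10.6": "Network security management",
    "A.10.7": "Media handling",
    "A.10.8": "Exchange of information",
    "A.10.9": "Electronic commerce services",
    "A.10.10": "Monitoring",
    "A.11.1": "Business requirement for access control",
    "A.11.2": "User access management",
    "A.11.3": "User responsibility",
    "A.11.4": "Network access control",
    "A.11.5": "Operating system access control",
    "A.11.6": "Application and information access control",
    "A.11.7": "Mobile computing and teleworking",
    "A.12.1": "Security requirements of information systems",
    "A.12.2": "Correct processing in applications",
    "A.12.3": "Cryptographic controls",
    "A.12.4": "Security of system files",
    "A.12.5": "Security in development and support processes",
    "A.12.6": "Technical vulnerability management",
    "A.13.1": "Reporting information security events and weaknesses",
    "A.13.2": "Management of information security incidents and improvements",
    "A.14.1": "Information security aspects of business continuity management",
    "A.15.1": "Compliance with legal requirements",
    "A.15.2": "Compliance with security policies and standards, and technical compliance",
    "A.15.3": "Information system audit considerations",
}


def check_soa(soa: dict) -> dict:
    """Cross-check an SoA against Annex A.

    soa maps an Annex A reference to an entry dict with the assumed keys
    'selected' (bool), 'reason' (str) and 'implemented' (bool).
    Returns the findings an auditor would raise, keyed by type."""
    findings = {"omitted": [], "unjustified_exclusion": [], "unexplained_selection": [],
                "selected_not_implemented": [], "unknown_reference": []}
    for ref in ANNEX_A:
        entry = soa.get(ref)
        if entry is None:
            findings["omitted"].append(ref)          # inadvertently left out of the SoA
            continue
        if entry.get("selected", False):
            if not entry.get("reason"):
                findings["unexplained_selection"].append(ref)
            if not entry.get("implemented", False):
                findings["selected_not_implemented"].append(ref)
        elif not entry.get("reason"):
            findings["unjustified_exclusion"].append(ref)  # excluded, but no justification
    for ref in soa:
        if ref not in ANNEX_A:
            findings["unknown_reference"].append(ref)    # not an Annex A reference
    return findings


def is_complete(soa: dict) -> bool:
    """True when every Annex A objective is either selected or excluded with a reason."""
    f = check_soa(soa)
    return not f["omitted"] and not f["unjustified_exclusion"]


# Constructed sample SoA: everything selected and in place, with a few deliberate gaps.
SAMPLE_SOA = {ref: {"selected": True, "reason": "Required by risk assessment", "implemented": True}
              for ref in ANNEX_A}
SAMPLE_SOA["A.10.9"] = {"selected": False, "reason": "No electronic commerce services offered"}
SAMPLE_SOA["A.11.7"] = {"selected": False, "reason": ""}   # exclusion with no justification
SAMPLE_SOA["A.12.3"]["implemented"] = False                  # selected but not yet in place
del SAMPLE_SOA["A.14.1"]                                     # inadvertently omitted

if __name__ == "__main__":
    for kind, refs in check_soa(SAMPLE_SOA).items():
        print(f"{kind}: {refs}")
```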


Statement of Applicability
Why a control has not been fully implemented:
- Risk: not justified by the risk exposure
- Budget: financial constraints
- Environment: influence on safeguards, climate, space etc
- Technology: some measures are not technically feasible
- Culture: sociological constraints
- Time: some requirements cannot be implemented now
- N/A: not applicable
- Others?


Select Control Objectives and Controls for the Treatment of Risks

Select and implement Control Objectives and Controls:
- To meet the requirements identified by the risk assessment and risk treatment process
- Taking into account the criteria for accepting risks (4.2.1c)
- Legal, regulatory and contractual requirements

Control objectives & controls are selected from Annex A of ISO 27001:2005



Clause 4.2.2 Implement and operate the ISMS (Do)


- Formulate and implement the risk treatment plan
- Implement controls
- Training and awareness (also covered in clause 5.2.2)
- Manage operations & resources
- Implement procedures


Clause 4.2.3 Monitor and review the ISMS (Check)

- Execute monitoring and review procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Measure the effectiveness of controls
- Review risk assessments at planned intervals
- Review the level of residual risk and identified acceptable risk
- Conduct Internal ISMS Audits at planned intervals (Clause 6)
- Undertake Management Review of the ISMS (Clause 7)
- Update security plans
- Record actions and events

Clause 4.2.4 Maintain and improve the ISMS (Act)

Also covered in Clause 8
- Implement the identified improvements in the ISMS
- Appropriate corrective and preventive action
- Communicate actions and improvements
- Ensure improvements achieve their intended objectives


Clause 5 - Management Responsibility


5.1 Management commitment: Management shall provide evidence of commitment

5.2 Resource management
- 5.2.1 Provision of resources
- 5.2.2 Training, awareness and competency: employees, people (outside scope) interfacing with the company, customers, suppliers/third party service providers


Training and Awareness


Training is to be provided for:
- Understanding and complying with the information security policy and objectives
- Understanding security responsibilities
- What to do regarding:
  - Reporting security incidents, weaknesses
  - Applying virus protection
  - Doing backups
  - Complying with relevant local and international legislation
  - Correct use of company equipment
  - Correct use of e-mail and the internet
  - and others

Monitoring of ISMS
Execute monitoring procedures and other controls to:
- Promptly detect errors
- Promptly identify attempted and successful security breaches and incidents
- Check that security activities delegated to people or implemented by information technology are performing as expected
- Help detect security events
- Prevent security incidents
- Determine whether actions taken to resolve a breach of security were effective


Monitoring of ISMS

Undertake regular reviews of the effectiveness of the ISMS:
- ISMS policy and objectives
- Security controls

Take into account:
- Security audits
- Incidents
- Effectiveness measurements
- Suggestions and feedback from interested parties

Measure the effectiveness of controls to verify that security requirements are met

Clause 6 Internal ISMS Audits

- Conduct internal audits at planned intervals
- The audit programme is planned taking into consideration the status and importance of the processes to be audited as well as the results of previous audits
- Responsibilities for audit planning, conducting and reporting are defined in a procedure
- The auditee is responsible for taking timely corrective action

Clause 7 - Management Review


Undertake planned reviews of the effectiveness of the ISMS (at least once a year)

Review inputs:
- ISMS policy and objectives
- Audit results
- Suggestions and feedback from interested parties
- Threats and vulnerabilities not adequately addressed
- Results from effectiveness measurements

Review outputs:
- Improvement of the effectiveness of the ISMS
- Update of the Risk Assessment & Risk Treatment Plan
- Modification of procedures & controls
- Resource needs
- Improvements in measuring the effectiveness of controls

Clause 8 ISMS Improvements


- Continual Improvement
- Corrective Action
- Preventive Action


Exercise 3: Quiz on ISO 27001:2005

Complete the Quiz on ISO 27001 to test your understanding of the standard.


ISMS Documentation


Documentation Structure
- Level I: IMS MANUAL (Apex Document)
- Level II: STANDARD OPERATING PROCEDURES, POLICIES
- Level III: CHECKLISTS, GUIDELINES ETC.
- Level IV: FORMATS, Log-Books, Registers (department-wise: Dep1, Dep2, Dep3, Dep4, Dep5, Dep6)

ISMS Documentation
The ISMS Documentation includes:
- Documented statements of an ISMS policy and ISMS objectives
- Information Security Manual
- Information Security Risk Assessment
- Statement of Applicability
- Information Security Policies
- Procedures
- Formats / Logs / Records


Concepts & Principles of Auditing


Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled. (ISO 9000:2005)


Objective Evidence

Data supporting the existence or verity of something. (ISO 9000:2005)

May be obtained through:
- Records
- Observation
- Measurement or test
- Stated or verbal

Can be verified

Specified Requirements

- Organization system requirements: manuals, policies & procedures
- ISO 27001 standard requirements
- Legal requirements: statutory, regulatory or industry body


Audit Purpose
To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.


Principles of Auditing
- Ethical Conduct: trust, integrity, confidentiality, discretion
- Fair Presentation: audit findings and conclusions are accurate and truthful
- Due Professional Care: exercise care according to the confidence placed in them by their clients; competence is essential
- Independence: auditors are independent of the activities being audited and are free from bias or conflict of interest
- Evidence-Based Approach: conclusions will be objective and based only on audit evidence; audit evidence is based on samples of information; conclusions are verifiable


Conformity vs. Compliance


Conformity: fulfillment of a requirement
- Voluntary
- Nonconformity can lead to suspension or revocation of registration

Compliance: fulfillment of legal/statutory requirements
- Mandatory
- Noncompliance can lead to fines/incarceration

Types of Audit
Internal
- 1st Party: audit of one's own company QMS

External
- 2nd Party: audit of a supplier by a customer
- 3rd Party: audit by an independent body

Other Types of Audit

- Pre-assessment
- Certification
- Surveillance
- Process
- Product


Reasons for Internal Audits

- Requirement of all management system standards
- Source of information for use by management
- Powerful tool for continual improvement through: employee involvement, communication, employee awareness, etc.


Benefits of Auditing

- Verifies conformity to requirements
- Increases awareness and understanding
- Provides management with a measurement of the effectiveness of the system
- Reduces the risk of system failure
- Identifies improvement opportunities
- Precipitates the corrective action cycle
- Precipitates the preventive action cycle


Audit Process - Overview


Key Stages in the Internal Auditing process (PERC):
- Planning
- Execution
- Reporting
- Closing


Audit Planning & Preparation


Audit Planning

- Audit Schedule
- Audit Checklist


Audit Schedule
The Audit Schedule is based on:
- Frequency of audit (as mentioned in the procedure)
- Processes / areas to be audited
- Duration of audit
- Qualified internal auditors
- Audit team to have the applicable technical expertise
- Independence of the audit team (cross-functional audit)


Audit Schedule-1
Annual audit schedule matrix: one column per month (J F M A M J J A S O N D) against the processes Marketing, IT Technology, System Administration and HR Administration, with each audit marked in its month.

P = Planned, A = Additional


Audit Schedule - 2
Day 1 (1000 - 1300 and 1400 - 1700)
  Process              Auditors
  Software Dev         A & B
  Real Estate Dev      C & D
  BPO                  E & F
  Educational Portal   G & H

Day 2 (1000 - 1300 and 1400 - 1700)
  Process              Auditors
  Executive Search     I & J
  IT                   K & L
  HR                   M & N
  Administration       O & P

cc: To all Department Heads and Auditors


Checklists
A Checklist or Aide Memoire is a systematic set of questions/prompts about the auditee's IMS system, which enables the auditor to maintain a consistent approach and to ensure that no important points are missed.

A checklist should not be a list of questions to ask the auditee. It is simply a prompt for aspects of the system which require review


Checklists
Checklists may be:
- Generic, or
- Tailored


Checklists- Benefits
A well constructed aide memoire will help to:
- Keep audit objectives clear
- Provide evidence of audit planning
- Maintain audit pace and continuity
- Reduce auditor bias
- Reduce workload during the audit


Checklist Drawbacks
Checklists tend to lose value if they are:
- Tick lists
- Questionnaires
- Too focused
- Inflexible

Prepare them as aides-memoire


Checklists Preparation - Inputs


- Company Policies and Procedures
- Process information
- Customer requirements
- Applicable legal requirements
- Codes of practice
- Management priorities
- Previous incidents and accidents
- Previous audit reports
- Known problems


Sample Checklist Format


Process/Deptt:          Auditor/s:          Auditee:          Date:

S.No. | Requirements | Standard Clause No. | Objective Evidence


Exercise 4 : Audit Checklist

In your teams, prepare checklist for an ISMS audit. Checklist may be prepared for your department.


Audit Execution


Audit System

Various roles of an auditor:
- A catalyst
- A management instrument
- An interface with suppliers, customers, colleagues
- A consultant (NOT 3rd Party)


Some Attributes of a Good Auditor


- Ethical
- Open minded
- Diplomatic
- Observant
- Perceptive
- Self-reliant
- Tenacious
- Decisive

Any More?


Auditor Qualification
Auditors must be competent in:
- Reasoning of nonconformities
- Evaluating the effectiveness of corrective action


Managing Communications

- Put the auditee at ease
- Ask questions and listen
- Have the appropriate body language
- Smile and maintain eye contact
- Avoid interruptions
- Avoid sarcastic & condescending remarks
- Give praise and feedback
- Acknowledge and show interest
- Be tactful and polite
- Show patience and understanding
- Thank the auditee on completing the audit

Personality Types

- The "Everything is Absolutely Fine"
- "Stick to the Bare Facts"
- "Detail, Detail, Detail"
- "I Always Have the Right and Best Answer"


Managing Communications

Effective communication:
- Questioning
- Listening
- Body Language


Resolving Differences

- Types of conflict
- Dealing with conflict


Conduct of the Audit

- Meet the auditee
- Explain what you want to see
- Sampling audit
- Investigate to the depth necessary
- No problems found, move on
- Don't keep on auditing until problems are found

Sampling
Why? Reduces time and costs

Sample / sample frame:
- Representative
- Random
- Chosen by the auditor
- Permission sought

Audit Execution
The Audit Process:
- Gathering information
- Validating the findings
- Evaluating the findings


Procedure for Gathering Evidence


- Question
- Check
- Observe

Collecting & Verifying information


Sources of information
-> collecting by appropriate sampling and verifying
-> Audit Evidence
-> evaluating against audit criteria
-> Audit Findings
-> reviewing
-> Audit conclusions


Sources of Information

- Interviews
- Documents (procedures, instructions, specifications, etc)
- Records
- Data Summaries (analysis and performance)
- Reports (customer feedback, supplier ratings)
- Databases
- Observations (of activities and conditions)


Conducting Interviews
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed.

- May start with asking the auditee to describe the work
- Avoid misleading questions
- Listen carefully & make notes
- Summarize the results of the interview & discuss with the auditee

Questions

- Open questions: encourage the auditee to speak
- Probing questions
- Closed questions

Questions should be asked like a funnel, starting with open questions and ending with closed questions


Questioning Techniques

- Hypothetical
- Obvious
- Answered
- Repetitive
- Non-verbal


Open Questions
Six friends (to gather information):
- Who (does it)
- What (is done)
- Where (is it done)
- Why (is it done)
- When (does it get done)
- How (is it done; how often is it done)

And the seventh friend (for verification):
- Show me


7 Tips for Interviewing

1. Use appropriate types of question
2. Adopt a logical approach
3. Follow a natural sequence
4. Actively listen to what is being said
5. Use silence appropriately
6. Seek clarification, where necessary
7. Verify responses, where necessary


Documents

- Policy & objectives
- Plans
- Policies and procedures / instructions
- Specifications / drawings
- Contracts / orders
- Licenses / permits

Review documents which describe activities, plans, controls, strategies and tests.


Records
Records are evidence of an activity performed:
- Test records
- Training records
- Performance monitoring records
- Audit reports
- Management review minutes of meetings
- Non-conformance records
- Customer satisfaction records
- Vendor performance evaluation records

Observations
Observations of:
- Activities being performed
- Housekeeping
- Condition of infrastructure and hardware
- Work environment


Control of the Audit

- The checklist is a servant, not a master
- Audit the complete scope
- If potential audit trails appear, decide: disregard / note for later / follow up immediately
  - Might affect the sample size
  - Might affect the audit programme

Notes
Recording the objective evidence:
- Admissible statements (quotes and statements)
- Document / record numbers and issue / revision levels
- Identifiers (product identification)
- Surroundings
- Name of auditee or, preferably, job title
- Issues which may impact other functions


Mental Notes

- Workload
- Employee behaviour
- Management approach
- Organization culture
- Reactions


Notes

- Notes are evidence of the professionalism of the auditor
- Evidence of sample size and observation
- Should be legible & retrievable
- Shall be an input to the audit report
- May be used for further investigation & subsequent audits


Verify Facts

- Discuss concerns with the auditee
- The auditee may provide correct information
- Record all the evidence in detail
- Establish why it is a nonconformity or otherwise, & who (preferably by job title)
- Audit focus must be on conformity and effectiveness, not on finding nonconformities

Therefore, auditors must be competent in:
- Reasoning of nonconformities
- Evaluating effectiveness of corrective action


Good Practices
- Ask the right person - the person with responsibility for what you are auditing
- Don't talk down or be rude / sarcastic
- Ensure questions are clear and understood - avoid jargon, use plain and simple language, rephrase the question if not understood. Do not confuse; ask one question at a time.
- Allow time for the auditee to answer any questions you ask
- Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence
- Be polite at all times, regardless of any provocation you may encounter


Handling Difficult Situations

- Time wasting
- Discrimination
- Hostility
- Avoidance
- Undermining
- Deception
- Obstruction
- Usurping control
- Finger-pointing
- Flattery


Audit Reporting


Nonconformity

Non-fulfilment of a requirement. Specified requirements:
- Company policies and procedures
- ISO 27001 standard requirements
- Legal requirements


Nonconformity

The objective of internal audit is to assess the status of the system from the point of view of adequacy of documents (intent), compliance and effectiveness. Nonconformities could arise for two reasons:
- System deficiencies
- Human slip-ups

Internal audits should be aimed at identifying system deficiencies.



Reporting Categories
Categories such as Non-conformance or Noncompliance represent a non-fulfilment of a specified requirement, and for many organisations are given the highest priority when determining corrective actions.

A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.


Minor Non-conformance

- Violation of or failure to meet a requirement of the standard
- Any minor lapse in the system

Examples:
- Training not planned for two employees from the Customer Care Department
- Background verification not done for employees x, y & z prior to hiring


Major Non-conformity

- Complete absence or total breakdown of any clause of the standard(s)
- Complete non-compliance with company policy or procedure
- Non-compliance with a legislative requirement
- A number of nonconformities leading to system breakdown

Examples:
- Management review has not been conducted for more than a year
- Information security policy not defined


Consider the Seriousness


Three questions to be answered:
1. What could go wrong if the nonconformity remains uncorrected?
2. What is the likelihood of such a thing going wrong?
3. How likely is it to be detected if it did go wrong?

A nonconformity with moderate consequences but high probability could be a Major.

A nonconformity with serious consequences but with negligible probability could be a Minor.

Observation
An Observation or Opportunity for Improvement (OFI) is a situation where a weakness exists for which there is not enough evidence to raise a nonconformity / issue, but which, if allowed to remain, could result in a nonconformity / issue.


Exercise 5 : Identifying Non-conformances


10 statements were presented by an audit team. Identify whether each is a non-conformance. If yes, identify the ISO 27001:2005 clause / control objective number. If no, state what further action should be taken by the auditor.


Writing Statements of Nonconformity

- Objective evidence
- Deficiency statement
- Reference
- Explanation


Writing Statements of Nonconformity

- Use the auditee's terminology
- Make it retrievable
- Must be factual
- Make it complete
- Make it concise


Nonconformity Statement (1)


Procedure KCL-Pl-15 requires that access to the server room is restricted to 2 System Administrators and the IT Head. If required, others may enter together with one of the 3 persons with authorised access, and such entries are to be recorded in the Entry Log Register. The auditor entered the server room with the System Administrator; however, no entry was made in the Entry Log Register. Nonconformity to Procedure KCL-15 and ISO 27001:2005 clause A.9.1.5.


Nonconformity Statement (2)


The Policy for Compliance states that no software, unless provided by corporate IT, must be loaded onto the network without the prior permission of the IT Manager. The SW department were currently using a new data analysis tool which was sent to them direct from the developers after their agreement to take part in the testing of the new tool in return for a free copy of the finished product. Nonconformity to the Policy for Compliance and ISO 27001, Control 15.1.
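Both statements above rest on objective evidence obtained by reconciling one record against another: the badge-reader trail against the Entry Log Register for the server room, and a software inventory against the list the IT Manager has approved. The following is an added example of those two reconciliation checks, not code from the course or from any organisation it describes; every name, identifier, date and package name in it is constructed, and the authorised-staff and approved-software lists stand in for whatever the procedure and policy actually specify.

```python
from datetime import datetime

# --- Statement (1): escorted server-room entries missing from the register ---

# Constructed: badge holders permitted unescorted access under the procedure.
AUTHORISED_STAFF = {"sysadmin-1", "sysadmin-2", "it-head"}

# Constructed badge-reader export for the server-room door: (timestamp, badge holder).
BADGE_EVENTS = [
    ("2024-03-04T09:12:00", "sysadmin-1"),
    ("2024-03-04T09:12:30", "auditor"),        # escorted in, never written up
    ("2024-03-05T14:00:00", "contractor-a"),   # escorted in and logged
    ("2024-03-05T16:30:00", "it-head"),
]

# Constructed transcription of the Entry Log Register: (date, visitor, escort).
ENTRY_LOG_REGISTER = [
    ("2024-03-05", "contractor-a", "sysadmin-2"),
]


def unlogged_escorted_entries(events, register, authorised):
    """Badge entries by people outside the authorised set that have no
    matching register line for that day. Each hit is objective evidence
    that the logging requirement was not followed on that occasion."""
    logged = {(date, visitor) for date, visitor, _escort in register}
    findings = []
    for ts, person in events:
        if person in authorised:
            continue  # unescorted access is permitted; no register line required
        day = datetime.fromisoformat(ts).date().isoformat()
        if (day, person) not in logged:
            findings.append({"timestamp": ts, "person": person})
    return findings


# --- Statement (2): installed software not on the approved list --------------

# Constructed: packages the IT Manager has approved for the network.
APPROVED_SOFTWARE = {"office-suite", "antivirus", "vpn-client"}

# Constructed software-inventory export: host -> installed packages.
INVENTORY = {
    "ws-sw-01": ["office-suite", "antivirus", "data-analysis-beta"],
    "ws-sw-02": ["office-suite", "antivirus", "vpn-client"],
}


def unapproved_software(inventory, approved):
    """Per host, the installed packages absent from the approved list.
    Hosts with nothing unapproved are omitted from the result."""
    return {host: sorted(set(pkgs) - approved)
            for host, pkgs in inventory.items()
            if set(pkgs) - approved}


if __name__ == "__main__":
    for f in unlogged_escorted_entries(BADGE_EVENTS, ENTRY_LOG_REGISTER, AUTHORISED_STAFF):
        print(f"unlogged entry: {f['person']} at {f['timestamp']}")
    for host, pkgs in unapproved_software(INVENTORY, APPROVED_SOFTWARE).items():
        print(f"{host}: unapproved {', '.join(pkgs)}")
```

The output of either check is only the objective-evidence element of the nonconformity statement; the auditor still writes the deficiency statement and the reference (the procedure or policy clause and the ISO 27001 control) around it, and discusses the finding with the auditee before it is raised.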


Ethos of Auditing

- Positive approach
- Aim to help improve the system
- Don't look for blame
- Aid identification of solutions


Audit Report

- Date
- Process / area of audit
- Auditor(s)
- Auditee
- NCR
- Root cause
- Proposed corrective action
- Corrective action taken
- Verification of effectiveness of corrective action
- Review


Reporting
After the audit report is generated, the auditor:
- Submits the report to the auditee
- Gets the auditee to agree on the nonconformance
- Agrees dates for corrective action
- Ensures that action is taken effectively


Exercise 6 : Nonconformance Report

Write the nonconformance report for any nonconformance in Exercise 5


Audit Closing


Conducting Audit Follow-up


The auditor is responsible for:
- Identifying the nonconformance, and
- Closing the nonconformance


Conducting Audit Follow-Up


At the conclusion of the follow-up audit, the auditor must conclude as to the completion and effectiveness of the previously proposed corrective actions:
- Has the action been taken and has it been effective?
- Has the action not been taken, or is it incomplete?
- Has the action been taken but is ineffective?


Follow-up Action
Step (and who is responsible):
- Auditee: Receives NCR
- Auditee: Identifies root cause
- Auditee: Prepares corrective action plan
- Auditor: Evaluates response
- Auditee: Implements plan
- Auditee: Evaluates effectiveness
- Auditee: Revises plan if necessary
- Auditee: Documents the changes
- Auditor: Verifies implementation & effectiveness

Records are made of all actions taken.


Exercise 7 : Corrective Action

Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.


Thank You
Working Together For Better Environment.
