infosec audit lecture_4
TRANSCRIPT
ISMS Audit using ISO 27001:2013Obrina Candra August, 2015
ISMS Audit Using ISO 27001:2013
supported by :
Contents Outline
1. Introduction to Information Security Management Systems (and the ISO 27000 series of standards)
2. Process-based ISMS
3. Audit : definitions, principles and types
4. Audit process (audit plan, preparing for the on-site audit (audit stage 1), developing checklists, conducting the on-site audit (audit stage 2))
5. Audit review
6. Report and follow-up
Introduction to the ISO 27000 series of standards
what is ISO?
ISO, founded in 1947, is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States.
According to ISO, "ISO" is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal",
The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.
what is ISO?• International Organization for Standardization is the world's largest developer and publisher
of International Standards.
• ISO is a network of the national standards institutes of 160 countries, one member per country (ANSI in US, SNI in Indo), with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
• ISO is a non-‐governmental organization that forms a bridge between the public and private sectors.
• ISO and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.
• National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest.
• n the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
• International Standards are drafted in accordance with the rules given in the ISO/IEC Directives.
• The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
27001
27002
27000
27004
27011
27799
Applicability
Telecommunications
Health
Financial services
Inter-sector and Inter organizational
27003 27005
Risk Management
31000
Guide 73
27006
Certification
27007
27008
19011 Guidelines for ISMS auditing
17021
Governance
Measurements
Code of practice
Requirements
Implementation guidance
27001+20000-1
Overview and vocabulary
Requirements for bodies audit and certification
Guidance for auditors on controls - TR
Guidelines for auditing management system
Conformity assessment - ISMS
Vocabulary
Principles and guidelines
27016 Organizational economics
27018
Cloud Computing service
17000
Conformity Assessment – Vocabulary and general principals
31010 Risk assessment techniques 27001
+ industry vertical
27010
27009
27013
27014
27015
Process control system - TR 27019
27017
Data protection control of public cloud computing service
27x Extended Range
ISO/IEC 27001 family of standards last update : 10/2013
Introduction
ISMS are intended to provide organisations with the elements of an effective information security system in order to achieve the best practice in information security and to maintain economic goals.
ISO 27001, ISO 27002 are recognisable standards against which ISMS can be audited and certificated
ISO 27001 (certification)•ISO 27001 specifies how to establish an Information Security Management System (ISMS).
•The adoption of an ISMS is a strategic decision. •The design and implementation of an organization’s ISMS is influenced by its business, its security risks and control requirements, the processes employed and the size and structure of the organization: a simple situation requires a simple ISMS.
•The ISMS will evolve systematically in response to changing risks.
•Compliance with ISO27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
Benefit of ISO 27001 Cert
•Achieve marketing advantage
•Lower cost•Better organization•Comply with legal requirements or regulations
ISO 27002 (non-certification)
• ISO 27002 is a “Code of Practice” recommending a large number of information security controls.
• the standard are generic, high-level statements of business requirements for securing or protecting information assets.
• the standard are meant to be implemented in the context of an ISMS, in order to address risks and satisfy applicable control objectives systematically.
• Compliance with ISO 27002 implies that the organization has adopted a comprehensive, good practice approach to securing information.
a brief history of the 2700x series
27001:2005 Vs 27001:2013
Context'of'the'Organiza0on'
'Leadership'
Planning'
Opera0on'Improvement'
Performance'Evalua0on'
Support'
ISO/IEC'27001:2013'
Management'Responsibility'
'Management'Review'
Establish'ISMS'
Implement'ISMS'
Improve'ISMS'
Monitor'ISMS'
Doc.''Req.'
Internal''Audit'
ISMS''Improve'
ISO/IEC'27001:2005'
Mgmt.'Review'
Structure'simplified'
27001:2005 Vs 27001:2013ISO/IEC 27001:2005
! 132 “shall” statements
(section 4-8)
! Annexure A ! 11 clauses ! 39 categories ! 133 controls
ISO/IEC 27001:2013
! 125 “shall” statements (section 4-10)
! Annexure A ! 14 clauses ! 35 categories ! 114 controls
Number'of'requirements'reduced'
Process-based ISMS
ISO 27001 Structures
• Sections 0 to 3 are introductory and are not mandatory for implementation
• Sections 4 to 10 contains requirements that must be implemented in an organization if it wants to comply
• Annex A contains 114 controls that must be implemented if applicable
Section 0 Introduction
Section 1 Scope
Section 2 Normative references
Section 3 Terms and definitions
Section 4 Context of the organization
Section 5 Leadership
Section 6 Planning
Section 7 Support
Section 8 Operation
Section 9 Performance
evaluation
Section 10 Improvement
Annex A
PDCA Model applied to ISMS Processes
Interested Parties
Interested Parties
Information Security
Requirements & Expectations
Managed Information Security
Establish ISMS
Implement & Operate ISMS
Maintain & Improve ISMS
Monitor & Review ISMS
Plan
Do
Check
Act
Development, Maintenance and
Improvement Cycle
Mandatory controls• The importance of mandatory
clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any single one of the mandatory clauses are not supported by evidence, missing or is deemed ineffective it is considered a major non-conformity. This mean it is reason enough for the auditor not to recommended the organization for certification.
• In the event that the audit is part of the ongoing continuous assessment review the organization could be decertified. Its that important!
• Clauses 4 – 10 require a gap assessment initially to identify the missing mandatory controls. Zero exclusions are permitted and that’s why a Gap Assessment is the best approach.
Mandatory controls (sample)the organization must define the scope of the ISMS (clause 4.3)
top mgmt and managers must show leadership to the ISMS (clause 5.1)
the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be documented and communicated
the mgmt must ensure the responsibilities and authorities for security roles must be assigned & communicated (clause 5.3)
there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3)
there must be an information security objectives that meets the organization’s business goals and risk management process (clause 6.2)
competency needs must be identified, reviewed and managed so that personnel can perform their roles effectively (clause 7.2)
etc…
Discretionary controls• Within Annex A a series of control
objectives have been listed. These control objectives have been designed to address known risks.
• These controls are initially risk assessed during implementation /adoption for fit within each individual organization.
• The risk assessment provides evidence for applicability and /or justification for exclusion. The results are listed within the Statement of Applicability (SoA).
• The SoA is a controlled document that gets included with the Registration Auditors recommendations which the auditor submits to ISO for final gating and approval.
• During the ISMS internal and external audits if a weaknesses is discovered within the controls it will require a corrective action plan and /or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed and then validated before its formally closed.
• Please note that while a single weakness may be tolerated a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
Discretionary controls (sample)labelling of information (A8.2.2)
handling of assets (A8.2.3)
management of removable media (A8.3.1)
disposal of media (A8.3.2)
secure log-on (A9.2.3)
working in secure areas (A11.1.5)
installation of software on operational system (A12.5.1)
information transfer (A13.2.1)
system change control (A14.2.2)
response to information security incidents (A16)
information security continuity (A17.1.2)
intellectual property rights (A18.1.2)
etc…
Audit : definitions, principles and types
My#Life#as#an#Information#Security#Consultant#
Definition
ISO 19011 define audit as a :
“Systematic process, independent and documented for obtaining audit evidence and evaluate objectively, in order to establish to what extent are audit criteria met”.
Principlesethical conduct professional, fair (unbiased), responsible
fair presentation presents appropriately (words, gesture, etc), truthful and accurate in findings
due professional care competence in the field of the audit
independence free from conflict of interest
evidence–based approach do not make assumptions, stick to the audit evidence
confidentiality careful and discreet towards the informations provided by the audit
Types of audit
• Internal audits (1st party) sponsored by by the organization with the aim of improvement of the ISMS.
• External audit (2nd party) audits carried out by an organisation on its supplier (partners, vendors) using, either internal personnel, or external entity entrusted with doing it.
• Certification audit (third party) independent from the organizationwith the aim to release the certificate of conformity with the requirements taken as a audit criteria (ISO 27001).
Audit Process
the big picture
What is happening
What changes
are needed
What should be happening
the medium picture
the process
1. Audit planning
2. Stage 1 audit
3. Stage 2 audit
audit planning
1. define audit objectives
2. define audit scope
3. select audit criteria
4. select sampling method
5. select audit team
6. define observers and guides (if necessary)
7. define resources needed
stage 1 audit
1. Initiation of audit
2. Auditee’s application (self-assessment document)
3. Document review
4. Planning work documents (forms, procedures, etc)
5. Organisation’s unit and processes to be audited
6. Estimation of time
7. Work schedule
developing a checklist
1. Appropriately phrased questions
2. Use open questions (avoid yes/no answers)
3. Dig deep
developing a checklist
developing a checklist
stage 2 audit (on-site audit)
1. Opening meeting
2. Collecting information by appropriate sampling
3. Questioning techniques (calm, polite, reassuring)
4. Stick to the plan (time, resource)
5. Documentation (collect evidence, take notes)
6. Control the audit (avoid confrontation and intimidation)
Sampling techniqueRandom Sample = each record in the population has an equal chance of being selected for inclusion in the sample e.g. Population = 200 hip replacements 10% random sample= any 20 cases in the population
Stratified Random Sample = Identifying a subset of the population and randomly sampling that subset. e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements 10% random stratified sample= any 20 cases in the population where the patient is aged over 65 years
Targeted Sample = Sample includes only a particular section of the population e.g. Patients aged over 65 with a hip replacement Population = 200 hip replacements Targeted sample= All cases in the population where the patient is aged over 65 years
stage 2 audit (on-site audit)
techniques :
1. Questioning - people
2. Observing - process, equipment
3. Documenting - audit finding, evidence
4. Checking - assets
Audit Review
audit review1. Audit team review meeting
2. Listing of audit findings (with evidence, if any)
3. Finding statement
4. Corrective Action Request (CAR) form
5. Classification of CARs (major - minor)
6. Opportunity of improvement
7. Audit conclusion
audit findings
1. Non-Conformity (NC) -> non-fulfillment of requirement (mandatory req = major NC; discretionary req = minor NC)
2. Opportunity of Improvement (OFI) -> non-fulfillment of controls
3. Observation -> negligence, e.g. one-day of log is missing
finding statement
1. clear statement of the finding (NC/OFI)
2. the evidence which the finding is based
3. summary of the requirement (clause/annex)
finding statement
CARs example
Major CARs1. Major CARs must be corrected before certification of ISO 27001
can be recommended
2. Minor CARs allows certification to proceed
3. Corrective actions described in CARs usually verified at the following surveillance visit
4. If not closed, a Minor CARs will be re-classified as Major
5. Audit should be positive and constructive, therefore, effective corrective action is more important.
Report and follow-up
Reporting & follow-up
1. Conducting a closing meeting (presenting the finding)
2. Reporting on the audit (approval, distribution, retention)
3. Audit follow-up (surveillance visits, revised CARs) will be initiated by the audit
4. Audit close-out (signing-off all forms)
that’s all folks..
WorkshopsA. Audit evidence/audit trails
B. Continual improvement
C. Risk assessment
D. ISMS audit questionnaire
E. Document review
F. Planning the audit
G. Interpretation of the standard
H. Case study