isms internal auditor course.ppt

COMS Vantage - Committed to Systems - Internal ISMS Auditor Course

Post on 29-Nov-2015




ISMS Auditor Course


Slide 1
Have knowledge of concepts of Information & Information Security Management System
Understand the requirements of ISO 27001:2005 in auditing terms
Understand the Risk Assessment Methodology
Plan and conduct an IMS audit
Report the audit
ISO 27001:2005 Requirements
Audit Planning (Audit Schedule & Audit Checklist)
Audit Execution
Audit Closing (Verification of Corrective Actions)
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.
Information that you would not want your competitors to know
Company business plan & strategies
Intelligence (on criminals, hostile nations, etc.)
Security information (risk assessment, network diagram, facilities plans)
Information may need protection through its entire lifecycle including deletion or disposal
Confidentiality – ensuring that information is available only to those with authorised access
Integrity – safeguarding the accuracy and completeness of information and information processing methods & facilities
Availability – ensuring authorised users have access to information when required
In some organizations integrity and/or availability may be more important than confidentiality
Information Security – Why?
In today’s fast-paced, global business environment, access to information is critical to an organisation’s success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.
Lack of integrity
Paper documents:
on desks,
Information Security aims to:
Minimize business damage by preventing and minimizing the impact of security incidents
Reduce the likelihood of a security incident occurring
Prevent information security incidents from occurring
Detect an incident occurring, or its effect
Respond to an event to minimize business damage
Ensure Business Continuity
Maintain stakeholder confidence in the organization
Preserve business position
Ensure business continuity
Managers Must Understand
Poor information security outcomes are commonly the result of poor management and not poor technical controls
Information Security Management System (ISMS) is:
That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
A management process
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks)
(Source: Government of Western Australia: Department of Industry and Technology. (2002).
Pamphlet - Managing Risks in the Internet Economy - An Executive’s Guide. p.5).
- Focus on outcomes
- Outcomes are predictable
Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
Information security is a Management process, more than just IT
ISO 27001 can be used for assessment and certification
Provides guidance on good practice for Information Security Management
Prime objectives:
A common basis for organisations
Confidence in inter-organisational dealings
Defines a set of control objectives, controls and implementation guidance
It cannot be used for assessment and certification
Process approach = identification of processes, their interactions with each other, and the management of these.
PDCA model used in ISO/IEC 27001:2005
Process approach for
Establish ISMS (Plan)
Clause 5 : Management Responsibility
Clause 7 : Management Review of the ISMS
Clause 8 : ISMS Improvement
Establish &
Scope and boundaries
Scope to be described in terms of
Characteristics of the business
Other organisations
ISMS Policy
Statement of management commitment & set out organisation’s approach to managing information security
Definition of information security, objectives & scope
Statement of management intent, supporting goals & principles
Include framework for setting control objectives & controls
Brief explanation of security policies, principles and standards
Compliance with legislative, regulatory & contractual requirements
Security education, training & awareness requirements
Business continuity management
Definition of general & specific responsibilities
References to documentation supporting policy
Communicated throughout the organisation
Define the risk assessment approach of the organization
Identify risks (assets and owners, threats, vulnerabilities, impacts)
Analyse and evaluate the risks
Identify and evaluate options for treatment of risks
Select control objectives & controls for the treatment of risks (select from Annex A)
Obtain management approval of proposed residual risks
Obtain management authorization to implement and operate the ISMS
Prepare a Statement of Applicability
Identify a suitable risk assessment methodology
Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
Ensure that risk assessments produce comparable and reproducible results
Method is decided by organization and audited against its information security scope, boundaries and policy
Risk Assessment Approach
controls) depends on :
Impact on organization of successful exploitation
Assets within the scope of the ISMS (Primary Assets & Supporting Assets)
- Documents /Data
- Physical/ Hardware
Asset owners & Users
Ranking of Assets done based on Asset Value :
A potential cause of an unwanted incident which may result in harm to a system or organization.
e.g. Network failure
A weakness of an asset or group of assets, which can be exploited by a threat.
A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset.
e.g. No system monitoring
Assess the likelihood that a combination of threats and vulnerabilities occurs
Threats and vulnerabilities may be assessed
Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value
*Impact Value is the impact that loss of confidentiality, integrity or availability may have on the asset
Some examples are on the following OH.
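The risk formula above and the treatment loop (apply a control, recompute the residual risk, compare it with the acceptance criterion) worked through as an added example; this is not code from the course, and the 1 to 3 scoring scales, the acceptance threshold of 40 and the register entries are constructed assumptions.

```python
from dataclasses import dataclass, replace

# All scales and the acceptance threshold are constructed assumptions for this
# illustration; the course leaves the actual scales to the organisation (5.1f).
SCALE = range(1, 4)        # each factor scored 1 (low) to 3 (high)
ACCEPTABLE_RISK = 40       # hypothetical management acceptance criterion


@dataclass(frozen=True)
class RiskItem:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    asset_value: int
    threat_value: int
    vulnerability_value: int
    probability: int
    impact_value: int      # impact of loss of C, I or A on the asset

    def __post_init__(self):
        for name in ("asset_value", "threat_value", "vulnerability_value",
                     "probability", "impact_value"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {list(SCALE)}")

    def risk(self) -> int:
        # The course formula: Risk = Asset Value x Threat Value x
        # Vulnerability Value x Probability x Impact Value
        return (self.asset_value * self.threat_value * self.vulnerability_value
                * self.probability * self.impact_value)


def acceptable(item: RiskItem, threshold: int = ACCEPTABLE_RISK) -> bool:
    """Compare the risk against the acceptance criterion set by management."""
    return item.risk() <= threshold


def apply_control(item: RiskItem, control: str, new_vulnerability: int) -> RiskItem:
    """Model a control that lowers the vulnerability value. The returned item's
    risk() is the residual risk that management must approve (4.2.1)."""
    return replace(item, vulnerability=f"{item.vulnerability} [control: {control}]",
                   vulnerability_value=new_vulnerability)


def rank(items):
    """Risk register ordered highest risk first, with the treatment decision."""
    rows = [(i.asset, i.threat, i.risk(), "accept" if acceptable(i) else "treat")
            for i in items]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed register built around the course's own example threat
# ("Network failure") and vulnerability ("No system monitoring").
REGISTER = [
    RiskItem("Customer database", "IT Head", "Network failure",
             "No system monitoring", 3, 2, 3, 2, 3),        # 3*2*3*2*3 = 108
    RiskItem("Facilities plan", "Admin Head", "Disclosure to competitor",
             "Copies left on desks", 2, 2, 2, 1, 2),        # 2*2*2*1*2 = 16
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(row)
    treated = apply_control(REGISTER[0], "24x7 system monitoring", 1)
    print("residual risk:", treated.risk(), "acceptable:", acceptable(treated))
```

Run as a script it lists the register highest risk first and shows the residual risk of the database item dropping to 36 (acceptable) once a monitoring control lowers the vulnerability value to 1.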
Manage and treat risks appropriately within business context:
Apply appropriate controls
Complete Exercise 2 to test understanding of Information Risk Methodology.
11 Control Objectives
39 Sub-Control Objectives
A.5 Security Policy
A.6.1 Internal organization
A.6.2 External parties
A.7 Asset Management
A.9 Physical and Environmental Security
A.9.1 Secure areas
A.9.2 Equipment security
A.10.2 Third party service delivery management
A.10.3 System planning and acceptance
A.10.4 Protection against malicious and mobile code
A.10.5 Back-up
A.11 Access Control
A.11.2 User access management
A.11.6 Application and information access control
A.11.7 Mobile computing and teleworking
A.12 Information systems acquisition, Development and
A.12.2 Correct processing in applications
A.12.3 Cryptographic controls
A.12.5 Security in development and support processes
A.12.6 Technical vulnerability management
A.13 Information Security Incident Management
A.13.1 Reporting information security events and weaknesses
A.13.2 Management of information security incidents and
A.15.2 Compliance with security policies and standards, and technical compliance
An organisation might consider that additional control objectives and controls are necessary
Not all the controls will be relevant to every situation
Consider local environmental or technological constraints
In a form that suits every potential user in an organisation
Review controls already in place
Assess how much controls will reduce risk
Reduced residual risk
Acceptable or unacceptable
Implement more controls
Overview of the Risk Assessment Process
Generally, risk assessment methods and techniques are applied to a complete ISMS or specific information systems and facilities, but they can also be directed to individual system components or services where this is practicable, realistic and helpful. Assessment of risks involves the systematic consideration of the following
• Consequence - the business harm likely to result from a significant breach of information security, taking account of the potential consequences of loss or failure of information confidentiality, integrity and availability;
• Probability - the realistic likelihood of such a breach occurring in the light of prevailing threats, vulnerabilities and controls. The process involves:
• The selection of a method of risk assessment that is suitable for the ISMS, and the identified business information security, legal and regulatory requirements, as well as determining criteria for accepting risks and identifying the acceptable levels of risk.
• Identifying and assessing the risks for the ISMS(s) and the information systems encompassed in the ISMS(s), identifying and evaluating options for the treatment of risk, selecting control objectives and controls to reduce the risks to acceptable levels, and – for certification purposes – producing a Statement of Applicability.
Documented statement describing the control objectives and controls that are relevant and applicable to the organisation’s ISMS.
Contents of Statement of Applicability
Control objectives and controls selected
Reasons for selection
Control objectives and controls currently implemented
Exclusion of any control objectives and controls listed in Annex A, and the justification for their exclusion
The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.
Risk – not justified by risk exposure
Budget – financial constraints
Culture – sociological constraints
N/A – not applicable
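The cross-check the Statement of Applicability is meant to provide (every Annex A control either selected with a reason or excluded with one of the justification categories above) as an added example; this is not the course's own material, the Annex A subset is the one listed in these notes, and the SoA entries are constructed for a hypothetical organisation.

```python
from dataclasses import dataclass

# Annex A control objectives as they appear in the course notes (a subset; a
# real SoA must account for every control objective in Annex A).
ANNEX_A = {
    "A.5": "Security Policy",
    "A.6.1": "Internal organization",
    "A.6.2": "External parties",
    "A.7": "Asset Management",
    "A.9.1": "Secure areas",
    "A.9.2": "Equipment security",
    "A.10.4": "Protection against malicious and mobile code",
    "A.10.5": "Back-up",
    "A.11.7": "Mobile computing and teleworking",
    "A.12.3": "Cryptographic controls",
}

# Exclusion justification categories used in the course
EXCLUSION_REASONS = {"Risk", "Budget", "Culture", "N/A"}


@dataclass
class SoaEntry:
    control: str
    selected: bool
    reason: str               # reason for selection, or an EXCLUSION_REASONS value
    implemented: bool = False


def validate_soa(entries, annex=ANNEX_A):
    """Return a list of problems (empty means the SoA is consistent): every Annex A
    control is selected with a reason or excluded with a recognised justification,
    ids are known and unique, and nothing excluded is claimed as implemented."""
    problems, seen = [], set()
    for e in entries:
        if e.control not in annex:
            problems.append(f"{e.control}: not an Annex A control objective")
        if e.control in seen:
            problems.append(f"{e.control}: listed more than once")
        seen.add(e.control)
        if e.selected and not e.reason.strip():
            problems.append(f"{e.control}: selected without a reason")
        if not e.selected and e.reason not in EXCLUSION_REASONS:
            problems.append(f"{e.control}: exclusion reason {e.reason!r} not in "
                            f"{sorted(EXCLUSION_REASONS)}")
        if not e.selected and e.implemented:
            problems.append(f"{e.control}: excluded but marked implemented")
    # The cross-check: a control that is neither selected nor excluded was omitted
    for cid, title in annex.items():
        if cid not in seen:
            problems.append(f"{cid} ({title}): missing from SoA, neither selected nor excluded")
    return problems


# Constructed SoA for a hypothetical organisation
SOA = [
    SoaEntry("A.5", True, "Policy required by ISO 27001 clause 4.2.1", True),
    SoaEntry("A.6.1", True, "Security roles defined", True),
    SoaEntry("A.6.2", True, "Third party service providers in scope"),
    SoaEntry("A.7", True, "Asset register required for risk assessment", True),
    SoaEntry("A.9.1", True, "Server room access control", True),
    SoaEntry("A.9.2", True, "Equipment in server room", True),
    SoaEntry("A.10.4", True, "Malware risk assessed as unacceptable", True),
    SoaEntry("A.10.5", True, "Availability requirement for customer data"),
    SoaEntry("A.11.7", False, "N/A"),      # no teleworking within the scope
    SoaEntry("A.12.3", False, "Risk"),     # not justified by risk exposure
]
# Same SoA with a badly justified exclusion that is also claimed as implemented
BAD_SOA = SOA[:-1] + [SoaEntry("A.12.3", False, "Too expensive", True)]
```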
Select Control Objectives and Controls for the Treatment of Risks
Select and implement Control Objectives and Controls
To meet requirements identified by risk assessment and risk treatment process
Take into account the criteria for accepting risks (4.2.1c)
Legal, regulatory and contractual requirements
Control objectives & controls selected from Annex A of ISO 27001:2005
Formulate and implement risk treatment plan
Implement controls
Manage operations & resources
Undertake regular reviews of the effectiveness of the ISMS
Measure effectiveness of controls
Review level of residual risk and identified acceptable risk
Conduct Internal ISMS Audits at planned intervals (Clause 6)
Undertake Management Review of the ISMS (Clause 7)
Update security plans
Also covered in Clause 8
Implement the identified improvements in the ISMS
Appropriate corrective and preventive action
Communicate actions and improvements
5.2 Resource management
with company, customers, suppliers/ third party service providers
Understanding and complying with the information security policy and objectives
Understanding security responsibilities
Correct use of company equipment
Correct use of e-mail and the internet
and others
Promptly detect errors
Security activities delegated to people or implemented by information technology are performing as expected
Help detect security events
Prevent security incidents
Determine whether actions taken to resolve a breach of security were effective
ISMS policy and objectives
Measure the effectiveness of controls
Verify security requirements are met
Conduct internal audits at planned intervals
Audit programme planned taking into consideration the status and importance of processes to be audited as well as the result of previous audits
Responsibilities for audit planning, conducting and reporting are defined in the procedure
Auditee is responsible for taking timely corrective action
(at least once a year)
Result from effective measurements
Update Risk Assessment & Risk Treatment Plan
Modification of procedures & controls
Complete the Quiz on ISO 27001 to test your understanding of the standard.
Information Security Manual
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled.
ISO 9000:2005
Data supporting the existence or verity of something – ISO 9000:2005
May be obtained through
Auditors gather information by seeing and hearing.
Statements can be considered as objective evidence when made by those responsible for the activity being audited – admissible statements.
Whenever possible, auditors should gather material or documented support for the statements made.
If found, nonconformities shall be quantified to enable the auditor to communicate the depth of the problem to the auditee.
Audit Purpose
Auditors must make only informed judgements, based on the objective evidence gathered during the audit.
Auditors must not allow their opinions or prejudices to influence decisions.
This concludes module 9.
Due Professional Care
Exercise care according to the confidence placed in them by their clients
Competence is essential
Auditors are independent of the activities being audited and are free from bias or conflict of interest
Conclusions will be objective and based only on audit evidence
Evidence-Based Approach
Audit evidence is based on samples of information
Conclusions are verifiable
Conformity vs. Compliance
Conformity: Fulfillment of a requirement. Nonconformity can lead to suspension or revocation of registration. Voluntary.
Compliance: Fulfillment of legal/statutory requirements. Noncompliance can lead to fines/incarceration. Mandatory.
Audit of a
First Party Audit (Internal Audit) is when an organization audits its management system. It is a cross-functional audit.
Second Party Audit is when a customer audits its supplier (Customer Audit).
Pre-assessment is an audit prior to the main audit. The purpose of the audit is to assess the level of preparation/ status and to identify the gaps which can be completed before the main audit.
Source of information for use by management
Powerful tool for continual improvement through:
Employee involvement
Provides a measurement of effectiveness of the system to management
Reduces risk of system failure
Identifies improvement opportunities
Frequency of audit (as mentioned in procedure)
Processes/ area to be audited
Duration of audit
Qualified internal auditors
Real Estate Dev C & D
1400 - 1700 BPO E & F
Educational Portal G & H
IT K & L
Administration O & P
A Checklist or Aide Memoire is a systematic set of questions/ prompts about the auditee’s IMS system, which enables the auditor to maintain a consistent approach and to ensure that no important points are missed.
A checklist should not be a list of questions to ask the auditee. It is simply a “prompt” for aspects of the system which require review
Keep audit objectives clear
Reduce auditor bias
Tick (√) lists
Checklist may be prepared for your department.
A catalyst
Management instrument
The main role of an auditor is to verify compliance or otherwise with specified requirements.
Particularly with 3rd party audits, the mere fact that an auditor is due to appear on the premises sparks the auditee to ‘tidy-up’
All audit results must be made known to management. Therefore auditors are by default management instruments.
Auditing of any type is a vehicle for communication. The very nature of auditing makes the auditor a major interface with different people/companies.
The ‘consultative’ role that an auditor can undertake is dependent on the type of audit and the terms of reference given to the auditor. A 3rd party auditor is prohibited from giving consultancy, as this could breach confidentiality and negate the independence of the auditing body.
Open minded
Reasoning of nonconformities
Avoid interruptions
Use of body language
Detail, Detail, Detail
Sampling audit
Don’t keep on auditing until problems are found
Sample/ sample frame
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed
May start with asking the auditee to describe the work & discuss with auditee
Probing questions
Closed questions
Questions should be asked like a funnel – starting with open questions and ending with closed questions
Who (does it)
What (is done)
How (is it done)
How often (is it done)
And the seventh friend (for verification):
Show me
Adopt a logical approach
Follow a natural sequence
Use silence appropriately
Strategies and tests
Test records
Training records
Non-conformance records
Work environment
Audit the complete scope
Document / Record numbers and issue/revision levels
Identifiers (Product identification)
Issues which may impact other functions
Notes are evidence of the professionalism of the auditor
Evidence of sample size and observation
Should be legible & retrievable
Record all the evidence in detail
Establish why there is a nonconformity (or otherwise) and who was involved (preferably by job title)
Audit focus must be on conformity and effectiveness, not on finding nonconformities
Therefore, auditors must be competent in –
Reasoning of nonconformities
Discuss concerns freely with auditee. Auditing is an ‘open book’ activity.
The auditee will know more about the system than the auditor, so request their help to gain a better understanding.
Verify with auditee the findings.
Record in the notes all the relevant information.
Remember, it is an audit of the quality management system, not of the people working to it. Only use names when it is clear that personal criticism is not implied.
Good Practices
Ask the right person - the person with the responsibility for what it is you are auditing
Don’t talk down or be rude/ sarcastic
Ensure questions are clear and understood - avoid jargon, use plain and simple language, rephrase the question if not understood.
Do not confuse, ask one question at a time.
Allow time for auditee to answer any questions you ask
Do not take sides, stay impartial, do not jump to conclusions; always look for the evidence
Be polite at all times, regardless of any provocation you may encounter
Specified requirements:
The objective of internal audit is to assess the status of the System from the point of view of adequacy of documents (Intent), compliance and effectiveness.
Nonconformities could arise for two reasons:
- System deficiencies
identifying system deficiencies
Reporting Categories
A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.
Violation or failure to meet a requirement of the standard
Any minor lapse in the system
Care Department
prior to hiring
Major Non-conformity
Complete absence or total breakdown of any clause of the standard(s)
Complete non-compliance of company policy or procedure
Non-compliance of legislative requirement
more than a year.
1. What could go wrong if the nonconformity remains uncorrected?
2. What is the likelihood of such a thing going wrong?
3. How likely is it to be detected if it did go wrong?
A nonconformity with moderate consequences but high probability could be a Major
A nonconformity with serious consequences but with negligible probability could be a Minor
The frequency of the nonconformity is often not enough to evaluate its significance.
Enlist the auditee’s help in answering these two questions.
When specialist knowledge by the auditor is necessary then this can help the evaluation of nonconformities, but the auditee’s help should also be enlisted.
A nonconformity with moderate consequences but high probability could be a major.
A nonconformity with serious consequences but with negligible probability could only be a minor.
Observation or Opportunity for Improvement (OFI)
is a situation where there is a weakness where there is not enough evidence for a nonconformity/issue, but if allowed to remain, could result in a nonconformity/issue
Identify if there is a non-conformance. If yes, identify the ISO 27001:2005 Clause / Control Objective Number.
If no, then state what further action should be taken by the
Nonconformity Statement (1)
Procedure KCL-Pl-15 requires that access to server room is only to 2 System Administrators and the IT Head. If required others could access along with the 3 persons with authorised access and they were to enter in the Entry Log Register.
The auditor entered the server room with the System Administrator, however no entry was made in the Entry Log Register.
Nonconformity to Procedure KCL-15 and ISO 27001:2005 clause A.9.1.5
Nonconformity Statement (2)
Policy for Compliance states that no software, unless provided by corporate IT, must be loaded onto the network without the prior permission of the IT manager
SW department were currently using a new data analysis tool which was sent to them direct from the developers after their agreement to take part in the testing of the new tool in return for a free copy of the finished product.
Aid identification of solutions
Submits report to auditee
Agrees dates for corrective action
Ensures that action is taken effectively
Write the nonconformance report for any nonconformance in Exercise 5
Identifying the nonconformance
Conducting Audit Follow-Up
At the conclusion of the follow up audit, the auditor must make a conclusion as to the completion and effectiveness of the previously proposed corrective actions :
Has the action been taken and has it been effective?
Has the action not been taken or is it incomplete?
Has the action been taken but is ineffective?
Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.