SYSTEMS
INTERNAL AUDITOR TRAINING
(based on ISO 27001:2013)
DELEGATE MANUAL
Course Timetable
No   Session Title               Start   Finish
                                 9:00    9:30
                                 9:30    10:00
                                 10:00   10:45
     Tea Break                   10:45   11:00
                                 11:00   12:00
     Exercise 2 - Leadership     12:00   13:00
     LUNCH                       13:00   13:45
                                 13:45   14:15
10   Exercise 3 - Operation      14:15   15:00
11   Tea/Coffee Break            15:00   15:15
12                               15:15   16:00
13                               16:00   17:00
Course Timetable - DAY TWO
No   Session Title               Start   Finish
     Recap on Day 1              09:00   09:30
14   Exercise 05 - Improvement   09:30   10:30
15   Tea/Coffee Break            10:30   10:45
16                               10:45   11:30
17                               11:30   12:00
18                               12:00   13:00
19   LUNCH                       13:00   13:45
20                               13:45   14:45
21                               14:45   15:00
22                               15:00   15:45
23                               15:45   16:00
24   Exam                        16:00   17:00
25   Course Closure              17:00   17:30
Course introduction
Bureau Veritas
Established in 1828
Our Vision
Become the leader in our industry and a major player in each of our market segments and key geographical markets.
Our Mission
Deliver economic value to customers through QHSESA management of their assets, projects, products and systems, resulting in licence to operate, risk reduction and performance improvement.
ISMS Internal Auditor Training course-March 2014
Course introduction
World leader (50% Market Share) for ethical and social certification (SA 8000)
OHSAS 18001
Compliance Audits
EurepGAP
Industry Standards
Social Accountability
Fami-QS
Bio-terrorism
ISO 9001
AS/EN-9100
TL 9000
SA8000
AA1000
Security
Quality
ISO 27001
TAPA
ISO 28000
ISO/TS 16949
Others:
ISO 20000
TickIT
ISO 50001
ISO 31000
Vericert
Course introduction
Course Timing
Day 1 TBD each country
Day 2 TBD each country
Lunch breaks: TBD each Organization
Coffee breaks: mid morning & mid afternoon
Course introduction
House rules
Facilities
Safety rules & evacuation routes
Courtesy
Course introduction
Learning Methods
Evaluation Methods
Continuous Assessment
Tutorials
Discussions
Case study
Formal Examination
Two hours
Course introduction
Learning Objectives (Knowledge):
Chapter 2
Introduction to Information Security Management
BRIEF BACKGROUND
Issues
Globalisation
Global Competition
Global Exposure
Pressures on Business
competition
legislation
liability
fiscal and policy measures
public image
Interested parties
Customers
Consumers
Contractors / subcontractors
Governments
Trade unions
International community
Non-governmental organisations
Local community
Investors
Companies / Retailers
Stored
Transmitted
Destroyed
Processed
Used
Corrupted
Lost
CIA:
CONFIDENTIALITY: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
(ISO/IEC 27000:2014)
Organisations need to achieve a balance between Confidentiality, Integrity and Availability.
Information Security
Definition:
Preservation of confidentiality, integrity and availability of information.
NOTE: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
(ISO/IEC 27000:2014)
What is an ISMS?
Competitive Edge
Profitability
Legal Compliance
Image
Security
Provides an excellent checklist of available controls
Forms a sound basis for your Information Security Policy
Tangible demonstration of appropriate practices
To business clients
To end user customers
To Auditors
To Regulators
Safeguard information assets appropriately
Chapter 3
ISO 27000:2014
ISO 27001:2013 - ISMS Requirements
ISO 27002:2013 - ISMS - Security techniques - Code of practice
ISO 27003:2010 - ISMS Implementation guidance
ISO 27004:2009 - ISMS Measurement
ISO 27005:2011 - ISMS - Risk Management
ISO 27006:2011
ISO 27007:2011 - Auditing Guidelines
ISO 19011:2011 - Auditing Guidelines
Foreword
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annexure A: Reference control objectives and controls
Bibliography
PDCA Cycle
Plan-Do-Check-Act can be applied to the ISMS
Check: Evaluate performance of the ISMS
Chapter 4
Overview of ISO/IEC 27001:2013
system
Internal/External issues and requirements of interested parties to be
5 Leadership
5.1 Leadership and commitment - Provides requirements for Top
policy
Information security policy to be communicated within Organization and
6 Planning
Clause 6.1.1 General
This clause, along with 4.1 and 4.2, provides for how the organisation should address preventive actions through the risk management process.
The first part of this clause (i.e. down to and including 6.1.1 c)) concerns risk assessment, whilst Clause 6.1.1 d) concerns risk treatment.
As the assessment and treatment of information security risk is dealt with in Clauses 6.1.2 and 6.1.3, organizations could use this clause to consider ISMS risks and opportunities.
Possible options for risk treatment have been removed (there were 4 options listed in the earlier version of the standard).
Determination of necessary controls rather than selecting controls from Annex A.
The standard retains use of Annex A as a cross check to make sure no controls have been omitted.
Clause 7 - Support
Clause 7.1 Resources
Clause 8 Operation
This clause deals with the execution of the plans and processes that are the
Deals with the execution of the actions determined in Clauses 6.1 and 6.2 (implementation of plans for achievement of the information security objectives).
Also requires determination and control of outsourced processes.
Clause 9.3 Management review
The requirement for reviews to be held at planned intervals remains, but the requirement to hold the reviews at least once per year has been dropped.
Rather than specify precise inputs, this clause now provides requirements on the topics for consideration during the review.
New inputs for consideration in management reviews include changes in external and internal issues that are relevant to the information security management system.
The required outputs of management reviews are now much more concise: decisions related to continual improvement opportunities and the need for changes to the ISMS.
Clause 10 Improvement
Clause 10.1 Nonconformity and corrective action
Due to the new way of handling preventive action (through clauses 4.1, 4.2 and 6.1), this requirement has been removed from this clause.
Changes in corrective action requirements.
The requirement for continual improvement has been extended to cover the suitability and adequacy of the ISMS as well as its effectiveness, but it no longer specifies how an organization achieves this.
Documented Information
The requirement for documented information is spread through the standard and not summarized under one clause as in 4.3.1 of the 2005 version. The clauses requiring documented information are listed below.
Clause      Documented information
4.3
5.2
6.1.2
6.1.3       Statement of Applicability
6.2
7.5.1 b)
8.1
8.2
8.3
9.1
9.2 g)
9.3
10.1 f)
10.1 g)
Annexure A
The number of controls has been reduced from 133 to 114 and the number
Some controls are identical or very similar to the ones in the 2005 version, some have been merged together, some deleted and a few added.
Annexure A
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Chapter 5
Introduction to audits
What is an Audit?
Systematic, independent and documented process of obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
3 Types of Audits
First Party Audit
Self-audit (client, auditor and auditees are internal)
Objectives of an Audit:
To verify conformance against requirements for certification
To verify conformance to contractual requirements
To verify compliance to legal requirements
To obtain confidence in the process capability in an organisation
To contribute to the improvement of the management system
Identify major issues, if any
Verify top management commitment to system implementation
Responsibilities of Auditors
Responsibilities of Audit Team Leader:
To establish the objectives, scope and extent of the audit programme
To establish the responsibilities & procedures, and ensure resources are provided
Ensure implementation of the audit programme
Monitor, review and improve the audit programme and maintain relevant documentation
Responsibilities of an Auditor:
To plan & organize the work effectively
To conduct audits within the scheduled timeframe
To prioritize and focus on matters of significance
To gather objective evidence through effective interviewing, listening, observing and reviewing documents, records and data
To verify the data against the audit criteria to support audit conclusions
To prepare appropriate, factual and accurate audit reports
To communicate effectively with the auditee
Audit plans
Audit Reports
Non conformity reports
Corrective action reports and audit follow up, if any
Records related to auditors' competence and performance evaluation
Checklists & Process matrix
Desired :
Perceptive
Self Reliant
Open Minded
Tenacious
Decisive
Critical
Diplomatic
Undesired :
Over-conclusive
Indecisive
Aggressive
Argumentative
Susceptible
Inconsiderate
Devious
Principles of auditing
Ethical Conduct: the foundation of professionalism
Fair Presentation: the obligation to report the truth
Due Professional Care: the application of diligence and judgment in auditing
Independence: the basis for impartiality of the audit and objectivity of the audit conclusions
Evidence based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
What is a Nonconformance?
Non-fulfillment of a requirement (ISO/IEC 27000:2014)
(intent)
practice differs from the defined system (implementation)
the practice is not effective (effectiveness)
Nonconformity Report
No set rules; however, the three important elements:
The evidence
Area
Grading: A B C 1 (* delete one)
Note Number .............................
Nonconformity description:
The process for ensuring awareness about the information security policy is not effective.
Evidence:
3 of the 5 persons interviewed in the design department were not aware of the organisation's information security policy.
ISO 27001:2013 clause and requirement:
7.3 a) Persons doing work under the organization's control shall be aware of the information security policy.
Auditor: A. U. Ditor
Sign:
NCR process flow (auditor and auditee steps):
Auditor: Identify, note & communicate
Auditee: Acknowledge & investigate
Auditor and auditee: Agreement
Auditor: Prepare NCR
Auditee: Explain cause / propose corrective action
Auditee: Implement, verify & notify
Auditor: Review effectiveness
Example: Non-conformance and Corrective Action Request Form
Company:                Date:
Auditor:                Auditee:
NCR Number:             Standard & Clause:
Major / Minor
Signed:                 Date:
Correction:             Date:
Signature:              Date:
Verification of Corrective Actions:
Signature:              Date:
Performing an audit
Observations
Keep observing the physical evidence: records; equipment, instruments; conditions, controls
Actual Operations
Communications Postings
Control Points
Awareness Reminders
Operating Logs
Security Breaches
Process Records
Infrastructure
Security Logs
Performing an audit
Auditor Proverb: Seeing is believing
Visit the field! See the 'real world'!!!
risk assessments, statement of applicability, assets register;
vulnerabilities;
maintenance of legal
Performing an audit
Checklists should:
documentation.
evaluation.
sample size).
interviews.
Note physical evidence you expect to see.
Checklists should not:
Obstruct communication.
Be yes/no lists.
Be completely generic.
Performing an audit
Comprehensive
Accurate
Precise
Legible
Performing an audit
Time management
Time is always short
Plan well
Do not allow your audit to get side-tracked
Do not dig too much (beware sampling
Books
IT Governance - An International Guide to Data Security and ISO27001/ISO27002 by Alan Calder and Steve Watkins
Implementing the ISO/IEC 27001 Information Security Management System Standard by Professor Edward Humphreys
How to Achieve 27001 Certification - An Example of Applied Compliance Management by Sigurjon Thor Arnason and Keith D. Willett
Information Security Governance by Krag
Information Security Management Handbook by Hal Tipton
Information Security: Principles and Practice by Mark Stamp
Websites
ISO Standards
www.iso.org
www.iso.org/iso/jtc1_home.html
Certification
www.iaf.nu
www.european-accreditation.org
Training
www.irca.org
www.bureauveritas.com
www.certification.bureauveritas.com
Information Security related organizations
www.isaca.org
www.csrc.nist.gov
www.bcs.org.uk
www.isc2.org