
Information Security Training

ISMS Auditor/Lead Auditor Training Course ISO 27001

Instructor Guide

Version 4.3.1
Copyright 2011, ITpreneurs Nederland B.V. All rights reserved.


ITpreneurs Nederland B.V. is affiliated to Veridion.



The information contained in this classroom material is subject to change without notice.
This material contains proprietary information that is protected by copyright.
No part of this material may be photocopied, reproduced, or translated to another language
without the prior consent of ITpreneurs Nederland B.V.

Copyright 2011 by ITpreneurs Nederland B.V. All rights reserved.

This training material is sold subject to the condition that it, or any part of it, shall not by way of trade or otherwise, be sold, lent, re-sold, displayed, advertised or otherwise circulated, without the publisher's prior written consent, in any form of binding, cover or title other than that in which it is published and without a similar condition including this condition being imposed on the subsequent purchaser(s).

Version 4.3.1

Training materials are based on PECB's Training Provider and Examiner Certification Scheme. Documents provided to participants are strictly reserved for training purposes and are copyrighted by ITpreneurs. ITpreneurs Nederland B.V. is affiliated to Veridion. Unless otherwise specified, no part of this publication may be, without ITpreneurs' written permission, reproduced or used in any way or format or by any means, whether electronic or mechanical, including photocopy and microfilm.



Contents

MODULE 1: INTRODUCTION TO INFORMATION SECURITY AND ISO/IEC 27001:2005 1
Course Agenda 3
Section 1: Course Objective and Structure 4
1. Meet and greet 5
2. General points 6
3. Training objectives and structure 7
4. Instructional approach 9
5. What is PECB? 14
Section 2: Standard and Regulatory Framework 21
1. ISO structure 22
2. Fundamental ISO principles 23
3. Information Security Standards 27
4. ISO 27000 family 32
5. ISO 27001 Advantages 42
6. Legal and regulatory conformity 44
7. Conformity framework - United States 45
8. Conformity framework - Europe 47
Section 3: Certification Process 52
1. Certification process 53
2. Certification schema 55
3. Accreditation authority 56
4. Certification body 58
5. Personnel Certification body 60
Section 4: Fundamental Principles in Information Security 62
1. Asset 63
2. Information security 64
3. Vulnerability 68
4. Threat 70
5. Risk 71
6. Confidentiality, integrity and availability 72
7. Security objectives and controls 77
8. Control environment 80
Section 5: Information Security Management System (ISMS) 91
1. Definition of an ISMS 92
2. Process approach 94
3. ISMS implementation 104
4. Overview Clauses 4 to 8 111
5. Mandatory controls 122

MODULE 2: AUDIT RULES, PREPARATION AND LAUNCHING OF AN AUDIT 129
Course Agenda 131
Section 6: Fundamental Audit Concepts and Principles 134
1. What is an audit? 135
2. The actors 141
3. Audit criteria 142
4. Audit types 144
5. Audit objectives 145
7. Responsibility of auditors 164
8. Ways to reinforce ethics 165
Section 7: The approach based on evidence and risk 170
1. Evidence Based Approach 171
2. Type of audit evidence 173
3. Quality of an audit evidence 181
4. Risk Based Audit Approach 186
5. Materiality dimension of an information system 187
6. Reasonable assurance 191
Section 8: Preparation of the audit 193
1. The audit team 194
2. Defining the audit objectives 196
3. Defining the scope 197
4. Determining the feasibility of the audit 201
5. Engagement letter 207
6. Initial contact 209
7. Auditing a small organization 210
Section 9: Stage 1 Audit 213
1. Objectives of stage 1 audit 214
2. Stage 1 audit steps 216
3. Audit activities of stage 1 217
4. Documents review 218
5. Evaluation criteria of documents 219
6. Type of documents 224
7. Documents mandatory to be audited 225
8. Stage 1 audit report 229
Section 10: Preparing and initiating stage 2 audit (on-site audit) 233
1. Stage 2 audit objectives 234
2. Preparing the audit plan 236
3. Assigning the auditors 238
4. Using technical experts 239
5. Preparing the work documents 240
6. Using a control list 241
7. Conducting the opening meeting 244

MODULE 3: ON-SITE AUDIT ACTIVITIES 253
Course Agenda 255
Section 11: Communication during the audit 258
1. Behaviour during on-site visits 259
2. Communication during the audit 260
3. Team meetings 263
4. Observer and guide roles 264
5. Conflict management 266
6. Cultural aspects of the audit 269
7. Communication with management 271
Section 12: Audit procedures 278
1. Information gathering 279
2. Observation 284
3. Documentation review 287
4. Interview 288
5. Analysis 301
6. Technical verification 314
7. Audit Procedure 318
Section 13: Audit test plan creation 322
1. Creating audit test plans 323
2. Audit test plan examples 326
Section 14: Writing conclusions and nonconformity reports 335
1. Drafting audit findings 336
2. Nonconformity definition 338
3. Major nonconformity 339
4. Minor nonconformity 342
5. Anomaly 345
6. Observation 346
7. Documenting a nonconformity 347
8. Benefit of the doubt 349

MODULE 4: CLOSING THE AUDIT 355
Course Agenda 357
Section 15: Documentation of audit and quality review 361
1. Work documents 362
2. Audit records 365
3. Quality review 366
4. Documentation of quality review 370
5. Review of findings and preparation of audit conclusions 372
Section 16: Closing an audit 374
1. Certification recommendation 375
2. Discussion with management 381
3. Closing meeting 383
4. Audit report 388
5. Drafting recommendations for improvement 390
6. Certification decision 393
7. Content of the certificate 396
Section 17: Follow-up audit 399
1. Follow-up audit 400
2. Submission of action plans 401
3. Content of action plans 402
4. Evaluation of action plans 403
5. Alternatives to follow-up audits 405
Section 18: Follow-ups to Initial audit 409
1. Surveillance activities 410
2. Surveillance audit 413
3. Recertification audit 415
4. Extending the scope 417
5. Transferring a certificate 418
6. Suspending a certificate 419
7. Using the ISO trademark 421
Section 19: Managing an audit program 424
1. Audit program 425
2. Audit resources 426
3. Creating audit tools 427
4. Audit procedures 428
5. Records of the audit program 429
6. Follow-up and review 438
7. Managing combined audits 439
Section 20: The competence and evaluation of auditors 442
1. Competencies of auditors 443
2. Career Path 454
3. Audit register 455
4. Continuous improvement of competencies 457
5. Evaluation of auditors 458
Section 21: Closing the training 461
1. Evaluation of training 462
2. Preparing for the examination 463

APPENDIX A: CASE STUDY 465
APPENDIX B: EXERCISES LIST N/A
APPENDIX C: CORRECTION KEY 487
APPENDIX D: RELEASE NOTE 501
INSTRUCTOR FEEDBACK FORM 505
Instructor | Introduction to Information Security and ISO/IEC 27001:2005

Course Agenda

Day 1
Module 1: Introduction to Information Security and ISO/IEC 27001:2005

Section  Name  Start  End  Total Time (in hours)
1  Course Objectives and Structure  8:30  9:00  0:30
2  Standard and Regulatory Framework  9:00  10:30  1:30
3  Certification Process  10:30  11:00  0:30
4  Fundamental Principles of Information Security  11:00  12:00  1:00
   Lunch  12:00  1:00  1:00
4  Fundamental Principles of Information Security (Contd.)  1:00  2:30  1:30
5  Information Security Management System (ISMS)  2:30  5:30  3:00
   Total Time  9:00
Copyright 2011, ITpreneurs Nederland B.V. All rights reserved. 3


ISO 27001 | Lead Auditor

Section 1: Course Objective and Structure

1. Meet and greet
2. General points
3. Training objectives and structure
4. Instructional approach
5. What is PECB?


Meet and greet

1. Meet and greet

To break the ice, participants introduce themselves stating:
- Name
- Current position
- Previous positions
- Knowledge of and experience with ISO/IEC 27001:2005
- Knowledge of and experience with audit
- Objectives to be reached by participating in this course

Duration of activity: 20 minutes


General Information

Smoking; meals; timetable and breaks; mobiles; absences.

2. General points

For simplification, only the masculine is used throughout this training.


Training Objectives

Knowledge
1. Explain the components of an Information Security Management System based on ISO/IEC 27001:2005 and its principal processes.
2. Explain the goal, content and correlation between ISO/IEC 27001:2005 and ISO/IEC 27002:2005, as well as with other standards and regulatory frameworks.
3. Explain an auditor's role: plan, lead and follow up an ISMS audit in accordance with ISO 19011:2009.

3. Training objectives and structure

This training is focused on the acquisition of knowledge related to audit techniques applied to information security, and not on the acquisition of expertise in information security. Minimal knowledge of information security is however required for successful completion of the course.

To obtain more in-depth knowledge of the management of information security, it is recommended that you take the course ISO/IEC 27001:2005 Implementation.

At the end of the course, participants will have acquired knowledge on "how to audit" and not only on "why audit" and "what to do during an audit".


Training Objectives

Competencies
1. Interpret ISO/IEC 27001:2005 requirements for the purpose of an ISMS audit.
2. Interpret and audit the requirements in accordance with several standards and regulatory frameworks.
3. Acquire the basic competencies of an auditor to: plan an audit, lead an audit, draft reports, and follow up an audit in compliance with ISO 19011:2009.

The objective of this training is to ensure that the candidate can actively participate in an ISO/IEC 27001:2005 certification audit the day following the end of the training.

This training is focused on the reality of conducting an audit. The case study and role-plays act as simulations of situations as close to reality in the field as possible. Tools and audit templates provided in this training are based on those currently used by certification organisations.


Course Structure

Student oriented

4. Instructional approach

This course is primarily based on:
- Trainer-led sessions, where questions are welcomed.
- Student involvement in various ways: exercises, case studies, role-plays, notes, reactions, discussions (participant experiences).

Remember, this course is yours: you are the main players in its success.

Students are encouraged to take additional notes.

Homework and exercises are essential in the acquisition of the competencies necessary to conduct an audit. Thus it is very important to do them conscientiously. In addition, this homework and these exercises are used to prepare students for the final exam.


Course Based on Best Practices in Audit

ISO 19011:2009; International Federation of Accountants; generally accepted auditing standards; Institute of Internal Auditors; Information Systems Audit and Control Association.

ISO 19011:2009: provides guidance on audit principles, audit program management and management system audits, as well as guidance on the competencies of auditors. It applies to all organizations needing to conduct internal and external audits or to manage an audit program. The application of the ISO 19011 standard to other types of audits is possible: in such cases it is sufficient to give special attention to identifying the competencies required of the audit team members.
Reference: www.iso.org

International Federation of Accountants (IFAC): This is the global organization for the accountancy profession. It operates with its 157 members and associates in 122 countries to protect the public interest by encouraging high-quality practices in the accounting profession. Standards developed by IFAC provide guidelines and advice in the following fields: audit, assurance, control and services related to quality, training, ethics and accounting.
Reference: www.ifac.org

Generally Accepted Auditing Standards (GAAS): These are 10 audit standards developed by the AICPA (American Institute of Certified Public Accountants), comprising general standards, standards of field work and standards of reporting, with interpretations. They were developed by the AICPA in 1947 and have undergone a few minor changes since then.
Reference: www.aicpa.org

ISACA standards and guidelines: The Information Systems Audit and Control Association (ISACA) has developed several standards and guidelines to provide advice on the audit of information systems. Founded in 1967, ISACA has over 65,000 members. Its professional certifications CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager) enjoy international recognition.
Reference: www.isaca.org

Professional practices of the Institute of Internal Auditors: These provide advice on conducting internal audits. They are the result of careful analysis, consultation and deliberation on the fundamental principles concerning the performance of internal audit services by members of the IIA (Institute of Internal Auditors) and CIAs (Certified Internal Auditors).
Reference: www.theiia.org


Templates and Use of ISO Standards

ITpreneurs provides participants with a series of templates developed by our team of auditors, based on best practices in the field. ITpreneurs hereby grants you a non-proprietary, personal and perpetual license to: (1) install the tools and templates, (2) use them internally, and (3) make a backup copy for the purpose of archiving.

By using these tools and templates, you acknowledge that you have read, understood and agree to be bound by these general conditions. The material provided in the course is protected by Canadian and worldwide copyright laws. Except where explicitly specified, the material cannot be copied, reproduced, distributed, republished, downloaded, shown, mailed or transmitted, by any way or means, without having previously received written authorization from ITpreneurs. ITpreneurs does not guarantee error-free use of this material and does not guarantee that the information accessible and included in the examples is precise and complete. To buy a professional license for commercial use, do not hesitate to contact an ITpreneurs representative.

ISO documents provided to participants are strictly reserved for this training session and are copyright protected by ISO. No part of this publication may be reproduced by any means or used in any way, whether electronic or mechanical, including photocopies and microfilms, without written permission from ISO or from the ISO member body located in the country of the related organization.

Copies of the different ISO standards can be bought on the www.iso.org site or from the national standards body (ISO member) of each country.


Knowledge Acquisition Evaluation

100% Final exam

Note: Minimum required attendance is 75%


What is PECB?

Main services: personal certification (auditor or implementer)

5. What is PECB?

PECB Inc. is a personnel certification body for various standards, including ISO 9001, ISO 14001, ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 27005 and ISO 22301.


Why Become a Certified Auditor?

Advantages:
- Qualifying oneself to conduct audits for a registrar
- Formal and independent recognition of personal competencies
- Certified professionals usually earn salaries higher than those of non-certified professionals

- An internationally recognized certification can help you maximise your career potential and reach your professional objectives.
- An international certification is the formal recognition of personal competencies in improving the performance of organizations.
- According to salary surveys published by Quality Progress magazine in the last five years, certified auditors have an average salary considerably higher than their non-certified counterparts.


Certificates

Students who successfully complete the exams in this course will receive a Certificate of Attainment of the ISMS Auditor/Lead Auditor course.

The certificate of attainment of the ISMS auditor/lead auditor course is valid for a period of 3 years starting from the last day of training. This period does not depend on the final exam date and allows the student to be registered as a certified auditor by PECB.

- Upon passing the Lead Auditor exam, the candidate can get registered with PECB to become:
  - A Provisional Auditor. Required: no experience.
  - An Auditor. Required: 2 years of professional experience, 1 year of information security experience, audit activities totaling 200 hours.
  - A Lead Auditor. Required: 5 years of professional experience, 2 years of information security experience, audit activities totaling 300 hours.

For more information about these requirements, please visit either www.pecb.org or https://www.pecb.org/en/certifications/iso-27001-and-information-security-certifications/iso-27001-lead-auditor

In case one fails to pass the exam or the continuous assessment (but meets the attendance conditions), the student will receive a certificate of attendance.


Customer Service

Comments, questions and complaints

Participant -> sends a complaint -> ITpreneurs -> answers in writing. Appeals are escalated to PECB.

To ensure your satisfaction and the continuous improvement of this training, ITpreneurs' Training Department has set in place a complaint management system. If you are dissatisfied with the training (tutor, equipment...), do not hesitate to contact us.

Training Department, ITpreneurs
servicedesk@itsmcampus.com


Schedule for the Week

Day 1: Introduction to Information Security and ISO/IEC 27001:2005
1. Course objectives and structure
2. Standard and regulatory framework
3. Certification process
4. Fundamental principles of information security
5. Information Security Management System (ISMS)

Day 2: Audit rules, preparation and launching of an audit
6. Fundamental audit concepts and principles
7. The approach based on evidence and risk
8. Preparation of the audit
9. Stage 1 audit
10. Preparing and initiating stage 2 audit (on-site audit)

Day 3: On-site audit activities
11. Communication during the audit
12. Audit procedures
13. Audit test plan creation
14. Writing conclusions and nonconformity reports

Day 4: Closing the audit
15. Documentation of the audit and quality review
16. Closing an audit
17. Follow-up audit
18. Initial audit follow-ups
19. Managing an audit program
20. The competence and evaluation of auditors

Day 5: Final exam


Section Summary and Questions

Section summary:
1. The main objective of this training is to acquire the knowledge and competencies to participate in an ISO/IEC 27001:2005 certification audit.
2. Success of the training is based on participant involvement (experience feedback, discussions, role-play, exercises, etc.).
3. The final exam is an open-book 3-hour exam and is focused on the candidate's understanding of audit concepts applied to ISO/IEC 27001:2005 certification.


Section 2: Standard and Regulatory Framework

1. ISO structure
2. Fundamental ISO principles
3. Information Security Standards
4. ISO 27000 family
5. ISO 27001 Advantages
6. Legal and regulatory conformity
7. Conformity framework - United States
8. Conformity framework - Europe

During this training, we will adopt the following convention: standards will often be referenced as ISO XXXX in the slides instead of their official designation ISO/IEC XXXXX:20XX, without specifying their publication date, each reference being to the latest version.


What is ISO?

- ISO is a network of national standardization bodies of over 160 countries.
- The final results of ISO work are published as international standards.
- Over 17,000 standards have been published since 1947.

1. ISO structure

History

The International Organization for Standardization, more commonly called ISO, was created in 1947. It is a non-governmental organisation that holds a special position between the public sector and the private sector. Its members include national standards organizations, which often are part of government structures in their countries or are mandated by these governments.

Other members, on the other hand, have their roots only in the private sector, having been created by national partnerships of industry associations.

Goals/Advantages

The role of ISO is to facilitate international coordination and the harmonization of industrial standards. To reach these objectives, ISO publishes technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and cleaner. They facilitate fair trade between countries. In addition, they provide governments with a technical foundation for health, safety and environmental legislation, and they help transfer technologies to developing countries. ISO standards also serve to protect consumers and general users of products and services, and to simplify their lives.
Source: www.iso.org


Basic Principles of ISO Standards

1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to enforce its standards
3. Business orientation: ISO only develops standards that fill market needs
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries

2. Fundamental ISO principles

ISO basic principles

1. Equal representation: Every full ISO member has the right to participate in the development of any standard it judges important to the economy of its country. Whatever the size or strength of its economy, each participating member can claim its right to vote. ISO activities are thus carried out in a democratic structure where member countries are on the same footing in terms of their influence on the orientation of the work.

2. Voluntary: ISO standards are voluntary. As a non-governmental organization, ISO has no legal authority to enforce their implementation. A percentage of ISO standards, more particularly those related to health, safety and the environment, have been adopted in several countries as part of the regulatory framework, or are mentioned in legislation for which they act as the technical basis. Such adoptions are sovereign decisions by the regulatory organizations or governments of the countries concerned. ISO itself does not regulate or legislate. However, although ISO standards are voluntary, they can become a market requirement, as is the case with ISO 9001, freight container dimensions, the traceability of food products, etc.

3. Business orientation: ISO only develops standards for which a market demand exists. Work is carried out by experts in the related industrial, technical and business sectors. These experts may be joined by others holding the appropriate knowledge, such as public organizations, academia and testing laboratories.

4. Consensus approach: ISO standards are based on a representative consensus of the different stakeholders (experts, industries, researchers, governments, etc.). This ensures wider dissemination and greater application.

5. International cooperation: ISO standards are technical agreements that provide, at the international level, frameworks for technological compatibility. Developing a technical consensus on an international scale is a major activity. Some 3,000 ISO technical groups (technical committees, subcommittees, working groups, etc.) have been identified, within which 50,000 experts take part in developing standards annually.

Source: www.iso.org


Instructor | Introduction to Information Security and ISO/IEC 27001:2005

Section 2: Standard and Regulatory Framework


1. ISO structure
2. Fundamental ISO principles
3. Information Security Standards
4. ISO 27000 family
5. ISO 27001 Advantages
Eight ISO Management Principles 6.
7.
Legal and regulatory conformity
Conformity framework - United States

t
8. Conformity framework - Europe

rin
ep
rR
fo
ot
l -N
ia

21
er

1. Customer orientation: Organizations depend on their customers. Consequently the current


at

and future needs of clients should be understood, their requirements be satisfied, and their
expectations be anticipated.
M

ISO 27001 Implications -> Security controls to be set in place and determination of the risk
acceptance threshold must account for business needs and client concerns.
pe

2. Leadership: Top management establish the purpose and orientations (policies) of the
organization. It is agreed that they create and maintain an internal environment where people
m

can get fully involved in the achievement of the organizations objectives.


Sa

ISO 27001 Implications -> Without a clear demonstration of leadership, the implementation of a
system as complex as ISO 27001 is doomed to failure.

3. Personnel involvement: People at all levels are the essence of an organization and total
involvement on their part allows the use of their skills in its favor.

ISO 27001 Implications -> An information security programme could not reach its objectives
without the involvement of the majority of stakeholders and having them understand their
responsibilities.

Copyright 2011, ITpreneurs Nederland B.V. All rights reserved. 25


ISO 27001 | Lead Auditor

4. Process approach: The idea that any activity of an organization can be designed as an interrelated series of actions. The process approach makes it possible to target improvement interventions and to quantify/measure the performance of the organization.

ISO 27001 Implications -> The organization must identify its key processes in order to determine those critical to its success and therefore those that must be protected.

5. System management approach: The organization's activities must be managed as a system whose components share the goal of allowing the organization to fulfil its mission.

ISO 27001 Implications -> The organization must put controls in place that protect information wherever it is located in the organization.

6. Continual improvement: The continual improvement of overall performance is a permanent objective of the organization.

ISO 27001 Implications -> The organization will need to continually improve the efficiency of the ISMS using the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review and validation.

7. Factual approach to decision making: Effective decisions are based on the analysis of data and information.

ISO 27001 Implications -> Management must be able to make informed decisions regarding security. This involves implementing metrics and a dashboard to establish the facts and carry out event analyses.

8. Mutually beneficial supplier relationship: An organization and its suppliers are interdependent, and relations benefiting both parties increase their capacity to create value.

ISO 27001 Implications -> The security controls to be put in place and the determination of the risk acceptance threshold must account for the business needs and obligations of partners and suppliers.

Source: www.iso.org

ISO/IEC JTC 1 SC 27 Subcommittee - IT Security techniques

Organization chart shown on the slide: ISO and IEC jointly form JTC1, which is divided into subcommittees (JTC1/SCxx). JTC1/SC27 is composed of five working groups:
  WG1 - Security services and guideline requirements
  WG2 - Techniques and security mechanisms
  WG3 - Security evaluation criteria
  WG4 - Security services and controls
  WG5 - Biometric security, identity and privacy

3. Information Security Standards

ISO standards cover several scopes and fields of competence. To handle some of them, ISO developed a joint body with the IEC (International Electrotechnical Commission), dating back to 1987 and called JTC1 (Joint Technical Committee), which deals specifically with Information Technology (IT).

JTC1 is subdivided into seventeen subcommittees, each dealing with a particular scope. SC 27, which deals with the IT Security Techniques scope, is the one of interest here.

SC 27 covers the standardization of generic techniques and methods for IT security needs. SC 27 is composed of five Working Groups (WG):

• WG1 - Requirements, security services and guidelines: its work area is the information security management system, including the recent definition of the 2700X series, which comprises ten standards related to information system and communication security, among them ISO/IEC 27001:2005, ISO/IEC 27002:2005 and ISO/IEC 27005:2008.
• WG2 - Techniques and security mechanisms: deals with cryptology (techniques and algorithms, for example).
• WG3 - Security evaluation criteria: has the Common Criteria (ISO/IEC 15408) as its main work scope (specifying the criteria for IT security).
• WG4 - Security services and controls: handles the former WG1 scopes that are not part of the new 2700X series (ISO/IEC 18028 on security architectures).
• WG5 - Biometric security, identity and privacy: dedicated to biometrics, identity and privacy (ISO/IEC 24760, for example).

Main ISO Standards - ISO 9001 and ISO 14001


From 1947 to date, ISO has published over 17,000 international standards. The ISO work programme includes standards related to traditional activities such as agriculture and construction, to media devices, and to the most recent developments in information technology, such as the digital coding of audiovisual signals for multimedia applications.

The ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000 standard has become an international reference for quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.

ISO 9001:2008 relates to quality management. It contains the good practices that aim to improve customer satisfaction, the fulfilment of customer and regulatory requirements, and continuous improvement actions in those fields.

In December 2007, 951,486 organizations were certified to ISO 9001:2000 (China having the most certified organizations: 210,773).

ISO 14001:2004 relates mainly to environmental management. It defines the actions an organization can implement to reduce the negative impacts of its activities on the environment as much as possible and to continuously improve its environmental performance. In December 2006, 154,572 organizations were certified to ISO 14001:2004 (Japan having the most certified organizations: 30,489).

Source: www.iso.org (Survey 2007)


ISO Standards - Other examples


ISO/IEC 20000-1:2005 defines the requirements that an information technology service provider must apply. This standard applies to service providers regardless of the organization's size or form. The standard consists of two parts. The first part defines the specifications the organization shall apply to obtain certification. The second part (ISO/IEC 20000-2:2005) explains the different practices or recommendations for reaching the objectives previously defined.

ISO 28000:2007 prescribes the requirements applicable to a security management system for the supply chain. An organization has to define, implement, maintain, and improve a supply chain security management system during each step of production, that is, manufacturing, maintenance, storage or transport of goods.

ISO 31000:2009 is a strategic-level document addressing all types of risk, including environmental security risks. It provides generic guidance on the implementation and maintenance of a continual risk management process in an organization. It is not intended to be used for certification and/or registration purposes.

ISO/IEC 38500:2008 establishes definitions, principles and a model for the good governance of information technology in an organization. This standard states six principles to guide decision making: responsibility, strategy, acquisition, operation, conformity and human behaviour. The objective pursued by the standard is to promote the efficiency, profitability and conformity of data processing in any organization.


Integrated Management System - PAS 99:2006, Annex B

| PAS 99:2006                      | ISO 9001:2000                                    | ISO 14001:2004                           | ISO 20000:2005             | ISO 27001:2005                     |
|----------------------------------|--------------------------------------------------|------------------------------------------|----------------------------|------------------------------------|
| 4.1 General requirements         | 4.1                                              | 4.1                                      | 3                          | 4.1, 4.2                           |
| 4.2 Management system policy     | 5.1, 5.3                                         | 4.2                                      | 3.1, 4.4.1                 | 5.1                                |
| 4.3 Planning                     | 5.2, 5.3(b), 5.4.1, 5.4.2, 5.5, 7.2.1, 7.2.2, 8.3 | 4.3, 4.4.1, 4.4.7                        | 4.1, 4.2, 5.0, 8.2         | 4.2                                |
| 4.4 Implementation and operation | 4.2, 5.3(d), 5.5.1, 5.5.3, 6, 7                  | 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6 | 4.2, 6.0, 3.1, 3.2, 3.3, 7 | 4.2.2, 4.2.4(c), 4.3, 5.2.1, 5.2.2 |
| 4.5 Performance evaluation       | 8.1, 8.2.2, 8.2.4, 8.3                           | 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5        | 4.3                        | 4.2.3, 4.2.4, 6                    |
| 4.6 Improvement                  | 8.5.1, 8.5.2, 8.5.3                              | 4.5.3                                    | 4.4, 4.2.4(b), 8.2, 8.3    | 4.2.4, 8.1, 8.2, 8.3               |
| 4.7 Management review            | 5.6.1, 5.6.2, 5.6.3                              | 4.6                                      | 3.1(g)                     | 7.1, 7.2, 7.3                      |


PAS 99:2006

PAS 99 (Publicly Available Specification) is a reference framework for organizations wanting to implement a management system by integrating more than one of the following standards: ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, or OHSAS 18001 (Occupational Health and Safety Assessment Series). The objective of implementing PAS 99 is to simplify the deployment of several management systems originating from different standards by avoiding conflicts between systems and by reducing duplicate documents and over-documentation (aligning the ISMS with, and incorporating it into, the requirements of the other management systems).


Security Standards - Examples


ISO/IEC 15408:2005-2008: Under the general title Common Criteria, this standard is intended to be used as a basis for evaluating the security properties of Information Technology (IT) products and systems. It contains the following parts:

Part 1: Introduction and general model (2005)
Part 2: Functional security requirements (2008)
Part 3: Assurance of security requirements (2008)

ISO/IEC TR 18044:2004: Information technology - Security techniques - Information security incident management. This standard is a guide on information security incident management aimed at persons involved in the security of information systems.

BS 25999-2:2007 defines the requirements that an organization must apply to certify a Business Continuity Management System (BCMS). The first part (BS 25999-1:2006) is a code of practice that explains the different practices or recommendations for establishing a BCMS. BS 25999-1:2006 establishes the procedures, principles and terminology of Business Continuity Management (BCM). It defines a basis for understanding, developing and implementing business continuity in an organization, whatever its size or sector. Its methodology is based on the complete BCM lifecycle, with the business as its driver.


History of the ISO/IEC 27001 Series - 1990 to 2011

Timeline shown on the slide:
  1990 - BS7799-1, code of best practices (published by a group of companies)
  1995 - BS7799-1, code of best practices
  1998 - BS7799-2, ISMS certification schema
  2000 - ISO/IEC 17799, best practices code
  2005 - ISO 27001, ISMS requirements publication; new version of ISO 17799
  2007 - ISO/IEC 27006, certification organization requirements
  2008 - ISO 27005, information security risk management


4. ISO 27000 family

Beginning of the 1990s
• An industry need expressed in terms of better practices and controls to support trade and government in implementing and improving information security
• The Ministry of Commerce and Industry (United Kingdom) forms a work group bringing together directors with experience in information security
• Publication of a collective work of advice on the management of information security

1992
• Published as a guide of good industry practices (September)
• Originally published as a British Standards Institution (BSI) publication
• Constitutes the basis of the British Standard BS 7799-1

1995
• Committee revision of the code, approved for publication
• BS 7799-1:2005 published as a United Kingdom standard

1996 - 1997
• Identification of a need to increase the level of confidence in the BS 7799 standard
• The industry requests a means of certification against the code

• A steering committee is formed:
    o United Kingdom Accreditation Service (UKAS)
    o International Register of Certified Auditors (IRCA)
    o British Department of Trade and Industry (DTI)

1998
• Launch of the United Kingdom ISMS certification model (published as BS 7799-2:1998)

1999
• Revision of BS 7799-1:1999 (updates and addition of new controls):
    o E-commerce
    o Mobile computing
    o Third-party agreements
    o Removal of specific references to the United Kingdom
• BS 7799-2:1999 (alignment of controls with BS 7799-1)

2000
• Publication of ISO/IEC 17799:2000

2002
• Launch of BS 7799-2:2002
• The main updates are:
    o Plan-Do-Check-Act (PDCA) model
    o Improved definitions and clarification of the links between:
        - Risk evaluation process
        - Selection of controls
        - Contents of the Statement of Applicability
        - Importance of continuous ISMS improvement
        - Clarification of the conditions for documentation and production of reports
    o ISO/IEC 17799 controls included as an annex to the standard
    o Annex demonstrating the connection between BS 7799-2, ISO 9001 and ISO 14001

2005
• Publication of the new version, ISO/IEC 17799:2005
• Publication of ISO/IEC 27001:2005, which replaces BS 7799-2 and contains:
    o ISMS specifications
    o ISO 17799 controls in an annex to the standard
    o Annex demonstrating the connection with ISO 9001 and ISO 14001

2007
• Publication of ISO/IEC 27002:2005, replacing ISO/IEC 17799:2005 (no change in content, only in the identification number)
• Publication of ISO/IEC 27006:2007 for certification organizations

2008
• Publication of ISO/IEC 27005:2008 for information security risk management

2009
• Publication of ISO/IEC 27000:2009 for vocabulary related to ISMS

ISO/IEC 27000 Family

Diagram shown on the slide:
  Vocabulary: ISO 27000 - Vocabulary
  Requirements: ISO 27001 - ISMS requirements; ISO 27006 - Certification organization requirements
  General guides: ISO 27002 - Code of practice; ISO 27003 - Implementation guide; ISO 27004 - Metrics; ISO 27005 - Risk management; ISO 27007-27008 - Audit guides
  Industry guides: ISO 27011 - Telecommunications; ISO 27799 - Health; ISO 270XX - others


Resulting from the reflections of an international workgroup dedicated to the information security scope, the ISO/IEC 27000 family has been published progressively since 2005. ISO/IEC 27001:2005 is the only certifiable standard of the ISO/IEC 27000 family. The other standards are guidelines.

• ISO/IEC 27000:2009: This information security standard develops the basic concepts as well as the vocabulary that applies when analysing Information Security Management Systems.
• ISO/IEC 27001:2005: This information security standard defines the requirements for Information Security Management Systems (ISMS).
• ISO/IEC 27002:2005 (previously ISO/IEC 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms of information security and anticipates the overall concerns of organizations relating to information security across their activities.
• ISO/IEC 27003:2009: Guide for implementing or setting up an ISMS.
• ISO/IEC 27004:20XX: Guide of metrics to facilitate ISMS management; it provides a method for defining implementation objectives and efficiency criteria, as well as follow-up and trend measurements throughout the process.
• ISO/IEC 27005:2008: Guide for information security risk management, which complies with the concepts, models and general processes specified in ISO 27001.
• ISO/IEC 27006:2007: Guide for organizations auditing and certifying ISMSs.


• ISO/IEC 27007:20XX and ISO/IEC 27008:20XX: Guides for auditing ISMSs.
• ISO/IEC 27011:2009: Guidelines for the use of ISO/IEC 27002:2005 in the telecommunications industry.
• ISO/IEC 27799:2009: Guidelines for the use of ISO/IEC 27002:2005 in health services.


ISO/IEC 27001:2005

Key points shown on the slide:
• Specifies requirements for ISMS management (clauses 4 to 8)
• Clauses written using the verb "shall"
• Annex A: 11 sections containing the control objectives and the 133 ISO 27002 controls
• Organizations can obtain certification


ISO/IEC 27001:2005 is:

• An internationally recognized, structured methodology for information security.
• A defined process to evaluate, implement, maintain and manage information security.
• A complete set of controls including best practices in information security.
• Developed by industry for industry.

ISO/IEC 27001:2005, clause 0.1 - General

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

This International Standard can be used in order to assess conformance by interested internal and external parties.


ISO/IEC 27002:2005

Key points shown on the slide:
• New number for ISO 17799
• Guide: code of practice for information security management
• Reference document
• Composed of 11 domains, 39 control objectives and 133 controls
• Organizations cannot obtain certification


Revised in 2005, ISO/IEC 17799:2005 is a guide of best practices for information security management. In 2007, it became ISO/IEC 27002:2005 in order to be integrated into the ISO/IEC 27000 family.

ISO/IEC 27002:2005, clause 1 - Scope

This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management.

The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment. This International Standard may serve as a practical guideline for developing organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.


ISO 27002 Domains - ISO 27001, Annex A

A5  Security policy
A6  Organization of information security
A7  Asset management
A8  Human resources security
A9  Physical and environmental security
A10 Communications and operations management
A11 Access control
A12 Information systems acquisition, development and maintenance
A13 Information security incident management
A14 Business continuity management
A15 Compliance


The security objectives and controls listed in Annex A are aligned with those listed in the clauses of ISO/IEC 27002:2005, domains 5 to 15.

The lists of security objectives and controls contained in Annex A are not exhaustive. An organization may consider it necessary to include additional security objectives and controls.

ISO 27009+

Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of specific standards:
• for industries (telecommunications, health, automotive)
• for specific domains related to information security (application security, cybersecurity, security incident management, etc.)


Here are some of the standards already published or under development:

• ISO/IEC 27010: Information security management guidelines for inter-sector communications
• ISO/IEC 27011:2008: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27031: ICT (Information and Communication Technology) readiness for business continuity
• ISO/IEC 27032: Guidelines for cybersecurity
• ISO/IEC 27033: IT network security (ISO/IEC 27033-1 to ISO/IEC 27033-7)
• ISO/IEC 27034: Guidelines for application security
• ISO/IEC 27035: Information security incident management
• ISO/IEC 27036: Guidance for auditors on ISMS controls
• ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence


Exercise 1 - Reasons to adopt ISO 27001


Please read the following parts of the case study provided for this course:

• History of the business enterprise
• Organization of the business enterprise

Based on this information, determine and explain the three greatest advantages of implementing the ISO/IEC 27001 standard for this organization, and how Thalia can measure these advantages using metrics.

Duration of the exercise: 30 minutes

Comments: 15 minutes


Answer

Advantage 1: Improving information security management by putting in place a global management framework.
• Case study quote: "Unfortunately, the growth of the software activity has produced serious management, organization and operation problems."
How Thalia can measure this advantage: Put in place indicators measuring the number of incidents, the number of hours of unavailability of the information network, monthly costs of incidents, etc.

Advantage 2: Regaining their clients' trust thanks to a third-party certification.
• Case study quote: "These problems include the loss of important information, the loss of several contracts, and more important still, the loss in confidence of some customers."
How Thalia can measure this advantage: Put in place indicators using marketing studies to measure the percentage of confidence, the percentage of satisfaction, etc.

Advantage 3: Marketing differentiation when faced with increasingly significant competition.
• Case study quote: "In addition, the number of new competitors and similar products on the market has rapidly increased, and has started to slow the growth of the company's software activity."
How Thalia can measure this advantage: Measure brand awareness, percentage of sales growth, etc.


ISO 27001 Advantages

Advantages shown on the slide:
1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing


5. ISO 27001 Advantages

Improvement of security:
• Improvement of information security
• The standard covers the IT activities as well as the organization, the personnel and the equipment
• Independent review of your information security management system
• Better awareness of information security
• Mechanisms for measuring the system's success

Good governance:
• Awareness and empowerment of personnel
• Decreased risk of lawsuits against upper management, by virtue of the due care and due diligence principles
• The opportunity to identify one's weaknesses and correct them
• Upper management accepts accountability for information security


Conformity:
• With other ISO standards (see ISO/IEC 27001:2005, Annex C)
• With OECD (Organisation for Economic Co-operation and Development) principles (see ISO/IEC 27001:2005, Annex B)
• With industry standards, for example PCI-DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry)
• With national and regional laws

Cost reduction:
• Decision makers often ask for projects to be justified in terms of profitability and demand concrete and measurable returns. A new financial evaluation concept has emerged to treat the information security field specifically: Return on Security Investment (ROSI). ROSI is a concept derived from Return on Investment (ROI). It can be interpreted as the security project's financial profit, taking into account its total cost over a given period of time.

Marketing:
• Differentiation, providing a competitive advantage
• Satisfaction of client requirements
• Consolidation of market, supplier and partner confidence in the organization


Legal Conformity

Key points shown on the slide:
• The organization must comply with the applicable laws and regulations
• In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal requirement
• In all cases, laws take precedence over standards
• ISO 27001 can be used to comply with several laws and regulations


6. Legal and regulatory conformity

ISO/IEC 27002:2005, domain 15 - Compliance

15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements.

Advice on specific legal requirements should be sought from the organization's legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).

15.1.1 Identification of applicable legislation

Control: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization.

Implementation guidance: The specific controls and individual responsibilities to meet these requirements should be similarly defined and documented.


ISO 27001 and Regulatory Framework - Examples, United States

| Requirement        | Origin                 | Description                                                                |
|--------------------|------------------------|----------------------------------------------------------------------------|
| Sarbanes-Oxley Law | Federal law            | Public Company Accounting Reform and Investor Protection Act               |
| HIPAA              | Federal law            | Protection of information in the health industry                           |
| GLBA               | Federal law            | Protection of information in the finance industry                          |
| FISMA              | Federal law            | Information system protection measures used by federal agencies            |
| SB 1386            | California law         | Disclosure obligation in case of a security breach affecting customer data |
| NIST 800-53        | Department of Commerce | IS security standard of the Department of Commerce and its partners        |


7. Conformity framework - United States

Sarbanes-Oxley Act (2002)

The Sarbanes-Oxley Act, or SOX, was introduced following the financial scandals revealed in the United States in the early 2000s, such as the Enron and WorldCom affairs. It brings crucial legislative changes concerning the financial governance and administration of companies in order to protect stockholders. SOX relies on the establishment of controls based on a conceptual framework such as COSO (Committee of Sponsoring Organizations of the Treadway Commission).

HIPAA (1996)

HIPAA (Health Insurance Portability and Accountability Act) is an act that aims to protect information related to health industry activities. The standards it puts in place concern administrative and financial transactions, personal information security, code sets, and certain unique health identifiers.

GLBA (1999)

The purpose of the Gramm-Leach-Bliley Act is to make American financial institutions more competitive. Some clauses of this act oblige financial institutions to ensure a minimum level of protection for information concerning their customers and to implement controls to protect the security of that information.



ISO 27001 | Lead Auditor

Federal Information Security Management Act (2002)
FISMA (legislation on information security management) imposes a series of processes that must be followed for any information system used by the American Federal Government, its contractors or suppliers.

SB 1386 (2002)
California Senate Bill 1386 requires organizations doing business in California that hold personal information to inform any California resident of any security breach that may affect their personal information.

NIST 800-53 (2006)
NIST 800-53, published by the National Institute of Standards and Technology, provides guidelines for securing information systems within the federal government by selecting and specifying security controls. These guidelines apply to every part of an information system that processes, stores, or transmits federal information. It is issued by the U.S. Department of Commerce.

Slide 37: ISO 27001 and Regulatory Frameworks - Examples Europe

Requirement            Origin                            Description
Directive 95/46/EC     Parliament and European Council   Protection of individuals with regard to the processing of personal data and on the free movement of such data
Directive 2002/58/EC   Parliament and European Council   Protection of personal data and privacy in electronic communications
Regulation 45/2001     Parliament and European Council   Protection of personal data by European bodies
Decision 92/242/CEE    Parliament and European Council   Applicable definitions and sanctions concerning attacks targeting information systems
Directive 1999/93/EC   Parliament and European Council   Community framework for electronic signatures and certain certification services
Directive 2001/29/EC   Parliament and European Council   Harmonization of copyright with technological developments

8. Conformity framework - Europe

The European Parliament and the Council have issued several directives, regulations and decisions related to information security. These texts are strongly based on the protection of the rights of European consumers and citizens. All directives have been transposed into the national legislation of the member states.

Directive 95/46/EC
Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive applies to data processed by automated means (e.g. a computer database of customers) and to data contained in or intended to be part of non-automated filing systems (traditional paper files).

Directive 2002/58/EC
Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive tackles a number of issues of varying degrees of sensitivity, such as the retention of connection data by the Member States for police surveillance purposes (data retention), the sending of unsolicited electronic messages, the use of cookies and the inclusion of personal data in public directories.


Regulation (EC) No 45/2001
Regulation concerning the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The text includes provisions which guarantee a high level of protection of personal data processed by the Community institutions and bodies. It also provides for the establishment of an independent supervisory body to monitor the application of these provisions.

Decision 92/242/EEC
Decision concerning attacks against information systems. The member states recognized the definitions and the applicable sanctions for several criminal acts: illegal access to information systems, illegal system interference and illegal data interference. The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Directive 1999/93/EC
This Directive establishes the legal framework at European level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognised within the Member States, and to secure cross-border recognition of signatures and certificates with third countries. The main provision of the Directive states that an advanced electronic signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidence in legal proceedings.

Directive 2001/29/EC
This Directive aims to adapt legislation on copyright and related rights to technological developments and particularly to the information society. The Directive deals with three main areas: reproduction rights, the right of communication and distribution rights.

Source: www.europa.eu

Slide 38: ISO 27001 and Other Framework Standards - Examples International and industry repositories

Requirement       Origin                               Description
OECD Principles   OECD                                 OECD guidelines regulating the security of information systems and networks
PCI-DSS           Industry standard                    Protection of data for credit cards and their holders
Basel II          Basel committee                      Protection and information security in the banking sector
COBIT             ISACA and ITGI                       Best governance practices in information technologies
ITIL              Office of Government Commerce (UK)   Best practices guide for the management of IT services

OECD Principles (2002)
The OECD (Organization for Economic Cooperation and Development) has developed guidelines regulating the security of information systems and networks based on nine principles: awareness, accountability, reaction, ethics, democracy, risk assessment, security design and implementation, security management and reassessment.

Payment Card Industry Data Security Standard (2004)
The PCI standard (data security standard for the payment card industry) consists of a series of technical and operational controls whose goal is to protect organizations against fraud and other threats related to credit cards. This standard applies to any organization that stores, processes or transmits information on credit card holders.

Basel II (2004)
Basel II is the second of the Basel Accords, issued by the Basel Committee on Banking Supervision, which publishes recommendations concerning banking laws and regulations. The goal of this committee is the creation of international standards for the regulation of banking institutions and systems. Basel II issues 10 principles concerning security which also appear in ISO 27001, such as identification, risk assessment and management, internal audit and the emergency plan.


COBIT (1994+)
Developed by ISACA and the ITGI, COBIT (Control Objectives for Business and related Technology) is a reference framework for the governance of information systems. COBIT provides information technology managers, auditors and users with indicators, processes and best practices to help them maximize the benefits derived from the use of information technology and to develop the governance and control of the company.

ITIL (1980+)
Published by the Office of Government Commerce (OGC), the Information Technology Infrastructure Library is a set of publications listing best practices for IT Service Management (ITSM).


Slide 39: Section Summary and Questions
Section summary:

1. ISO is a network of national standards bodies from over 160 countries that publish standards.

2. The eight ISO management principles are: client orientation, leadership, personal implication, process approach, management system approach, continuous improvement, factual approach, and mutually beneficial supplier approach.

3. The two main management system standards are ISO 9001:2008 (quality) and ISO 14001:2004 (environment).

4. ISO 27000 is a family of standards in information security.

5. ISO/IEC 27001:2005 specifies the requirements for the management of an ISMS, and organizations can obtain certification against it.

6. ISO/IEC 27002:2005 is a code of practice for the management of information security; organizations cannot obtain certification against this standard.

7. In most countries, the implementation of an ISO standard is a voluntary decision made by the organization, not a legal condition.

8. ISO/IEC 27001:2005 can be used to comply, in full or in part, with several laws, regulatory frameworks, industry standards and contractual agreements.
