ISMS Auditor/Lead Auditor Training Course ISO 27001
Instructor Guide
Version 4.3.1
This training material is sold subject to the condition that it, or any part of it, shall not by way of trade or otherwise, be sold, lent, re-sold, displayed, advertised or otherwise circulated, without the publisher's prior written consent, in any form of binding, cover or title other than that in which it is published and without a similar condition including this condition being imposed on the subsequent purchaser(s).

Training materials are based on PECB's Training Provider and Examiner Certification Scheme. Documents provided to participants are strictly reserved for training purposes and are copyrighted by ITpreneurs. ITpreneurs Nederland B.V. is affiliated to Veridion. Unless otherwise specified, no part of this publication may be, without ITpreneurs' written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.
Section 1: Course Objective and Structure 4
1. Meet and greet 5
2. General points 6
3. Training objectives and structure 7
4. Instructional approach 9
5. What is PECB? 14
Section 2: Standard and Regulatory Framework 21
1. ISO structure 22
2. Fundamental ISO principles 23
3. Information Security Standards 27
4. ISO 27000 family 32
5. ISO 27001 Advantages 42
6. Legal and regulatory conformity 44
7. Conformity framework - United States 45
8. Conformity framework - Europe 47
1. Certification process 53
2. Certification schema 55
3. Accreditation authority 56
4. Certification body 58
5. Personnel Certification body 60
2. Information security 64
3. Vulnerability 68
4. Threat 70
5. Risk 71
MODULE 2: AUDIT RULES, PREPARATION AND LAUNCHING OF AN AUDIT 129
Course Agenda 131
Section 6: Fundamental Audit Concepts and Principles 134
1. What is an audit? 135
2. The actors 141
3. Audit criteria 142
4. Audit types 144
5. Audit objectives 145
7. Responsibility of auditors 164
8. Ways to reinforce ethics 165
Section 7: The approach based on evidence and risk 170
1. Evidence Based Approach 171
2. Type of audit evidence 173
3. Quality of an audit evidence 181
4. Risk Based Audit Approach 186
5. Materiality dimension of an information system 187
6. Reasonable assurance 191
Section 8: Preparation of the audit 193
1. The audit team 194
2. Defining the audit objectives 196
3. Defining the scope 197
4. Determining the feasibility of the audit 201
5. Engagement letter 207
6. Initial contact 209
Section 10: Preparing and initiating stage 2 audit (on-site audit) 233
1. Stage 2 audit objectives 234
MODULE 3: ON-SITE AUDIT ACTIVITIES 253
Course Agenda 255
Section 11: Communication during the audit 258
1. Behaviour during on-site visits 259
2. Communication during the audit 260
3. Team meetings 263
4. Observer and guide roles 264
5. Conflict management 266
6. Cultural aspects of the audit 269
7. Communication with management 271
Section 12: Audit procedures 278
1. Information gathering 279
2. Observation 284
3. Documentation review 287
4. Interview 288
5. Analysis 301
6. Technical verification 314
7. Audit Procedure 318
Section 13: Audit test plan creation 322
1. Creating audit test plans 323
2. Audit test plan examples 326
Section 14: Writing conclusions and nonconformity reports 335
1. Drafting audit findings 336
2. Nonconformity definition 338
3. Major nonconformity 339
5. Anomaly 345
6. Observation 346
7. Documenting a nonconformity 347
Section 17: Follow-up audit 399
1. Follow-up audit 400
2. Submission of action plans 401
3. Content of action plans 402
4. Evaluation of action plans 403
5. Alternatives to follow-up audits 405
Section 18: Follow-ups to Initial audit 409
1. Surveillance activities 410
2. Surveillance audit 413
3. Recertification audit 415
4. Extending the scope 417
5. Transferring a certificate 418
6. Suspending a certificate 419
7. Using the ISO trademark 421
Section 19: Managing an audit program 424
1. Audit program 425
2. Audit resources 426
3. Creating audit tools 427
4. Audit procedures 428
5. Records of the audit program 429
6. Follow-up and review 438
7. Managing combined audits 439
Section 20: The competence and evaluation of auditors 442
1. Competencies of auditors 443
Instructor | Introduction to Information Security and ISO/IEC 27001:2005
Course Agenda
Day 1
Module 1: Introduction to Information Security and ISO/IEC 27001:2005

Section | Name                                           | Start | End   | Total Time (in hours)
2       | Standard and Regulatory Framework              | 9:00  | 10:30 | 1:30
4       | Fundamental Principles of Information Security | 11:00 | 12:00 | 1:00
        | Lunch                                          | 12:00 | 1:00  | 1:00
5       | Information Security Management System (ISMS)  | 2:30  | 5:30  | 3:00
2. General points
3. Training objectives and structure
4. Instructional approach
5. What is PECB?
- Name
- Current position
- Previous positions
- Knowledge of and experience with ISO/IEC 27001:2005
- Smoking
- Meals
- Timetable and breaks
- Mobiles
- Absences
2. General points

Knowledge
1. Explain the components of an Information Security Management System based on ISO/IEC 27001:2005 and its principal processes
2. Explain the goal, content and correlation between ISO/IEC 27001:2005 and ISO/IEC 27002:2005 as well as with other standards and regulatory frameworks
3. Explain an auditor's role: plan, lead and follow up an ISMS audit in accordance with ISO 19011:2009
This training is focused on the acquisition of knowledge related to audit techniques applied to information security, and not on the acquisition of expertise in information security. Minimal knowledge of information security is however required for successful completion of the course.
To obtain more in-depth knowledge of the management of information security, it is recommended you take the course ISO/IEC 27001:2005 implementation.
At the end of the course, participants will have obtained knowledge on "how to audit" and not only on "why audit".
Competencies
1. Interpret ISO/IEC 27001:2005 requirements for the purpose of an ISMS audit
2. Interpret and audit the requirements in accordance with several standards and regulatory frameworks
3. Acquire the basic competencies of an auditor to: plan an audit, lead an audit, draft reports, and follow up an audit in compliance with ISO 19011:2009
The objective of this training is to ensure that the candidate can actively participate in an ISO/IEC 27001:2005 certification audit the day following the end of the training.
This training is focused on the reality of conducting an audit. The case study and role-plays act as simulations of situations as close to reality in the field as possible. Tools and audit templates provided in this training are based on those currently used by certification organisations.
Student oriented
4. Instructional approach
Remember, this course is yours: you are the main players in its success.
Homework and exercises are essential in the acquisition of the competencies necessary to conduct an audit. Thus it is very important to do them conscientiously. In addition, this homework and these exercises are used to prepare students for the final exam.
On best practices in audit
- ISO 19011:2009
- International Federation of Accountants
- Generally accepted audit standards
- Institute of Internal Auditors
- Information Systems Audit and Control Association
ISO 19011:2009: provides advice on audit principles, audit program management, management systems audit, as well as advice on the competencies of auditors. It applies to all organizations needing to conduct internal and external audits or to manage an audit program. The application of the ISO 19011 standard to the other types of audits is possible: it is sufficient, in this type of case, to give special attention to identifying the competencies required of the audit team members.
Reference: www.iso.org
International Federation of Accountants - IFAC: This is the world accounting organization. It operates with its 157 members and associates in 122 countries to protect the public interest by encouraging high quality practices in the accounting world. Standards developed by IFAC provide guidelines and advice in the following fields: audit, insurance, control and services related to quality, training, ethics and accounting.
Reference: www.ifac.org
Generally Accepted Auditing Standards - GAAS: These are 10 audit standards, developed by the AICPA (American Institute of Certified Public Accountants), including general standards, standards by activity sector and report standards, with interpretations. They were developed by the AICPA in 1947 and have undergone a few minor changes since then.
Reference: www.aicpa.org
ISACA standards and guidelines: The Information Systems Audit and Control Association (ISACA) has developed several standards and guidelines to provide advice on the audit of information systems. Founded in 1967, ISACA has over 65,000 members. Its two professional certifications, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager), enjoy international recognition.
Reference: www.isaca.org
Professional practices of the Institute of Internal Auditors: These provide advice on conducting internal audits. They are the result of careful analysis, consultations and deliberations on the fundamental principles concerning the performance of internal audit services by members of the IIA (Institute of Internal Auditors) and the CIA (Certified Internal Auditor).
Reference: www.theiia.org
ITpreneurs provides participants with a series of templates developed by our team of auditors, based on best practices in the field. ITpreneurs hereby grants you a non-proprietary and personal perpetual license to: (1) install the tools and templates, (2) use them internally, and (3) make a backup copy for the purpose of archiving.
By using these tools and templates, you recognize that you have read, understood and agree to be bound by these general conditions. The material provided in the course is protected by Canadian and worldwide copyright laws. Except where explicitly specified, the material cannot be copied, reproduced, distributed, republished, downloaded, shown, mailed or transmitted, by any way or means, without having previously received written authorization from ITpreneurs. ITpreneurs does not guarantee error-free use of this material and does not guarantee that the information accessible and included in the examples is precise and complete. To buy a professional license for commercial use, do not hesitate to contact an ITpreneurs representative.
ISO documents provided to participants are strictly reserved for this training session and are copyright protected by ISO. No part of this publication may be reproduced by any means or used in any way, whether it be electronic or mechanical, including photocopies and microfilms, without written permission from ISO (see address below) or a member of the ISO organization located in the country of the related organization.
Copies of the different ISO standards can be bought on the www.iso.org site or from the accreditation authority of each country.
100% Final exam
Main services
- Personal certification (auditor or implementer)
5. What is PECB?
PECB Inc. is a personnel certification body for various standards, including ISO 9001, ISO 14001, ISO/IEC
Advantages
- Qualifying oneself to conduct audits for a registrar
- Formal and independent recognition of personal competencies
- Certified professionals usually earn salaries higher than those of non-certified professionals
- An internationally recognized certification can help you maximise your career potential, and certified auditors have an average salary considerably higher than their non-certified counterparts.
Students who successfully complete the exams in this course will receive a Certificate of Attainment of the ISMS auditor/lead auditor course.
The certificate of attainment of the ISMS auditor/lead auditor course is valid for a period of 3 years starting from the last day of training. This delay does not take into account the final exam date and allows the student to be registered as a certified auditor by PECB.
- Upon passing the Lead Auditor Exam, the candidate can get registered with PECB to become:
  - A Provisional Auditor. Required: no experience required
For more information about these requirements, please visit either www.pecb.org or https://www.pecb.org/en/certifications/iso-27001-and-information-security-certifications/iso-27001-lead-auditor
In case one fails to pass the exam or continuous assessment (but meets the attendance conditions), the student will receive a certificate of attendance.
Comments, questions and complaints
- Participant: sends a complaint to ITpreneurs
- ITpreneurs: answers in writing
- Appeal: PECB
To ensure your satisfaction and the continuous improvement of this training, ITpreneurs' Training Department has set in place a complaint management system. If you are dissatisfied with the training (tutor, equipment...), do not hesitate to contact us.
servicedesk@itsmcampus.com
3. Certification process
9. Stage 1 audit
Day 4: Closing the Audit
15. Documentation of the audit and quality review
16. Closing an audit
18. Initial audit follow-ups
20. The competence and evaluation of auditors
Section summary:
1. The main objective of this training is to acquire the knowledge and competencies to participate
3. Final exam is an open-book 3-hour exam and is focused on the candidate's understanding of
1. ISO structure
2. Fundamental ISO principles
3. Information Security Standards
4. ISO 27000 family
5. ISO 27001 Advantages
6. Legal and regulatory conformity
7. Conformity framework - United States
8. Conformity framework - Europe
During this training, we will adopt the following convention: standards will often be referenced as ISO XXXX in the slides instead of their official designation ISO/IEC XXXXX:20XX, without specifying their publication date, each referring to its latest version.
- ISO is a network of national standardization bodies of over 160 countries
- The final results of ISO works are published as international standards
- Over 17,000 standards have been published since 1947
1. ISO structure
History
The International Standards Organisation, more commonly called ISO, was created in 1947. It is a non-governmental organisation that holds a special position between the public sector and the private sector. Its members include national standards organizations which often are part of government structures in their countries or which are mandated by these governments.
On the other hand, other members only have their roots in the private sector, created by national partnerships of industry associations.
Goals/Advantages
The role of ISO is to facilitate international coordination and the uniformization of industrial standards. To reach these objectives, ISO has published technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they bring a technical foundation for health, security and environmental legislation to governments; and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services. These standards are also used to simplify their lives.
Source: www.iso.org
Basic principles of ISO standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to implement its standards
3. Business orientation: only develops standards that fill market needs
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries
1. Equal representation: Every ISO member (full-fledged member) has the right to participate in the development of any standard it judges important to the economy of its country. Whatever the size or strength of the economy, each participating member can claim their right to vote. ISO activities are thus carried out in a democratic structure where member countries are on the same footing in terms of their influence on work orientation.
2. Voluntary: ISO standards are voluntary. As a non-governmental organization, ISO has no legal authority for their implementation. A percentage of ISO standards, more particularly those related to health, security and the environment, have been adopted in several countries as part of the regulatory framework, or are mentioned in the legislation for which they act as technical basis. Such adoptions are sovereign decisions by regulatory organizations or governments of the affected countries.
ISO itself does not regulate or legislate. However, although ISO standards are voluntary, they can become a market requirement, as is the case with ISO 9001 or with freight container dimensions, the traceability of food products, etc.
3. Business orientation: ISO only develops standards for which a market demand exists. Work is carried out by experts in the related industrial, technical and business sectors. These experts may be joined by other experts holding the appropriate knowledge, such as public organizations, the academic world and testing laboratories.
5. International cooperation: ISO standards are technical agreements that bring, at the international level, technological compatibility structures. Developing a technical consensus on an international scale is a major activity. 3,000 technical ISO groups are identified (technical committees, subcommittees, work groups, etc.) within which 50,000 experts take part in developing standards annually.
Source: www.iso.org
and future needs of clients should be understood, their requirements be satisfied, and their expectations be anticipated.
ISO 27001 implications -> Security controls to be set in place and determination of the risk acceptance threshold must account for business needs and client concerns.
2. Leadership: Top management establish the purpose and orientations (policies) of the organization. It is agreed that they create and maintain an internal environment where people
ISO 27001 implications -> Without a clear demonstration of leadership, the implementation of a system as complex as ISO 27001 is doomed to failure.
3. Personnel involvement: People at all levels are the essence of an organization and total involvement on their part allows the use of their skills in its favor.
ISO 27001 implications -> An information security programme could not reach its objectives without the involvement of the majority of stakeholders and having them understand their responsibilities.
4. Process approach: This is the idea that any activity of an organization can be designed as an interrelated series of actions. The process approach allows improvement interventions to be targeted and the performance of the organization to be quantified/measured.
ISO 27001 implications -> The organization must identify the key processes to determine those critical to the success of the organization and therefore those that must be protected.
which the goal of the components is to allow the organization to reach its mission.
ISO 27001 implications -> The organization must put controls in place that protect the information wherever it is located in the organization.
6. Continual improvement: the continual improvement of the global performance is a permanent objective of the organization.
ISO 27001 implications -> The organization will need to continually improve the efficiency of the ISMS using the information security policy, information security objectives, audit results, analysis of supervised events, corrective and preventive actions and management review and validation.
7. Factual approach to decision making: Effective decisions are based on the analysis of data and information.
ISO 27001 implications -> Management must be able to make informed decisions in regards to security. This involves the implementation of metrics and a scoreboard to determine the facts and carry out event analyses.
interdependent and relations benefiting both parties increases their capacity to create value.
ISO 27001 implications -> Security controls to be set in place and determining the risk acceptance threshold must account for the business needs and obligations of partners and suppliers.
Source: www.iso.org
IT Security techniques
ISO and IEC -> JTC1 -> JTC1/SC27 (IT Security techniques):
- WG1: Security services and guideline requirements
- WG2: Techniques and security mechanisms
- WG3: Security evaluation criteria
ISO designations cover several scopes and fields of competencies. To handle some of them, ISO has developed a joint body with IEC (International Electrotechnical Commission), dating back to 1987 and called JTC1 (Joint Technical Committee), dealing specifically with IT (Information Technologies).
The JTC1 is subdivided into seventeen subcommittees that each deal with a particular scope. SC 27 is the one holding our complete attention, dealing with the IT Security Techniques scope.
SC 27 covers the standardization of the generic techniques and methods for IT security needs. SC 27 is composed of five Working Groups (WG):
- WG1 - Requirements, security services and guidelines, having as a work area the information security management system, with the recent definition of the 2700X series, stating ten standards related to information system security and communication, among which ISO/IEC 27002:2005, ISO/IEC 27001:2005, ISO/IEC 27005:2008
- WG2 - Techniques and security mechanisms, dealing with cryptology (techniques and algorithms for example).
- WG3 - Security evaluation criteria, having the Common Criteria (ISO/IEC 15408) as the main work scope (specifying the criteria for IT security).
- WG4 - Security services and controls, handling the previous scopes of WG1 not falling under the new 2700X series (ISO/IEC 18028 on security architectures)
- WG5 - Biometric security, identity and privacy, dedicated to the biometrics scope, identity and privacy (ISO/IEC 24760 for example).
Copyright 2011, ITpreneurs Nederland B.V. All rights reserved. 27
ISO 27001 | Lead Auditor
ISO 9001 and ISO 14001
From 1947 to date, ISO has published over 17,000 international standards. The ISO work program includes standards related to traditional activities such as agriculture and construction, media devices and the most recent developments in information technologies, such as the digital coding of audiovisual signals for multimedia applications.
The ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000 standard has become an international reference with respect to the quality requirements in commerce and business transactions. The ISO 14000 standard, for its part, is used to help organizations meet challenges of an environmental nature.
ISO 9001:2008 is related to quality management. It contains the good practices that aim to improve customer satisfaction, achievement of customer requirements and regulatory requirements as well as continuous improvement actions in those fields.
In December 2007, 951,486 organizations were certified ISO 9001:2000 (China having the most organizations certified: 210,773).
ISO 14001:2004 is mainly related to environmental management. It defines the actions that the organization can implement for the maximum reduction of negative impacts of its activities on the environment and for the continuous improvement of its environmental performance. In December 2006, 154,572 organizations were certified ISO 14001:2004 (Japan having the most certified organizations: 30,489).
Other examples
ISO/IEC 20000-1:2005 defines the requirements that an information technology service supplier must apply. This standard applies to service suppliers regardless of the organization's size or form. The standard consists of two parts. The first part defines the specifications the organization shall apply to obtain certification. The second part (ISO/IEC 20000-2:2005) explains the different practices or recommendations to reach the objectives previously defined.
ISO 28000:2007 prescribes the requirements applicable to a security management system of the supply chain. An organization has to define, implement, maintain, and improve a supply chain security management system during each step of production: that is manufacturing, maintenance, storage or transport of goods.
ISO 31000:2009 is a document at the strategic level, addressing all types of risks, including environmental security risks. This guide provides generic guidance on the implementation and maintenance of a continual process of risk management in an organization. It is not intended to be used for certification and/or registration needs.
ISO/IEC 38500:2008 establishes definitions, principles and a model for the good governance of information technology in an organization. This standard states six principles to guide decision making: responsibility, strategy, acquisition, operation, conformity and human behaviour. The objective pursued by the standard is to favour the efficiency, profitability and conformity of data processing in any organization.
PAS 99:2006, Annex B

PAS 99:2006                      | ISO 9001:2000                                     | ISO 14001:2004                            | ISO 20000:2005             | ISO 27001:2005
4.1 General requirements         | 4.1                                               | 4.1                                       | 3                          | 4.1, 4.2
4.2 Management system policy     | 5.1, 5.3                                          | 4.2                                       | 3.1, 4.4.1                 | 5.1
4.3 Planning                     | 5.2, 5.3(b), 5.4.1, 5.4.2, 5.5, 7.2.1, 7.2.2, 8.3 | 4.3, 4.4.1, 4.4.7                         | 4.1, 4.2, 5.0, 8.2         | 4.2
4.4 Implementation and operation | 4.2, 5.3(d), 5.5.1, 5.5.3, 6, 7                   | 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6  | 4.2, 6.0, 3.1, 3.2, 3.3, 7 | 4.2.2, 4.2.4(c), 4.3
4.5 Performance evaluation       | 8.1, 8.2.2, 8.2.4, 8.3                            | 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5         | 4.3, 5.2.1, 5.2.2          | 4.2.3, 4.2.4, 6
4.6 Improvement                  | 8.5.1, 8.5.2, 8.5.3                               | 4.5.3                                     | 4.4, 4.2.4(b), 8.2, 8.3    | 4.2.4, 8.1, 8.2, 8.3
4.7 Management review            | 5.6.1, 5.6.2, 5.6.3                               | 4.6                                       | 3.1(g)                     | 7.1, 7.2, 7.3
PAS 99:2006
implement a management system by integrating more than one of the following standards: ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, or OHSAS 18001 (Occupational Health and Safety Assessment Series). The objective of the implementation of PAS 99 is to simplify the setting up (deployment) of several management systems originating from different standards by avoiding conflicts between systems and by reducing document duplication and over-documentation (align and incorporate the ISMS into the requirements of other management systems).
Examples
ISO/IEC 15408:2005-2008: Under the general title Common Criteria, the scope of this standard is to be used as a basis to evaluate the security properties of Information Technology (IT) products and systems. It contains the following parts:
BS 25999-2:2007 defines the requirements that an organization must apply to certify a Business Continuity Management System (BCMS). The first part (BS 25999-1:2006) is a code of practice that explains the different practices or recommendations to establish a BCMS. BS 25999-1:2006 establishes the procedures, principles and terminology of BCM. It defines a basis for the understanding, development and implementation of business continuity in an organization, whatever its size or sector. Its methodology is based on the total lifecycle of BCM, with the business as its engine.
Timeline 1990-2011
- 1990: Code of best practices (published by a group of companies)
- 1995: BS7799-1, code of best practices
- 1998: BS7799-2, ISMS certification schema
- 2000: ISO/IEC 17799, best practices code
- 2005: New version of ISO 17799; ISO 27001, ISMS requirements publication
- 2007: ISO/IEC 27006, certification organization
- 2008: ISO 27005, information security risk management
Beginning of the 1990s
- An industry need expressed in terms of better practices and controls to support trade and government in the implementation and improvement of information security
- Ministry of Commerce and Industry (United Kingdom) forms a work group grouping together directors with experience in information security
- Publication of a collective work of advice on the management of information security
1992
1996 - 1997
- Identification of a need to increase the level of confidence in the BS 7799 standard
- The industry requests a means for certification of the code
1998
- Launch of the ISMS certification model (published as BS 7799-2:1998) of the United Kingdom
1999
- Revision of BS 7799-1:1999 (updates and addition of new controls):
  - E-commerce
  - Mobile informatics
  - Third-party agreements
  - Suppression of specific references to the United Kingdom
- BS 7799-2:1999 (alignment of controls to BS 7799-1)
2000
- Publication of ISO/IEC 17799:2000
2002
- Launch of BS 7799-2:2002
- The main updates are:
  - Plan-Do-Check-Act (PDCA) model
  - Improved definitions and clarification of links between:
    - Risk evaluation process
    - Selection of controls
    - Contents of applicability declaration
2005
  - ISMS specifications
  - ISO 17799 controls in standard annex
  - Annex demonstrating the connection between ISO 9001 and ISO 14001
2007
- Publication of ISO/IEC 27002:2005 replacing ISO/IEC 17799:2005 (no change in the content, just identification number)
- Publication of ISO/IEC 27006:2007 for certification organizations
2008
- Publication of ISO/IEC 27005:2008 for information security risk management
2009
- Publication of ISO/IEC 27000:2009 for vocabulary related to ISMS
ISO 27000 family:
- Vocabulary: ISO 27000
- Requirements: ISO 27001 (ISMS requirements), ISO 27006 (certification organization requirements)
- General guides: ISO 27002, ISO 27003, ISO 27004, ISO 27005, ISO 27007-27008
- Industry
Resulting from international workgroup reflections dedicated to the information security scope, the ISO/IEC 27000 family has been progressively published since 2005. ISO/IEC 27001:2005 is the only certifiable standard of the ISO/IEC 27000 family. The other standards are guidelines.
- ISO/IEC 27000:2009: This information security standard develops the basic concepts as well as the vocabulary that applies when analysing Information Security Management Systems
- ISO/IEC 27001:2005: This information security standard defines the requirements of Information Security Management Systems (ISMS)
- ISO/IEC 27002:2005 (previously ISO/IEC 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms
t
rin
ep
rR
fo
ot
l -N
ia
er
at
M
pe
m
Sa
t
ISO/IEC 27001:2005:
- Specifies requirements for ISMS management (clauses 4 to 8)
- Clauses are written using the verb "shall"
- Annex A: 11 sections containing the control objectives and the 133 ISO 27002 controls
- Organizations can obtain certification

This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.
This International Standard can be used in order to assess conformance by interested internal and external parties.
ISO/IEC 27002:2005:
- New number for ISO 17799
- Code of practice for information security management
- Reference document
- Composed of 11 domains, 39 control objectives and 133 controls
- Organizations cannot obtain certification

Revised in 2005, ISO/IEC 17799:2005 is a code of best practice for information security management. In 2007, it became ISO/IEC 27002:2005 in order to be integrated into the ISO/IEC 27000 family.
This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management.
The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment. This International Standard may serve as a practical guideline for developing organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.
ISO 27001, Annex A
- A5 Security policy
- A6 Organization of information security
- A7 Asset management
- A8 Human resources security
- A9 Physical and environmental security
- A10 Communications and operations management
- A11 Access control
- A12 Information systems acquisition, development and maintenance
- A13 Information security incident management
- A14 Business continuity management
- A15 Compliance

The control objectives and controls listed in Annex A are aligned with those listed in the clauses of ISO/IEC
The lists of control objectives and controls contained in Annex A are not exhaustive. An organization may consider it necessary to include additional control objectives and controls.
Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of specific standards:
- for industries (telecommunications, health, automotive)
- for specific domains related to information security (application security, cybersecurity, security incident management, etc.)

continuity
- ISO/IEC 27032: Guidelines for cybersecurity.
Reasons to adopt ISO 27001

Please read the following parts of the case study provided for this course:
Based on this information, determine and explain the three greatest advantages of implementing the ISO/IEC 27001 standard for this organization, and how Thalia can measure these advantages using metrics.
Duration: 15 minutes

Answer
Advantage 1: Improving information security management by putting in place a global management framework.
- Case study quote: "Unfortunately, the growth of the software activity has produced serious management, organization and operation problems."
How Thalia can measure this advantage: Put in place indicators measuring the number of incidents, the number of hours of unavailability of the information network, the monthly cost of incidents, etc.
Advantage 2: Regaining clients' trust thanks to third-party certification.
- Case study quote: "These problems include the loss of important information, the loss of several contracts, and more important still, the loss in confidence of some customers."
How Thalia can measure this advantage: Put in place indicators based on marketing studies to measure the percentage of confidence, the percentage of satisfaction, etc.
Advantage 3: Marketing differentiation when faced with increasingly significant competition.
- Case study quote: "In addition, the number of new competitors and similar products on the market has rapidly increased, and has started to slow the growth of the company's software activity."
How Thalia can measure this advantage: Measure brand awareness, percentage of sales growth, etc.
ADVANTAGES
1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing

Improvement of security:
equipments
- Independent review of your information security management system
Good governance:
- Awareness and empowerment of personnel
- Reduced risk of lawsuits against upper management, by virtue of the due care and due diligence principles
- The opportunity to identify one's weaknesses and to correct them
- Upper management accepts accountability for information security
Conformity:
- With other ISO standards (see ISO/IEC 27001:2005, Annex C)
- With the OECD (Organisation for Economic Co-operation and Development) principles (see ISO/IEC 27001:2005, Annex B)
- With industry standards, for example PCI-DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry)
- With national and regional laws
Cost reduction:
- Decision makers often ask for the profitability of projects to be justified and demand concrete, measurable returns. A financial evaluation concept has emerged to address the information security field specifically: Return on Security Investment (ROSI). ROSI is derived from Return on Investment (ROI). It can be interpreted as the security project's financial profit, taking into account its total cost over a given period of time.
Marketing:
- Differentiation, which provides a competitive advantage
- Satisfaction of client requirements
- Consolidation of market, supplier and partner confidence in the organization
The organization must comply with the applicable laws and regulations.
In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal condition.
In all cases, laws take precedence over standards.
ISO 27001 can be used to comply with several laws and regulations.

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. The design, operation, use, and management of information systems may be subject to
Advice on specific legal requirements should be sought from the organization's legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and may vary for information created in one country that is transmitted to another country (i.e. trans-border data flow).
Control: All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization.
Implementation guidance: The specific controls and individual responsibilities to meet these requirements should be similarly defined and documented.
Examples - United States

Requirement      Origin                  Description
Sarbanes-Oxley   Federal law             Public Company Accounting Reform and Investor Protection Act
HIPAA            Federal law             Protection of information in the health industry
FISMA            Federal law             Information system protection measures used by federal agencies
SB 1386          California law          Disclosure obligation in case of a security breach affecting customer data
NIST SP 800-53   Department of Commerce  Information system security standard of the Department of Commerce and its partners

The Sarbanes-Oxley Act, or SOX, was introduced following the financial scandals revealed in the United States in the early 2000s, such as the Enron and WorldCom affairs. It brings crucial legislative changes concerning the financial governance and administration of companies in order to protect stockholders. SOX is based on the establishment of controls based on a conceptual framework such as
HIPAA (1996)
HIPAA (Health Insurance Portability and Accountability Act) is an act that aims to protect information related to health industry activities. The standards it sets concern administrative and financial transactions, the security of personal information, code sets, and certain unique health identifiers.
GLBA (1999)
The purpose of the Gramm-Leach-Bliley Act is to make American financial institutions more competitive. Some clauses of this act require financial institutions to ensure a minimum level of protection of information concerning their customers and to implement controls to protect the security of that information.
SB 1386 (2002)
California Senate Bill 1386 requires organizations doing business in California that hold personal information to inform any California resident of any security breach that may affect their personal information.
NIST SP 800-53 (2006)
NIST (National Institute of Standards and Technology) Special Publication 800-53 provides guidelines for securing information systems within the federal government by selecting and specifying security controls. These guidelines apply to every part of an information system that processes, stores, or transmits federal information. It is issued by the U.S. Department of Commerce.
Examples - Europe

Requirement            Origin                           Description
Directive 95/46/EC     European Parliament and Council  Protection of individuals with regard to the processing of personal data and on the free movement of such data
Directive 2002/58/EC   European Parliament and Council  Protection of personal data and privacy in electronic communications
Regulation 45/2001     European Parliament and Council  Protection of personal data by European bodies
Decision 92/242/EEC    European Parliament and Council  Applicable definitions and sanctions concerning attacks targeting information systems
Directive 1999/93/EC   European Parliament and Council  Community framework for electronic signatures and certain certification services
Directive 2001/29/EC   European Parliament and Council  Harmonization of copyright with technological developments

The European Parliament and the Council have issued several directives, regulations and decisions related to information security. These instruments are strongly based on the protection of the rights of European consumer-citizens. All directives have been transposed into the national legislation of the member states.
Directive 95/46/EC
Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive applies to data processed by automated means (e.g. a computer database of customers) and to data contained in, or intended to be part of, non-automated filing systems (traditional paper files).
Directive 2002/58/EC
Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive tackles a number of issues of varying degrees of sensitivity, such as the retention of connection data by the Member States for police surveillance purposes (data retention), the sending of unsolicited electronic messages, the use of cookies and the inclusion of personal data in public directories.
Decision 92/242/EEC
Decision concerning attacks against information systems. The member states recognized the definitions and the applicable sanctions for several criminal acts: illegal access to information systems, illegal system interference and illegal data interference. The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.
Directive 1999/93/EC
This Directive establishes the legal framework at European level for electronic signatures and certification services. The aim is to make electronic signatures easier to use and help them become legally recognised within the Member States, and to secure cross-border recognition of signatures and certificates with third countries. The main provision of the Directive states that an advanced electronic signature based on a qualified certificate satisfies the same legal requirements as a handwritten signature. It is also admissible as evidence in legal proceedings.
Directive 2001/29/EC
This Directive aims to adapt legislation on copyright and related rights to technological developments and particularly to the information society. The Directive deals with three main areas: reproduction rights, the right of communication to the public and distribution rights.
Source: www.europa.eu
Examples - International and industry frameworks

Requirement       Origin                                  Description
OECD Principles   OECD                                    OECD guidelines governing the security of information systems and networks
PCI-DSS           Industry standard                       Protection of payment card data and of cardholders
Basel II          Basel Committee                         Protection and information security in the banking sector
COBIT             ISACA and ITGI                          Best practices for the governance of information technology
ITIL              UK Office of Government Commerce (OGC)  Best practice guide for the management of IT services

OECD Principles (2002)
The OECD (Organisation for Economic Co-operation and Development) has developed guidelines for the security of information systems and networks based on nine principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management and reassessment.
The PCI standard (the data security standard for the payment card industry) consists of a series of technical and operational controls whose goal is to protect organizations against fraud and other threats related to payment cards. This standard applies to any organization that stores, processes or transmits cardholder information.
Basel II (2004)
Basel II is the second of the Basel Accords, issued by the Basel Committee on Banking Supervision, which publishes recommendations on banking laws and regulations. The goal of this committee is the creation of international standards for the regulation of banking institutions and systems. Basel II sets out 10 principles concerning security that also appear in ISO 27001, such as identification, risk assessment and management, internal audit and contingency planning.
COBIT (1994+)
Developed by ISACA and the ITGI, COBIT (Control Objectives for Information and related Technology) is a reference framework for the governance of information systems. COBIT provides IT managers, auditors and users with indicators, processes and best practices to help them maximize the benefits derived from the use of information technology and to develop governance and control within a company.
ITIL (1980+)
Published by the Office of Government Commerce (OGC), the Information Technology Infrastructure Library is a set of publications listing best practices for IT Service Management (ITSM).
Section summary:
1. ISO is a network of the national standards bodies of over 160 countries, which publishes standards.
2. The eight ISO management principles are: customer focus, leadership, involvement of people, process approach, system approach to management, continual improvement, factual approach to decision making,
3. The two main management system standards are ISO 9001:2008 (quality) and ISO 14001:2004 (environment).
5. ISO/IEC 27001:2005 specifies the requirements for the management of an ISMS, and organizations can obtain certification.
6. ISO/IEC 27002:2005 is a code of practice for the management of information security, and organizations cannot obtain certification for this standard.
7. In most countries, the implementation of an ISO standard is a voluntary decision made by the organization, not a legal condition.
8. ISO/IEC 27001:2005 can be used to comply, in full or in part, with several laws, regulatory frameworks, industry standards and contractual agreements.