02 ISMS ISO27001 Common

-ISMS Methodology
-Audit Methods

  • Self check – Daily, Routinely, System Monitoring etc. Independent Review – Processes, Internal Audit etc. Management Review – System, review the effective
  • Duration depending on the scope
  • Physical Threat. A physical threat to a computer system could result from loss of the whole computer system, damage to hardware, damage to software, theft of the system, vandalism, or natural disasters such as flood, fire, war or earthquakes. Acts of terrorism such as the attack on the World Trade Centre are also major threats to computers that can be classified as physical threats. Another good example of a physical threat to a computer system is the flooding of the city of New Orleans (Hurricane Katrina), during which valuable information was lost and billions of pieces of computer data were destroyed.
  • Accidental Error. This is also an important security issue that computer security experts should always take into consideration when designing security measures for a system. Accidental errors can occur at any time in a computer system, so having proper checks in place should be a major concern of the designer. Accidental error includes corruption of data caused by programming error, user error or operator error.
  • Unauthorized Access. Data stored on a computer system has to be accessed for it to be translated into useful information. This also poses a great security threat to the computer system when unauthorized persons gain access to it. Moreover, information can be accessed while being transmitted from one point to another via network media, which includes wired and wireless media. Consider an organization in which a member of staff at a particular level of the hierarchy is only allowed access to specific areas according to the organization's policy. If this employee gains access to the restricted data area on the computer by means not set out in the organization's policy, this can be termed unauthorized access.
  • Malicious Misuse. Any form of tampering with the computer system, including penetration, Trojan horses, viruses and any form of illegal alteration of the system (which also includes the generation of illegal code to alter the standard code within the system), can be termed malicious misuse. This can lead to great financial loss and should be prevented in all cases.
  • Purpose of the checklist: 1. Estimate the workload and prevent omissions; 2. Standardize the audit process and make it easy to record audit findings.
  • Workload estimation; continuity of the audit; avoiding omissions.

02 ISMS ISO27001 Common – Presentation Transcript

  • 02 ISMS & Audit Methodology Amy Zhu MSN: amyseeger@hotmail.com
  • Agenda
    • ISO 2700x Overview
    • ISMS Methodology
    • Common Approach
    • ISMS Auditing
  • ISO 2700x Overview
  • ISO 2700x Series Standard
    • ISO/IEC Std. – Description
    • 27000 – Vocabulary and Definitions
    • 27001 – Requirements (BS7799-2)
    • 27002 – Code of Practice (ISO 17799:2005)
    • 27003 – Implementation Guidance
    • 27004 – Metrics and Measurements
    • 27005 – Risk Management (BS7799-3)
  • ISO/IEC 27001 : 2005
    • Information Security Management Systems - Requirement
      • 11 Domain Areas
      • 39 Control Objectives
      • 133 Controls
    • The 11 domain areas:
      • Security Policy
      • Organizing Information Security
      • Asset Management
      • Human Resource Security
      • Physical & Env. Security
      • Comm. & Operation Management
      • Information Systems Acquisition, Development and Maintenance
      • Access Control
      • Information Security Incident Management
      • Business Continuity Management
      • Compliance
  • ISO 27001 Audit Stages
    • Conducted in at least two stages, both assessing compliance with ISO 27001:2005
    • Audit Stage 1 – Documentation Review
    • Audit Stage 2 – Implementation Audit
    • More Reference
  • ISMS Methodology
  • PDCA model applied to ISMS process
    • Input: Info. Sec. Req. & Exp. -> Output: Managed Info. Sec. (Continual Improvement of the Management System)
    • Plan – Establish the ISMS
      • Scope
      • ISMS policy / Security Org.
      • Management Authorization
      • GAP Analysis
      • RA approach / RA / RTP options
      • SOA
      • C&CO
    • Do – Implement and Operate the ISMS
      • Risk Treatment Plan
      • Implement selected C&CO
      • Define Measurements
      • Training and Awareness
    • Check – Monitor and Review the ISMS
      • Management Review
      • ISMS Metrics -> Control Effectiveness
      • Review RA
      • Internal Audit
    • Act – Maintain and Improve the ISMS
      • Implement the Improvements
      • Corrective Act. and Preventive Act.
  • Common Approach
  • High Level Certification Plan
    • Phase I – Implementation (5 Months)
    • Phase II – Certification (1 Month)
    • Plan and Manage Program
    • Mobilize Program
    • Launch Program
  • ISO Core Team
  • Security Committee
    • Role
    • The Security Committee is a key driver of our organization’s security aspects. The Committee needs to meet and review, at planned intervals, the effectiveness of the Information Security Management System. The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.
    • Frequency
    • At least once a quarter. However, until certification the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the Risk Assessment.
    • Outcomes
    • Key decisions made on the effectiveness of the ISMS
  • Risk Assessment - Phases
    • “Identifying Information Assets, Assigning values to them and Controlling Risks are essential ISO27001 requirements”
  • Asset Identification and Valuation
    • Asset Valuation Tool: Categorize Assets, then Valuate Assets based on C.I.A.
    • Asset categories:
      • Physical Assets
      • Information Assets
      • Software Assets
      • Services
      • Voice Information
    • Confidentiality – Ensuring that information is accessible only to those authorised to have access.
    • Integrity – Safeguarding the accuracy and completeness of information and processing methods.
    • Availability – Ensuring that authorised users have access to information and associated assets when required.
  • Threat Identification
    • Target: Identify and define all the threats applicable to the organization / facility
    • Classification of Threats
      • Physical
      • Accidental Error
      • Unauthorized Access
      • Malicious Misuse
    • Outputs: Threats Dictionary for the Organization
    • Analyze the Threat Probability based on historical occurrence data
    • Example: Threat Probability Analysis (TL = Threat Level Rating)
      • TL 1 – Once per 3 years or more / no occurrence
      • TL 2 – Once per year
      • TL 3 – Once per quarter
      • TL 4 – Once per month
  • Vulnerability Identification & Mapping
    • Map all the applicable vulnerabilities to the threats
    • Evaluate the Impact for every Threat/Vulnerability Pair
    • Example: Impact Value by Threat / Vulnerability Characteristic
      • 1 – Occurrence of this threat will have negligible business impact
      • 2 – Occurrence of this threat will have minor business impact
      • 3 – Occurrence of this threat will have major business impact
      • 4 – Occurrence of this threat will have vital business impact
  • Risk Assessment and Risk Treatment
    • Risk = Asset Value * Threat Probability * Impact Value
    • Define a Risk Acceptance Level
      • e.g. All ‘High’ level risks shall be treated;
      • All ‘Medium’ and ‘Low’ level risks should be monitored and the improvement areas shall be identified
    • Risk Treatment Plan – Mitigate the Risk
    • Re-Assess the Residual Risk after mitigation actions
    • Periodically Review the Risk Assessment
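    As an added worked example (not part of the slides), the scoring above carried through in Python over a small constructed risk register, using the slide's TL guideline and impact table as lookup tables; the asset valuation rule (highest C/I/A rating) and the High/Medium/Low thresholds are assumptions, since the slides do not state them.

```python
from dataclasses import dataclass, replace

# Threat Level (TL) guideline from the slide's probability table.
THREAT_LEVEL = {
    "once per 3 years or more / no occurrence": 1,
    "once per year": 2,
    "once per quarter": 3,
    "once per month": 4,
}
# Impact values from the slide's threat/vulnerability impact table.
IMPACT_VALUE = {"negligible": 1, "minor": 2, "major": 3, "vital": 4}
# Assumptions not on the slides: asset value = highest C/I/A rating (1..4);
# the acceptance level bands the 1..64 product as High (>= 32), Medium (>= 12), Low.
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 32, 12


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Assumed valuation rule: the most sensitive C/I/A property sets the value."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str         # one of the slide's four threat classes
    vulnerability: str  # weakness mapped to that threat
    frequency: str      # key into THREAT_LEVEL
    impact: str         # key into IMPACT_VALUE

    def risk(self) -> int:
        """Risk = Asset Value * Threat Probability * Impact Value."""
        return self.asset.value() * THREAT_LEVEL[self.frequency] * IMPACT_VALUE[self.impact]


def risk_level(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "High"
    return "Medium" if score >= MEDIUM_THRESHOLD else "Low"

def treatment_plan(scenarios):
    """Slide's acceptance rule: High risk is treated, Medium/Low is monitored."""
    return {f"{s.asset.name} / {s.threat}": "treat" if risk_level(s.risk()) == "High" else "monitor"
            for s in scenarios}

def residual_risk(scenario, *, frequency=None, impact=None) -> int:
    """Re-assess after a mitigation lowers the threat frequency and/or impact."""
    return replace(scenario, frequency=frequency or scenario.frequency,
                   impact=impact or scenario.impact).risk()

# Constructed sample risk register (not from the slides).
REGISTER = [
    RiskScenario(Asset("customer database", 4, 4, 3), "Unauthorized Access",
                 "shared admin password", "once per quarter", "major"),  # 4*3*3 = 36, High
    RiskScenario(Asset("field laptops", 3, 2, 2), "Physical",
                 "no disk encryption", "once per year", "minor"),  # 3*2*2 = 12, Medium
    RiskScenario(Asset("paper archive", 2, 2, 1), "Physical",
                 "basement storage", "once per 3 years or more / no occurrence", "vital"),  # 2*1*4 = 8, Low
]
```

    Running `treatment_plan(REGISTER)` marks only the customer database scenario for treatment; `residual_risk` on that scenario with the frequency lowered to the lowest TL gives 12, i.e. Medium, which is then within the acceptance level and moves to monitoring.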
  • ISMS Auditing
  • Requirement for Internal Audit
    • ISO 27001:2005 Clause 6 – Internal ISMS Audit
      • Planned Intervals
      • Conform to Standard
      • Information Security Requirements
      • Effective Implementation
      • Perform as expected
      • Audit Program – status and importance
      • Procedure
      • Actions taken without undue delay
      • Follow up activities – verification of actions taken
      • Report Results
  • What do we mean by Audit?
  • Audit
    • Systematic, Independent and Documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
    • BS EN ISO 19011:2002, Definition 3.1
  • BS EN ISO 19011:2002 – Scope
    • It is applicable to all organizations needing to conduct internal or external audits of quality and/or environmental management systems or to manage an audit programme.
  • Management Systems Auditing
    • Guideline Standard published in one part contains seven Clauses:
      • Clause 1, 2 and 3 - Scope, normative references and terms and definitions
      • Clause 4 – Describes principles of auditing
      • Clause 5 – Guidance on establishing and managing audit programme
      • Clause 6 – Guidance on conducting audits
      • Clause 7 – Guidance on auditor competence
  • Type of Audit
    • 1st Party Audit (Internal) – when we audit our own system
    • 2nd Party Audit (External) – when we audit a supplier, or when we are audited by a customer
    • 3rd Party Audit (External) – when we are audited by an independent registration body, BSI and others.
  • The Audit Process
    • Enquiry / Application
    • Pre-Assessment (optional)
    • Desktop Review / Document Review (Stage 1)
    • 6 Weeks Interval Maximum (BSI)
    • Initial Assessment / Implementation Audit (Stage 2)
    • Certification
    • Continuing Assessment (Every 6 months)
    • Every 3rd Year: Partial Stage 1 + Entire Stage 2 (UKAS / CNAB)
  • Audit Objectives
    • Determining the extent of conformity of the ISMS, or parts of it, against audit criteria
    • Evaluating the capability of the ISMS to ensure compliance with applicable laws, regulations and contractual requirements
    • Evaluating the effectiveness of the ISMS in meeting specified objectives
    • Identifying areas of potential improvement of the ISMS
  • The Scope of the Audit
    • The audit scope describes the extent and boundaries of the audit in terms of physical locations, organizational units, activities, processes, information assets and asset risk assessments and, where relevant, the time period covered by the audit.
  • Audit Criteria
    • Audit criteria may (will) include applicable security policies and procedures, standards (BS7799-2:2005, ISO 27001), legal and regulatory requirements, management system requirements, contract requirements, industry/business sector codes of conduct/practice, etc.
  • The Benefits of Audit
    • Verifying conformance with security policies and procedures
    • Providing (un-biased) information for security forum and management review
    • Increasing security awareness
    • Reducing Risk of security incidents/breaches
    • Identifying improvement opportunities
  • Auditor’s Responsibilities
    • Complying with company requirements
    • Assist with preparing audit schedule
    • Conducting the audit
    • Recording and reporting the findings
    • Conducting follow-up audits
    • Maintain independence and confidentiality
    • Maintain audit records
  • Planning the Audit
  • Audit Programme
    • An audit programme shall be planned taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined.
  • Planning and Preparation
    • Six Stages of an Audit
      • 1. Scheduling
      • 2. Planning and Preparation
      • 3. Conducting the audit, recording the findings
      • 4. Reporting the Results
      • 5. Recording and agreeing proposed corrective / preventive / treatment actions and timescales
      • 6. Following up actions
  • Audit Planning
    • Determine the Objectives (conformity? or effectiveness?)
    • Identify specified requirements
    • Determine audit duration and resources needed
    • Select the team
    • Contact the Auditee – agree the dates
    • Draw up audit plan
    • Brief the team
    • Prepare Checklist
  • Decisions at the Planning Stage
    • Determine and agree the scope
    • What the objectives are
    • Criteria.. legal / regulatory / ISO27001 etc.
    • Frequency – status and importance
    • Consider the timing
    • Auditors – trained / competent
  • Audit Duration
    • Depends on
      • Size of the department / area to be audited
      • Information processes and assets within the scope of the audit
      • Resources required
    You need to define it Based on Your Experience
  • Audit Preparation
  • Preparing for the Audit
    • Prior to audit you should be fully aware of the following:
      • Audit Objectives and Scope
      • Audit Criteria and any reference documents
      • Identification of any information processes and assets to be audited
      • Confirmation of interviewees
        • Identify the need for guides (if appropriate)
        • Audit methodology
  • Audit Preparation - Information
    • Previous audit findings
    • Security Policy statement
    • Security Manual / Procedures / guidelines
    • Statement of Applicability
    • Security incidents since last audit
    • Specialist knowledge identified
  • Audit Documents
    • Audit Procedures
    • Audit Agenda
    • Audit Summary Report forms
    • Non-conformity report forms (Risk Treatment / Action Taken)
    • Prepared checklists (*important)
  • Benefits of the Checklists
    • Maintain clear audit objectives
    • Evidence of planning
    • Maintain audit pace and continuity
    • Reduce risk of auditors’ bias
    • Manages audit workload
    • Record samples of activities in the audit
  • Checklist – Audit Starting Point
    • Review Security Policy amendments
    • Confirm scope
    • Review Risk Assessment for changes
    • Review the SOA for implemented controls
    • How are these controls being applied within the department (policies or procedures etc.)
    • How are they monitored for effectiveness
    • How are security incidents identified and reported
    • Evidence of continual improvements
  • Checklist – Clear Screen/Desk Policy
    • How long is it before Screen clears?
    • Are the screens password protected?
    • Look for evidence of compliance/awareness of need for the controls
    • Observe screens and desks for unattended information being displayed
    • Where are these referenced in the ISMS
  • Exercise – Preparing an Audit Checklist
    • Stage I & Stage II checklist
    • In your groups prepare an Audit Checklist based on a Top manager responsibility
    • List the questions you would ask, in relation to the Top Manager during the interview
  • Conducting the Audit
  • Audit Activities
    • Opening Meeting (formal/informal)
    • Collect and confirm factual information
    • Record and document findings
    • Communicate findings
    • Report audit findings to person responsible
  • Opening Meeting
    • Process/documented agenda maintain records
    • Introduce Audit objective / scope / plan
    • Escort and resource needed
  • Collecting the Facts
    • Samples of evidence
      • Randomly Selected
      • Chosen by Auditor
      • Facts agreed with interviewees
      • Don’t Make Assumptions
  • Establish the Facts
    • Collect all the details
      • Exact observation
      • What (is the requirement)
      • Where (was it happening)
      • When (did it happen)
      • Who (was doing it)
      • Why (is it a non-conformity)
  • Audit Evidence
    • Can be obtained from several sources including:
      • Interviews with asset and process owners / managers
      • Documents within the information security management system
      • Records
      • Reports from various sources including customers
      • All audit evidence must be verified by the auditor
  • Evidence
    • Records, Statement of fact or other information, which are relevant to the audit criteria and verifiable
    • BS EN ISO 19011
    • Clause 3.3
  • Techniques for Questioning
    • Key Information gathering questions
      • What
      • Why
      • Where
      • When
      • How
      • Who
      • Most Important ‘Please Show Me’
  • Recording the Facts
    • As Objective evidence
      • For investigation now
      • For investigation later
      • For use by colleague
        • Must be legible
        • Must be traceable
        • Must be retrievable
  • Documenting the Findings
    • Includes
      • Audit summary report
      • Non-Conformity identified
      • Observation and recommendations
      • Risk Treatment action plan/ schedule
  • Evaluating
    • For Compliance with
      • Security policies / procedures
      • Customer / Contract requirements
      • Legal / Regulatory / Statutory requirements
      • Documented ISMS
      • Company standards
      • ISO 27001:2005 (BS 7799-2: 2005)
  • Finding Classification - 1
    • Non-Conformity – NC
      • A situation where there is a likelihood that a security incident/breach may occur, or where the benefits of ISO27001:2005 are not being realized, because of the absence of, or lack of adherence to a security policy / procedure
  • Finding Classification - 2
    • Major Non-Conformity – Major NC
    • A non-conformity of such severity that its existence would indicate that a security breach could impact on the customer or have financial implications for the company, because the requirements of an appropriate clause of ISO27001:2005 have not been adequately addressed.
  • Finding Classification - 3
    • Observation
    • A situation where, based on your experience, a security control should be implemented or additional measures could be taken, to improve the ISMS in some way
  • The name does not matter, they are all ‘Opportunities for Improvement’
  • Recording the Results
  • Documenting Non-Conformities
    • Non-Conformity report
      • Unique reference
      • Where NC was found
      • Date Recorded
      • What was the requirement
      • What is the Objective evidence
  • Non-Conformity Report
    • Clear – No ambiguities
    • Complete – Includes all identifiers / facts
    • Correct – indisputable facts
    • Concise – if possible
    • Referenced – To ISO 27001:2005 clause
  • Reporting the Audit
    • Dates of the audit
    • Departments visited
    • Audit scope and basis
    • Key people seen
    • Procedure / Policy / SOA references
    • Summary of findings ( Positive and Negative )
    • Distribution list
    • <Audit Summary Report>
    • <Non-Conformity Report>
  • Exercise – NC report
    • Using the NC Report Forms and the Standard, write an NC Report
  • Audit Report Meeting
  • Close Meeting
    • Summarize findings
    • Review observations
    • Agree Commitment for corrective actions
    • Agree timescales
    • Avoid Confrontation
  • Conduct of Meeting
    • Control the meeting
    • Speak with authority
    • Listen with care
    • Maintain good manners
    • Watch body language
    • Finish with Clear Objectives
    • * Exercise – Close Meeting
  • Follow-up Options
    • Verification at Location of audit finding
    • Review of documentation
    • Verification at next Audit
    • Agree with next audit
    • But Always Record your Actions
  • Successive Audits
    • For successive audits give consideration at the planning stage to varying the approach:
      • Asset Group
      • Security Policies / Procedures
      • Auditors
      • Department
  • Reporting
    • Using the Audit Summary and NC Reports to produce a closing presentation to agree the NC Findings and next Actions
    • Remember:
    • * Finding NC is easy. Getting them to agree that they are NCs and when they are going to be fixed is the difficult part for internal audits.
  • Q & A