BCS ISO 27001 LA Lecture Fahad Zaman.pdf
FahadZaman38
28 Mar 2023
This is the lecture for the introduction of ISO 27001 Lead Auditor.
Slide 1: A Road Towards ISO 27001 Lead Auditor Certification
Presented by: Fahad Zaman Chowdhury, Joint Secretary (Admin), Bangladesh Computer Society & Joint Director (ICT), Bangladesh Bank

Slide 2: My Profile
Professional:
- Joint Director (ICT), Bangladesh Bank
- Member, Bangladesh Bank CIRT
- Cyber Security Practitioner Panelist, AFI Cyber Security Program, Malaysia
Academic: MSc (CS, University of Malaya, Malaysia), MBA (Finance, DU), BSc (EEE, KUET)
Certification: ISO 27001 LA, CDFOM, ECSA
Academic/research interests: Information Security, Network Security, Game Theory, Security of Pervasive and Ubiquitous Computing
Awards/fellowships/grants:
1. Secured best paper award at the 8th IEEE Control and System Graduate Research Colloquium (ICSGRC) 2017, held in Shah Alam, Malaysia
2. Won IEEE quiz award at the IEEE student congress organized by IEEE Malaysia Section & Asia Pacific University, Malaysia

Slide 3: My Profile (Contd.)
Publications and Presentations:
1. "EDoS Eye: A Game Theoretic Approach to Mitigate Economic Denial of Sustainability Attack in Cloud Computing" by Fahad Zaman Chowdhury, Mohd Yamani Idna Bin Idris, Miss Laiha Mat Kiah and M A Manazir Ahsan. In proceedings of the 8th IEEE Control & System Graduate Research Colloquium (ICSGRC) 2017, Malaysia.
2. "Economic Denial of Sustainability Mitigation Approaches in Cloud: Analysis and Open Challenges" by Fahad Zaman Chowdhury, Mohd Yamani Idna Bin Idris, Miss Laiha Mat Kiah and M A Manazir Ahsan. In proceedings of the International Conference on Electrical Engineering and Computer Science (ICECOS) 2017, Indonesia.
3. "An efficient fuzzy keyword matching technique for searching through encrypted cloud data" by M A Manazir Ahsan, Fahad Zaman Chowdhury, Musarat Sabilah, Ainuddin Wahid Bin Abdul Wahab, Mohd Yamani Idna Bin Idris. In proceedings of the 2017 International Conference on Research and Innovation in Information Systems (ICRIIS), Malaysia.
4. Seminar on "A Dynamic Game Modeling of EDoS Eye", presented at the Post Graduate Research Excellence Symposium (PGRES) 2017, organized by the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia.
Memberships/affiliations:
1. Joint Secretary (Admin), Bangladesh Computer Society
2. Member, Institute of Engineers Bangladesh (IEB)
3. Life Member, Bangladesh Computer Society
4. Member, Engineers Club, Dhaka
5. Former Ex-Co Member, IEEE UM Student branch
Online profile:
1. https://scholar.google.com/citations?user=CaTbyOFiZQUC&hl=en (Google Scholar)
2. https://bd.linkedin.com/in/fahad-zaman-chowdhury-644a5427 (LinkedIn)
3. https://www.researchgate.net/profile/Fahad_Chowdhury2 (ResearchGate)

Slide 4: Road Towards ISO 27001 Lead Auditor Certification

Slide 5: Topic
- Conducting Audit
- Audit Findings
- Audit Reporting
- Audit Follow-Up

Slide 6: Conducting Audit
Auditing is a fact-finding process, not a fault-finding process.

Slide 7: Conducting Audit
- Objective of an Audit
- Benefits of Audit
- Types of Audit
- Stages of the Audit (Stage 1 & Stage 2)
- Surveillance Audits
- Re-Certification Audits
- Principles of Auditing (Integrity, Fair presentation, Due Professional Care, Confidentiality, Independence, Evidence-based approach)
- Responsibilities of a Lead Auditor
- Traits/Attributes of an Auditor
- Knowledge and Skills of Auditor

Slide 8: Conducting Audit
Collecting and Verifying Information:
- Sources of information
- Collecting by means of appropriate sampling
- Audit evidence
- Evaluating against audit criteria
- Audit findings
- Reviewing
- Audit conclusions

Slide 9: Conducting Audit
Auditor's Task:
- Verify
- Interviews
- Questions
- Observation
- Examination

Slide 10: Conducting Audit
What do auditors examine?
- Documentation
- Records
- Hardware
- Software
- Processes
- People

Slide 11: Audit Findings
Audit findings:
- Indicate conformity and non-conformity
- Lead to identification of opportunities for improvement or recording of good practices
- Can be termed compliance or non-compliance if the criteria are selected based on legal or regulatory requirements

Slide 12: Audit Findings
- Fulfilment of a requirement: factual evidence of a condition in accordance with a specified requirement
- Non-fulfilment of a requirement: factual evidence of a condition not in accordance with a specified requirement

Slide 13: Audit Findings
Major non-conformity:
- A significant non-conformance with specified requirements or ISMS requirements
- Failure of system
- Significant number of minor failures

Slide 14: Audit Reporting
- Record the findings during the audit and compile them into a presentable, reportable form
- Review with the auditee/audit representative when in doubt
- Classify or grade the non-conformity
- Reach a conclusion for the audit
- Conduct a closing meeting

Slide 15: Audit Follow-Up
Audit follow-up is required:
- To verify and assess the effectiveness of the corrective/preventive actions taken by the organization
- Involves: verifying, closing and/or escalating
Follow-up audit can vary based on the severity of the problem:
- A limited re-audit
- A review of the new/amended documentation
- Include in the next audit

Slide 16: Audit Follow-Up
Role of auditee:
- Understand the non-conformity raised
- Investigate the cause
- Identify action
- Select the most appropriate actions and develop an action plan
- Take corrective actions
- Internal verification of completion
- Inform the auditor about implementation and plan for follow-up

Slide 17: Audit Follow-Up
Role of auditor:
- Review corrective action plan
- Verify corrective actions
- Close out and confirm compliance report

Slide 18: Question and Answer

Slide 19: Thank You All