BCS ISO 27001 LA Lecture Fahad Zaman.pdf

  1. A Road Towards ISO 27001 Lead Auditor Certification. Presented by Fahad Zaman Chowdhury, Joint Secretary (Admin), Bangladesh Computer Society, and Joint Director (ICT), Bangladesh Bank.
  2. My Profile
     - Professional: Joint Director (ICT), Bangladesh Bank; Member, Bangladesh Bank CIRT; Cyber Security Practitioner Panelist, AFI Cyber Security Program, Malaysia
     - Academic: MSc (CS, University of Malaya, Malaysia), MBA (Finance, DU), BSc (EEE, KUET)
     - Certification: ISO 27001 LA, CDFOM, ECSA
     - Academic/research interests: Information Security, Network Security, Game Theory, Security of Pervasive and Ubiquitous Computing
     - Awards/fellowships/grants: 1. Secured best paper award in the 8th IEEE Control and System Graduate Research Colloquium (ICSGRC) 2017, conference held in Shah Alam, Malaysia. 2. Won the IEEE quiz award at the IEEE student congress organized by IEEE Malaysia Section & Asia Pacific University, Malaysia.
  3. My Profile (Contd.)
     - Publications and presentations:
       1. EDoS Eye: A Game Theoretic Approach to Mitigate Economic Denial of Sustainability Attack in Cloud Computing, by Fahad Zaman Chowdhury, Mohd Yamani Idna Bin Idris, Miss Laiha Mat Kiah and M A Manazir Ahsan. In proceedings of the 8th IEEE Control & System Graduate Research Colloquium (ICSGRC) 2017, Malaysia.
       2. Economic Denial of Sustainability Mitigation Approaches in Cloud: Analysis and Open Challenges, by Fahad Zaman Chowdhury, Mohd Yamani Idna Bin Idris, Miss Laiha Mat Kiah and M A Manazir Ahsan. In proceedings of the International Conference on Electrical Engineering and Computer Science (ICECOS) 2017, Indonesia.
       3. An efficient fuzzy keyword matching technique for searching through encrypted cloud data, by M A Manazir Ahsan, Fahad Zaman Chowdhury, Musarat Sabilah, Ainuddin Wahid Bin Abdul Wahab and Mohd Yamani Idna Bin Idris. In proceedings of the 2017 International Conference on Research and Innovation in Information Systems (ICRIIS), Malaysia.
       4. Seminar on "A Dynamic Game Modeling of EDoS Eye", presented at the Post Graduate Research Excellence Symposium (PGRES) 2017 organized by the Faculty of Computer Science and Information Technology, University of Malaya, Malaysia.
     - Memberships/affiliations: 1. Joint Secretary (Admin), Bangladesh Computer Society. 2. Member, Institute of Engineers Bangladesh (IEB). 3. Life Member, Bangladesh Computer Society. 4. Member, Engineers Club, Dhaka. 5. Former Ex-Co Member, IEEE UM Student Branch.
     - Online profile: 1. (Google Scholar) 2. (LinkedIn) 3. (ResearchGate)
  4. Road Towards ISO 27001 Lead Auditor Certification
  5. Topic 5: Conducting Audit, Audit Findings, Audit Reporting, Audit Follow-Up
  6. Conducting Audit: Auditing is a fact-finding process, not a fault-finding process.
  7. Conducting Audit
     - Objective of an audit
     - Benefits of audit
     - Types of audit
     - Stages of the audit (Stage 1 & Stage 2)
     - Surveillance audits
     - Re-certification audits
     - Principles of auditing (integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach)
     - Responsibilities of a lead auditor
     - Traits/attributes of an auditor
     - Knowledge and skills of an auditor
  8. Conducting Audit: Collecting and verifying information, as a sequence
     - Sources of information
     - Collecting by means of appropriate sampling, which yields audit evidence
     - Evaluating the evidence against the audit criteria, which yields audit findings
     - Reviewing the findings, which yields the audit conclusions
  9. Conducting Audit: The auditor's task is to verify, by means of interviews, questions, observation and examination.
  10. Conducting Audit: What do auditors examine? Documentation, records, hardware, software, processes and people.
  11. Audit Findings
     - Indicate conformity and non-conformity
     - Lead to identification of opportunities for improvement or recording of good practices
     - Can be termed compliance or non-compliance if the criteria were selected based on legal or regulatory requirements
  12. Audit Findings
     - Conformity: fulfilment of a requirement; factual evidence of a condition in accordance with a specified requirement
     - Non-conformity: non-fulfilment of a requirement; factual evidence of a condition not in accordance with a specified requirement
  13. Audit Findings: Major non-conformity
     - A significant non-conformance with specified requirements or ISMS requirements
     - Failure of the system
     - A significant number of minor failures
  14. Audit Reporting
     - Record the findings during the audit and compile them so they are presentable and reportable
     - Review with the auditee/audit representative when in doubt
     - Classify or grade each non-conformity
     - Reach a conclusion of the audit
     - Conduct a closing meeting
  15. Audit Follow-Up: Audit follow-up is required
     - To verify and assess the effectiveness of the corrective/preventive actions taken by the organization
     - It involves verifying, closing and/or escalating
     The follow-up audit can vary based on the severity of the problem:
     - A limited re-audit
     - A review of the new/amended documentation
     - Inclusion in the next audit
  16. Audit Follow-Up: Role of the auditee
     - Understand the non-conformity raised
     - Investigate the cause
     - Identify actions
     - Select the most appropriate actions and develop an action plan
     - Take corrective actions
     - Verify completion internally
     - Inform the auditor about implementation and the plan for follow-up
  17. Audit Follow-Up: Role of the auditor
     - Review the corrective action plan
     - Verify the corrective actions
     - Close out and confirm the compliance report
  18. Question and Answer
  19. Thank You All