Iso 27001 Audit Evidence Acquisition



1. ISO 27001 audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL

Contents (slide numbers)
  Introduction (3)
  IS Audit overview (4)
    Contact details (4)
  The IS Auditor (5)
    Audit calendar (5)
    Audit scheduling (6)
    Audit schedule alert (6)
  The IS Audit operation (7)
    ISO policies and our solutions (7)
  Organization of information security (8)
    Policy dashboard (8)
    IS Policy with review dates (8)
    Organisation chart (9)
    Procedure document supporting policy (9)
  Asset Management (9)
    Asset management policies (10)
    Information asset register (10)
  Human resources security (10)
    HR Security policies and procedures (11)
  Physical and Environmental Security (11)
    Physical & environment security policies and procedures (11)
  Communications and Operations Management (11)
    Communications and operations management policies and procedures (12)
  Access Control (12)
    Access control policies and procedure (13)
  Information systems acquisition, development and maintenance (13)
  Information security incident management (14)
    Incident register (14)
  Business Continuity Management (14)
  Compliance (14)
  Reporting noncompliance (15)
    Non compliance – findings and recommendations (15)

www.informationsecurityauditors.com powered by www.riesgoriskmanagement.com info@riesgoriskmanagement.com
3. Introduction
www.informationsecurityauditors.com provides a web-based tool (www.riesgoriskmanagement.com) for auditors to capture information relating to ISO 27001 compliance. What sets the tool apart is the way it acquires compliance evidence and how the auditor can use that evidence to determine the level of compliance and the remaining gaps. The evidence reflects the organisation's behaviour not only in the days before the auditors arrive but, where the tool has been in place, going back over the previous two quarters. The tool sits on the client's own site; access can be restricted to internal staff or opened to third parties. Internal auditors can check compliance across all business units as long as they have access to the intranet.
4. IS Audit overview
Contact details
For more information about acquiring the solution please contact Ben Oguntala, Ben.oguntala@riesgoriskmanagement.com, telephone +44 7812 039 867.
5. The IS Auditor
The IS Audit department sets up accounts for internal and external auditors. For external auditors in particular, access to evidence is granted only for the period in which the audit is scheduled to be carried out, so an external account carries no standing access to evidence outside its audit window.
An auditor schedules audits with business units using the audit calendar; once an audit is scheduled, an audit alert is sent to the business unit informing it of the audit to take place.
Screenshot: Audit calendar
6. Audit scheduling
Screenshot: Audit scheduling
Screenshot: Audit schedule alert
7. The IS Audit operation
ISO policies and our solutions
The evidence the tool gathers for ISO 27001 is organised by the Annex A domains of ISO/IEC 27001:2005 (the domain and control-objective headings on the following slides match that edition). For each domain the tool records the policy and the evidence questions an auditor needs answered:
  - Security Policy
    - Information security policy
    - Our solution (each question below is covered by the tool):
      - Where is the policy? (included)
      - When was it published? (included)
      - How was it disseminated? (included)
      - When was it last updated? (included)
      - Who is responsible for the policy? (included)
8. Organization of information security
  - Internal Organization
  - External Parties
Screenshot: Policy dashboard
Screenshot: IS Policy with review dates
9. Organisation chart
Screenshot: Organisation chart
Screenshot: Procedure document supporting policy
Asset Management
  - Responsibility for assets
  - Information classification
10. Asset management policies
Screenshot: Asset management policies
Screenshot: Information asset register
Human resources security
  - Prior to employment
  - During employment
  - Termination or change of employment
11. HR Security policies and procedures
Screenshot: HR Security policies and procedures
Physical and Environmental Security
  - Secure Areas
  - Equipment Security
Screenshot: Physical & environment security policies and procedures
Communications and Operations Management
  - Operational Procedures and responsibilities
  - Third party service delivery management
  - System planning and acceptance
  - Protection against malicious and mobile code
  - Backup
12. Communications and operations management policies and procedures
Screenshot: Communications and operations management policies and procedures
Access Control
  - Business Requirement for Access Control
  - User Access Management
  - User Responsibilities
  - Network Access Control
  - Operating system access control
  - Application and Information Access Control
  - Mobile Computing and teleworking
13. Access control policies and procedure
Screenshot: Access control policies and procedure
Information systems acquisition, development and maintenance
  - Evidence captured: the same policy and procedure questions as for the domains above (where is the policy, when published, how disseminated, when last updated, who is responsible)
14. Information security incident management
  - Reporting information security events and weaknesses
  - Management of information security incidents and improvements
Screenshot: Incident register
Business Continuity Management
  - Information security aspects of business continuity management
  - Evidence captured: the same policy and procedure questions as for the domains above
Compliance
  - Compliance with legal requirements
  - Compliance with security policies and standards, and technical compliance
  - Information Systems audit considerations
15. Reporting noncompliance
Once the audit is completed, the auditor can report each non-compliance that was discovered against a business unit, information asset, policy or area. The idea behind the process is that each non-compliance is routed to the person best placed to act on it. All the non-compliances together make up the audit report.
Non compliance – findings and recommendations
Further non-compliances, findings and recommendations can be recorded against the audit over time, giving a single source for the full history of each non-compliance. The activity log provides a running commentary of the actions taken by the auditor or the business unit to resolve it.