
Iso 27001 Audit Evidence Acquisitionv3

1,214 views

Published on

This tool is designed to assist information security auditors in carrying out effective IS audits across their estate, and it also provides the evidence needed to support the audit.

Published in: Technology


1. www.riesgoriskmanagement.com www.informationsecurityauditors.com info@riesgoriskmanagement.com

ISO 27001 Audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL

Contents
Introduction ... 3
IS Audit overview ... 4
Contact details ... 4
The IS Auditor ... 5
  Audit calendar ... 5
  Scheduling an audit ... 6
  Audit alert ... 6
The IS Audit operation ... 7
  Security Policy ... 7
    The policy dashboard ... 7
    Each policy with an automatic review date reminder ... 7
  Organization of information security ... 8
    Policies ... 8
    The internal organisation structure ... 8
    The key personnel ... 8
  Asset Management ... 9
  Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management ... 10
    Supporting policies, procedures and guidelines ... 10
    Documents with automatic review dates ... 10
  Information systems acquisition, development and maintenance ... 11
    Project risk assessment ... 12
    Residual risk ... 12
  Information security incident management ... 13
    Incident register ... 13
  Compliance ... 14
    Compliance dashboard ... 14

2. Contents (continued)
  Reporting noncompliance ... 15
  The end ... 15
3. Introduction

As an Auditor, quite often in your audit of your information security estate you are concerned with assuring yourself that there is enough evidence to support a compliance statement that has been made. The process can be tedious and often adversarial, causing a significant amount of time to be invested, much of it unnecessarily. This tool is designed to assist both the Internal Audit team and the business units in meeting their obligations by integrating the compliance obligation into operations: by going through its normal operation, the business unit exhibits its level of compliance with the standard.

www.informationsecurityauditors.com provides a web-based tool (www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO 27001 compliance. The difference the tool makes is the manner in which it acquires compliance evidence and how the Auditor is able to determine the level of compliance and potential gaps. Evidence reflects an organisation's behaviour not just prior to the arrival of the auditors but possibly going back over the last two quarters.

The solution is a web-based tool that sits on the client's site; access can be restricted or allowed for third parties. Internal auditors will be able to ensure compliance across all business units as long as they have access to the intranet.
4. IS Audit overview

The diagram above depicts how the Auditor (internal or external) is registered on the tool and is able to schedule an audit per business unit or for the entire organisation. It also depicts how evidence is acquired in relation to the ISO 27001 standard. From each of the modules the Auditor can view the behaviour of the audit target in the findings and can gather evidence to support the findings. The Auditor can then register non-compliances in the areas where they exist; each non-compliance is reported against a policy or asset and the relevant business unit so that ownership is taken and action implemented. The Auditor can then recommend the steps to address the non-compliances; once the business units carry out the fixes, the Auditor is notified and, if satisfied, can close off the non-compliance. Once a non-compliance is closed off it is archived; non-compliances that have no fixes remain on the dashboard against the business unit and the policy or asset until they are fixed. If the non-compliance represents a risk to the organisation, it can also be reported in the risk register until a fix is applied.

Contact details
For more information about acquiring the solution please contact Ben Oguntala, Ben.oguntala@riesgoriskmanagement.com, Telephone 02075929747
5. The IS Auditor

The IS Audit Department can set up accounts for internal and external auditors. For the external auditor in particular, access to evidence is granted only for the period in which the audit is to be carried out. The internal Auditor will always have access; if an external auditor wants to carry out an audit, access is granted for the specified audit period only. An Auditor can schedule audits with business units using the Audit calendar.

Audit calendar
6. Scheduling an audit

Once an audit is scheduled, an Audit alert is sent to the business unit informing them of the audit due to take place.

Audit alert
7. The IS Audit operation: Security Policy

The key questions asked and answered by the tool include:
- Where is the policy?
- When was it published?
- How was it disseminated?
- When was it last updated?
- Who is responsible for the policy?

The policy dashboard

Each policy with an automatic review date reminder
8. Organization of information security
- Internal Organization
- External Parties

Policies

The internal organisation structure

The key personnel
The following key accounts are enabled:
- Information security manager
- Policy manager
- Freedom of information manager (if public sector)
- Data protection officer
- Administrator
9. Asset Management
- Responsibility for assets
- Information classification

This view depicts the number of assets per business unit regardless of geographical location; it also shows the Asset ID, risk index, classification and asset owner, the number of risks associated with the asset and any Audit entries against the asset. Each business unit will be able to maintain its own asset register, and the information security team that handles security incidents and the risk register can report security incidents and risks associated with the asset.
10. Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management

We have grouped these modules together because the same audit principle applies to each; the diagram below breaks each one down and will show whether there are group policies or supporting policies, procedures and guidelines.

Supporting policies, procedures and guidelines
For each document uploaded there is an automatic date associated with it as well as a review period; to prevent documents from becoming irrelevant and redundant, the Auditor can check whether a review has taken place or not.

Documents with automatic review dates
11. Information systems acquisition, development and maintenance
- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical Vulnerability Management

The auditor can review the project risk management process in action to reveal how risk management is handled by the organisation. We provide a project risk management solution to address this element. If the organisation considers projects involving ISD&M as assets, then our information asset register can be used in this scenario as well, with the following:
- Projects register assets
  - The project management office will be a separate business unit
  - Register each project as an asset
  - The information security team will be able to assess each project and raise risks and potential mitigations
- Risk assessment carried out for each project asset
  - The information security team will be the appropriate team to carry out the risk assessment
  - The information security team is notified when a new project is registered as an asset; they will be able to carry out the risk assessment for the project, give it a risk rating and link its associated documents
- Risk assessment
- CIA assessment for the project is recorded
  - Risk assessments will be carried out in accordance with the industry standard: confidentiality, integrity and availability (CIA)

12. Project risk assessment

Residual risk
The residual risk associated with the asset is recorded and kept on the central register.
13. Information security incident management

Incident register
The diagram below depicts the number of incidents raised by all the business units in the organisation, the number of them that have been resolved and those that are still active.
- Reporting information security events and weaknesses
- Management of information security incidents and improvements
- The incident register will show the full record of incidents reported by the business units and their resolutions
14. Compliance

Compliance dashboard
Built in is an indicative element for the Auditor to assess the main areas of the business unit's or organisation's failure to comply with this module. The module requires:
- Compliance with legal requirements
- Compliance with security policies and standards, and technical compliance
- Information Systems audit considerations

The compliance box to the right of the picture above will turn to pass when the following are in place:
- All policies are uploaded
- All policies have been reviewed and none are outstanding
- Departmental policies have been uploaded
- A responsibility is assigned to each procedure
- No outstanding incidents
- No outstanding audit risks
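The pass condition above, as an added worked example that is not part of the original slide deck or of the vendor's product: a small Python model that evaluates each listed condition over a constructed business-unit record and names the ones that block a pass, so an auditor's finding list falls out of the same data. The record shapes, field names, the "review outstanding" calculation (last review plus the review period attached on upload) and the sample data are all assumptions; the page does not describe the tool's data model.

```python
"""
Added example (not the slide deck's or the vendor's own code): a model of the
compliance-dashboard rule. The dashboard shows "pass" only when every listed
condition holds:
  - all policies uploaded
  - all policies reviewed, with no review outstanding
  - departmental policies uploaded
  - a responsibility assigned to each procedure
  - no outstanding incidents
  - no outstanding audit risks
Record shapes, field names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Policy:
    name: str
    uploaded: bool
    last_reviewed: Optional[date]   # None means never reviewed
    review_period_days: int         # review interval attached on upload (assumption)
    departmental: bool = False

    def review_outstanding(self, today: date) -> bool:
        """Outstanding if never reviewed or the next review date has already passed."""
        if self.last_reviewed is None:
            return True
        return self.last_reviewed + timedelta(days=self.review_period_days) < today


@dataclass
class Procedure:
    name: str
    owner: Optional[str]            # person or role responsible; None = unassigned


@dataclass
class BusinessUnit:
    name: str
    policies: List[Policy]
    procedures: List[Procedure]
    open_incidents: int
    open_audit_risks: int


def evaluate_compliance(unit: BusinessUnit, today: date) -> dict:
    """Evaluate every dashboard condition and derive the overall pass/fail status."""
    checks = {
        "all_policies_uploaded": all(p.uploaded for p in unit.policies),
        "no_review_outstanding": all(not p.review_outstanding(today) for p in unit.policies),
        "departmental_policies_uploaded": any(p.departmental and p.uploaded for p in unit.policies),
        "every_procedure_has_owner": all(bool(pr.owner) for pr in unit.procedures),
        "no_open_incidents": unit.open_incidents == 0,
        "no_open_audit_risks": unit.open_audit_risks == 0,
    }
    checks["status"] = "pass" if all(checks.values()) else "fail"
    return checks


def failing_checks(result: dict) -> List[str]:
    """Names of the conditions that block a pass, in dashboard order."""
    return [name for name, ok in result.items() if name != "status" and ok is False]


# Constructed sample business unit: one policy overdue for review, one procedure
# without an owner, two open audit risks, so the dashboard must show "fail".
TODAY = date(2024, 6, 1)
SAMPLE_UNIT = BusinessUnit(
    name="Finance",
    policies=[
        Policy("Information security policy", True, date(2024, 1, 15), 365),
        Policy("Acceptable use policy", True, date(2022, 11, 1), 365),   # review overdue
        Policy("Finance data handling", True, date(2024, 3, 1), 180, departmental=True),
    ],
    procedures=[
        Procedure("Joiner/leaver process", "HR manager"),
        Procedure("Backup restore test", None),                           # no owner assigned
    ],
    open_incidents=0,
    open_audit_risks=2,
)

if __name__ == "__main__":
    result = evaluate_compliance(SAMPLE_UNIT, TODAY)
    print(result["status"], failing_checks(result))
```

Evaluating each condition separately, rather than only computing the final boolean, is what makes the dashboard useful to the auditor: the failing conditions map directly onto the non-compliances to be reported against the business unit.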
15. Reporting noncompliance

Once the audit is completed the Auditor will be able to report on each non-compliance that was discovered against a business unit, information asset, policy or area. The idea behind the process is to ensure that each non-compliance is reported to the most appropriate person to take action on it. All the non-compliances together make up the report. Further non-compliances, findings and recommendations can be recorded against the audit, providing a single source for the full history of each non-compliance. The activity log provides a running commentary of the actions taken by the Auditor or the business unit to resolve the non-compliance.

The end