The document provides an overview of information security management systems (ISMS) audits using ISO 27001:2013. It discusses ISO and the 27000 series of standards, including ISO 27001 for certification and ISO 27002 for non-certification. The document outlines the key sections and clauses of ISO 27001, including mandatory and discretionary controls. It also introduces process-based ISMS using the PDCA model and discusses topics that will be covered in more depth, such as audit definitions, principles, types, and the audit process.

1. ISMS Audit using ISO 27001:2013
Obrina Candra
August, 2015

2. ISMS Audit Using
ISO 27001:2013
supported by :

3. Contents Outline
1. Introduction to Information Security Management Systems (and the
ISO 27000 series of standards)
2. Process-based ISMS
3. Audit : definitions, principles and types
4. Audit process (audit plan, preparing for the on-site audit (audit stage
1), developing checklists, conducting the on-site audit (audit stage 2))
5. Audit review
6. Report and follow-up

4. Introduction to the ISO 27000 series of standards

5. what is ISO?
ISO, founded in 1947, is a worldwide federation of
national standards bodies from some 100 countries, with
one standards body representing each member country.
The American National Standards Institute (ANSI), for
example, represents the United States.
According to ISO, "ISO" is not an abbreviation. It is a
word, derived from the Greek isos, meaning "equal",
The name ISO is used around the world to denote the
organization, thus avoiding the assortment of
abbreviations that would result from the translation of
"International Organization for Standardization" into the
different national languages of members. Whatever the
country, the short form of the organization's name is
always ISO.

6. what is ISO?
• International Organization for Standardization is the world's largest developer and publisher
of International Standards.
• ISO is a network of the national standards institutes of 160 countries, one member per country (ANSI in
US, SNI in Indo), with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
• ISO is a non‐governmental organization that forms a bridge between the public and private sectors.
• ISO and IEC (the International Electrotechnical Commission) form the specialized system for worldwide
standardization.
• National bodies that are members of ISO or IEC participate in the development of International
Standards through technical committees established by the respective organization to deal with
particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual
interest.
• n the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC
JTC 1.
• International Standards are drafted in accordance with the rules given in the ISO/IEC Directives.
• The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.

7. 27001
27002
27000
27004
27011
27799
Applicability
Telecommunications
Health
Financial services
Inter-sector and
Inter organizational
27003
27005
Risk Management
31000
Guide 73
27006
Certification
27007
27008
19011
Guidelines for ISMS
auditing
17021
Governance
Measurements
Code of practice
Requirements
Implementation guidance
27001+20000-1
Overview and vocabulary
Requirements for bodies
audit and certification
Guidance for auditors
on controls - TR
Guidelines for
auditing management system
Conformity assessment
- ISMS
Vocabulary
Principles and
guidelines
27016 Organizational economics
27018
Cloud Computing service
17000
Conformity Assessment –
Vocabulary and general principals
31010
Risk assessment
techniques 27001
+
industry vertical
27010
27009
27013
27014
27015
Process control system - TR
27019
27017
Data protection control of
public cloud computing service
27x Extended Range
ISO/IEC 27001 family of standards last update : 10/2013

8. Introduction
ISMS are intended to provide organisations with
the elements of an effective information security
system in order to achieve the best practice in
information security and to maintain economic
goals.
ISO 27001, ISO 27002 are recognisable standards
against which ISMS can be audited and
certificated

9. ISO 27001 (certification)
•ISO 27001 specifies how to establish an Information
Security Management System (ISMS).
•The adoption of an ISMS is a strategic decision.
•The design and implementation of an organization’s
ISMS is influenced by its business, its security risks
and control requirements, the processes employed
and the size and structure of the organization: a
simple situation requires a simple ISMS.
•The ISMS will evolve systematically in response to
changing risks.
•Compliance with ISO27001 can be formally assessed
and certified. A certified ISMS builds confidence in
the organization’s approach to information security
management among stakeholders.

10. Benefit of ISO 27001 Cert
•Achieve marketing
advantage
•Lower cost
•Better organization
•Comply with legal
requirements or
regulations

11. ISO 27002 (non-certification)
• ISO 27002 is a “Code of Practice” recommending a
large number of information security controls.
• the standard are generic, high-level statements of
business requirements for securing or protecting
information assets.
• the standard are meant to be implemented in the
context of an ISMS, in order to address risks and
satisfy applicable control objectives systematically.
• Compliance with ISO 27002 implies that the
organization has adopted a comprehensive, good
practice approach to securing information.

12. a brief history of the 2700x series

13. 27001:2005 Vs 27001:2013
Context'of'the'
Organiza0on'
'
Leadership'
Planning'
Opera0on'
Improvement'
Performance'
Evalua0on'
Support'
ISO/IEC'27001:2013'
Management'
Responsibility'
'
Management'Review'
Establish'
ISMS'
Implement'
ISMS'
Improve'
ISMS'
Monitor'
ISMS'
Doc.''
Req.'
Internal''
Audit'
ISMS''
Improve'
ISO/IEC'27001:2005'
Mgmt.'
Review'
Structure'simplified'

14. 27001:2005 Vs 27001:2013
ISO/IEC 27001:2005
! 132 “shall” statements
(section 4-8)
! Annexure A
! 11 clauses
! 39 categories
! 133 controls
ISO/IEC 27001:2013
! 125 “shall” statements
(section 4-10)
! Annexure A
! 14 clauses
! 35 categories
! 114 controls
Number'of'requirements'reduced'

15. Process-based ISMS

16. ISO 27001 Structures
• Sections 0 to 3 are
introductory and are not
mandatory for
implementation
• Sections 4 to 10 contains
requirements that must be
implemented in an
organization if it wants to
comply
• Annex A contains 114
controls that must be
implemented if applicable
Section 0
Introduction
Section 1
Scope
Section 2
Normative
references
Section 3
Terms and
definitions
Section 4
Context of the
organization
Section 5
Leadership
Section 6
Planning
Section 7
Support
Section 8
Operation
Section 9
Performance
evaluation
Section 10
Improvement
Annex A

17. PDCA Model applied to ISMS Processes
Interested
Parties
Interested
Parties
Information
Security
Requirements
& Expectations
Managed
Information
Security
Establish
ISMS
Implement &
Operate ISMS
Maintain &
Improve ISMS
Monitor &
Review ISMS
Plan
Do
Check
Act
Development,
Maintenance and
Improvement Cycle

19. Mandatory controls
• The importance of mandatory
clauses is punctuated by the fact
that during ISMS audits if the
auditor discovers that any single
one of the mandatory clauses are
not supported by evidence, missing
or is deemed ineffective it is
considered a major non-
conformity. This mean it is reason
enough for the auditor not to
recommended the organization for
certification.
• In the event that the audit is part of
the ongoing continuous assessment
review the organization could be
decertified. Its that important!
• Clauses 4 – 10 require a gap
assessment initially to identify the
missing mandatory controls. Zero
exclusions are permitted and
that’s why a Gap Assessment is the
best approach.

20. Mandatory controls (sample)
the organization must define the scope of the ISMS (clause 4.3)
top mgmt and managers must show leadership to the ISMS (clause 5.1)
the ISMS policy should be appropriate to the purpose of the organization (clause 5.2) -must be
documented and communicated
the mgmt must ensure the responsibilities and authorities for security roles must be assigned &
communicated (clause 5.3)
there must be risk assessment and risk treatment plan established (clause 6.1, 6.1.3)
there must be an information security objectives that meets the organization’s business goals and
risk management process (clause 6.2)
competency needs must be identified, reviewed and managed so that personnel can perform their
roles effectively (clause 7.2)
etc…

21. Discretionary controls
• Within Annex A a series of control
objectives have been listed. These control
objectives have been designed to address
known risks.
• These controls are initially risk assessed
during implementation /adoption for fit
within each individual organization.
• The risk assessment provides evidence for
applicability and /or justification for
exclusion. The results are listed within the
Statement of Applicability (SoA).
• The SoA is a controlled document that gets
included with the Registration Auditors
recommendations which the auditor submits
to ISO for final gating and approval.
• During the ISMS internal and external
audits if a weaknesses is discovered within
the controls it will require a corrective
action plan and /or preventive action
(CAPA) plan. The CAPA is listed within the
Risk Treatment Plan and monitored until
completed and then validated before its
formally closed.
• Please note that while a single weakness
may be tolerated a cluster of failed
controls within the same domain will
result in a major nonconformity and
potential decertification.

22. Discretionary controls (sample)
labelling of information (A8.2.2)
handling of assets (A8.2.3)
management of removable media (A8.3.1)
disposal of media (A8.3.2)
secure log-on (A9.2.3)
working in secure areas (A11.1.5)
installation of software on operational system (A12.5.1)
information transfer (A13.2.1)
system change control (A14.2.2)
response to information security incidents (A16)
information security continuity (A17.1.2)
intellectual property rights (A18.1.2)
etc…

23. Audit : definitions, principles and types

24. My#Life#as#an#Information#Security#Consultant#

25. Definition
ISO 19011 define audit as a :
“Systematic process, independent and documented for
obtaining audit evidence and evaluate objectively, in order
to establish to what extent are audit criteria met”.

26. Principles
ethical conduct
professional, fair (unbiased), responsible
fair presentation
presents appropriately (words, gesture, etc), truthful and accurate in findings
due professional care
competence in the field of the audit
independence
free from conflict of interest
evidence–based approach
do not make assumptions, stick to the audit evidence
confidentiality
careful and discreet towards the informations provided by the audit

27. Types of audit
• Internal audits (1st party) sponsored by by the organization with the
aim of improvement of the ISMS.
• External audit (2nd party) audits carried out by an organisation on its
supplier (partners, vendors) using, either internal personnel, or external
entity entrusted with doing it.
• Certification audit (third party) independent from the
organizationwith the aim to release the certificate of conformity with the
requirements taken as a audit criteria (ISO 27001).

28. Audit Process

29. the big picture
What is
happening
What
changes
are needed
What
should be
happening

30. the medium picture

31. the process
1. Audit planning
2. Stage 1 audit
3. Stage 2 audit

32. audit planning
1. define audit objectives
2. define audit scope
3. select audit criteria
4. select sampling method
5. select audit team
6. define observers and guides (if necessary)
7. define resources needed

33. stage 1 audit
1. Initiation of audit
2. Auditee’s application (self-assessment document)
3. Document review
4. Planning work documents (forms, procedures, etc)
5. Organisation’s unit and processes to be audited
6. Estimation of time
7. Work schedule

34. developing a checklist
1. Appropriately phrased questions
2. Use open questions (avoid yes/no answers)
3. Dig deep

35. developing a checklist

36. developing a checklist

37. stage 2 audit (on-site audit)
1. Opening meeting
2. Collecting information by appropriate sampling
3. Questioning techniques (calm, polite, reassuring)
4. Stick to the plan (time, resource)
5. Documentation (collect evidence, take notes)
6. Control the audit (avoid confrontation and intimidation)

38. Sampling technique
Random Sample = each record in the population has an equal chance of being
selected for inclusion in the sample
e.g. Population = 200 hip replacements
10% random sample= any 20 cases in the population
Stratified Random Sample = Identifying a subset of the population and randomly
sampling that subset.
e.g. Patients aged over 65 with a hip replacement
Population = 200 hip replacements
10% random stratified sample= any 20 cases in the population where the patient is
aged over 65 years
Targeted Sample = Sample includes only a particular section of the population e.g.
Patients aged over 65 with a hip replacement
Population = 200 hip replacements
Targeted sample= All cases in the population where the patient is aged over 65
years

39. stage 2 audit (on-site audit)
techniques :
1. Questioning - people
2. Observing - process, equipment
3. Documenting - audit finding, evidence
4. Checking - assets

40. Audit Review

41. audit review
1. Audit team review meeting
2. Listing of audit findings (with evidence, if any)
3. Finding statement
4. Corrective Action Request (CAR) form
5. Classification of CARs (major - minor)
6. Opportunity of improvement
7. Audit conclusion

42. audit findings
1. Non-Conformity (NC) -> non-fulfillment of requirement
(mandatory req = major NC; discretionary req = minor NC)
2. Opportunity of Improvement (OFI) -> non-fulfillment of
controls
3. Observation -> negligence, e.g. one-day of log is missing

43. finding statement
1. clear statement of the finding (NC/OFI)
2. the evidence which the finding is based
3. summary of the requirement (clause/annex)

44. finding statement

45. CARs example

46. Major CARs
1. Major CARs must be corrected before certification of ISO 27001
can be recommended
2. Minor CARs allows certification to proceed
3. Corrective actions described in CARs usually verified at the
following surveillance visit
4. If not closed, a Minor CARs will be re-classified as Major
5. Audit should be positive and constructive, therefore, effective
corrective action is more important.

47. Report and follow-up

48. Reporting & follow-up
1. Conducting a closing meeting (presenting the finding)
2. Reporting on the audit (approval, distribution, retention)
3. Audit follow-up (surveillance visits, revised CARs) will be initiated
by the audit
4. Audit close-out (signing-off all forms)

49. that’s all folks..

50. Workshops
A. Audit evidence/audit trails
B. Continual improvement
C. Risk assessment
D. ISMS audit questionnaire
E. Document review
F. Planning the audit
G. Interpretation of the standard
H. Case study