2. Today’s Agenda
1 ISO Certification
2 WHY ISO? Purpose of clauses!
3 What is ISO Audit?
4 Audit stages
5 Introduction to ISO Clauses & Understanding of clauses
6 Introduction to Controls
3. What is ISO Audit & what does it include?
● An audit of your organization's compliance with one of the standards set forth by the International Organization for Standardization (ISO).
● To demonstrate complete credibility — and reliability.
● ISO/IEC 27001 standards offer specific requirements to ensure that data management is secure and that the organization has defined an information security management system (ISMS).
● Implemented management controls, to confirm the security of proprietary data.
4. ISO 27001 certification applies to?
IT Industries
Finance Sector
Healthcare Sector
Government Sector
Telecom Industries
5. Why ISO 27001, Purpose of clauses ?
Why ISO?
● International Best Practices
● Identification of risk & appropriate mitigation
● Customer satisfaction on confidentiality of data
● Performance
● Regulatory compliance requirements
● Safeguarded information assets
● Competency of employees & management process
Purpose of clauses?
- To protect CIA of information/Assets
- To identify and effectively manage their information security risks
6. Audit Stages
■ Plan – Identify the problems and collect useful information to evaluate security risk.
■ Do – Implement the planned security policies and procedures.
■ Check – Monitor the effectiveness of ISMS policies; evaluate tangible outcomes.
■ Act – Continual improvement.
8. 4 Context of Organization
4.1. Organization & context
- Identification of internal & external issues in the organization, to identify the risk & mitigate it
4.2. Understand needs & expectations of interested parties
4.3. Determining scope, documented scope
9. 5 Leadership
5.1 Leadership & commitment:
How top management can demonstrate leadership to achieve the ISMS, by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation;
b) ensuring the integration of the information security management system requirements into the organisation’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome;
f) continual improvement in the process of implementing the ISMS.
5.2 Policy
- establishment and maintenance of an information security policy
5.3 Organization’s Roles, responsibilities & Authorities
10. 6 Planning
6.1 Actions to address risks and opportunities
- Build your information security management system (ISMS)
- Implement your risk management policy
- Implement your risk management process
- Manage your risk via a risk register
- Effectively and regularly report to the Management Review Team
6.2 Information security objectives and planning to achieve them
- The organisation shall establish information security objectives at relevant functions and levels
- The organization shall retain documented information on the information security objectives, and shall plan how to achieve them
6.3 Planning of changes
11. 7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8. Operation
8.1 Operational planning and control
– establishing criteria for processes
– implementing control of the processes in accordance with the criteria
8.2 Information security risk assessment
8.3 Information security risk treatment
12. 9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management review
10. Improvement
10.1 Continual improvement: measurement, analysis and evaluation
10.2 Nonconformity and corrective action
14. Physical Controls
● Natural disaster
● Single entry point
● CCTV camera surveillance
● 24×7 on-site security guards
● Uninterruptible Power Supply
● Security of information assets
● Authorized entry point
● Internet access control
15. Organizational control: Threat Intelligence
❖ What is Threat intelligence in ISO & what is its purpose?
3 Levels of Threat intelligence: 1 Strategic (WHO & WHY?), 2 Tactical (WHAT?), 3 Operational (HOW & WHERE?)
1. Strategic Threat Intelligence: high-level information about the threat landscape
2. Tactical Threat Intelligence: intelligence on tools, techniques and attack methodologies
3. Operational Threat Intelligence: intelligence on specific attacks and indicators
Editor's Notes
The only way for an organization to demonstrate complete credibility — and reliability — in regard to information security best practices and processes is to gain certification against the criteria specified in the ISO/IEC 27001 information security standard.
Additionally, it requires that management controls have been implemented, in order to confirm the security of proprietary data.
Plan – Identify the problems and collect useful information to evaluate security risk. Define the policies and processes that can be used to address problem root causes. Develop methods to establish continuous improvement in information security management capabilities.
Do – Implement the planned security policies and procedures. The implementation follows the ISO standards, but actual implementation is based on the resources available to organization.
Check – Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as behavioural aspects associated with the ISMS processes.
Act – Focus on continuous improvement. Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
4. Context of organization: focuses on the overall environment in which the organization’s functions operate.
Identification of internal & external issues in the organization, to identify the risk & mitigate it.
We can define issues here as factors that can impact the ISMS.
Eg: an internal factor can be the organization’s policies and processes, whereas an external factor can be market competition.
Eg: internal issue: many employees in the organization have limited capability.
So here, what is the risk? The risk is that employees with limited capability cannot protect the information.
Once we know what the risk is, we can work out how to mitigate it.
Using some procedure/training we can mitigate the risk to information assets.
Eg: external issue: external competition.
Suppose your field is innovating rapidly and rapid changes are happening in the market. This can be a risk to the organization, as the organization also has to take steps to keep up to date with the market. So here the action plan can be: the organization provides training that depends on the innovative market.
Organizations have to find out all interested parties and know their requirements, needs & expectations, and accordingly take actions to fulfill the requirements.
Because, when the organization fulfills these requirements of interested parties, they will favour it back, and then the organization can achieve the purpose of its ISMS.
Eg: employees are interested parties for the organization.
So the organization has to fulfill their needs, like: salary should be paid on time.
You should have documented the scope you have determined.
5. Leadership: emphasises the importance of information security being supported, both visibly and materially, by senior management. This clause identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment.
5.1 Leadership & commitment
You will write your information security policy and your associated information security policies based on the needs of the business and the risks the business faces. These are defined as part of the process of building your information security management system (ISMS). And the objectives we set should be measurable & realistic in a way to
Eg: Ensuring service availability to our customers of 99.9%
Implementation of an ISMS is a change in the organization. There will be requirements that have to be integrated into the organization’s processes, and these should be identified early during analysis.
Human resources: It is the responsibility of top management to ensure proper resource allocation to the project.
Budget: to bring staff up to the required level, training and capability development will be required. Any consultation charges require a budget which top management must approve.
Communicating the importance of information security can be achieved in different ways:
- A communication email to all staff
- An acceptable usage agreement signed by all staff members
- Within the information security policy itself
Top management provide oversight and governance throughout the ISMS, not only during the implementation phase.
Top management can demonstrate their commitment to continual improvement through management review meetings where they review the performance of the ISMS.
5.2 Policy
It focuses on the establishment and maintenance of an information security policy within an organization's information security management system (ISMS).
The organization is required to establish an information security policy that is appropriate to its context.
The policy should define the organization's overall intentions and direction for information security, including the protection of information assets, compliance with legal and regulatory requirements, and the commitment to continual improvement.
5.3 Organization’s Roles, responsibilities & Authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation. That will ensure that the management system is effective.
6. Planning
This is about having a plan for the information security management system that addresses:
- actions to address risks and opportunities: how to plan for risk management; defining and applying a risk assessment process; defining and applying a risk treatment process.
- the information security objectives and planning to achieve them: defining objectives and planning how to achieve them.
- planning for changes: planning changes to the information security management system rather than reacting to them.
6.1 Actions to address risks and opportunities
- Build your information security management system (ISMS): Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step by step guides and videos.
- Implement your risk management policy: Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.
- Implement your risk management process: Implement your risk management process that shows how you manage risk, how you identify risk, how you assess risk, how you accept risk and the different levels of risk acceptance.
- Manage your risk via a risk register: Implement a risk register that allows you to fully manage, record and report on risk, including residual risk.
- Effectively and regularly report to the Management Review Team: Ensure that you report to the Management Review at least once a quarter and follow the structured management team meeting agenda as dictated by the ISO 27001 standard.
6.2 Information security objectives and planning to achieve them
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine:
h) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.
6.3 Planning of changes :
When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
7. Support
7.1 Resources: It focuses on providing sufficient and good-quality resources for the establishment, implementation, maintenance & continual improvement of the ISMS.
7.2 Competence: The organisation as a whole has departments that contribute to the success of the organisation and that also play an effective role in the information security management system. We can consider HR, legal and regulatory compliance, commercial, and Information Technology (IT) teams.
The Standard defines this as: The organisation shall:
a) determine the necessary competence/capability of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
7.3 Awareness: It focuses on the awareness that employees should have.
Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance.
7.4 Communication:
The organisation shall determine the need for internal and external communications relevant to the information security management system, including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate.
7.5 Documented information: documented information determined by the organisation as being necessary for the effectiveness of the ISMS.
8. Operation:
8.1 Operational planning & control:
The organisation shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in clause 6.1. This is done by:
– establishing criteria for processes, and
– implementing control of the processes in accordance with the criteria.
The organization shall also plan to achieve its information security objectives.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
8.2 Information security risk assessment: The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed.
8.3 Information security risk treatment: The organisation shall implement the information security risk treatment plan.
Risk treatment: the process of selecting and implementing measures to modify risk.
Eg: installing fire alarms to mitigate the risk of fire within a building.
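The risk register from 6.1 and the assessment/treatment steps from 8.2/8.3, as an added illustration that is not part of the original slides: a small Python risk register in which the 1–5 likelihood × impact scoring and the acceptance thresholds are assumptions (ISO 27001 does not prescribe a scoring method), each treatment records the residual risk it leaves, and a summary is produced for the Management Review.

```python
from dataclasses import dataclass, field

# Assumed scoring model (not prescribed by ISO 27001): likelihood and impact
# on a 1-5 scale, score = likelihood * impact. Acceptance levels express the
# organisation's risk appetite; the numbers below are constructed examples.
ACCEPTANCE_LEVELS = {"accept": 6, "accept_with_approval": 12}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    # each treatment: (control applied, likelihood after, impact after)
    treatments: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # residual risk = risk remaining after the most recent treatment
        if not self.treatments:
            return self.inherent_score()
        _, likelihood, impact = self.treatments[-1]
        return likelihood * impact


def acceptance_decision(score: int) -> str:
    """Map a residual score onto the organisation's levels of risk acceptance."""
    if score <= ACCEPTANCE_LEVELS["accept"]:
        return "accepted"
    if score <= ACCEPTANCE_LEVELS["accept_with_approval"]:
        return "accept only with top-management sign-off"
    return "further treatment required"


def management_review_report(register: list) -> list:
    """Rows for the quarterly Management Review: inherent vs residual risk."""
    return [{"id": r.risk_id, "asset": r.asset, "inherent": r.inherent_score(),
             "residual": r.residual_score(),
             "decision": acceptance_decision(r.residual_score())} for r in register]


# Constructed sample register; R-01 is the page's own fire-alarm example.
REGISTER = [
    Risk("R-01", "server room", "fire", 2, 5, [("install fire alarms", 2, 3)]),
    Risk("R-02", "customer data", "insufficiently trained staff mishandle data",
         4, 4, [("security awareness training", 2, 4)]),
    Risk("R-03", "public website", "denial of service", 4, 4),  # untreated
]

if __name__ == "__main__":
    for row in management_review_report(REGISTER):
        print(row)
```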
9. Performance evaluation:
9.1 Monitoring, measurement, analysis and evaluation: gives guidance on the methods of monitoring, measurement, analysis and evaluation, and provides that they should produce comparable and reproducible results to be considered valid. This was previously a footnote, so there is no material change.
9.2 Internal Audit:
The organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the requirements:
The organisation shall fulfill the requirements to achieve the ISMS standard.
The organisation shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.
9.3 Management Review :
Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the ISMS.
10. Continual improvement:
The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system.
This applies if any loopholes are found in the process of fulfilling the ISMS standard.