SlideShare a Scribd company logo

The optimization method of the integrated management systems audit program v2+

Илья Лившиц
Илья Лившиц

The optimization method of the integrated management systems audit program

Engineering
1 of 8
Download to read offline
UDC 004.056 The optimization method of the Integrated Management System audit program I.I. Livshitz, D.V. Yurkin, A.A. Minyaev JSC “Gasinformservice” Kronshtadskaya 10 A, St. Petersburg, 198096, Russia Abstract. Nowadays the application of integrated management systems (IMS) attracts the attention of top management from various organizations such as refineries, instrument-making, air entities and defense. However, there is an important problem of running the audits in IMS and realization of complex checks of different ISO standards in full scale with the essential reducing of available resources. Key words: IT-Security, Integrated Management Systems, standard, audit, IT-security management system. 1. Introduction Recently, the application of integrated management systems (IMS) attracts more top management. Nowadays there is an important problem of running the audits in IMS and particularly, realization of complex checks of different ISO standards in full scale with the essential reducing of available resources. In a greater degree this problem is illustrative of supporting IT-Security audit program, as far as negative consequences can lead to essential damage. The realization of IT-Security management systems gets more application in practice. Moving to analysis based on risks provides the increasing of interest to rational exploitation of modern risk-oriented ISO standards. Studying the problem with realization of IMS audits makes the essential interest also the search of ways of IMS audit program optimization that are based on principles of continuous adaptation in the process of incoming data during one micro cycle of audit. It is supposed that new method of audit program optimization will let us to provide more rational acceptance of the IT-Security control solution. 2. Problem description To provide stable development of modern organizations in the context of risks of different origin, it is appear to be reasonable to apply risk-oriented standard and implement the IMS [1, 7, 9]. From the point of view of controlling the IMS audits in supposed method we should notice the necessity of solution of next important practical tasks [4]: 1. The task of resources allocation for audit program; 2. The task of account of factors that influence on the depth of audit-leak program, incidents, the appearance of criminal actions, revealed earlier mismatches and in this way the volume definition of audit program; 3. The task of collection of verifiable information; 4. The task to provide the auditors with special knowledge and skills either to invite engineers; It is necessary to admit that we should be aware of recommendations PAS-99 in IMS [9], that allows to take into account the specific requirements of carrying out combined audits, the account of risks, flexible controlling of IMS audit program volume with the account of last results and the importance of processes [4, 5]. 3. Principles of organization of flexible audits The suggested method of optimization of the IMS audit program is based on next basic principles:
1. We input the concept of integral evaluation (IE) of IT-Security that includes the specific group index of evaluation of all submitted for IT-Security audit processes - RISMS. This group index defines with the help of specific indexes – RPR, multiplied on their weight coefficient in dependence of process importance in the IT-Security organization for the concrete object of evaluation (OE). 2. After running the basic IT-Security audit, its condition is valued for the purpose of accordance with demands of audit criteria, and also its influence on IT-Security integral evaluation of concrete object of evaluation. 3. Next IT-Security audits are held by the given method that uses flexible approach: those processes, that have the most priority in the IT-Security for the concrete object of evaluation, and where the essential mismatches of last audit were revealed, are exposed of more detailed check. 4. Frequency and detail, which must be differentiated for different checked processes, comports with IT-Security too. For example, definite groups of processes, that have priority meaning in integral evaluation (for example, it depends on the model of actual threats of IT-Security), are exposed more detailed and often with audits. The processes, that have the lowest priority in the integral evaluation for the concrete object of evaluation, are checked seldom and less detailed. 5. The depth of check and frequency of audits, each time for k-audit in micro cycle PDCA, defines in dependence of oncoming function of integral evaluation for the concrete object of evaluation to some stated objective index – Rtarget for complex evaluation of concrete object of evaluation security. In addition we should note the importance of implementation of new standard, ISO 55000 [6- 8] – as many assets are not ruled in a proper manner. Accordingly, the appliance of demands of one implemented standard (for example, modern ISO 27001) substantially relieves the solution of standard problems of security, that are solved simultaneously, therefore they must be checked simultaneously within the context of combined audits of all MS in organization (for example, ISO 9001, ISO 50001, ISO 27001) [1-4, 5-8]. 4. Statement of the problem For the evaluation of a degree of providing IT-Security system conformance on the IMS audits to presented requirements of IT-Security we use private and group IT-Security indexes. For the purposes of realizing IMS audits in the aspect of providing IT-Security we suggest to use the index of effectiveness of MS IT-Security RISMS , which we can calculate in each cycle of k-audit using the additive formula with the account of α-weight coefficients and index of effectiveness of each concrete process of IT-Security – RPR : i n i iISMS RR Pr 1 •= ∑= α (1) in this case : 1 1 =∑= n i iα In its turn, indexes of effectiveness of each concrete i-process of IT-Security – RPR are calculated by additive formula with the account of β-weight coefficients and indexes of IT- Security metrics for each concrete i-process of IT-Security – KKPI: PKIj m j j KR i •= ∑=1 Pr β (2) in this case: 1 1 =∑= m j jβ
The coefficients of relevancy of private indexes of IT-Security, that are used by calculation of IT-Security group indexes, must be equal to 1 that provides ritualization of all indexes in additive formula above (1) and (2). Accordingly, the final index of effectiveness of MS IT- Security RISMS must maximize reaching 1: 1Pr 1 →•= ∑= i n i iISMS RR α (3) In the process of IMS audits, the constant measuring of current nonconformance for k-audit RISMS is measured as discrepancy with the objective (maximal) index: [ ]∑= −•=−=∆ n i iiISMS RRR 1 Pr )1(1 α (4) Regarding the results of all audits, that are carried out in a strict accordance with IMS audit program, we fill in the following matrix with the account of IT-Security processes – PR, IT- Security audits – k-audits and IT-Security metrics – KPI. 5. Basic optimization cycle of IMS audit program In terms of known audit standards (in particular [4,5]), we offer a method of multistage optimization of IMS audit processes for the complex industrial objects (CIO), which let us to provide the system of coordination, distribution of recourses and system of effective reduction of results of IMS audits till the person who takes decision. This method consists of scientifically grounded and object-oriented immediate functioning of IT-Security subsystem within IMS and it differs from existing methods with cyclic continuous evaluation of effectiveness on the basis of optimal system of IT-Security numeral indexes (metrics). The offered method consists of two connected cycles of optimization of IMS audits program that differs with the existence of: 1. Basic optimization cycle, which characterizes the effective carrying out of IMS audits in terms of evaluation of efficiency for each PRi- IT-Security process, each KPIj – IT- security metric, and also it defines cycles of resources optimization in audits program: of depth (“Scope”), size of auditor’s sample, number of involved auditors (engineers) and etc. 2. Fast block of evaluation of efficiency of correction measures and corrective actions in current k-audit, that touches the changes each of next process of IT-Security and next k+1 audit program. It is also provided fast transfer to evaluation of efficiency indexes of IMS – RISMS in k-audit and k+1 audit for the constant and effective optimization of all IMS audit program. Let’s consider the basic optimization cycle of IMS audit program that was built with the account of audit’s formal ISO standards requirements and ISAGO standards supported with new components (see fig. 1): - Formation efficiency evaluation of each k-audit; - Formation of fast efficiency evaluation of correction(corrective actions); - Formation of quick back link in the current audit cycle; - Formation of system reaction – complication or easing depending on current integral evaluation in current audit cycle; - Formation of integral evaluation of IMS security. Preconditions (data inputs) for the start of basic optimization cycle of audit program are given: - T0 – basis period of IT-Security audits; - S0 – basic (planned) price of IT-Security audits; - V0 – basic volume of IT-Security audits (number of units); - F0 – basic list of functional questions of IT-Security audits; - O0 – basic list of attended IT-Security audit objects.
1 Formation of audit program begining end αi , βj , K KPI pr j 2 Formation of k-Audit plan 3 Formation the monitoring by j- metrics K KPI for Pr i - processing in k-audit ОЗ 6 Formation of mismatches of k-audit 7 Formation of plan of corrective actions for k-audit The analysis of integral evaluation The basic conditions for audits planning: T0, S0, V0, F0, O0 The evaluation of corrective efficiency K KPI pr j R ISMS ∆ R PR i, ∆ K KPI pr j 5 Realization of cycle of audit program, planning k+1 аудита R ISMS (corr) 8 Completion of audits program Changing “complication” of conditions for planning audits: Tk+1, Sk+1, Vk+1, Fk+1, Ok+1 RISMS <> 1 RISMS (corr) <> 1 Changing (easing) the conditions for planning audits: Tk+1, Sk+1, Vk+1, Fk+1, Ok+1 R PR i , R ISMS 4 Formation of evaluation of Pr i – processing and R ISMS of integral evaluation in k-audit Fig.1 – Basic optimization cycle of IMS audit program The description of basic optimization cycle of IMS audit program is given in table 1. Table 1 - The description of basic optimization cycle of IMS audit program № Action Result 1. Formation of audit program RISMS ≥ RISMS tar Formulas (1),(2) Specified: -α- weight coefficient of IT-Security process (for group metric); -β- weight coefficient of IT-Security metric process (for private metric); -k- number of IT-Security audits in program of audits; - RISMS – current integral evaluation of IT-Security MS efficiency; - RISMS tar- target integral evaluation of IT-Security MS efficiency; -Δ- possible deviation (formula 4); - KPRi – target index of i-process efficiency;
-K KPIj - target index of j-metric efficiency for i-process 2. Formation of k-audit plan Confirmation of k-audit plan 3. Carrying out the k-audit Report on the results of k-audit 4. Formation of monitoring the results of k-audit: Therefore KPRi and K KPIj Filling the database of audit with KPRi and K KPIj indexes 5. Formation RISMS evaluation – k-audit integral evaluation Filling the database of audit with RISMS for k-audit 6. Evaluation of RISMS degree of progress by the k- audit results of RISMS tar target index Filling the database of audit with RISMS for k-audit 7. In case, if RISMS ≥ RISMS tar, i.e fixed index of efficiency is reached, it is carried out the informing of program audit manager about possible “softening” of k+1 audit planning conditions. Next go on to the step 13 to realization (continuation) of audit program and carrying out the k+1 audit. Report on the results of k-audit 8. In case if RISMS < RISMS tar, , i.e fixed index of efficiency cannot be reached, it is carried out the formation of list of mismatches on k-audit. Carrying out the k+1 audit can be stopped by the audit program manager’s decision with the aim of reducing the expenses. Report on the results of k-audit 9. Because of formed list of mismatches on the last step it is formed the correction plan and the corrective actions for the determined mismatches on the k-audit. Filling the database of audit with KPRi and K KPIj indexes for k-audit, which characterizes the degrees of deviation on target index of PRi - IT- Security process on the whole and KKPIj private indexes. 10. The evaluation of efficiency correction and corrective actions with mismatches, determined on the results of k-audit. Filling the database of audit with RISMS (corr) for k-audit 11. In case, if RISMS ≥ RISMS tar, i.e is reached the fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit, then there is carried out the informing of audit program manager and in case of absence other mismatches for the period of realization of corrective measures, the end of the audit program. Report on the results of k-audit 12. In case, if RISMS(corr) < RISMS tar, i.e fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit cannot be reached, , then there is carried out the informing of audit program manager about possible complication of planning audit conditions. Next go on to the step 13 to realization (continuation) of audit program and carrying out the k+1 audit. Report on the results of k-audit 13. In case, if the efficiency of corrective measures for all defined mismatches on the k+1 audit is confirmed, then there is carried out the move to the following realization (continuation) of audit program and carrying out the k+1 audit. The realization of audit program.
6. The quick block of efficiency evaluation of IMS audit program. The quick block of efficiency evaluation of correction measures and corrective actions in the current k-audit, which touch the changes of next process and also the following in the k+1 audit program and quick move to the evaluation of efficiency indexes of IT-Security MS – RISMS, is shown in the fig.2. The description of quick block of efficiency evaluation of IMS audit program is given in table 2. 1 Formation of mismatches list On k-audit begining end αi , βj , K KPI pr j 4 Formation of corrective actions plan of k-audit 5 Carrying out k+1 audit witch changed characteristic (R ISMS (corr) = 1) The analysis of integral evaluations of k and k+1 audits The basic conditions for audits planinig: T0, S0, V0, F0, O0 7 Realization of cycle of audit program 6 Efficiency evaluation of audit program Efficiency evaluation of correction k-audit R ISMS (corr) k, Ti+1, Si+1 , Vi+1, Fi+1, Oi+1 RISMS (corr) k <> 1 RISMS (corr) k+1 > RISMS (corr) k Changing (complication) conditions for audits programing: Ti+1, Si+1, Vi+1, Fi+1, Oi+1 Recount R ISMS 2 Formation of mismatches list Pr i – processing in k-audit 3 Formation of mismatches list on j-metrics K KPI for Pr i - process in k-audit Recount βj Recount αi Recount K KPI pr j Changing conditions for improving Pr – i process: Ti+1, Si+1, Vi+1, Fi+1, Oi+1 RISMS (corr) k+1 <= RISMS (corr) k R ISMS (corr) k, R ISMS (corr) k+1 Fig.2 - The quick block of efficiency evaluation of IMS audit program Table 2 - The description of quick block of efficiency evaluation of IMS audit program № Action Result 1. Formation of audit program Specified: -α- weight coefficient of IT-Security process (for group metric); -β- weight coefficient of IT-Security metric process (for private metric); -k- number of IT-Security audits in program of audits; - RISMS – current integral evaluation of IT-
Security MS efficiency; - RISMS tar- target integral evaluation of IT- Security MS efficiency; -γ- number of audits in audits program; -Δ- possible deviation (formula 4); - KPRi – target index of i-process efficiency; -K KPIj - target index of j-metric efficiency for i-process 2. In case if, there are defined mismatches on basic audit criteria, there is formed the list of k-audit mismatches. The list of k-audit mismatches. 3. Each defined mismatch subsequently matches up with certain PR IT-Security i- process. It is carried out the recount of weight coefficient (group) of IT-Security PR i- process. Filling the database of audit with new α index. 4. Each defined mismatch subsequently matches up with j-metric and KPRi index for certain IT-Security PR i-process. It is carried out the recount of β weight coefficient (private) for the metrics of IT- Security PR i-processes. Filling the database of audit with new β index. 5. It is carried out the plan formation of corrective actions on k-audit. It is carried out the recount of PR i- objective index of i-process efficiency. Filling the database of audit with new KPRi index. 6. The efficiency evaluation of correction and corrective actions on k-audit. Filling the database of audit with RISMS (corr) index for k-audit and new values T1, S1 ,V1, F1 ,O1 7. In case, if RISMS(corr) < RISMS tar, i.e fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit cannot be reached, , then there is carried out the informing of audit program manager about possible complication of planning audit conditions. Next go on to the step 5 to plan formation of corrective actions for k-audit and recount of group (α) and private (β) coefficients for each mismatch. Report on the results of k-audit 8. In case, if RISMS ≥ RISMS tar, i.e is reached the fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit, then there is carried out the realization of next audit: k+1 audit with the account of new changed parameters by the results of successful realization of corrective actions on last audit. Report on the results of k-audit 9. The analysis of integral evaluations for k and k+1 audit: RISMS(corr)k ,and RISMS(corr)k+1 Filling the database of audit with RISMS (corr) index for k-audit and RISMS(corr)k+1 for k+1- audit 10. In case, if RISMS(corr)k+1 ≤ RISMS(corr)k , it is carried out the informing of audit program manager about possible complication of Report on the results of k-audit
planning audit conditions. Evidently, that it will increase the expenses on carrying out the audits in the following. Next go on to the step 5 to plan formation of corrective actions for k-audit and recount of group (α) and private (β) coefficients for each mismatch. 11. In case, if RISMS(corr)k+1 > RISMS(corr)k , it is carried out the informing of audit program manager about possible return to basic condition of audit planning. Next go on to the step 5 to plan formation of corrective actions for k+1-audit and recount of group (α) and private (β) coefficients for each mismatch Report on the results of k-audit 12. In case of increasing of efficiency degree of program RISMS(corr)k+1 > RISMS(corr)k , there is carried out the evaluation of audit program, which includes economic aspect (minimization S-parameter). Report on the results of k-audit 7. Conclusions Given method of ISMS audit program optimization is based on the modern risk-oriented standards and let to provide the constant optimization of carrying out the IT-Security audits on the basis of joined flexible adaptive algorithms. References 1. ISO/IEC 27001:2013. Information technology. Security techniques. Information security management systems // Requirements, International Organization for Standardization. 2013. 23 p. 2. ISO/IEC 27000:2014. Information technology. Security techniques. Information security management systems // Overview and vocabulary, International Organization for Standardization. 2014. 31 p. 3. ISO/IEC 27004:2009. Information technology. Security techniques. Information security management systems // Measurement, International Organization for Standardization. 2009. 55p. 4. ISO19011:2011.Guidelines for auditing management systems; 5. ISO 17021:2011. Conformity assessment -Requirements for bodies providing audit and certification of management systems; 6. ISO 55000:2014 Asset management – Overview, principles and terminology // International Organization for Standardization, 2014. – 19 pages. 7. ISO 55001:2014 Asset management – Management systems – Requirements // International Organization for Standardization, 2014. – 14 pages. 8. ISO 55002:2014 Asset management – Management systems – Guidelines for the application of ISO 55001 // International Organization for Standardization, 2014. – 32 pages. 9. PAS-99:2012 «Specification of common management system requirements as a framework for integration»

Recommended

It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit ViewPLN9 Security Services Pvt. Ltd.
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
Marco Raposo
 
Cisa exam mock test questions-1
Cisa exam mock test questions-1Cisa exam mock test questions-1
Cisa exam mock test questions-1
Hemang Doshi
 
Security Audit Information – Physical
Security Audit Information – PhysicalSecurity Audit Information – Physical
Security Audit Information – PhysicalPLN9 Security Services Pvt. Ltd.
 
CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice question
Arshad A Javed
 
Compliance
ComplianceCompliance
CompliancePriyank Hada
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 

Recommended

It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit ViewPLN9 Security Services Pvt. Ltd.
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
Marco Raposo
 
Cisa exam mock test questions-1
Cisa exam mock test questions-1Cisa exam mock test questions-1
Cisa exam mock test questions-1
Hemang Doshi
 
Security Audit Information – Physical
Security Audit Information – PhysicalSecurity Audit Information – Physical
Security Audit Information – PhysicalPLN9 Security Services Pvt. Ltd.
 
CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice question
Arshad A Javed
 
Compliance
ComplianceCompliance
CompliancePriyank Hada
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information Systems
Ahmad Tariq Bhatti
 
E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
Dolly Juhu
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
Aviva Spectrum™
 
Rbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ssRbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ss
Ganeshraju
 
Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods
johnfletcher1957
 
1 q is-auditprocess
1 q is-auditprocess1 q is-auditprocess
1 q is-auditprocessAlamelu Babu
 
Computer system overview
Computer system overviewComputer system overview
Computer system overview
Vikrant Singh Parmar
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspection
Osama Lari
 
Rbi
RbiRbi
Rbi
Mohammad Javad Ranjbar
 
Arrelic Offering | RBI
Arrelic Offering | RBIArrelic Offering | RBI
Arrelic Offering | RBI
Arrelic
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
essbaih
 
MCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance ProgramMCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance Program
William McBorrough
 
Risk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islamRisk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islam
Md.Aminul Islam ,CMRP,CSSBB
 
Computerized Environment
Computerized EnvironmentComputerized Environment
Computerized Environment
VadivelM9
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaire
Nicholas Kaptingei
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .
Anand Pandya
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
William McBorrough
 
Risk Based Inspection
Risk Based InspectionRisk Based Inspection
Risk Based InspectiontrainingproducerPH
 
ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15FitCEO, Inc. (FCI)
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
FitCEO, Inc. (FCI)
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 

More Related Content

What's hot

E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
Dolly Juhu
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
Aviva Spectrum™
 
Rbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ssRbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ss
Ganeshraju
 
Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods
johnfletcher1957
 
1 q is-auditprocess
1 q is-auditprocess1 q is-auditprocess
1 q is-auditprocessAlamelu Babu
 
Computer system overview
Computer system overviewComputer system overview
Computer system overview
Vikrant Singh Parmar
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspection
Osama Lari
 
Rbi
RbiRbi
Rbi
Mohammad Javad Ranjbar
 
Arrelic Offering | RBI
Arrelic Offering | RBIArrelic Offering | RBI
Arrelic Offering | RBI
Arrelic
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
essbaih
 
MCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance ProgramMCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance Program
William McBorrough
 
Risk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islamRisk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islam
Md.Aminul Islam ,CMRP,CSSBB
 
Computerized Environment
Computerized EnvironmentComputerized Environment
Computerized Environment
VadivelM9
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaire
Nicholas Kaptingei
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .
Anand Pandya
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
William McBorrough
 

What's hot (18)

E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...E Com Security solutions hand book on Firewall security management in PCI Com...
E Com Security solutions hand book on Firewall security management in PCI Com...
 
03.2 application control
03.2 application control03.2 application control
03.2 application control
 
Coso Monitoring - Templates
Coso Monitoring - TemplatesCoso Monitoring - Templates
Coso Monitoring - Templates
 
Rbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ssRbi masterclass fleming summit_ss
Rbi masterclass fleming summit_ss
 
Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods Introduction asme pcc3 inspection planning using risk based methods
Introduction asme pcc3 inspection planning using risk based methods
 
1 q is-auditprocess
1 q is-auditprocess1 q is-auditprocess
1 q is-auditprocess
 
Computer system overview
Computer system overviewComputer system overview
Computer system overview
 
Best practice for risk based inspection
Best practice for risk based inspectionBest practice for risk based inspection
Best practice for risk based inspection
 
Rbi
RbiRbi
Rbi
 
Arrelic Offering | RBI
Arrelic Offering | RBIArrelic Offering | RBI
Arrelic Offering | RBI
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
 
MCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance ProgramMCGlobalTech Managed Security Compliance Program
MCGlobalTech Managed Security Compliance Program
 
Risk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islamRisk-Based Inspection (RBI) by aminul islam
Risk-Based Inspection (RBI) by aminul islam
 
Computerized Environment
Computerized EnvironmentComputerized Environment
Computerized Environment
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaire
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .
 
MCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance ServiceMCGlobalTech CMMC Managed Compliance Service
MCGlobalTech CMMC Managed Compliance Service
 
Risk Based Inspection
Risk Based InspectionRisk Based Inspection
Risk Based Inspection
 

Similar to The optimization method of the integrated management systems audit program v2+

TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15FitCEO, Inc. (FCI)
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
FitCEO, Inc. (FCI)
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+
Илья Лившиц
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
ClashWithGROUDON
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelnooralmousa
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Alan Yau Ti Dun
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
akquinet enterprise solutions GmbH
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
IIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended UseIIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended Use
Kaspersky
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
IRJET Journal
 
The information security audit
The information security auditThe information security audit
The information security audit
Dhani Ahmad
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
Brian Matteson, CISSP CISA
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
Mufaddal Nullwala
 
05.2 auditing procedure application controls
05.2 auditing procedure application controls05.2 auditing procedure application controls
05.2 auditing procedure application controlsMulyadi Yusuf
 

Similar to The optimization method of the integrated management systems audit program v2+ (20)

ISO27001
ISO27001ISO27001
ISO27001
 
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
TheDemystification_of_SuccessfulCyberSecurity_VIMRO_LB_VH_MHF_10_11_15
 
The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.The Demystification of successful cybersecurity initiatives.
The Demystification of successful cybersecurity initiatives.
 
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdfCybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
 
Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+Method of forming numerical metrics of information security v2+
Method of forming numerical metrics of information security v2+
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
 
Sudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity modelSudarsan Jayaraman - Open information security management maturity model
Sudarsan Jayaraman - Open information security management maturity model
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurCybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
 
IIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended UseIIC IoT Security Maturity Model: Description and Intended Use
IIC IoT Security Maturity Model: Description and Intended Use
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
 
The information security audit
The information security auditThe information security audit
The information security audit
 
Profile_Kishore Sundar
Profile_Kishore SundarProfile_Kishore Sundar
Profile_Kishore Sundar
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
05.2 auditing procedure application controls
05.2 auditing procedure application controls05.2 auditing procedure application controls
05.2 auditing procedure application controls
 

More from Илья Лившиц

64 71-125-18 8.-livshits
64 71-125-18 8.-livshits64 71-125-18 8.-livshits
64 71-125-18 8.-livshits
Илья Лившиц
 
2 fruct hybrid_livshitz_v7_17-03-2018
2 fruct hybrid_livshitz_v7_17-03-20182 fruct hybrid_livshitz_v7_17-03-2018
2 fruct hybrid_livshitz_v7_17-03-2018
Илья Лившиц
 
1 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-20181 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-2018
Илья Лившиц
 
Гибридная методика оценки безопасности ИТ
Гибридная методика оценки безопасности ИТГибридная методика оценки безопасности ИТ
Гибридная методика оценки безопасности ИТ
Илья Лившиц
 
Токсичные активы
Токсичные активыТоксичные активы
Токсичные активы
Илья Лившиц
 
On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...
Илья Лившиц
 
доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016
Илья Лившиц
 
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБПротиводействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Илья Лившиц
 
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Илья Лившиц
 
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороныОбеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Илья Лившиц
 
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Илья Лившиц
 
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Илья Лившиц
 
Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...
Илья Лившиц
 
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Илья Лившиц
 
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
Илья Лившиц
 
Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...
Илья Лившиц
 
Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...
Илья Лившиц
 
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
Илья Лившиц
 
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙРИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
Илья Лившиц
 

More from Илья Лившиц (19)

64 71-125-18 8.-livshits
64 71-125-18 8.-livshits64 71-125-18 8.-livshits
64 71-125-18 8.-livshits
 
2 fruct hybrid_livshitz_v7_17-03-2018
2 fruct hybrid_livshitz_v7_17-03-20182 fruct hybrid_livshitz_v7_17-03-2018
2 fruct hybrid_livshitz_v7_17-03-2018
 
1 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-20181 fruct genesis_livshitz_v6_17-03-2018
1 fruct genesis_livshitz_v6_17-03-2018
 
Гибридная методика оценки безопасности ИТ
Гибридная методика оценки безопасности ИТГибридная методика оценки безопасности ИТ
Гибридная методика оценки безопасности ИТ
 
Токсичные активы
Токсичные активыТоксичные активы
Токсичные активы
 
On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...On the issue of conformity assessment services of electronic information secu...
On the issue of conformity assessment services of electronic information secu...
 
доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016доклад тэк лившиц+маликов_v2_09-03-2016
доклад тэк лившиц+маликов_v2_09-03-2016
 
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБПротиводействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
Противодействие угрозам "нулевого дня" посредством мгновенных аудитов ИБ
 
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
Обеспечение информационной безопасности в соответствии с требованиями СТО БР ...
 
Обеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороныОбеспечение информационной безопасности сервисов доверенной третьей стороны
Обеспечение информационной безопасности сервисов доверенной третьей стороны
 
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
Методика выполнения комплексных аудитов промышленных объектов для обеспечения...
 
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
Внедрение систем энергоменеджмента в соответствии с требованиями ISO 50001:20...
 
Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...Определение бюджета для реализации проекта системы менеджмента информационной...
Определение бюджета для реализации проекта системы менеджмента информационной...
 
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
Применение риск-ориентированных стандартов для обеспечения комплексной безопа...
 
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
К ВОПРОСУ ОЦЕНКИ РЕЗУЛЬТАТИВНОСТИ ПРИ ВНЕДРЕНИИ СИСТЕМ МЕНЕДЖМЕНТА ИНФОРМАЦИО...
 
Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...Исследование зависимости сертификации по международным стандартам ISO от типо...
Исследование зависимости сертификации по международным стандартам ISO от типо...
 
Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...Подходы к применению модели интегрированной системы менеджмента для проведени...
Подходы к применению модели интегрированной системы менеджмента для проведени...
 
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
МЕТОДИКА ЧИСЛЕННОЙ ОЦЕНКИ УЯЗВИМОСТЕЙ И УГРОЗ ИНФОРМАЦИОННОЙ БЕЗОПАСНОСТИ ДЛЯ...
 
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙРИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
РИСК-ОРИЕНТИРОВАННЫЕ СТАНДАРТЫ ДЛЯ СИСТЕМ МЕНЕДЖМЕНТА ПРОМЫШЛЕННЫХ ПРЕДПРИЯТИЙ
 

Recently uploaded

Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
Kamal Acharya
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Teleport Manpower Consultant
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdfH.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
Robbie Edward Sayers
 
addressing modes in computer architecture
addressing modes in computer architectureaddressing modes in computer architecture
addressing modes in computer architecture
ShahidSultan24
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
fxintegritypublishin
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
Kamal Acharya
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
PrashantGoswami42
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
DuvanRamosGarzon1
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Sreedhar Chowdam
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 

Recently uploaded (20)

Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdfH.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
addressing modes in computer architecture
addressing modes in computer architectureaddressing modes in computer architecture
addressing modes in computer architecture
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 

The optimization method of the integrated management systems audit program v2+

  • 1. UDC 004.056 The optimization method of the Integrated Management System audit program I.I. Livshitz, D.V. Yurkin, A.A. Minyaev JSC “Gasinformservice” Kronshtadskaya 10 A, St. Petersburg, 198096, Russia Abstract. Nowadays the application of integrated management systems (IMS) attracts the attention of top management from various organizations such as refineries, instrument-making, air entities and defense. However, there is an important problem of running the audits in IMS and realization of complex checks of different ISO standards in full scale with the essential reducing of available resources. Key words: IT-Security, Integrated Management Systems, standard, audit, IT-security management system. 1. Introduction Recently, the application of integrated management systems (IMS) attracts more top management. Nowadays there is an important problem of running the audits in IMS and particularly, realization of complex checks of different ISO standards in full scale with the essential reducing of available resources. In a greater degree this problem is illustrative of supporting IT-Security audit program, as far as negative consequences can lead to essential damage. The realization of IT-Security management systems gets more application in practice. Moving to analysis based on risks provides the increasing of interest to rational exploitation of modern risk-oriented ISO standards. Studying the problem with realization of IMS audits makes the essential interest also the search of ways of IMS audit program optimization that are based on principles of continuous adaptation in the process of incoming data during one micro cycle of audit. It is supposed that new method of audit program optimization will let us to provide more rational acceptance of the IT-Security control solution. 2. Problem description To provide stable development of modern organizations in the context of risks of different origin, it is appear to be reasonable to apply risk-oriented standard and implement the IMS [1, 7, 9]. From the point of view of controlling the IMS audits in supposed method we should notice the necessity of solution of next important practical tasks [4]: 1. The task of resources allocation for audit program; 2. The task of account of factors that influence on the depth of audit-leak program, incidents, the appearance of criminal actions, revealed earlier mismatches and in this way the volume definition of audit program; 3. The task of collection of verifiable information; 4. The task to provide the auditors with special knowledge and skills either to invite engineers; It is necessary to admit that we should be aware of recommendations PAS-99 in IMS [9], that allows to take into account the specific requirements of carrying out combined audits, the account of risks, flexible controlling of IMS audit program volume with the account of last results and the importance of processes [4, 5]. 3. Principles of organization of flexible audits The suggested method of optimization of the IMS audit program is based on next basic principles:
  • 2. 1. We input the concept of integral evaluation (IE) of IT-Security that includes the specific group index of evaluation of all submitted for IT-Security audit processes - RISMS. This group index defines with the help of specific indexes – RPR, multiplied on their weight coefficient in dependence of process importance in the IT-Security organization for the concrete object of evaluation (OE). 2. After running the basic IT-Security audit, its condition is valued for the purpose of accordance with demands of audit criteria, and also its influence on IT-Security integral evaluation of concrete object of evaluation. 3. Next IT-Security audits are held by the given method that uses flexible approach: those processes, that have the most priority in the IT-Security for the concrete object of evaluation, and where the essential mismatches of last audit were revealed, are exposed of more detailed check. 4. Frequency and detail, which must be differentiated for different checked processes, comports with IT-Security too. For example, definite groups of processes, that have priority meaning in integral evaluation (for example, it depends on the model of actual threats of IT-Security), are exposed more detailed and often with audits. The processes, that have the lowest priority in the integral evaluation for the concrete object of evaluation, are checked seldom and less detailed. 5. The depth of check and frequency of audits, each time for k-audit in micro cycle PDCA, defines in dependence of oncoming function of integral evaluation for the concrete object of evaluation to some stated objective index – Rtarget for complex evaluation of concrete object of evaluation security. In addition we should note the importance of implementation of new standard, ISO 55000 [6- 8] – as many assets are not ruled in a proper manner. Accordingly, the appliance of demands of one implemented standard (for example, modern ISO 27001) substantially relieves the solution of standard problems of security, that are solved simultaneously, therefore they must be checked simultaneously within the context of combined audits of all MS in organization (for example, ISO 9001, ISO 50001, ISO 27001) [1-4, 5-8]. 4. Statement of the problem For the evaluation of a degree of providing IT-Security system conformance on the IMS audits to presented requirements of IT-Security we use private and group IT-Security indexes. For the purposes of realizing IMS audits in the aspect of providing IT-Security we suggest to use the index of effectiveness of MS IT-Security RISMS , which we can calculate in each cycle of k-audit using the additive formula with the account of α-weight coefficients and index of effectiveness of each concrete process of IT-Security – RPR : i n i iISMS RR Pr 1 •= ∑= α (1) in this case : 1 1 =∑= n i iα In its turn, indexes of effectiveness of each concrete i-process of IT-Security – RPR are calculated by additive formula with the account of β-weight coefficients and indexes of IT- Security metrics for each concrete i-process of IT-Security – KKPI: PKIj m j j KR i •= ∑=1 Pr β (2) in this case: 1 1 =∑= m j jβ
  • 3. The coefficients of relevancy of private indexes of IT-Security, that are used by calculation of IT-Security group indexes, must be equal to 1 that provides ritualization of all indexes in additive formula above (1) and (2). Accordingly, the final index of effectiveness of MS IT- Security RISMS must maximize reaching 1: 1Pr 1 →•= ∑= i n i iISMS RR α (3) In the process of IMS audits, the constant measuring of current nonconformance for k-audit RISMS is measured as discrepancy with the objective (maximal) index: [ ]∑= −•=−=∆ n i iiISMS RRR 1 Pr )1(1 α (4) Regarding the results of all audits, that are carried out in a strict accordance with IMS audit program, we fill in the following matrix with the account of IT-Security processes – PR, IT- Security audits – k-audits and IT-Security metrics – KPI. 5. Basic optimization cycle of IMS audit program In terms of known audit standards (in particular [4,5]), we offer a method of multistage optimization of IMS audit processes for the complex industrial objects (CIO), which let us to provide the system of coordination, distribution of recourses and system of effective reduction of results of IMS audits till the person who takes decision. This method consists of scientifically grounded and object-oriented immediate functioning of IT-Security subsystem within IMS and it differs from existing methods with cyclic continuous evaluation of effectiveness on the basis of optimal system of IT-Security numeral indexes (metrics). The offered method consists of two connected cycles of optimization of IMS audits program that differs with the existence of: 1. Basic optimization cycle, which characterizes the effective carrying out of IMS audits in terms of evaluation of efficiency for each PRi- IT-Security process, each KPIj – IT- security metric, and also it defines cycles of resources optimization in audits program: of depth (“Scope”), size of auditor’s sample, number of involved auditors (engineers) and etc. 2. Fast block of evaluation of efficiency of correction measures and corrective actions in current k-audit, that touches the changes each of next process of IT-Security and next k+1 audit program. It is also provided fast transfer to evaluation of efficiency indexes of IMS – RISMS in k-audit and k+1 audit for the constant and effective optimization of all IMS audit program. Let’s consider the basic optimization cycle of IMS audit program that was built with the account of audit’s formal ISO standards requirements and ISAGO standards supported with new components (see fig. 1): - Formation efficiency evaluation of each k-audit; - Formation of fast efficiency evaluation of correction(corrective actions); - Formation of quick back link in the current audit cycle; - Formation of system reaction – complication or easing depending on current integral evaluation in current audit cycle; - Formation of integral evaluation of IMS security. Preconditions (data inputs) for the start of basic optimization cycle of audit program are given: - T0 – basis period of IT-Security audits; - S0 – basic (planned) price of IT-Security audits; - V0 – basic volume of IT-Security audits (number of units); - F0 – basic list of functional questions of IT-Security audits; - O0 – basic list of attended IT-Security audit objects.
  • 4. 1 Formation of audit program begining end αi , βj , K KPI pr j 2 Formation of k-Audit plan 3 Formation the monitoring by j- metrics K KPI for Pr i - processing in k-audit ОЗ 6 Formation of mismatches of k-audit 7 Formation of plan of corrective actions for k-audit The analysis of integral evaluation The basic conditions for audits planning: T0, S0, V0, F0, O0 The evaluation of corrective efficiency K KPI pr j R ISMS ∆ R PR i, ∆ K KPI pr j 5 Realization of cycle of audit program, planning k+1 аудита R ISMS (corr) 8 Completion of audits program Changing “complication” of conditions for planning audits: Tk+1, Sk+1, Vk+1, Fk+1, Ok+1 RISMS <> 1 RISMS (corr) <> 1 Changing (easing) the conditions for planning audits: Tk+1, Sk+1, Vk+1, Fk+1, Ok+1 R PR i , R ISMS 4 Formation of evaluation of Pr i – processing and R ISMS of integral evaluation in k-audit Fig.1 – Basic optimization cycle of IMS audit program The description of basic optimization cycle of IMS audit program is given in table 1. Table 1 - The description of basic optimization cycle of IMS audit program № Action Result 1. Formation of audit program RISMS ≥ RISMS tar Formulas (1),(2) Specified: -α- weight coefficient of IT-Security process (for group metric); -β- weight coefficient of IT-Security metric process (for private metric); -k- number of IT-Security audits in program of audits; - RISMS – current integral evaluation of IT-Security MS efficiency; - RISMS tar- target integral evaluation of IT-Security MS efficiency; -Δ- possible deviation (formula 4); - KPRi – target index of i-process efficiency;
  • 5. -K KPIj - target index of j-metric efficiency for i-process 2. Formation of k-audit plan Confirmation of k-audit plan 3. Carrying out the k-audit Report on the results of k-audit 4. Formation of monitoring the results of k-audit: Therefore KPRi and K KPIj Filling the database of audit with KPRi and K KPIj indexes 5. Formation RISMS evaluation – k-audit integral evaluation Filling the database of audit with RISMS for k-audit 6. Evaluation of RISMS degree of progress by the k- audit results of RISMS tar target index Filling the database of audit with RISMS for k-audit 7. In case, if RISMS ≥ RISMS tar, i.e fixed index of efficiency is reached, it is carried out the informing of program audit manager about possible “softening” of k+1 audit planning conditions. Next go on to the step 13 to realization (continuation) of audit program and carrying out the k+1 audit. Report on the results of k-audit 8. In case if RISMS < RISMS tar, , i.e fixed index of efficiency cannot be reached, it is carried out the formation of list of mismatches on k-audit. Carrying out the k+1 audit can be stopped by the audit program manager’s decision with the aim of reducing the expenses. Report on the results of k-audit 9. Because of formed list of mismatches on the last step it is formed the correction plan and the corrective actions for the determined mismatches on the k-audit. Filling the database of audit with KPRi and K KPIj indexes for k-audit, which characterizes the degrees of deviation on target index of PRi - IT- Security process on the whole and KKPIj private indexes. 10. The evaluation of efficiency correction and corrective actions with mismatches, determined on the results of k-audit. Filling the database of audit with RISMS (corr) for k-audit 11. In case, if RISMS ≥ RISMS tar, i.e is reached the fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit, then there is carried out the informing of audit program manager and in case of absence other mismatches for the period of realization of corrective measures, the end of the audit program. Report on the results of k-audit 12. In case, if RISMS(corr) < RISMS tar, i.e fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit cannot be reached, , then there is carried out the informing of audit program manager about possible complication of planning audit conditions. Next go on to the step 13 to realization (continuation) of audit program and carrying out the k+1 audit. Report on the results of k-audit 13. In case, if the efficiency of corrective measures for all defined mismatches on the k+1 audit is confirmed, then there is carried out the move to the following realization (continuation) of audit program and carrying out the k+1 audit. The realization of audit program.
  • 6. 6. The quick block of efficiency evaluation of IMS audit program. The quick block of efficiency evaluation of correction measures and corrective actions in the current k-audit, which touch the changes of next process and also the following in the k+1 audit program and quick move to the evaluation of efficiency indexes of IT-Security MS – RISMS, is shown in the fig.2. The description of quick block of efficiency evaluation of IMS audit program is given in table 2. 1 Formation of mismatches list On k-audit begining end αi , βj , K KPI pr j 4 Formation of corrective actions plan of k-audit 5 Carrying out k+1 audit witch changed characteristic (R ISMS (corr) = 1) The analysis of integral evaluations of k and k+1 audits The basic conditions for audits planinig: T0, S0, V0, F0, O0 7 Realization of cycle of audit program 6 Efficiency evaluation of audit program Efficiency evaluation of correction k-audit R ISMS (corr) k, Ti+1, Si+1 , Vi+1, Fi+1, Oi+1 RISMS (corr) k <> 1 RISMS (corr) k+1 > RISMS (corr) k Changing (complication) conditions for audits programing: Ti+1, Si+1, Vi+1, Fi+1, Oi+1 Recount R ISMS 2 Formation of mismatches list Pr i – processing in k-audit 3 Formation of mismatches list on j-metrics K KPI for Pr i - process in k-audit Recount βj Recount αi Recount K KPI pr j Changing conditions for improving Pr – i process: Ti+1, Si+1, Vi+1, Fi+1, Oi+1 RISMS (corr) k+1 <= RISMS (corr) k R ISMS (corr) k, R ISMS (corr) k+1 Fig.2 - The quick block of efficiency evaluation of IMS audit program Table 2 - The description of quick block of efficiency evaluation of IMS audit program № Action Result 1. Formation of audit program Specified: -α- weight coefficient of IT-Security process (for group metric); -β- weight coefficient of IT-Security metric process (for private metric); -k- number of IT-Security audits in program of audits; - RISMS – current integral evaluation of IT-
  • 7. Security MS efficiency; - RISMS tar- target integral evaluation of IT- Security MS efficiency; -γ- number of audits in audits program; -Δ- possible deviation (formula 4); - KPRi – target index of i-process efficiency; -K KPIj - target index of j-metric efficiency for i-process 2. In case if, there are defined mismatches on basic audit criteria, there is formed the list of k-audit mismatches. The list of k-audit mismatches. 3. Each defined mismatch subsequently matches up with certain PR IT-Security i- process. It is carried out the recount of weight coefficient (group) of IT-Security PR i- process. Filling the database of audit with new α index. 4. Each defined mismatch subsequently matches up with j-metric and KPRi index for certain IT-Security PR i-process. It is carried out the recount of β weight coefficient (private) for the metrics of IT- Security PR i-processes. Filling the database of audit with new β index. 5. It is carried out the plan formation of corrective actions on k-audit. It is carried out the recount of PR i- objective index of i-process efficiency. Filling the database of audit with new KPRi index. 6. The efficiency evaluation of correction and corrective actions on k-audit. Filling the database of audit with RISMS (corr) index for k-audit and new values T1, S1 ,V1, F1 ,O1 7. In case, if RISMS(corr) < RISMS tar, i.e fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit cannot be reached, , then there is carried out the informing of audit program manager about possible complication of planning audit conditions. Next go on to the step 5 to plan formation of corrective actions for k-audit and recount of group (α) and private (β) coefficients for each mismatch. Report on the results of k-audit 8. In case, if RISMS ≥ RISMS tar, i.e is reached the fixed index of efficiency of corrective measures for all determined mismatches on the results of k-audit, then there is carried out the realization of next audit: k+1 audit with the account of new changed parameters by the results of successful realization of corrective actions on last audit. Report on the results of k-audit 9. The analysis of integral evaluations for k and k+1 audit: RISMS(corr)k ,and RISMS(corr)k+1 Filling the database of audit with RISMS (corr) index for k-audit and RISMS(corr)k+1 for k+1- audit 10. In case, if RISMS(corr)k+1 ≤ RISMS(corr)k , it is carried out the informing of audit program manager about possible complication of Report on the results of k-audit
  • 8. planning audit conditions. Evidently, that it will increase the expenses on carrying out the audits in the following. Next go on to the step 5 to plan formation of corrective actions for k-audit and recount of group (α) and private (β) coefficients for each mismatch. 11. In case, if RISMS(corr)k+1 > RISMS(corr)k , it is carried out the informing of audit program manager about possible return to basic condition of audit planning. Next go on to the step 5 to plan formation of corrective actions for k+1-audit and recount of group (α) and private (β) coefficients for each mismatch Report on the results of k-audit 12. In case of increasing of efficiency degree of program RISMS(corr)k+1 > RISMS(corr)k , there is carried out the evaluation of audit program, which includes economic aspect (minimization S-parameter). Report on the results of k-audit 7. Conclusions Given method of ISMS audit program optimization is based on the modern risk-oriented standards and let to provide the constant optimization of carrying out the IT-Security audits on the basis of joined flexible adaptive algorithms. References 1. ISO/IEC 27001:2013. Information technology. Security techniques. Information security management systems // Requirements, International Organization for Standardization. 2013. 23 p. 2. ISO/IEC 27000:2014. Information technology. Security techniques. Information security management systems // Overview and vocabulary, International Organization for Standardization. 2014. 31 p. 3. ISO/IEC 27004:2009. Information technology. Security techniques. Information security management systems // Measurement, International Organization for Standardization. 2009. 55p. 4. ISO19011:2011.Guidelines for auditing management systems; 5. ISO 17021:2011. Conformity assessment -Requirements for bodies providing audit and certification of management systems; 6. ISO 55000:2014 Asset management – Overview, principles and terminology // International Organization for Standardization, 2014. – 19 pages. 7. ISO 55001:2014 Asset management – Management systems – Requirements // International Organization for Standardization, 2014. – 14 pages. 8. ISO 55002:2014 Asset management – Management systems – Guidelines for the application of ISO 55001 // International Organization for Standardization, 2014. – 32 pages. 9. PAS-99:2012 «Specification of common management system requirements as a framework for integration»