Presentation on iso 27001-2013, Internal Auditing and BCM

Presentation of Summer internship


  • July 2014 Summer Internship Presentation
    Know-how of ISO 27001:2013, Internal Auditing and Business Continuity Management
    Company Ltd.
    Submitted by Shantanu Rai, PRN 13030241177, Division D, MBAITBM, 2013-2015 batch
  • Agenda
    - Introduction to the Project
    - Analysis of Work Done
      Project 1 - Roadmap for Transition to ISO 27001:2013
      Project 2 - Process Map for Internal Auditing
      Project 3 - Specific Scenario: Business Continuity Management Preparedness
    - Learning and Experience on Business and Technology
    - Conclusion
  • Introduction
    The company is part of the Mahindra Group conglomerate, an Indian multinational firm that provides information technology, network technology solutions and business support services to the telecom industry. The firm works across 51 countries and serves 630 customers. Its stated vision is: "We will Rise and be among the top three leaders in each of the chosen markets and segments while fostering innovation and inclusion."
    Its services include communication, consulting, enterprise architecture, infrastructure, networks, product life cycle management, testing and information security. It has an internal information security group that implements a well-articulated and meticulous information security programme.
    During my internship I worked with the organization's Information Security group, a support function, on three projects: a roadmap for the transition to ISO 27001:2013, understanding the process map of Internal Auditing, and a specific case scenario on Business Continuity Management preparedness.
  • Project 1 - Roadmap for Transition to ISO 27001:2013 (Analysis of Work Done)
    The organization is currently ISO 27001:2005 compliant and aims to move to the upgraded ISO 27001:2013 version. This is done by performing a gap analysis and checking the status of the controls, adding the applicable new controls and removing the redundant ones. The new version is part of a harmonization effort by ISO and is better aligned with the business. The reasons for shifting to ISO 27001:2013 are market assurance and governance.
  • The roadmap for transition includes preparing a set of documents, kept in an Excel workbook:
    - Sheets mapping Controls and Requirements between the two versions, along with the deleted and added Controls and Requirements.
    - The Statement of Applicability, which gives the status of each control and the reason it was selected (Legal, Business, Contractual or Risk Related).
    - The Gap Assessment sheet, which shows the gaps in the controls implemented in the organization, the level to which they are optimized, and what still needs to be fulfilled.
  • Project 2 - Process Map for Internal Auditing
    Stages: Scheduling of Audit, Preparing for Audit, Conducting Audit, Preparing Audit Report, Follow-up Action, Information Security Monitoring and Compliance.
    Auditing is done in house with the help of a tool that schedules audits automatically. The frequency of audits depends on the client's requirements and the project's criticality, so the audit cycle and audit plan are fixed between the auditor and the project manager.
    Preparation includes making the audit checklist: the auditor prepares a questionnaire covering all relevant points and the areas to be covered during the audit.
    The audit is conducted by a primary and a secondary auditor, who put the questions to the project manager or the SPOC responsible for the project. The questions use the current information security policy as the benchmark.
    After the audit, evidence is collected and the audit report is prepared from it. The report includes the strengths observed and the non-conformities, along with the corrective and preventive actions that must be taken to avoid any deviation from the standard.
    Follow-up actions are taken by the auditor to make sure the project manager clears the non-conformity within the given span of time. Repeated non-conformities are escalated to higher management and appropriate action is taken.
  • Project 3 - Specific Scenario: Business Continuity Management Preparedness
    Business Continuity describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a business interruption such as a disaster or system downtime. BCM seeks to prevent the interruption of mission-critical services during a business interruption, up to the point where full services and operations are re-established. BCM enables critical services or products to be delivered continually in the event of a business interruption, and the BCP lays out a process to ensure that critical operations remain available during the interruption.
    There are five main ways to invoke BCM. Drills are conducted at regular intervals to test the resumption of operations at the time of a disaster, and to make sure the BCM plan is reviewed and updated to reflect the current operating environment. The five types of drills conducted were:
    1. Call Tree Drill
    2. Table Top Drill
    3. Project Rehearsal
    4. Environment Rebuild Drill
    5. Data Restoration Drill
  • Business Continuity Plan for a given scenario
    Step 1 - Resource Distribution: resources are backed up across different locations. If site A, the main location, goes down, operations shift to site B in a different city; if site B is also down, they shift to site C, which may be in a different country, so the business continues without interruption.
    Step 2 - Critical Process Priority: the most critical processes of the project or organization are identified and given the highest priority for response time and resolution time. Response and resolution times are set as per the SLA.
    Step 3 - Calculation of BCM variables: calculating variables such as RTO, MAO and MBCO gives an estimate of how much time it will take to respond to and resolve a ticket.
    Step 4 - Setting up of Infrastructure: all hardware and software must be uniquely identified, and every critical infrastructure item must have a backup and a redundant item in case of breakdown.
    Step 5 - Incident Response Activities: an incident response team must exist so that incidents can be reported. Incidents are classified by severity. The plan defines the key responsibilities of the people involved at the time of an incident and specifies whom to communicate the incident to and how.
    Step 6 - Business Resumption Plan / Post Disaster Activities: the plan for bringing the business back to normal: establish a damage assessment team, calculate the impact of the disaster, submit the disaster report in documented form, and establish a team to work on restoring all losses.
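As an added example, not part of the presentation: a small Python consistency check of the kind a reviewer could run over the plan above, combining Step 1 (the site A -> B -> C chain), Step 2 (priority order) and Step 3 (RTO, MAO, MBCO). It uses the standard BCM relations that RTO must not exceed MAO and that the alternate site must deliver at least the MBCO service level; the process names, site names and hours are constructed.

```python
from dataclasses import dataclass

@dataclass
class CriticalProcess:
    name: str
    priority: int            # 1 = most critical; handled first in the BCP
    rto_hours: int           # Recovery Time Objective agreed in the SLA
    mao_hours: int           # Maximum Acceptable Outage before impact becomes unacceptable
    mbco_pct: int            # Minimum Business Continuity Objective, % of normal service
    failover_pct: int        # service level the alternate site actually delivers
    site_resume_hours: dict  # alternate site -> hours needed to resume this process there

# Constructed sample: the site A -> B -> C chain from slide 6 (assumed names and times).
SITE_CHAIN = ["Site B (other city)", "Site C (other country)"]

def review_process(p):
    """Return findings for one process; an empty list means its plan is consistent."""
    findings = []
    # RTO must fit inside MAO, otherwise the recovery target already breaches tolerance
    if p.rto_hours > p.mao_hours:
        findings.append(f"RTO {p.rto_hours}h exceeds MAO {p.mao_hours}h")
    # the alternate site must deliver at least the MBCO service level
    if p.failover_pct < p.mbco_pct:
        findings.append(f"failover delivers {p.failover_pct}% but MBCO is {p.mbco_pct}%")
    # at least one alternate site in the chain must resume the process within its RTO
    usable = [s for s in SITE_CHAIN if p.site_resume_hours.get(s, float("inf")) <= p.rto_hours]
    if not usable:
        findings.append("no alternate site can resume within RTO")
    return findings

def review_plan(processes):
    """Review every process in priority order; returns {process name: [findings]}."""
    ordered = sorted(processes, key=lambda p: p.priority)
    return {p.name: review_process(p) for p in ordered}

# Constructed sample plan (hypothetical processes and numbers, not the company's data).
SAMPLE_PLAN = [
    CriticalProcess("Reporting", 3, 48, 24, 50, 60,
                    {"Site B (other city)": 12, "Site C (other country)": 24}),
    CriticalProcess("Billing", 1, 4, 8, 80, 90,
                    {"Site B (other city)": 3, "Site C (other country)": 6}),
    CriticalProcess("Call centre", 2, 2, 6, 70, 50,
                    {"Site B (other city)": 5, "Site C (other country)": 10}),
]

if __name__ == "__main__":
    for name, findings in review_plan(SAMPLE_PLAN).items():
        print(name, "-> OK" if not findings else "-> " + "; ".join(findings))
```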
  • Learnings and Experience on Business and Technology
    Road Map for transition to ISO 27001:2013:
    - Understanding the key differences between the two versions of the standard.
    - The gap assessment analysis traces the gaps in the existing policy.
    - Preparing the Statement of Applicability shows the status of all controls and the level to which they are optimized in the organization. Controls that are not documented and managed can be added, and those the organization does not need can be removed.
    - It encompasses all the activities going on in the organization.
    Process Map for Internal Auditing:
    - One learns how to prepare an audit checklist, the methodology of conducting an audit, putting up the questionnaire, collecting evidence and observations, and report writing.
    - It also covers the corrective and preventive actions given by the auditor to the auditee.
    - It gives a clear idea of the risks that could lead to a security breach if audits are not conducted properly.
    Specific scenario - BCM preparedness:
    - The case scenario gave an idea of the resilience of the firm.
    - Calculating RTO, MBCO, MAO and the other BCM variables shows how to lay out the BCM plan according to the SLA and the other agreements set with the supplier.
    - Framing the business continuity plan shows how resources are distributed as backups at different locations, how infrastructure is set up, how incidents are reported, how to resume business after a disaster, how to estimate losses, and the other post-disaster activities that must be carried out.
  • Conclusion
    Preparing the mapping sheets, gap assessment sheet, control monitoring matrix and Statement of Applicability gave an idea of how to move to the upgraded ISO/IEC 27001:2013 version. Through IT internal auditing we learnt the process of scrutinizing live projects in the organization, writing the audit report and giving corrective and preventive actions to the auditee. The case scenario on Business Continuity Management gave an idea of the resilience of the firm and of the various ways one can conduct business continuity drills and invoke the continuity plan in case of a disaster.
    Thank you