Page 1: Presentation on ISO 27001:2013, Internal Auditing and BCM

July 2014

Summer Internship Presentation

“Know-how of ISO 27001:2013, Internal Auditing and Business Continuity Management”

Company – Ltd.

Submitted By – Shantanu Rai

PRN – 13030241177

Division - D

MBA–ITBM, 2013 – 2015 batch

Page 2

Agenda

Introduction to the Project

Analysis of Work Done

Project 1 - Roadmap for Transition to ISO 27001:2013

Project 2 – Process Map for Internal Auditing

Project 3 – Specific Scenario Business Continuity Management Preparedness

Learning and Experience on Business and Technology

Conclusion


Page 3

Introduction

• Ltd. is part of the Mahindra group conglomerate and is an Indian multinational firm which provides information technology, network technology solutions and business support services to the telecom industry. The firm works across fifty-one countries and provides services to six hundred and thirty customers.

• The vision of the firm is “We will Rise” and to be among the top three leaders in each of the chosen markets and segments while fostering innovation and inclusion.

• The firm offers various services such as communications, consulting, enterprise architecture, infrastructure, networks, product life cycle management, testing and information security. It has an internal information security group to implement well-articulated and meticulous information security.

• During my internship I worked with the Information Security group of the organization, which is a support function, on three projects.

• The first one was a roadmap for the transition to ISO 27001:2013, the second one was to understand the process map of internal auditing and the third one was a specific case scenario on business continuity management preparedness.

Slide No. 1 July 2014

Page 4

Project 1 - Roadmap for Transition to ISO 27001:2013

Analysis of Work Done


• Currently the organization is ISO 27001:2005 compliant and aims to move to the upgraded version, ISO 27001:2013.

• This is done by performing a gap analysis and checking the status of the controls, adding the applicable new controls and removing the redundant controls.

• The transition is part of a harmonization change effort from ISO, and the new version is better aligned with the business.

• The reasons for shifting to ISO 27001:2013 are market assurance and governance.

Page 5

• The roadmap for the transition includes the preparation of a list of documents, which are shown in the Excel sheet:

• There are sheets for the mapping of controls and requirements, along with the deleted and added controls and requirements.

• The Statement of Applicability gives the status of each control and the reason the control is selected (legal, business, contractual or risk related).

• The Gap Assessment sheet gives an idea of the gaps in the controls implemented in the organization, the level to which they are optimized and what still needs to be fulfilled.

Page 6

Project 2 – Process Map for Internal Auditing

Process map (diagram): Scheduling of Audit → Preparing for Audit → Conducting Audit → Preparing Audit Report → Follow-up Action, all under Information Security Monitoring and Compliance.

• Auditing is done in-house with the help of a tool which schedules the audit automatically.

• The frequency of the audit depends upon the client's requirements and the criticality of the project.

• Thus the audit cycle and audit plan are fixed between the auditor and the project manager.

• Audit preparation includes making the checklist for the audit.

• The auditor prepares a questionnaire covering all the relevant points and the areas which are to be covered while conducting the audit.

• The audit is conducted by a primary and a secondary auditor, who put the questions to the project manager or the SPOC responsible for the project.

• The questions are asked with the current information security policy as the benchmark.

• After the audit is conducted, evidence is collected, on the basis of which an audit report is prepared.

• The audit report includes the strengths observed and the non-conformities, along with the corrective and preventive actions which must be taken to avoid any deviation from the standard.

• Follow-up actions are taken by the auditor in order to make sure that the non-conformity is cleared by the project manager within the given span of time.

• The report is escalated to higher management in case of repeated non-conformities, and appropriate action is taken accordingly.

Page 7

Project 3 – Specific Scenario Business Continuity Management Preparedness

• Business continuity describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a business interruption, such as a disaster or system downtime.

• BCM seeks to prevent the interruption of mission-critical services during a business interruption, up to the point where full services and operations are re-established.

• BCM enables critical services or products to be delivered continually in the event of a business interruption.

The BCP lays out a process to ensure that critical operations continue to be available during the interruption.

There are five main ways to invoke BCM. Drills are conducted at regular intervals in order to test the resumption of operations at the time of a disaster, and to make sure that the BCM plan is reviewed and updated to reflect the current operating environment. Five types of drills were conducted:

1. Call Tree Drill
2. Table Top Drill
3. Project Rehearsal
4. Environment Rebuild Drill
5. Data Restoration Drill

Page 8

Business Continuity Plan for a given scenario

Step 1 - Resource Distribution

• This covers the backup of different locations or different resources.

• If site A, the main location, is down then one can shift to site B, which would be in a different city, and if site B is down one can shift to site C, which might be in a different nation, thus continuing the business without any interruption.

Step 2 - Critical Process Priority

• This is done to identify the most critical process of the project or the organization; that process is given the utmost priority in response time and resolution time.

• Response and resolution times are set as per the SLA.

Step 3 - Calculations of BCM variables

• The calculation of variables like RTO, MAO and MBCO gives an estimate of how much time it will take to respond to and resolve a ticket.

Step 4 - Setting of Infrastructure

• All hardware and software must be uniquely identified.

• All critical infrastructure items must have a backup and redundant item in case of breakdown.

Step 5 - Incident Response Activities

• There must be an incident response team in order to report any incident that has happened.

• Incidents are classified on the basis of severity.

• The plan defines the key responsibilities of the people involved at the time of an incident. It also specifies to whom and how the incident is to be communicated.

Step 6 - Business Resumption Plan / Post Disaster Activities

• Plan to bring the business back to normal.

• Establish a damage assessment team.

• Calculate the impact of the disaster.

• Submit the disaster report in documented form.

• Establish a team to work on the restoration of all the losses.

Page 9

Learnings and Experience on Business and Technology

Road Map for transition to ISO 27001:2013

• Understanding the key differences between the two versions of the standard.

• By doing the gap assessment analysis one could trace the gaps in the existing policy.

• By preparing the Statement of Applicability one can see the status of all controls and the level to which they are optimized in the organization.

• One can add the controls which are not documented and managed in the organization and remove the ones which are not needed in the organization.

• It encompasses all the activities going on in the organization.

Process Map for Internal Auditing

• One gets an idea of the preparation of the audit checklist, the methodology of conducting the audit, putting up the questionnaire, collecting evidence and observations, and report writing. It also covers the corrective and preventive actions given by the auditor to the auditee.

• It gives a clear idea of the risks which could breach security if the audits are not conducted in the proper manner.

Specific scenario BCM preparedness

• The case scenario related to business continuity management gave an idea of the resilience of the firm.

• The calculation of RTO, MBCO, MAO and other BCM variables gives an idea of how to lay out the BCM plan according to the SLA and the other agreements which have been set by the supplier.

• By framing the business continuity plan one gets an idea of how resources are distributed as backup at different locations, the setting up of infrastructure, incident reporting, how to resume the business after a disaster has happened, the estimation of losses and the other post-disaster activities which must be taken.

Page 10

Conclusion

• Preparation of the mapping sheets, gap assessment sheet, control monitoring matrix and Statement of Applicability gave an idea of how to go for the upgraded ISO/IEC 27001:2013 version.

• By conducting IT internal auditing we learnt the process of scrutinizing the live projects in the organization, writing the audit report and giving corrective and preventive actions to the auditee.

• The case scenario related to Business Continuity Management gave an idea of the resilience of the firm. It gave an idea of the various ways through which one can conduct business continuity drills and invoke the continuity plan in case of any disaster.

THANK YOU
