www.riesgoriskmanagement.com   www.informationsecurityauditors.com   [email protected]

ISO 27001 Audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL

Contents

Introduction
IS Audit overview
Contact details
The IS Auditor
    Audit calendar
    Scheduling an audit
    Audit alert
The IS Audit operation
    Security Policy
        The policy dashboard
        Each policy with an automatic review date reminder
    Organization of information security
        Policies
        The internal organisation structure
        The key personnel
    Asset Management
    Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management
        Supporting policies, procedures and guidelines
        Documents with automatic review dates
    Information systems acquisition, development and maintenance
        Project risk assessment
        Residual risk
    Information security incident management
        Incident register
    Compliance
        Compliance dashboard
    Reporting non-compliance
    The end

ISO 27001 Audit Evidence Acquisition v3


This tool is designed to assist information security auditors in carrying out an effective IS audit across their estate, and it also provides the evidence to support the audit.


Introduction

As an auditor, quite often when auditing your information security estate you are concerned with assuring yourself that there is enough evidence to support a compliance statement that has been made. The process can be tedious and often adversarial, and a significant amount of time is invested that may be unnecessary.

This tool is designed to assist both the Internal Audit team and the business units in meeting their obligations by integrating the compliance obligation into operations: by going through its normal operation, a business unit therefore exhibits its level of compliance with the standard.

www.informationsecurityauditors.com provides a web-based tool (www.riesgoriskmanagement.com) for auditors to capture information relating to ISO27001 compliance. The difference the tool makes is the manner in which it acquires compliance evidence and how the Auditor is able to determine the level of compliance and potential gaps. Evidence reflects an organisation's behaviour not just prior to the arrival of the auditors but possibly going back over the last two quarters.

The solution is a web-based tool that sits on the client's site; access can be restricted or allowed for third parties. Internal auditors will be able to ensure compliance across all business units as long as they have access to the intranet.
IS Audit overview

The diagram above depicts how the Auditor (internal or external) is registered on the tool and is able to schedule an audit per business unit or for the entire organisation. It also depicts how evidence is acquired in relation to the ISO27001 standard.

From each of the modules the Auditor can view the behaviour of the audit target in the findings and can gather evidence to support the findings. The Auditor can then register non-compliances in the areas where they exist; each non-compliance is reported against a policy or asset and the relevant business unit, so that ownership is taken and action implemented. The Auditor can then recommend the steps to address the non-compliances; once the business units carry out the fixes, the Auditor is notified and, if satisfied, can close off the non-compliance.

Once a non-compliance is closed off it is archived. Non-compliances that have no fixes will remain on the dashboard against the business unit and the policy or asset until they are fixed. If a non-compliance represents a risk to the organisation, it can also be reported in the risk register until a fix is applied.

Contact details

For more information about acquiring the solution please contact Ben, [email protected] - 02075929747

The IS Auditor

The IS Audit Department can set up accounts for internal and external auditors. For the external auditor in particular, access to evidence is granted only for the period in which the audit is to be carried out. The internal auditor will always have access; however, if an external auditor wants to carry out an audit, access will be granted for the specified audit period only. An Auditor can schedule audits with business units using the Audit calendar.

Figure: Audit calendar
Scheduling an audit

Once an audit is scheduled, an Audit alert is sent to the business unit informing them of the audit due to take place.

Figure: Audit alert

The IS Audit operation

Security Policy

The key questions asked and answered by the tool include:
- Where is the policy?
- When was it published?
- How was it disseminated?
- When was it last updated?
- Who is responsible for the policy?

Figure: The policy dashboard
Figure: Each policy with an automatic review date reminder

Organization of information security
- Internal Organization
- External Parties

Policies

The internal organisation structure

The key personnel

The following key accounts are enabled:
- Information security manager
- Policy manager
- Freedom of information manager (if public sector)
- Data protection officer
- Administrator

Asset Management
- Responsibility for assets
- Information classification

This view depicts the number of assets per business unit regardless of geographical location. It also shows the Asset ID, risk index, classification and asset owner, the number of risks associated with the asset, and any audit entries against the asset. Each business unit will be able to maintain its own asset register, and the information security team that handles security incidents and the risk register can report security incidents and risks associated with the asset.
Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management

We have grouped these modules together because the same audit principle applies to each. The diagram below breaks each one down and will show if there are group policies or

Supporting policies, procedures and guidelines

For each document uploaded there is an automatic date associated with it as well as a review period; to prevent documents from becoming irrelevant and redundant, the Auditor can check to see whether a review has taken place or not.

Figure: Documents with automatic review dates

Information systems acquisition, development and maintenance
- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical Vulnerability Management

The auditor can review the project risk management process in action to reveal how risk management is handled by the organisation. We provide a project risk management solution to address this element. If the organisation considers projects involving ISD&M as assets, then our information asset register can be used in this scenario as well, as follows.

- Projects are registered as assets
    - The project management office will be a separate business unit
    - Each project is registered as an asset
    - The information security team will be able to assess each project and raise risks and potential mitigations
- A risk assessment is carried out for each project asset
    - The information security team will be the appropriate team to carry out the risk assessment
    - The information security team is notified when a new project is registered as an asset; they will be able to carry out the risk assessment for the project, give it a risk rating and link its associated documents
- Risk assessment
    - A CIA assessment for the project is recorded
    - Risk assessments will be carried out in accordance with the industry standard: confidentiality, integrity and availability (CIA)

Figure: Project risk assessment

Residual risk

The residual risk associated with the asset is recorded and kept on the central register.

Information security incident management

Incident register

The risk register diagram below depicts the number of incidents raised by all the business units in the organisation, the number of them that have been resolved and those that are still active.
- Reporting information security events and weaknesses
- Management of information security incidents and improvements

The incident register will show the full record of incidents reported by the business units and their resolutions.

Compliance

Compliance dashboard

Built in is an indicative element for the Auditor to assess the main areas of the business unit's or organisation's failure to comply with this module. The module requires:
- Compliance with legal requirements
- Compliance with security policies and standards, and technical compliance
- Information systems audit considerations

The compliance box to the right of the picture above will turn to pass when the following are in place:
- All policies are uploaded
- All policies have been reviewed and none are outstanding
- Departmental policies have been uploaded
- A responsibility is assigned to each procedure
- No outstanding incidents
- No outstanding audit risks
Reporting non-compliance

Once the audit is completed the Auditor will be able to report on each non-compliance that was discovered against a business unit, information asset, policy or area. The idea behind the process is to ensure that each non-compliance is reported to the most appropriate person to take action on it. All the non-compliances together make up the report. Further non-compliances, findings and recommendations can be recorded against the audit, providing a single source for the whole history of the non-compliance. The activity log provides a running commentary of the actions that have been taken by the Auditor or the business unit to resolve the non-compliance.

The end