Date posted: 17-Nov-2014 | Category: Documents
02 ISMS & Audit Methodology
Amy Zhu, MSN: [email protected]
14/01/2010
Agenda
ISO 2700x Overview
ISO 2700x Series Standard
ISO/IEC Std. | Description
27000 | Vocabulary and Definitions
27001 | Requirements (BS7799-2)
27002 | Code of Practice (ISO 17799:2005)
27003 | Implementation Guidance
27004 | Metrics and Measurements
27005 | Risk Management (BS7799-3)
ISO/IEC 27001:2005 control areas
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resource Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
ISO 27001 Audit Stages
ISMS Methodology
PDCA model applied to ISMS process
Input: Info. Sec. Req. & Exp. -> Output: Managed Info. Sec.
Establish the ISMS:
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA / RTP options
- SOA
- C&CO
Implement and Operate the ISMS:
- Risk Treatment Plan
- Implement selected C&CO
- Define Measurements
- Training and Awareness
Monitor and Improve the ISMS:
- Management Review
- ISMS Metrics -> Control Effectiveness
- Review RA
- Internal Audit
Maintain and Improve the ISMS:
- Implement the Improvements
- Corrective Act. and Preventive Act.
Continual Improvement of the Management System
Common Approach
High Level Certification Plan
Phase I (1 Month): Plan and Manage Program, Mobilize Program, Launch Program
Phase II (5 Months): Implementation, Certification
ISO Core Team
Security Committee
Role: The Security Committee is a key driver of our organization's security aspects. The Committee needs to meet and review at planned intervals the effectiveness of the Information Security Management System. The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.
Frequency: At least once a quarter. However, until the time of certification the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the risk assessment.
Outcomes: Key decisions made on the effectiveness of the ISMS.
Risk Assessment - Phases
Identifying information assets, assigning values to them and controlling risks are essential ISO 27001 requirements.
1. Asset Identification and Valuation
2. Threat Identification
3. Threat Probability Analysis
4. Vulnerability Identification
Risk Measure = Asset Value * Threat Probability * Impact
Asset Identification and Valuation
Categorize Assets: Physical Assets, Information Assets, Software Assets, Services, Voice Information
Valuate Assets based on C.I.A.:
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.
Asset Valuation Tool
Threat Identification
Threat Probability Analysis
TL = Threat Level Rating
TL | Guideline
1 | Once per 3 years or more / no occurrence
2 | Once per year
3 | Once per quarter
4 | Once per month
Vulnerability Identification & Mapping
Impact Value | Threat / Vulnerability Characteristic
1 | Occurrence of this threat will have negligible business impact
2 | Occurrence of this threat will have minor business impact
3 | Occurrence of this threat will have major business impact
4 | Occurrence of this threat will have vital business impact
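A worked calculation of the risk measure and rating scales on the preceding slides (an added example, not from the original deck). The 1-4 C.I.A. rating scale, taking the asset value as the highest of the three ratings, the sample scenarios and the risk-treatment threshold are all assumptions made here for illustration:

```python
"""Risk = Asset Value * Threat Probability * Impact, using the slides' 1-4
Threat Level (TL) and Impact scales. Added example; assumptions (not on the
slides): asset value = max of C/I/A ratings on 1-4, treatment threshold 24."""
from dataclasses import dataclass


def threat_level(occurrences_per_year: float) -> int:
    """Map an observed/expected frequency to the slides' TL guideline."""
    if occurrences_per_year >= 12:   # once per month or more often
        return 4
    if occurrences_per_year >= 4:    # once per quarter
        return 3
    if occurrences_per_year >= 1:    # once per year
        return 2
    return 1                         # once per 3 years or more / no occurrence


IMPACT = {"negligible": 1, "minor": 2, "major": 3, "vital": 4}
TREATMENT_THRESHOLD = 24  # assumed: risks at or above this enter the Risk Treatment Plan


@dataclass
class Scenario:
    asset: str
    c: int            # confidentiality rating 1..4 (assumed scale)
    i: int            # integrity rating 1..4
    a: int            # availability rating 1..4
    threat: str
    occurrences_per_year: float
    impact: str       # key of IMPACT


def asset_value(s: Scenario) -> int:
    return max(s.c, s.i, s.a)          # assumed combination rule


def risk_measure(s: Scenario) -> int:
    return asset_value(s) * threat_level(s.occurrences_per_year) * IMPACT[s.impact]


def risk_register(scenarios):
    """Rank scenarios by risk; flag those needing treatment."""
    rows = [(s.asset, s.threat, risk_measure(s), risk_measure(s) >= TREATMENT_THRESHOLD)
            for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample scenarios, not taken from the slides.
SAMPLE = [
    Scenario("Customer DB", 4, 4, 3, "Unauthorized access", 4, "vital"),
    Scenario("Office phone system", 1, 2, 3, "Outage", 12, "minor"),
    Scenario("Public website", 1, 3, 3, "Defacement", 0.5, "major"),
]

if __name__ == "__main__":
    for asset, threat, risk, treat in risk_register(SAMPLE):
        print(f"{asset:20} {threat:20} risk={risk:2} treat={treat}")
```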
Risk Assessment and Risk Treatment
ISMS Auditing
Requirement for Internal Audit
What do we mean by Audit?
Audit
BS EN 19011:2002 Scope
Management Systems Auditing
Type of Audit
The Audit Process
Audit Objectives
The Scope of the Audit
Audit Criteria
The Benefits of Audit
Auditors Responsibilities
Planning the Audit
Audit Programme
Planning and Preparation
Audit Planning
Decisions at the Planning Stage
Audit Duration
You need to define it based on your experience.
Audit Preparation
Preparing for the Audit
Audit Preparation - Information
Audit Documents
Benefits of the Checklists
Checklist Audit Starting Point
Checklist Clear Screen/Desk Policy
Exercise Preparing an Audit Checklist
Conducting the Audit
Audit Activities
Opening Meeting
Collecting the Facts
Establish the Facts
Audit Evidence
Evidence
Techniques for Questioning
Recording the Facts
Documenting the Findings
Evaluating
Finding Classification - 1
Finding Classification - 2
Finding Classification - 3
The name does not matter; they are all Opportunities for Improvement.
Recording the Results
Documenting Non-Conformities
Non-Conformity Report
Reporting the Audit
Exercise NC report
Audit Report Meeting
Close Meeting
Avoid Confrontation
Conduct of Meeting
Follow-up Options
But always record your actions.
Successive Audits
Reporting
Q & A