Page 1: Isms Iso 27001 Common

02 ISMS & Audit Methodology
Amy Zhu

MSN: [email protected]


04/08/2023 2

Agenda

• ISO 2700x Overview
• ISMS Methodology
• Common Approach
• ISMS Auditing


ISO 2700x Overview


ISO 2700x Series Standard

ISO/IEC Std.   Description
27000          Vocabulary and Definitions
27001          Requirements (BS7799-2)
27002          Code of Practice (ISO 17799:2005)
27003          Implementation Guidance
27004          Metrics and Measurements
27005          Risk Management (BS7799-3)


ISO/IEC 27001 : 2005

• Information Security Management Systems – Requirement
– 11 Domain Areas
– 39 Control Objectives
– 133 Controls

The 11 domain areas:

Security Policy
Organizing Information Security
Asset Management
Human Resource Security
Physical & Env. Security
Comm. & Operation Management
Information Systems Acquisition, Development and Maintenance
Access Control
Information Security Incident Management
Business Continuity Management
Compliance


ISO 27001 Audit Stages

• Conducted in at least two stages, both to identify compliance to ISO 27001:2005

• Audit Stage 1 – Documentation Review
• Audit Stage 2 – Implementation Audit



ISMS Methodology


PDCA model applied to ISMS process

Input: Info. Sec. Req. & Exp.

Establish the ISMS (Plan)
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA / RTP options
- SOA
- C&CO

Implement and Operate the ISMS (Do)
- Risk Treatment Plan
- Implement selected C&CO
- Define Measurements
- Training and Awareness

Monitor and Improve the ISMS (Check)
- Management Review
- ISMS Metrics -> Control Effectiveness
- Review RA
- Internal Audit

Maintain and Improve the ISMS (Act)
- Implement the Improvements
- Corrective Act. and Preventive Act.

Output: Managed Info. Sec.

Continual Improvement of the Management System


Common Approach


High Level Certification Plan

Phase I – Plan and Manage Program (1 Month)
• Mobilize Program
• Launch Program

Phase II – Implementation and Certification (5 Months)


ISO Core Team

Organization Lead
Functional Leads (Support Groups) – SPOCs
Service Delivery Leads (Projects) – SPOCs
Quality Team


Security Committee

Role

The Security Committee is a key driver of our organization’s security aspects. The Committee needs to meet and review at planned intervals the effectiveness of the Information Management system. The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.

Frequency

At least once a quarter. However, until certification, the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the Risk Assessment.

Outcomes

Key decisions made on the effectiveness of the ISMS


Risk Assessment - Phases

• Asset Identification and Valuation
• Threat Identification
• Threat Probability Analysis
• Vulnerability Identification

Risk Measure = Asset Value * Threat Probability * Impact

“Identifying Information Assets, Assigning values to them and Controlling Risks are essential ISO27001 requirements“


Asset Identification and Valuation

Categorize Assets
- Physical Assets
- Information Assets
- Software Assets
- Services
- Voice Information

Valuate Assets based on C.I.A.
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.

Asset Valuation Tool


Threat Identification

• Target: Identify and define all the threats applicable to the organization / facility

• Classification of Threats
– Physical
– Accidental Error
– Unauthorized Access
– Malicious Misuse

• Outputs: Threats Dictionary for the Organization


Threat Probability Analysis

• Analyze the Threat Probability based on the Occurrences Historical Data
• Example:

TL   Guideline
1    Once per 3 years or more / no occurrence
2    Once per year
3    Once per quarter
4    Once per month

TL = Threat Level Rating


Vulnerability Identification & Mapping

• Mapping All the Applicable Vulnerabilities to the Threats
• Evaluate the Impact for every Threat/Vulnerability Pair
• Example:

Impact Value   Threat / Vulnerability Characteristic
1              Occurrence of this threat will have negligible business impact
2              Occurrence of this threat will have minor business impact
3              Occurrence of this threat will have major business impact
4              Occurrence of this threat will have vital business impact


Risk Assessment and Risk Treatment

• Risk = Asset Value * Threat Probability * Impact Value
• Define a Risk Acceptance Level, e.g.:
– All ‘High’ level risks shall be treated
– All ‘Medium’ and ‘Low’ level risks should be monitored and the improvement areas shall be identified
• Risk Treatment Plan – Mitigate the Risk
• Re-Assess the Residual Risk after mitigation actions
• Periodically Review the Risk Assessment
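The risk-assessment steps above (asset valuation on C.I.A., the TL guideline, the impact table, Risk = Asset Value * Threat Probability * Impact Value, the acceptance level and residual-risk re-assessment) carried through in code, as an added example that is not part of the slide deck or any tool it mentions. The deck does not fix the C.I.A. rating scale, how the three ratings combine into one asset value, or the numeric High/Medium/Low bands; those are assumptions here (1..4 scale, asset value = highest of C, I, A, bands on the 1..64 product), and the register entries are constructed sample data.

```python
# Added worked example (not from the slides): Risk = Asset Value * Threat Probability * Impact,
# using the deck's TL guideline (1..4 by occurrence frequency) and impact scale (1 negligible
# .. 4 vital). ASSUMPTIONS not fixed by the deck: C.I.A. ratings on a 1..4 scale, asset
# value = max(C, I, A), and the High/Medium/Low bands on the 1..64 product.
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2023, 6, 30)      # constructed assessment date
WINDOW_YEARS = 3               # TL guideline looks back "once per 3 years or more"

IMPACT_CHARACTERISTIC = {      # impact table from the deck
    1: "negligible business impact", 2: "minor business impact",
    3: "major business impact", 4: "vital business impact",
}


@dataclass
class Asset:
    name: str
    category: str          # Physical / Information / Software / Services / Voice Information
    confidentiality: int   # 1..4 (assumed scale)
    integrity: int
    availability: int

    def value(self) -> int:
        # ASSUMPTION: the asset takes the highest of its C.I.A. ratings
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class ThreatVulnPair:
    threat: str
    threat_class: str      # Physical / Accidental Error / Unauthorized Access / Malicious Misuse
    vulnerability: str
    impact: int            # 1..4 per the deck's impact table
    occurrences: list      # historical occurrence dates ("Occurrences Historical Data")


def threat_level(occurrences, as_of=AS_OF, window_years=WINDOW_YEARS):
    """TL guideline: 1 = once per 3 years or more / none, 2 = once per year,
    3 = once per quarter, 4 = once per month (rate averaged over the window)."""
    start = as_of - timedelta(days=365 * window_years)
    per_year = sum(1 for d in occurrences if start <= d <= as_of) / window_years
    if per_year >= 12:
        return 4
    if per_year >= 4:
        return 3
    if per_year >= 1:
        return 2
    return 1


def risk_score(asset_value, tl, impact):
    """Risk = Asset Value * Threat Probability * Impact Value (each rated 1..4)."""
    for v in (asset_value, tl, impact):
        if not 1 <= v <= 4:
            raise ValueError("ratings must be in 1..4")
    return asset_value * tl * impact


def risk_band(score):
    # ASSUMED acceptance bands on the 1..64 product; set these from your own acceptance level
    if score >= 27:
        return "High"
    if score >= 9:
        return "Medium"
    return "Low"


def action_for(band):
    # Deck's acceptance rule: 'High' shall be treated; 'Medium' and 'Low' are monitored
    return "treat" if band == "High" else "monitor"


def assess(asset, pair, as_of=AS_OF):
    tl = threat_level(pair.occurrences, as_of)
    score = risk_score(asset.value(), tl, pair.impact)
    band = risk_band(score)
    return {"asset": asset.name, "threat": pair.threat, "vulnerability": pair.vulnerability,
            "asset_value": asset.value(), "threat_level": tl, "impact": pair.impact,
            "risk": score, "band": band, "action": action_for(band)}


def residual_risk(entry, new_tl=None, new_impact=None):
    """Re-assess after mitigation: a treatment lowers TL and/or impact (new values assumed)."""
    tl = entry["threat_level"] if new_tl is None else new_tl
    impact = entry["impact"] if new_impact is None else new_impact
    score = risk_score(entry["asset_value"], tl, impact)
    band = risk_band(score)
    return {**entry, "threat_level": tl, "impact": impact, "risk": score,
            "band": band, "action": action_for(band)}


def build_register():
    """Constructed sample register: two assets, one threat/vulnerability pair each."""
    db = Asset("Customer database", "Information Assets", 4, 4, 3)
    db_pair = ThreatVulnPair("Unauthorized access to database", "Unauthorized Access",
                             "Shared administrator password", 4,
                             [date(2021, 2, 1), date(2021, 9, 15), date(2022, 3, 3),
                              date(2022, 11, 20), date(2023, 4, 2)])   # 5 in 3 years -> TL 2
    server = Asset("Branch file server", "Physical Assets", 2, 3, 3)
    server_pair = ThreatVulnPair("Power failure", "Physical", "No UPS in branch office", 2,
                                 [date(2021, m, 5) for m in range(1, 13)])  # 12 in 3 years -> TL 3
    register = [assess(db, db_pair), assess(server, server_pair)]
    return sorted(register, key=lambda e: e["risk"], reverse=True)


if __name__ == "__main__":
    for e in build_register():
        print(f'{e["asset"]:<20} AV={e["asset_value"]} TL={e["threat_level"]} I={e["impact"]} '
              f'risk={e["risk"]:>2} {e["band"]:<6} -> {e["action"]}')
    treated = residual_risk(build_register()[0], new_tl=1)   # e.g. individual accounts + MFA
    print(f'residual: risk={treated["risk"]} {treated["band"]} -> {treated["action"]}')
```

The database entry scores 4 * 2 * 4 = 32 and lands in the assumed High band, so the acceptance rule says treat; after a treatment that brings the threat level down to 1 the residual risk is 16, Medium, so it drops to monitoring, which is the "re-assess the residual risk after mitigation actions" step. The bands are the part to calibrate against the organization's own acceptance level before the Security Committee signs off on the register.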


ISMS Auditing


Requirement for Internal Audit

• ISO 27001:2005 Clause 6 – Internal ISMS Audit
– Planned Intervals
– Conform to Standard
– Information Security Requirements
– Effective Implementation
– Perform as expected
– Audit Program – status and importance
– Procedure
– Actions taken without undue delay
– Follow up activities – verification of actions taken
– Report Results


What do we mean by Audit?


Audit

• Systematic, Independent and Documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

BS EN ISO 19011:2002, Definition 3.1


BS EN 19011:2002 – Scope

• It is applicable to all organizations needing to conduct internal or external audits of quality and/or environmental management systems or to manage an audit programme.


Management Systems Auditing

• Guideline Standard published in one part contains seven Clauses:
– Clauses 1, 2 and 3 – Scope, normative references, and terms and definitions
– Clause 4 – Describes principles of auditing
– Clause 5 – Guidance on establishing and managing an audit programme
– Clause 6 – Guidance on conducting audits
– Clause 7 – Guidance on auditor competence


Type of Audit

• 1st Party Audit (Internal) – when we audit our own system

• 2nd Party Audit (External) – when we audit a supplier, or when we are audited by a customer

• 3rd Party Audit (External) – when we are audited by an independent registration body, BSI and others.


The Audit Process

• Enquiry / Application
• Pre-Assessment (optional)
• Desktop Review / Document Review (Stage 1)
– 6 Weeks Interval Maximum (BSI)
• Initial Assessment / Implementation Audit (Stage 2)
• Certification
• Continuing Assessment (Every 6 months)
• Every 3rd Year: Partial Stage 1 + Entire Stage 2 (UKAS / CNAB)


Audit Objectives

• Determining the extent of conformity of the ISMS, or parts of it, against audit criteria
• Evaluating the capability of the ISMS to ensure compliance with applicable laws, regulations and contractual requirements
• Evaluating the effectiveness of the ISMS in meeting specified objectives
• Identifying areas of potential improvement of the ISMS


The Scope of the Audit

• The audit scope describes the extent and boundaries of the audit in terms of physical locations, organizational units, activities, processes, information assets, asset risk assessments and, where relevant, the time period covered by the audit.


Audit Criteria

• Audit criteria may (will) include applicable security policies and procedures, standards (BS7799-2:2005, ISO 27001), legal and regulatory requirements, management system requirements, contract requirements, industry/business sector codes of conduct/practice, etc.


The Benefits of Audit

• Verifying conformance with security policies and procedures
• Providing (un-biased) information for security forum and management review
• Increasing security awareness
• Reducing risk of security incidents/breaches
• Identifying improvement opportunities


Auditor’s Responsibilities

• Complying with company requirements
• Assisting with preparing the audit schedule
• Conducting the audit
• Recording and reporting the findings
• Conducting follow-up audits
• Maintaining independence and confidentiality
• Maintaining audit records


Planning the Audit


Audit Programme

• An audit programme shall be planned taking into consideration the status and importance of the process and areas to be audited as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined.



Planning and Preparation

• Six Stages of an Audit
– 1. Scheduling
– 2. Planning and Preparation
– 3. Conducting the audit, recording the findings
– 4. Reporting the Results
– 5. Recording and agreeing proposed corrective / preventive / treatment actions and timescales
– 6. Following up actions


Audit Planning

• Determine the Objectives (conformity? or effectiveness?)
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the Auditee – agree the dates
• Draw up audit plan
• Brief the team
• Prepare Checklist


Decisions at the Planning Stage

• Determine and agree the scope
• What the objectives are
• Criteria – legal / regulatory / ISO27001 etc.
• Frequency – status and importance
• Consider the timing
• Auditors – trained / competent


Audit Duration

• Depends on
– Size of the department / area to be audited
– Information processes and assets within the scope of the audit
– Resources required

You need to define it based on your experience


Audit Preparation


Preparing for the Audit

• Prior to the audit you should be fully aware of the following:
– Audit Objectives and Scope
– Audit Criteria and any reference documents
– Identification of any information processes and assets to be audited
– Confirmation of interviewees
• Identify the need for guides (if appropriate)
• Audit methodology


Audit Preparation - Information

• Previous audit findings
• Security Policy statement
• Security Manual / Procedures / guidelines
• Statement of Applicability
• Security incidents since last audit
• Specialist knowledge identified


Audit Documents

• Audit Procedures
• Audit Agenda
• Audit Summary Report forms
• Non-conformity report forms (Risk Treatment / Action Taken)
• Prepared checklists (*important)


Benefits of the Checklists

• Maintain clear audit objectives
• Evidence of planning
• Maintain audit pace and continuity
• Reduce risk of auditors’ bias
• Manages audit workload
• Record samples of activities in the audit


Checklist – Audit Starting Point

• Review Security Policy amendments
• Confirm scope
• Review Risk Assessment for changes
• Review the SOA for implemented controls
• How are these controls being applied within the department (policies or procedures etc.)?
• How are they monitored for effectiveness?
• How are security incidents identified and reported?
• Evidence of continual improvements


Checklist – Clear Screen/Desk Policy

• How long is it before the screen clears?
• Are the screens password protected?
• Look for evidence of compliance/awareness of the need for the controls
• Observe screens and desks for unattended information being displayed

Where are these referenced in the ISMS?


Exercise – Preparing an Audit Checklist

• Stage I & Stage II checklist
• In your groups, prepare an Audit Checklist based on a Top Manager’s responsibility
• List the questions you would ask the Top Manager during the interview


Conducting the Audit


Audit Activities

• Opening Meeting (formal/informal)
• Collect and confirm factual information
• Record and document findings
• Communicate findings
• Report audit findings to person responsible


Opening Meeting

• Process / documented agenda – maintain records
• Introduce audit objective / scope / plan
• Escort and resources needed


Collecting the Facts

• Samples of evidence
– Randomly Selected
– Chosen by Auditor
– Facts agreed with interviewees

Don’t Make Assumptions


Establish the Facts

• Collect all the details
– Exact observation
– What (is the requirement)
– Where (was it happening)
– When (did it happen)
– Who (was doing it)
– Why (is it a non-conformity)


Audit Evidence

• Can be obtained from several sources including:
– Interviews with asset and process owners / managers
– Documents within the information security management system
– Records
– Reports from various sources including customers
– All audit evidence must be verified by the auditor


Evidence

• Records, statements of fact or other information which are relevant to the audit criteria and verifiable

BS EN ISO 19011, Clause 3.3


Techniques for Questioning

• Key information gathering questions
– What
– Why
– Where
– When
– How
– Who

Most Important ‘Please Show Me’


Recording the Facts

• As objective evidence
– For investigation now
– For investigation later
– For use by colleagues
• Must be legible
• Must be traceable
• Must be retrievable


Documenting the Findings

• Includes
– Audit summary report
– Non-Conformities identified
– Observations and recommendations
– Risk Treatment action plan / schedule


Evaluating

• For compliance with
– Security policies / procedures
– Customer / Contract requirements
– Legal / Regulatory / Statutory requirements
– Documented ISMS
– Company standards
– ISO 27001:2005 (BS 7799-2:2005)


Finding Classification - 1

• Non-Conformity – NC
– A situation where there is a likelihood that a security incident/breach may occur, or where the benefits of ISO27001:2005 are not being realized, because of the absence of, or lack of adherence to, a security policy / procedure


Finding Classification - 2

• Major Non-Conformity – Major NC
– A non-conformity of such severity that its existence would indicate that a security breach could impact on the customer or have financial implications for the company, because the requirements of an appropriate clause of ISO27001:2005 have not been adequately addressed.


Finding Classification - 3

• Observation
– A situation where, based on your experience, a security control should be implemented or additional measures could be taken, to improve the ISMS in some way


The name does not matter, they are all ‘Opportunities for Improvement’


Recording the Results


Documenting Non-Conformities

• Non-Conformity report
– Unique reference
– Where the NC was found
– Date recorded
– What the requirement was
– What the objective evidence is


Non-Conformity Report

• Clear – no ambiguities
• Complete – includes all identifiers / facts
• Correct – indisputable facts
• Concise – if possible
• Referenced – to the ISO 27001:2005 clause


Reporting the Audit

• Dates of the audit
• Departments visited
• Audit scope and basis
• Key people seen
• Procedure / Policy / SOA references
• Summary of findings (positive and negative)
• Distribution list

• <Audit Summary Report>
• <Non-Conformity Report>


Exercise – NC report

• Using the NC Report Forms and the Standard, write an NC Report


Audit Report Meeting


Close Meeting

• Summarize findings
• Review observations
• Agree commitment for corrective actions
• Agree timescales

Avoid Confrontation


Conduct of Meeting

• Control the meeting
• Speak with authority
• Listen with care
• Maintain good manners
• Watch body language
• Finish with clear objectives
• * Exercise – Close Meeting


Follow-up Options

• Verification at the location of the audit finding
• Review of documentation
• Verification at the next audit
• Agree with the next audit

But Always Record your Actions


Successive Audits

• For successive audits, give consideration at the planning stage to varying the approach:
– Asset Group
– Security Policies / Procedures
– Auditors
– Department


Reporting

• Use the Audit Summary and NC Reports to produce a closing presentation to agree the NC findings and next actions

• Remember: Finding NCs is easy. Getting them to agree that they are NCs, and when they are going to be fixed, is the difficult part for internal audits.


Q & A
