ISO 27001 - ISMS & Audit Methodology

02 ISMS & Audit Methodology
Amy Zhu MSN: amyseeger@hotmail.com

Agenda
• ISO 2700x Overview
• ISMS Methodology
• Common Approach
• ISMS Auditing

10/22/2009

2

ISO 2700x Overview


ISO 2700x Series Standard
ISO/IEC Std.   Description
27000          Vocabulary and Definitions
27001          Requirements (BS7799-2)
27002          Code of Practice (ISO 17799: 2005)
27003          Implementation Guidance
27004          Metrics and Measurements
27005          Risk Management (BS7799-3)

ISO/IEC 27001 : 2005
• Information Security Management Systems - Requirements
  – 11 Domain Areas
  – 39 Control Objectives
  – 133 Controls
• Domain Areas: Security Policy; Organizing Information Security; Asset Management; Human Resource Security; Physical & Env. Security; Access Control; Comm. & Operation Management; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; Compliance

ISO 27001 Audit Stages
• Conducted in at least two stages, both to identify compliance to ISO 27001:2005
• Audit Stage 1 – Documentation Review
• Audit Stage 2 – Implementation Audit

ISMS Methodology


PDCA model applied to ISMS process
Input: Info. Sec. Req. & Exp.  ->  Output: Managed Info. Sec.

Establish the ISMS (Plan)
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA / RTP options
- SOA
- C&CO

Implement and Operate the ISMS (Do)
- Risk Treatment Plan
- Implement selected C&CO
- Define Measurements
- Training and Awareness

Monitor and Improve the ISMS (Check)
- Management Review
- ISMS Metrics -> Control Effectiveness
- Review RA
- Internal Audit

Maintain and Improve the ISMS (Act)
- Implement the Improvements
- Corrective Act. and Preventive Act.

Continual Improvement of the Management System

Common Approach


High Level Certification Plan
Phase I (1 Month): Plan and Manage Program
• Mobilize Program
• Launch Program

Phase II (5 Months): Implementation, Certification

ISO Core Team


Security Committee
Role

Role: The Security Committee is a key driver of our organization’s security aspects. The Committee needs to meet and review, at planned intervals, the effectiveness of the Information Security Management System. The review shall also include assessing opportunities for improvement and the need for change. The Committee is the final authority for reviewing and taking appropriate action against all information security related risks.
Frequency: At least once a quarter. However, until certification the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the Risk Assessment.
Outcomes: Key decisions made on the effectiveness of the ISMS.

Risk Assessment - Phases
“Identifying Information Assets, Assigning values to them and Controlling Risks are essential ISO27001 requirements”
• Asset Identification and Valuation
• Threat Identification
• Threat Probability Analysis
• Vulnerability Identification
• Risk Measure = Asset Value * Threat Probability * Impact

Asset Identification and Valuation
• Categorize Assets
  – Physical Assets
  – Information Assets
  – Software Assets
  – Services
  – Voice Information
• Valuate Assets based on C.I.A.
  – Confidentiality: Ensuring that information is accessible only to those authorised to have access.
  – Integrity: Safeguarding the accuracy and completeness of information and processing methods.
  – Availability: Ensuring that authorised users have access to information and associated assets when required.
• Asset Valuation Tool

Threat Identification
• Target: Identify and define all the threats applicable to the organization / facility
• Classification of Threats
  – Physical
  – Accidental Error
  – Unauthorized Access
  – Malicious Misuse
• Outputs: Threats Dictionary for the Organization

Threat Probability Analysis
• Analyze the Threat Probability based on historical occurrence data
• Example (TL = Threat Level):
  TL   Rating Guideline
  1    Once per 3 years or more / no occurrence
  2    Once per year
  3    Once per quarter
  4    Once per month

Vulnerability Identification & Mapping
• Map all applicable vulnerabilities to the threats
• Evaluate the impact for every Threat/Vulnerability pair
• Example:
  Impact Value   Threat / Vulnerability Characteristic
  1              Occurrence of this threat will have negligible business impact
  2              Occurrence of this threat will have minor business impact
  3              Occurrence of this threat will have major business impact
  4              Occurrence of this threat will have vital business impact

Risk Assessment and Risk Treatment
• Risk = Asset Value * Threat Probability * Impact Value
• Define a Risk Acceptance Level, e.g.:
  – All ‘High’ level risks shall be treated
  – All ‘Medium’ and ‘Low’ level risks should be monitored and the improvement areas identified
• Risk Treatment Plan – Mitigate the Risk
• Re-assess the residual risk after mitigation actions
• Periodically review the Risk Assessment
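As an added example (not part of the deck), the scoring rule from the Risk Assessment phases and the acceptance rule on this slide carried through in Python over a constructed mini risk register. The TL and Impact Value scales are the deck's; the 1..4 C/I/A scale, the max-of-C/I/A asset value and the High/Medium/Low cut-offs are assumptions made here.

```python
from dataclasses import dataclass
# Threat Level (TL) rating guideline from the "Threat Probability Analysis" slide.
THREAT_LEVEL = {"once per 3 years or more / no occurrence": 1, "once per year": 2,
                "once per quarter": 3, "once per month": 4}
# Impact value guideline from the "Vulnerability Identification & Mapping" slide.
IMPACT_VALUE = {"negligible": 1, "minor": 2, "major": 3, "vital": 4}
# Assumed cut-offs: the deck names High/Medium/Low but gives no thresholds (max score 64).
HIGH_THRESHOLD = 32
MEDIUM_THRESHOLD = 12

@dataclass
class Asset:
    name: str
    category: str   # Physical, Information, Software, Services, Voice Information
    c: int          # confidentiality rating; assumed 1..4 scale
    i: int          # integrity rating
    a: int          # availability rating

    def value(self) -> int:
        """Assumed valuation rule: the asset is worth its highest C/I/A rating."""
        for rating in (self.c, self.i, self.a):
            if not 1 <= rating <= 4:
                raise ValueError(f"{self.name}: C/I/A ratings must be 1..4")
        return max(self.c, self.i, self.a)

def risk_score(asset: Asset, frequency: str, impact: str) -> int:
    """Deck formula: Risk = Asset Value * Threat Probability * Impact Value."""
    return asset.value() * THREAT_LEVEL[frequency] * IMPACT_VALUE[impact]

def risk_level(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "High"
    return "Medium" if score >= MEDIUM_THRESHOLD else "Low"

def build_register(assets, pairs):
    """pairs: (asset name, threat, vulnerability, frequency key, impact key).
    Acceptance rule from the deck: High risks are treated, Medium/Low monitored."""
    by_name = {asset.name: asset for asset in assets}
    rows = []
    for asset_name, threat, vuln, frequency, impact in pairs:
        score = risk_score(by_name[asset_name], frequency, impact)
        level = risk_level(score)
        rows.append({"asset": asset_name, "threat": threat, "vulnerability": vuln,
                     "score": score, "level": level,
                     "action": "treat" if level == "High" else "monitor"})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample input, not taken from the deck.
SAMPLE_ASSETS = [Asset("HR database", "Information", 4, 3, 2),
                 Asset("Office printer", "Physical", 1, 1, 2)]
SAMPLE_PAIRS = [
    ("HR database", "Unauthorized Access", "shared admin password", "once per quarter", "major"),
    ("HR database", "Accidental Error", "no change approval step", "once per year", "minor"),
    ("Office printer", "Physical", "no fire suppression", "once per 3 years or more / no occurrence", "minor"),
]
```

Calling build_register(SAMPLE_ASSETS, SAMPLE_PAIRS) returns the register ordered by score, with only the High row marked for treatment.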

ISMS Auditing


Requirement for Internal Audit
• ISO 27001:2005 Clause 6 – Internal ISMS Audit
  – Planned intervals
  – Conform to the Standard
  – Information security requirements
  – Effective implementation – perform as expected
  – Audit programme – status and importance
  – Procedure
  – Actions taken without undue delay
  – Follow-up activities – verification of actions taken
  – Report results

What do we mean by Audit?


Audit
• Systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. (BS EN ISO 19011:2002, Definition 3.1)

BS EN 19011:2002 – Scope
• It is applicable to all organizations needing to conduct internal or external audits of quality and/or environmental management systems, or to manage an audit programme.

Management Systems Auditing
• Guideline standard published in one part, containing seven clauses:
  – Clauses 1, 2 and 3 – Scope, normative references, and terms and definitions
  – Clause 4 – Principles of auditing
  – Clause 5 – Guidance on establishing and managing an audit programme
  – Clause 6 – Guidance on conducting audits
  – Clause 7 – Guidance on auditor competence

Type of Audit
• 1st Party Audit (Internal) – when we audit our own system
• 2nd Party Audit (External) – when we audit a supplier, or when we are audited by a customer
• 3rd Party Audit (External) – when we are audited by an independent registration body (BSI and others)

The Audit Process
• Enquiry / Application
• Pre-Assessment (optional)
• Desktop Review / Document Review (Stage 1)
  (maximum interval between Stage 1 and Stage 2: 6 weeks (BSI))
• Initial Assessment / Implementation Audit (Stage 2)
• Certification
• Continuing Assessment (every 6 months)
• Every 3rd year: partial Stage 1 + entire Stage 2 (UKAS / CNAB)

Audit Objectives
• Determining the extent of conformity of the ISMS, or parts of it, against audit criteria
• Evaluating the capability of the ISMS to ensure compliance with applicable laws, regulations and contractual requirements
• Evaluating the effectiveness of the ISMS in meeting specified objectives
• Identifying areas of potential improvement of the ISMS

The Scope of the Audit
• The audit scope describes the extent and boundaries of the audit in terms of physical locations, organizational units, activities, processes, information assets, asset risk assessments and, where relevant, the time period covered by the audit.

Audit Criteria
• Audit criteria may (will) include applicable security policies and procedures, standards (BS7799-2: 2005, ISO 27001), legal and regulatory requirements, management system requirements, contract requirements, industry/business sector codes of conduct/practice, etc.

The Benefits of Audit
• Verifying conformance with security policies and procedures
• Providing (unbiased) information for the security forum and management review
• Increasing security awareness
• Reducing the risk of security incidents/breaches
• Identifying improvement opportunities

Auditor’s Responsibilities
• Complying with company requirements
• Assisting with preparing the audit schedule
• Conducting the audit
• Recording and reporting the findings
• Conducting follow-up audits
• Maintaining independence and confidentiality
• Maintaining audit records

Planning the Audit


Audit Programme
• An audit programme shall be planned taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined.

Planning and Preparation
• Six stages of an audit
  – 1. Scheduling
  – 2. Planning and preparation
  – 3. Conducting the audit, recording the findings
  – 4. Reporting the results
  – 5. Recording and agreeing proposed corrective / preventive / treatment actions and timescales
  – 6. Following up actions

Audit Planning
• Determine the objectives (conformity? or effectiveness?)
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the dates
• Draw up the audit plan
• Brief the team
• Prepare the checklist

Decisions at the Planning Stage
• Determine and agree the scope
• What the objectives are
• Criteria: legal / regulatory / ISO27001 etc.
• Frequency – status and importance
• Consider the timing
• Auditors – trained / competent

Audit Duration
• Depends on
  – Size of the department / area to be audited
  – Information processes and assets within the scope of the audit
  – Resources required

You need to define it based on your experience

Audit Preparation


Preparing for the Audit
• Prior to the audit you should be fully aware of the following:
  – Audit objectives and scope
  – Audit criteria and any reference documents
  – Identification of any information processes and assets to be audited
  – Confirmation of interviewees
• Identify the need for guides (if appropriate)
• Audit methodology

Audit Preparation - Information
• Previous audit findings
• Security Policy statement
• Security Manual / Procedures / guidelines
• Statement of Applicability
• Security incidents since last audit
• Specialist knowledge identified

Audit Documents
• Audit Procedures
• Audit Agenda
• Audit Summary Report forms
• Non-conformity report forms (Risk Treatment / Action Taken)
• Prepared checklists (*important)

Benefits of the Checklists
• Maintain clear audit objectives
• Evidence of planning
• Maintain audit pace and continuity
• Reduce risk of auditors’ bias
• Manage audit workload
• Record samples of activities in the audit

Checklist – Audit Starting Point
• Review Security Policy amendments
• Confirm scope
• Review Risk Assessment for changes
• Review the SOA for implemented controls
• How are these controls being applied within the department (policies or procedures etc.)?
• How are they monitored for effectiveness?
• How are security incidents identified and reported?
• Evidence of continual improvement

Checklist – Clear Screen/Desk Policy
• How long is it before the screen clears?
• Are the screens password protected?
• Look for evidence of compliance/awareness of the need for the controls
• Observe screens and desks for unattended information being displayed

Where are these referenced in the ISMS?

Exercise – Preparing an Audit Checklist
• Stage I & Stage II checklist
• In your groups, prepare an Audit Checklist based on a Top Manager responsibility
• List the questions you would ask the Top Manager during the interview

Conducting the Audit


Audit Activities
• Opening Meeting (formal/informal)
• Collect and confirm factual information
• Record and document findings
• Communicate findings
• Report audit findings to the person responsible

Opening Meeting
• Process / documented agenda; maintain records
• Introduce audit objective / scope / plan
• Escort and resources needed

Collecting the Facts
• Samples of evidence
  – Randomly selected
  – Chosen by Auditor
  – Facts agreed with interviewees

Don’t Make Assumptions

Establish the Facts
• Collect all the details
  – Exact observation
  – What (is the requirement)
  – Where (was it happening)
  – When (did it happen)
  – Who (was doing it)
  – Why (is it a non-conformity)

Audit Evidence
• Can be obtained from several sources including:
  – Interviews with asset and process owners / managers
  – Documents within the information security management system
  – Records
  – Reports from various sources including customers
• All audit evidence must be verified by the auditor

Evidence
• Records, statements of fact or other information which are relevant to the audit criteria and verifiable (BS EN ISO 19011, Clause 3.3)

Techniques for Questioning
• Key information gathering questions
  – What
  – Why
  – Where
  – When
  – How
  – Who
• Most important: ‘Please Show Me’

Recording the Facts
• As objective evidence
  – For investigation now
  – For investigation later
  – For use by colleagues
• Must be legible
• Must be traceable
• Must be retrievable

Documenting the Findings
• Includes
  – Audit summary report
  – Non-conformities identified
  – Observations and recommendations
  – Risk treatment action plan / schedule

Evaluating
• For compliance with
  – Security policies / procedures
  – Customer / contract requirements
  – Legal / regulatory / statutory requirements
  – Documented ISMS
  – Company standards
  – ISO 27001:2005 (BS 7799-2: 2005)

Finding Classification - 1
• Non-Conformity – NC
  – A situation where there is a likelihood that a security incident/breach may occur, or where the benefits of ISO27001:2005 are not being realized, because of the absence of, or lack of adherence to, a security policy / procedure

Finding Classification - 2
• Major Non-Conformity – Major NC
  – A non-conformity of such severity that its existence would indicate that a security breach could impact on the customer or have financial implications for the company, because the requirements of an appropriate clause of ISO27001:2005 have not been adequately addressed.

Finding Classification - 3
• Observation
  – A situation where, based on your experience, a security control should be implemented or additional measures could be taken to improve the ISMS in some way

The name does not matter, they are all ‘Opportunities for Improvement’

Recording the Results


Documenting Non-Conformities
• Non-Conformity report
  – Unique reference
  – Where the NC was found
  – Date recorded
  – What the requirement was
  – What the objective evidence is

Non-Conformity Report
• Clear – no ambiguities
• Complete – includes all identifiers / facts
• Correct – indisputable facts
• Concise – if possible
• Referenced – to the ISO 27001:2005 clause

Reporting the Audit
• Dates of the audit
• Departments visited
• Audit scope and basis
• Key people seen
• Procedure / Policy / SOA references
• Summary of findings (positive and negative)
• Distribution list
• <Audit Summary Report>
• <Non-Conformity Report>

Exercise – NC report
• Using the NC Report Forms and the Standard, write an NC Report

Audit Report Meeting


Close Meeting
• Summarize findings
• Review observations
• Agree commitment for corrective actions
• Agree timescales

Avoid Confrontation

Conduct of Meeting
• Control the meeting
• Speak with authority
• Listen with care
• Maintain good manners
• Watch body language
• Finish with clear objectives
• * Exercise – Close Meeting

Follow-up Options
• Verification at the location of the audit finding
• Review of documentation
• Verification at the next audit
• Agree with the next audit

But Always Record Your Actions

Successive Audits
• For successive audits, give consideration at the planning stage to varying the approach:
  – Asset Group
  – Security Policies / Procedures
  – Auditors
  – Department

Reporting
• Use the Audit Summary and NC Reports to produce a closing presentation to agree the NC findings and next actions
• Remember: finding NCs is easy. Getting them to agree that they are NCs, and when they are going to be fixed, is the difficult part for internal audits.

Q&A



				
posted:10/23/2009
language:English
pages:72
Description: ISO 27001 - ISMS & Audit Methodology. This deck was prepared by me for knowledge transfer inside our team, and I've already removed the sensitive information, keeping just the common information related to the ISMS methodology and the IS audit related topics. Agenda: ISO 2700x Overview; ISMS Methodology; Common Approach; ISMS Auditing