Best Practices in Auditing ISO 27001
Edited and Presented by
Eng. Kefah El-Ghobbas
B.Sc Mech Engineer – EOQ Quality Systems Manager
PECB Trainer
Kefah El-Ghobbas
Trainer & Consultant
Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence’ through ‘Business Process Re-engineering’ with over 20 years of experience.
Contact Information
+971 4 396 2323 k.elghobbas@aljadarat-trainingcentre.ae
www.aljadarat-trainingcenter.ae https://ae.linkedin.com/in/kefah-el-ghobbas-46323a15
Content of Webinar
Domain One: Introduction to ISMS
Domain Two: Auditing of ISO 27001
Domain Three: ISMS Auditing Assignment
Domain Four: Auditors Requirements
Eng. Kefah El-Ghobbas 3
Domain One
Introduction to ISMS
Information
Information is a set or group of data that has been processed in a way that gives it definite meaning.
Data
Data is a set of values of qualitative or quantitative variables.
Information as an asset
1. Information is essential to an organization’s business and it needs to be protected.
2. Interconnectivity leads to information being exposed to a growing number and wider variety of threats and vulnerabilities.
This leads to: protection is vital in the increasingly interconnected business environment.
Forms of Information
Forms of information: printed, written, stored electronically, transmitted by post or email.
Why Do we need to protect our Information?
1. High dependency on Information & Communications Technology.
2. A successful business must have the right information at the right time in order to make well-informed decisions.
3. All types of information, whether paper-based or on a computer disk, are at risk.
4. Protection of information is a major challenge:
   • PC/network failure, hackers, viruses/spyware, fraud, unknown/unsolicited contacts.
Why Do we need to protect our Information?
Main Purpose
1. Getting the information at the right time through authenticated channels.
2. Preventing the information from being deleted or modified by unauthorized persons.
Information Security Objectives
Confidentiality: ensuring that information is available only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that information and vital services are available to authorized users when required.
Major Components of ISMS
…the major steps towards achieving
ISO 27001:2005 compliance
Why develop a Security Risk Management Process?
Developing a formal security risk management process can address the following:
• Threat response time
• Regulatory compliance
• Infrastructure management costs
• Risk prioritization and management
Security risk management: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization.
Comparing Approaches to Risk Management
Many organizations have approached security risk management by adopting one of the following:
Proactive approach: the adoption of a process that reduces the risk of new vulnerabilities in your organization.
Reactive approach: a process that responds to security events as they occur.
Comparing Approaches to Risk Prioritization
Quantitative approach
Benefits:
• Risks prioritized by financial impact; assets prioritized by their financial values
• Results facilitate management of risk by return on security investment
• Results can be expressed in management-specific terminology
Drawbacks:
• Impact values assigned to risks are based upon subjective opinions of the participants
• Very time-consuming
• Can be extremely costly
Qualitative approach
Benefits:
• Enables visibility and understanding of risk ranking
• Easier to reach consensus
• Not necessary to quantify threat frequency
• Not necessary to determine financial values of assets
Drawbacks:
• Insufficient granularity between important risks
• Difficult to justify investing in controls as there is no basis for a cost-benefit analysis
• Results dependent upon the quality of the risk management team that is created
Microsoft Security Risk Management Process
1. Assessing Risk
2. Conducting Decision Support
3. Implementing Controls
4. Measuring Program Effectiveness
Risk Management vs. Risk Assessment
Goal
• Risk Management: manage risks across the business to an acceptable level
• Risk Assessment: identify and prioritize risks
Cycle
• Risk Management: overall program across all four phases
• Risk Assessment: single phase of the risk management program
Schedule
• Risk Management: scheduled activity
• Risk Assessment: continuous activity
Alignment
• Risk Management: aligned with budgeting cycles
• Risk Assessment: not applicable
Communicating Risk
Well-Formed Risk Statement
• Asset: What are you trying to protect?
• Threat: What are you afraid of happening?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Impact: What is the impact to the business?
• Probability: How likely is the threat given the controls?
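As an added worked example (not from the original slides), the following Python builds a small risk register from the six elements of a well-formed risk statement and prioritizes it both ways compared on the earlier "Comparing Approaches to Risk Prioritization" slide: qualitatively, with ordinal impact and probability scales, and quantitatively, by annual loss expectancy. The risks, the ordinal scale, the financial values and the incident rates are constructed for illustration, and the two formulas (impact times probability score; asset value times exposure factor times expected incidents per year) are a common convention rather than anything ISO 27001 prescribes.

```python
"""Risk register built from well-formed risk statements and prioritized
two ways: qualitatively (ordinal impact x probability) and quantitatively
(annual loss expectancy).  The risks, values and scales are constructed
for this example, not taken from any real organization."""
from dataclasses import dataclass

# Ordinal scale for the qualitative method (constructed for this example)
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    ident: str
    asset: str          # What are you trying to protect?
    threat: str         # What are you afraid of happening?
    vulnerability: str  # How could the threat occur?
    mitigation: str     # What is currently reducing the risk?
    impact: str         # qualitative impact to the business: low/medium/high
    probability: str    # qualitative likelihood given current controls: low/medium/high
    asset_value: float  # quantitative: financial value of the asset
    exposure: float     # quantitative: fraction of the value lost per incident (0..1)
    annual_rate: float  # quantitative: expected incidents per year given current controls

    def statement(self) -> str:
        """Render the six elements as one well-formed risk statement."""
        return (f"{self.ident}: {self.threat} could exploit {self.vulnerability} "
                f"on the {self.asset}; {self.mitigation} currently reduces the risk; "
                f"impact {self.impact}, probability {self.probability}.")

    def qualitative_score(self) -> int:
        """Ordinal ranking value: impact level times probability level."""
        return LEVELS[self.impact] * LEVELS[self.probability]

    def annual_loss_expectancy(self) -> float:
        """Single loss expectancy (value x exposure) times expected incidents per year."""
        return self.asset_value * self.exposure * self.annual_rate


# Constructed sample register: three risks with made-up values
SAMPLE_RISKS = [
    Risk("R1", "customer database", "data theft", "an unpatched database server",
         "quarterly patching", "high", "medium", 2_000_000, 0.5, 0.1),
    Risk("R2", "payroll system", "ransomware", "phishing of finance staff",
         "mail filtering and nightly backups", "high", "medium", 500_000, 0.8, 0.5),
    Risk("R3", "public website", "defacement", "an outdated CMS plugin",
         "a web application firewall", "low", "high", 50_000, 0.3, 2.0),
]


def rank_qualitative(risks):
    """Identifiers ordered by ordinal score, highest first; ties keep register order."""
    return [r.ident for r in sorted(risks, key=lambda r: r.qualitative_score(), reverse=True)]


def rank_quantitative(risks):
    """Identifiers ordered by annual loss expectancy, highest first."""
    return [r.ident for r in sorted(risks, key=lambda r: r.annual_loss_expectancy(), reverse=True)]


def qualitative_ties(risks):
    """Scores shared by more than one risk: the 'insufficient granularity' drawback made visible."""
    by_score = {}
    for r in risks:
        by_score.setdefault(r.qualitative_score(), []).append(r.ident)
    return {score: ids for score, ids in by_score.items() if len(ids) > 1}


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.statement())
        print(f"   qualitative score={r.qualitative_score()}  ALE={r.annual_loss_expectancy():,.0f}")
    print("qualitative ranking :", rank_qualitative(SAMPLE_RISKS))
    print("quantitative ranking:", rank_quantitative(SAMPLE_RISKS))
    print("qualitative ties    :", qualitative_ties(SAMPLE_RISKS))
```

With these constructed values R1 and R2 both score 6 on the qualitative scale, so the register cannot say which to treat first; the annual loss expectancy separates them (R2 at 200,000 ahead of R1 at 100,000). The quantitative inputs (exposure, annual rate) are still estimates supplied by participants, which is the subjectivity drawback the slide lists against the quantitative approach.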
Determining Your Organization’s Risk Management Maturity Level
Publications to help you determine your organization’s risk management maturity level include:
• ISO Code of Practice for Information Security Management (ISO 17799), International Standards Organization
• Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
• Security Self-Assessment Guide for Information Technology Systems (SP-800-26), National Institute of Standards and Technology
Performing a Risk Management Maturity Self-Assessment
Level 0: Non-existent
Level 1: Ad hoc
Level 2: Repeatable
Level 3: Defined process
Level 4: Managed
Level 5: Optimized
Defining Roles and Responsibilities
Executive Sponsor: “What's important?”
Information Security Group: “Prioritize risks”
IT Group: “Best control solution”
Responsibilities to be assigned across these roles:
• Determine acceptable risk
• Assess risks
• Define security requirements
• Measure security solutions
• Design and build security solutions
• Operate and support security solutions
Domain Two
Auditing of ISO 27001
Scope of ISO 27001:2013 – Information Security Management System
1. ISMS provides a framework to establish,
implement, operate, monitor, review,
maintain and improve the information
security within an organization.
2. Implement effective information security
that really meets business requirements.
3. Manage risks to suit the business activity.
4. Manage incident handling activities.
ISO 27000 Standard Family
ISO/IEC 27001:2005 is a standard specification for Information Security Management Systems (ISMS) which instructs you how to apply ISO/IEC 27002 and how to build, operate, maintain and improve an ISMS.
ISO/IEC 27002:2007 is a code of practice and can be regarded as a comprehensive catalogue of good security things to do.
ISO 27001
Purposes:-
1. Protection of information from a wide range of threats in
order to ensure business continuity, minimize business
risk, maximize return on investments and business
opportunities.
2. Implementing a suitable set of controls, policies,
processes, procedures, organizational structures and
software and hardware functions – to ensure that the
specific security and business objectives are met.
Rev 1.0 Kefah El-Ghobbas 25
What is auditing?
ISO 19011 defines an audit as:
A systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Audit Guideline
ISO 19011
Guideline on quality and/or environmental management systems auditing.
Contains:
1. The principles of auditing
2. Management of audit programs
3. Audit activities
4. The competence of quality management systems
Auditing ISO 27001
We use ISO 19011 section 4 as the principles of auditing. ISMS audits have particular relevancies, such as:
1. frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment;
2. the need to maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organizational situation (e.g. changing business processes and relationships, technology changes).
Factors influencing the Audit Program
1. Scope, objective, and duration of each audit;
2. Frequency of audits to be conducted;
3. Number, status, importance, complexity, similarity, and
locations of the activities to be audited;
4. Standards, statutory, regulatory and contractual
requirements, policies, procedures and other audit
criteria;
5. Need for accreditation and certification;
6. Results of previous audits or previous audit program
review;
7. Language, culture and social issues;
8. Significant changes to any functional area.
Responsibility of Managing the Auditing Program
1. Assign the audit responsibility to persons who have a specific understanding of audit principles, auditor competence and the application of audit techniques.
2. The auditor must have appropriate management skills as well as technical and business understanding relevant to the activities to be audited.
Resources Required by Program
1. Financial resources to develop, implement, manage and improve audit
activities;
2. Audit technique;
3. Processes to achieve and maintain auditor competence and to improve
auditor performance;
4. Availability of auditors and technical experts;
5. The extent of the audit program;
6. Traveling time, accommodation and other auditing needs.
Audit Program Procedure
Procedures need to be developed and implemented:
1. to address responsibilities and requirements for planning and conducting audits;
2. for the selection of auditors;
3. for the methods of reporting and maintaining records.
Audit Program Records
Records should be maintained to demonstrate the effective operation of the audit program.
The minimum record requirements:
1. Results of the audit program review;
2. Audit plan;
3. Audit reports;
4. Nonconformity reports;
5. Reports of corrective actions;
6. Auditor personnel records, covering areas such as performance evaluation, audit team selection, qualifications and training.
Monitoring and Reviewing the audit program
The audit program needs to be monitored
periodically in order to assess:
1. Whether the audit objectives are being
met;
2. The effectiveness of the audit program;
3. Any opportunity for improvement.
Summary of Audit Program
Define Program:
• Objectives / extent
• Procedures
• Resources
• Responsibilities
Implement Program:
• Evaluating auditors
• Selecting audit teams
• Directing audit activities
• Recording
Monitoring and review
Improvement action
Auditors Roles and Responsibilities
Lead Auditor:
1. Prepare the audit plan;
2. Brief the team;
3. Review working documents to ensure adequacy;
4. Make final decisions for all phases of the audit;
5. Report critical nonconformities to the auditee immediately;
6. Report any major obstacles encountered during the audit;
7. Represent the audit team at opening and closing meetings;
8. Submit the audit report.
Auditors Roles & Responsibilities
Auditors:
1. Prepare any work documents (including check-lists) necessary to carry out their assigned tasks;
2. Review all relevant information related to their assigned tasks;
3. Report deficiencies and audit findings to the team leader.
Domain Three
ISMS Auditing Assignment
Information Security audit assignment
Phase: Scoping and pre-audit survey
1. Determine the main area(s) of focus for the audit and any areas that are explicitly out of scope, based normally on an initial risk-based assessment plus discussion with those who commissioned the ISMS audit.
2. Information sources include general research on the industry and the organization, previous ISMS audit reports, and ISMS documents such as the Statement of Applicability, Risk Treatment Plan and ISMS Policy.
Make sure that the scope of the certificate is aligned with the auditing scope.
3. Pay particular attention to:
• information security risks and controls associated with information conduits to other entities (organizations, business units etc.) that fall outside the scope of the ISMS,
• checking the adequacy of information security-related clauses in Service Level Agreements or contracts with IT service suppliers.
4. The primary output is an agreed ISMS audit scope, charter, engagement letter or similar.
Phase: Planning and Preparation
1. The overall ISMS scope is broken down into greater detail, typically by generating an ISMS audit workplan/checklist.
2. The overall timing and resourcing of the audit are negotiated and agreed by management of both the organization being audited and the ISMS auditors, in the form of an audit plan.
3. Audit plans often also include “checkpoints”, that is, specific opportunities for the auditors to provide informal interim updates to their management contacts, including preliminary notification of any observed inconsistencies or potential nonconformities etc.
4. Interim updates also provide opportunities for the auditors to raise any concerns over limited access to information or people, and for management to raise any concerns over the nature of the audit work.
5. The output of this phase is the (customized) audit work plan/checklist and an audit plan agreed with management.
Fieldwork:
1. Audit evidence is gathered by the auditor/s working methodically through the work plan or checklist, for example:
• interviewing staff, managers and other stakeholders associated with the ISMS,
• reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews),
• observing ISMS processes in action and checking system security configurations etc.
2. The auditor reads and makes notes about documentation relating to and arising from the ISMS (such as the Statement of Applicability, Risk Treatment Plan, ISMS policy etc.).
The documentation comprises audit evidence, with the audit notes being audit working papers.
3. Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organization’s information security policies, standards and guidelines.
Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed but potentially introduce their own security issues that need to be taken into account.
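Added example, not part of the original presentation: a small Python technical compliance check of the kind described under item 3. It compares a collected copy of an OpenSSH sshd_config against a baseline of acceptable values and records each result as a finding carrying a SHA-256 of the evidence file, so every finding can be tied back to the audit working papers. The baseline values and the sample configuration are constructed for illustration; the keywords are real sshd_config keywords. Two properties of the file format are handled because they change results: keywords are case-insensitive, and sshd uses the first value it finds for a keyword, so a later duplicate does not override it. Directives after a Match line apply only conditionally, so the checker stops there and leaves such blocks for manual review.

```python
"""Automated technical compliance check: compare a collected sshd_config
against a written baseline and record findings with an evidence reference.
The baseline and the sample configuration are constructed for this example;
the keywords themselves are real OpenSSH sshd_config keywords."""
import hashlib
from dataclasses import dataclass

# Hypothetical baseline taken from the organization's SSH hardening standard:
# keyword -> acceptable values.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}

# Constructed sample evidence: a copy of /etc/ssh/sshd_config collected from a host.
# The check runs on this copy, not on the live host, so the tool itself needs no
# privileged access to production systems.
SAMPLE_CONFIG = """\
# sshd_config collected from host (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass
class Finding:
    keyword: str
    expected: str
    observed: str       # value found, or "<not set>" when the compiled-in default applies
    line: int           # line number in the collected file, 0 when not set
    status: str         # "conformity", "nonconformity" or "not_set"
    evidence_ref: str   # SHA-256 of the collected file, tying the finding to the audit file


def parse_config(text):
    """Map lower-cased keyword -> (value, line_no).

    Keywords are case-insensitive, and for each keyword sshd uses the first
    value it finds, so later duplicates are ignored.  Directives after a
    'Match' line apply only conditionally and are skipped here; a Match block
    should be reviewed by hand.  Both 'Keyword value' and 'Keyword=value' are accepted.
    """
    directives = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(keyword, (value, line_no))
    return directives


def check_compliance(config_text, baseline=BASELINE):
    """Return one Finding per baseline keyword, in baseline order."""
    evidence_ref = hashlib.sha256(config_text.encode()).hexdigest()
    directives = parse_config(config_text)
    findings = []
    for keyword, allowed in baseline.items():
        expected = " | ".join(sorted(allowed))
        found = directives.get(keyword.lower())
        if found is None:
            # Not explicitly set: the compiled-in default applies and must be verified
            findings.append(Finding(keyword, expected, "<not set>", 0, "not_set", evidence_ref))
            continue
        value, line_no = found
        ok = value.lower() in {a.lower() for a in allowed}
        findings.append(Finding(keyword, expected, value, line_no,
                                "conformity" if ok else "nonconformity", evidence_ref))
    return findings


def summarize(findings):
    """Count findings per status for the report's executive summary."""
    counts = {"conformity": 0, "nonconformity": 0, "not_set": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = check_compliance(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.status:14} {f.keyword:24} expected={f.expected!r} "
              f"observed={f.observed!r} line={f.line}")
    print(summarize(results), "evidence", results[0].evidence_ref[:16], "...")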
Analysis:
1. The accumulated audit evidence is sorted out and filed, reviewed and examined in relation to the risks and control objectives.
2. Sometimes analysis identifies gaps in the evidence or indicates the need for additional audit tests, in which case further fieldwork may be performed unless scheduled time and resources have been exhausted.
3. However, prioritizing audit activities by risk implies that the most important areas should have been covered already.
Reporting:
A typical ISMS audit report contains the following elements, some of which may be split into appendices or separate documents:
1. Title and introduction naming the organization and clarifying the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
2. An executive summary indicating the key audit findings, a brief analysis and commentary, and an overall conclusion, typically along the lines of “We find the ISMS compliant with ISO/IEC 27001 and worthy of certification”.
3. The intended report recipients plus (since the contents may be confidential) appropriate document classification or restrictions on circulation.
4. An outline of the auditors’ credentials, audit methods etc.
5. Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids comprehension.
6. The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans depending on local practices.
7. A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats with respect to the audit.
Ensure that ‘everything reportable is reported and everything reported is reportable’.
Closure:
1. Closure involves preparing notes for future audits and following up to check that the agreed actions are in fact completed on time.
2. If the ISMS qualifies for certification, the organization’s ISMS certificate is prepared and issued.
Domain Four
Auditors Requirements
Auditor Competences
In each of the following areas at least one audit team member shall take responsibility within the team:
1. managing the team, planning the audit, and audit quality assurance processes;
2. audit principles, methods and processes;
3. management systems in general and ISMS in particular;
4. legislative and regulatory requirements for information security applicable to the organization being audited;
5. information security related threats, vulnerabilities and incidents, particularly in relation to the organization being audited and comparable organizations, for example an appreciation of the likelihood of various types of information security incident, their potential impacts and the control methods used to mitigate the risks;
6. ISMS measurement techniques;
7. related and/or relevant ISMS standards, industry best practices, security policies and procedures;
8. information assets, business impact assessment, incident management and business continuity;
9. the application of information technology to business and hence the relevance of and need for information security; and
10. information security risk management principles, methods and processes.
THANK YOU
Contact Information
+971 4 396 2323 k.elghobbas@aljadarat-trainingcentre.ae
www.aljadarat-trainingcenter.ae https://ae.linkedin.com/in/kefah-el-ghobbas-46323a15

More Related Content

Best Practices in Auditing ISO/IEC 27001

  • 1. Best Practices in Auditing ISO 27001 Edited and Presented by Eng. Kefah El-Ghobbas B.Sc Mech Engineer – EOQ Quality Systems Manager PECB Trainer
  • 2. Kefah El-Ghobbas Trainer & Consultant Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience. Contact Information +971 4 396 2323 k.elghobbas@aljadarat-trainingcentre.ae www.aljadarat-trainingcenter.ae https://ae.linkedin.com/in/kefah-el-ghobbas-46323a15
  • 3. Content of Webinar Domain One : Introduction to ISMS Domain Two : Auditing of ISO 27001 Domain Three : ISMS Auditing Assignment Domain Four : Auditors Requirements Eng. Kefah El-Ghobbas 3
  • 4. Domain One Introduction to ISMS Eng. Kefah El-Ghobbas 4
  • 5. Information It is set or group of data has been processed in a way that it has definite meaning Eng. Kefah El-Ghobbas 5 Data Is a set of values of qualitative or quantitative va riables. Data
  • 6. Information as an asset 1. The information is essential to an organization’s business and it needs to be protected. 2. Interconnectivity leads to information being exposed to growing number and wider variety of threats and vulnerabilities. Eng. Kefah El-Ghobbas 6 Leads To Protection is vital in the increasingly interconnected business environment.
  • 7. Forms of Information Forms of information- printed, written, stored electronically, transmitted by post, email. Eng. Kefah El-Ghobbas 7
  • 8. Why Do we need to protect our Information? 1. High dependency on Information & Communications Technology 2. A successful business must have the right information at the right time in order to make well-informed decisions 3. All types of information, whether paper- based or on a computer disk, is at risk 4. Protection of information is a major challenge 1. PC/Network Failure, Hackers, Viruses/Spyware, Fraud, Unknown/Unsolicited contacts Eng. Kefah El-Ghobbas 8
  • 9. Why Do we need to protect our Information? Main Purpose 1. Getting the information in right time through the authenticated channels. 2. Prevent the information to be deleted, or modified from unauthorized persons. Eng. Kefah El-Ghobbas 9
  • 10. Information Security Objectives Eng. Kefah El-Ghobbas 10 ensuring that information is available to only those authorized to have access Safeguarding the accuracy and completeness of information & processing methods ensuring that information and vital services are available to authorized users when required.
  • 11. Major Components of ISMS …the major steps towards achieving ISO 27001:2005 compliance Eng. Kefah El-Ghobbas 11
  • 12. Why we develop a Security Risk Management Process? Developing a formal security risk management process can address the following: Threat response time Regulatory compliance Infrastructure management costs Risk prioritization and management Security risk management: A process for identifying, prioritizing, and managing risk to an acceptable level within the organization
  • 13. Comparing Approaches to Risk Management Many organizations have approached security risk management by adopting the following: The adoption of a process that reduces the risk of new vulnerabilities in your organization Proactive approach A process that responds to security events as they occur Reactive approach
  • 14. Comparing Approaches to Risk Prioritization Approach Benefits Drawbacks Quantitative Risks prioritized by financial impact; assets prioritized by their financial values Results facilitate management of risk by return on security investment Results can be expressed in management-specific terminology Impact values assigned to risks are based upon subjective opinions of the participants Very time-consuming Can be extremely costly Qualitative Enables visibility and understanding of risk ranking Easier to reach consensus Not necessary to quantify threat frequency Not necessary to determine financial values of assets Insufficient granularity between important risks Difficult to justify investing in control as there is no basis for a cost-benefit analysis Results dependent upon the quality of the risk management team that is created
  • 15. Microsoft Security Risk Management Process Implementing Controls 3 Conducting Decision Support 2 Measuring Program Effectiveness 4 Assessing Risk 1
  • 16. Risk Management vs. Risk Assessment Risk Management Risk Assessment Goal Manage risks across business to acceptable level Identify and prioritize risks Cycle Overall program across all four phases Single phase of risk management program Schedule Scheduled activity Continuous activity Alignment Aligned with budgeting cycles Not applicable
  • 17. Communicating Risk Well-Formed Risk Statement Impact What is the impact to the business? Probability How likely is the threat given the controls? Asset What are you trying to protect? Threat What are you afraid of happening? Vulnerability How could the threat occur? Mitigation What is currently reducing the risk?
  • 18. Determining Your Organization’s Risk Management Maturity Level Publications to help you determine your organization’s risk management maturity level include: ISO Code of Practice for Information Security Management (ISO 17799) International Standards Organization Control Objectives for Information and Related Technology (CobiT) IT Governance Institute Security Self-Assessment Guide for Information Technology Systems (SP-800-26) National Institute of Standards and Technology
  • 19. Performing a Risk Management Maturity Self-Assessment Level State 0 Non-existent 1 Ad hoc 2 Repeatable 3 Defined process 4 Managed 5 Optimized
  • 20. Executive Sponsor “What's important?” IT Group “Best control solution” Information Security Group “Prioritize risks” Defining Roles and Responsibilities Operate and support security solutions Design and build security solutions Define security requirements Assess risks Determine acceptable risk Measure security solutions
  • 22. Scope of ISO 27001:2013 – Information Security Management System Eng. Kefah El-Ghobbas 22 1. ISMS provides a framework to establish, implement, operate, monitor, review, maintain and improve the information security within an organization. 2. Implement effective information security that really meets business requirements. 3. Manage risks to suit the business activity. 4. Manage incident handling activities.
  • 23. ISO 27000 Standard Family Eng. Kefah El-Ghobbas 23 ISO/IEC 27001:2005 – is a standard specification for an Information Security Management Systems (ISMS) which instructs you how to apply ISO/IEC 27002 and how to build, operate, maintain and improve an ISMS. ISO/IEC 27002:2007 – is a code of practice and can be regarded as a comprehensive catalogue of good security things to do
  • 24. ISO 27001 Purposes:- 1. Protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, maximize return on investments and business opportunities. 2. Implementing a suitable set of controls, policies, processes, procedures, organizational structures and software and hardware functions – to ensure that the specific security and business objectives are met. Eng. Kefah El-Ghobbas 24
  • 25. Rev 1.0 Kefah El-Ghobbas 25 What is the auditing? ISO 19011 defines an audit as : A systematic, independent , and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
  • 26. Rev 1.0 Kefah El-Ghobbas 26 Audit Guideline ISO 19011 Guideline on quality and/or environmental management systems auditing. Contains : 1. The principles of auditing 2. Management of audit program 3. Audit activities 4. The competence of quality management systems
  • 27. Auditing ISO 27001 We do use ISO 19011 section 4 as principles of auditing. ISMS audits relevancies such as:- 1. frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment. 2. maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organizational situation (e.g. changing business processes and relationships, technology changes). Eng. Kefah El-Ghobbas 27
  • 28. Rev 1.0 Kefah El-Ghobbas 28 Factors influences Audit Program 1. Scope, objective, and duration of each audit; 2. Frequency of audits to be conducted; 3. Number, status, importance, complexity, similarity, and locations of the activities to be audited; 4. Standards, statutory, regulatory and contractual requirements, policies, procedures and other audit criteria; 5. Need for accreditation and certification; 6. Results of previous audits or previous audit program review; 7. Language, culture and social issues; 8. Significant changes to any functional area.
  • 29. Rev 1.0 Kefah El-Ghobbas 29 Responsibility of Managing Auditing Program 1. Assign the audit responsibility to persons who has a specific understanding of audit principles, auditor competence and the application technique. 2. The auditor must have appropriate management skills as well as technical and business understanding relevant of the activities to be audited.
  • 30. Rev 1.0 Kefah El-Ghobbas 30 Resources Required by Program 1. Financial resources to develop, implement, manage and improve audit activities; 2. Audit technique; 3. Processes to achieve and maintain auditor competence and to improve auditor performance; 4. Availability of auditors and technical experts; 5. The extent of the audit program; 6. Traveling time, accommodation and other auditing needs.
  • 31. Rev 1.0 Kefah El-Ghobbas 31 Audit Program Procedure Procedures need to be developed and implemented :- 1. to address responsibilities and requirements for planning and conducting audits, 2. the selection of auditors, 3. the methods of reporting and maintaining records;
  • 32. Rev 1.0 Kefah El-Ghobbas 32 Audit Program records Records should be maintained to demonstrate the effectiveness of operation of the audit program. The minimum records requirements: 1. Results of the audit program review; 2. Audit plan; 3. Audit reports; 4. Nonconformity reports; 5. Report of corrective actions 6. Auditor personnel records, covering area, such as performance evaluation, audit team selection, qualifications and training.
  • 33. Rev 1.0 Kefah El-Ghobbas 33 Monitoring and Reviewing the audit program The audit program needs to be monitored periodically in order to assess: 1. Whether the audit objectives are being met; 2. The effectiveness of the audit program; 3. Any opportunity for improvement.
  • 34. Rev 1.0 Kefah El-Ghobbas 34 Summery of Audit Program Audit Program Define Program: •Objectives / extent •Procedures •Resources •responsibilities Implement Program: •Evaluating auditors •Selecting audit teams •Directing audit activities •recording Monitoring and review Improvement Action
  • 35. Auditors Roles and Responsibilities Lead Auditor:- 1. Prepare Audit Plan; 2. Brief the team; 3. Review working documents to ensure adequacy; 4. Make final decisions for all phases of the audit; 5. Report critical nonconformities to the auditee immediately; 6. Report any major obstacles encountered during the audit; 7. Represent the audit team at opening and closing meetings; 8. Submit the audit report.Eng. Kefah El-Ghobbas 35
  • 36. Rev 1.0 Kefah El-Ghobbas 36 Auditors Roles & Responsibilities Auditors :- 1. Prepare any work documents (including check-list) necessary to carry out those tasks; 2. Review all relevant information related to their assigned tasks; 3. Report deficiencies and audit findings to team leader;
  • 37. Domain Three ISMS Auditing Assignment Eng. Kefah El-Ghobbas 37
  • 39. Information Security audit assignment Phase : Scoping and pre-audit survey:- 1. Determine the main area(s) of focus for the audit and any areas that are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with those who commissioned the ISMS audit. 2. Information sources include general research on the industry and the organization, previous ISMS audit reports, and ISMS documents such as the Statement of Applicability, Risk Treatment Plan and ISMS Policy. Make Sure that scope of certificate is aligned with the auditing scope. Eng. Kefah El-Ghobbas 39
  • 40. Information Security audit assignment Phase : Scoping and pre-audit survey:- 3. Pay particular attention to:- • information security risks and controls associated with information conduits to other entities (organizations, business units etc.) that fall outside the scope of the ISMS, • checking the adequacy of information security- related clauses in Service Level Agreements or contracts with IT service suppliers. 4. The primary output is an agreed ISMS audit scope, charter, engagement letter or similar. Eng. Kefah El-Ghobbas 40
• 41. Information Security audit assignment. Phase: Planning and Preparation:- 1. The overall ISMS scope is broken down into greater detail, typically by generating an ISMS audit workplan/checklist. 2. The overall timing and resourcing of the audit is negotiated and agreed by management of both the organization being audited and the ISMS auditors, in the form of an audit plan. 3. Audit plans often also include "checkpoints", that is, specific opportunities for the auditors to provide informal interim updates to their management contacts, including preliminary notification of any observed inconsistencies or potential nonconformities etc.
• 42. Information Security audit assignment. Phase: Planning and Preparation:- 4. Interim updates also provide opportunities for the auditors to raise any concerns over limited access to information or people, and for management to raise any concerns over the nature of the audit work. 5. The output of this phase is the (customized) audit workplan/checklist and an audit plan agreed with management.
• 43. Information Security audit assignment. Fieldwork:- 1. Audit evidence is gathered by the auditor(s) working methodically through the workplan or checklist, for example:- • interviewing staff, managers and other stakeholders associated with the ISMS, • reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews), • observing ISMS processes in action and checking system security configurations etc.
• 44. Information Security audit assignment. Fieldwork:- 2. The auditor reads and makes notes about documentation relating to and arising from the ISMS (such as the Statement of Applicability, Risk Treatment Plan, ISMS policy etc.). The documentation comprises audit evidence, with the audit notes being audit working papers.
• 45. Information Security audit assignment. Fieldwork:- 3. Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organization's information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed, but they potentially introduce their own security issues (for example, the privileged credentials they hold and the network access they need) that must be taken into account, and their output is only as good as their understanding of how the audited system actually interprets its configuration.
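As an added illustration of a technical compliance test (this is example code written for this page, not part of the slides or of any tool the presenter uses): the script below compares an OpenSSH server configuration against a hypothetical policy baseline and produces findings that carry the evidence line each conclusion rests on, which is what an auditor needs to file as working papers. The sshd_config text is constructed for the example, the BASELINE values are an assumed policy, and the DEFAULTS are the documented sshd defaults for the listed directives. It deliberately models two sshd behaviours that naive checkers get wrong: for a repeated keyword sshd uses the first value it reads, not the last, and anything after a Match line is conditional and must be reported as unevaluated rather than silently skipped.

```python
"""Technical compliance check: sshd_config versus a policy baseline.

Example code added for illustration; not the presenter's material.
Assumptions: BASELINE is a hypothetical policy; SAMPLE_SSHD_CONFIG is
constructed; DEFAULTS are the sshd_config(5) documented defaults.
"""
import re
from dataclasses import dataclass

# Constructed sample, not taken from any real host. Note the commented-out
# directive, the duplicated PasswordAuthentication, and the Match block.
SAMPLE_SSHD_CONFIG = """\
# sshd_config -- constructed sample for the example
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
Match User deploy
    PasswordAuthentication no
"""

# Hypothetical policy baseline: directive -> allowed values (lower-cased).
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "X11Forwarding": {"no"},
    "LogLevel": {"verbose", "info"},
    "MaxAuthTries": {"3", "4"},
}

# sshd defaults that apply when a directive is absent (sshd_config(5)),
# so that a missing line is judged against policy instead of being skipped.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
    "MaxAuthTries": "6",
}


@dataclass
class Finding:
    directive: str
    allowed: tuple
    observed: str
    evidence: str      # the raw config line with its number, or the default note
    compliant: bool


def parse_global_directives(text, known):
    """Return ({directive: (value, evidence)}, has_match) for the global section.

    Mirrors sshd parsing: keywords are case-insensitive, blank and comment
    lines are ignored, "key value" and "key=value" are both accepted, the
    FIRST occurrence of a keyword wins, and parsing stops at the first Match
    line because everything after it applies conditionally.
    """
    canonical = {k.lower(): k for k in known}
    directives, has_match = {}, False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)
        key, value = m.group(1), m.group(2).strip()
        if key.lower() == "match":
            has_match = True
            break
        key = canonical.get(key.lower(), key)
        if key in directives:          # first value wins, as in sshd
            continue
        directives[key] = (value, f"line {number}: {line}")
    return directives, has_match


def check_compliance(text, baseline=BASELINE, defaults=DEFAULTS):
    """Evaluate every baseline directive and return (findings, has_match)."""
    observed, has_match = parse_global_directives(text, baseline)
    findings = []
    for directive, allowed in baseline.items():
        if directive in observed:
            value, evidence = observed[directive]
        else:
            value, evidence = defaults[directive], "not set; sshd default applies"
        findings.append(Finding(directive, tuple(sorted(allowed)), value,
                                evidence, value.lower() in allowed))
    return findings, has_match


if __name__ == "__main__":
    results, match_seen = check_compliance(SAMPLE_SSHD_CONFIG)
    for f in results:
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.directive}: observed {f.observed!r} "
              f"(allowed {list(f.allowed)}) <- {f.evidence}")
    if match_seen:
        print("CAVEAT: Match blocks present; conditional settings were not evaluated")
```

On the constructed sample the check fails PermitRootLogin (line 4), fails PasswordAuthentication because the first value "yes" on line 5 is the effective one even though line 6 says "no", fails MaxAuthTries on the default of 6 with no config line to cite, passes X11Forwarding and LogLevel, and records the Match block as a scope limitation to carry into the report's caveats. A real engagement would run the same logic over configuration collected with read-only access and keep the collected files as evidence; the script itself needs no credentials.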
• 46. Information Security audit assignment. Analysis:- 1. The accumulated audit evidence is sorted and filed, then reviewed and examined in relation to the risks and control objectives. 2. Sometimes analysis identifies gaps in the evidence or indicates the need for additional audit tests, in which case further fieldwork may be performed unless the scheduled time and resources have been exhausted. 3. However, prioritizing audit activities by risk implies that the most important areas should have been covered already.
• 47. Information Security audit assignment. Reporting:- A typical ISMS audit report contains the following elements, some of which may be split into appendices or separate documents:- 1. Title and introduction naming the organization and clarifying the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed. 2. An executive summary indicating the key audit findings, a brief analysis and commentary, and an overall conclusion, typically along the lines of "We find the ISMS compliant with ISO/IEC 27001 and worthy of certification".
• 48. Information Security audit assignment. Reporting (continued):- 3. The intended report recipients plus (since the contents may be confidential) appropriate document classification or restrictions on circulation. 4. An outline of the auditors' credentials, audit methods etc.
• 49. Information Security audit assignment. Reporting (continued):- 5. Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids comprehension. 6. The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans, depending on local practices. 7. A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats with respect to the audit.
• 50. Information Security audit assignment. Reporting:- Ensure that "everything reportable is reported and everything reported is reportable"; in other words, every finding in the report must be traceable to evidence in the audit files, and no finding supported by the evidence may be left out.
• 51. Information Security audit assignment. Closure:- 1. Closure involves preparing notes for future audits and following up to check that the agreed actions are in fact completed on time. 2. If the ISMS qualifies for certification, the organization's ISMS certificate is prepared and issued.
• 53. Auditor Competences. In each of the following areas at least one audit team member shall take responsibility within the team:- 1. managing the team, planning the audit, and audit quality assurance processes; 2. audit principles, methods and processes; 3. management systems in general and ISMS in particular; 4. legislative and regulatory requirements for information security applicable to the organization being audited;
• 54. Auditor Competences (continued):- 5. information security related threats, vulnerabilities and incidents, particularly in relation to the organization being audited and comparable organizations, for example an appreciation of the likelihood of various types of information security incident, their potential impacts and the control methods used to mitigate the risks; 6. ISMS measurement techniques; 7. related and/or relevant ISMS standards, industry best practices, security policies and procedures;
• 55. Auditor Competences (continued):- 8. information assets, business impact assessment, incident management and business continuity; 9. the application of information technology to business and hence the relevance of and need for information security; and 10. information security risk management principles, methods and processes.
  • 56. THANK YOU ? Contact Information +971 4 396 2323 k.elghobbas@aljadarat-trainingcentre.ae www.aljadarat-trainingcenter.ae https://ae.linkedin.com/in/kefah-el-ghobbas-46323a15