ISMS Internal Auditor Course.ppt
Transcript of ISMS Internal Auditor Course.ppt
COMS Vantage Committed to Systems
Internal ISMS Auditor Course

Learning Objectives
To be able to:
- Have knowledge of concepts of Information & Information Security Management System
- Understand the requirements of ISO 27001:2005 in auditing terms
- Understand Risk Assessment Methodology
- Plan and conduct an IMS audit
- Report the audit
- Undertake audit follow-up activities

Course Content
DAY 1
- Concepts and Philosophy of ISMS Framework
- ISO 27001:2005 Requirements
- Concepts and Principles of Auditing
- Audit Planning (Audit Schedule & Audit Checklist)
DAY 2
- Audit Execution
- Audit Reporting (Identification of Non-conformances & Preparing Non-conformance Report)
- Audit Closing (Verification of Corrective Actions)
- Examination

Course Structure
Tutorial sessions
Practical exercises
Quiz
Examination

Concepts and Philosophy of ISMS Framework

Exercise 1 : ISMS Definition
Complete Exercise 1 on definition of ISMS related terms

Information
Information is an asset which, like other business assets, has value to an organisation and consequently needs to be suitably protected.

Types of Information
- Internal: Information that you would not want your competitors to know
- Customer/client: Information that they would not wish you to divulge
- Shared: Information that may be shared with other trading partners/persons

Types of Information
- Company financial data (business performance)
- Company business plan & strategies
- Employee data
- Credit card and bank account numbers
- Passwords
- Designs, patents, technical research
- Bids for contracts, market research, competitive analysis
- Intelligence (on criminals, hostile nations, etc)
- Security information (risk assessment, network diagram, facilities plans)

Information Lifecycle
- Create
- Store
- Distribute (to authorized persons)
- Modify (by authorized persons)
- Archive
- Delete (electronic) or Dispose (paper, disk, etc)
Information may need protection through its entire lifecycle including deletion or disposal

Information Security
Information Security means preservation of confidentiality, integrity and availability of information; other properties, such as authenticity, accountability, non-repudiation, and reliability may also be managed.

Information Security - a Definition
Information security is preservation of:
- Confidentiality – ensuring that information is available only to those with authorised access
- Integrity – safeguarding the accuracy and completeness of information and information processing methods & facilities
- Availability – ensuring authorised users have access to information when required
In some organizations integrity and/or availability may be more important than confidentiality

Information Security – Why?
In today’s fast-paced, global business environment, access to information is critical to an organisation’s success. Timely, accurate and complete information is a necessary business asset to an organisation, and like any other business asset, information needs to be understood and appropriately secured.

Information Security Risks
Some categories of risk:
- Loss
- Corruption
- Theft
- Unauthorized disclosure
- Accidental disclosure
- Unauthorized modification
- Unavailability or denial of service
- Lack of integrity
- Intrusion and subversion of system resources

Non – IT Information Security Risks
- Paper documents: on desks, in waste bins, left on photocopiers
- Whiteboards and flipcharts
- Telephone conversations overheard
- Conversations on public transport
- Social engineering

Information Security - Aim
Information Security aims to:
- Minimize business damage by preventing and minimizing the impact of security incidents
- Reduce the likelihood of a security incident occurring
- Prevent information security incidents from occurring
- Detect an incident occurring, or its effect
- Respond to an event to minimize business damage
- Ensure Business Continuity
- Ensure preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved

Business Effects of Information Security
Maintain stakeholder confidence in the organization
Preserve business position
Ensure business continuity

Why Are We Here?
Information security management: the key to confidence and trust for business
- Customer Requirements
- Business Requirements
- Government Laws and Regulations

Interested Parties
- IT department
- Line managers
- Senior managers
- Company Boards
- Government
- Business and Trading Partners
- Customers

Managers Must Understand
Poor information security outcomes are commonly the result of poor management and not poor technical controls

Information Security is Not all about Technology
[Diagram: three business services (Business Service 1, 2 and 3), each split into an IT Dependent and an IT Independent share: 80% / 20%, 50% / 50% and 20% / 80%]
(Source: Office of E-Government. (2002). PowerPoint presentation)

Information Security Management System
Information Security Management System (ISMS) is:
- That part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
- A management process
- Not a technological process

What is an ISMS
An ISMS is a set of processes designed to produce predictable information security outcomes (well managed security risks)
Implementation must cover:
- Requirements and policies
- Planning implementation
- Implementation and operations
- Monitoring and reviewing
- Improving the management system

Information Security Framework
(Source: Government of Western Australia: Department of Industry and Technology. (2002). Pamphlet - Managing Risks in the Internet Economy - An Executive’s Guide. p.5).

Benefits of an ISMS
An operational framework for operation
- Focus on outcomes
- Outcomes are predictable
Basis for stakeholder trust
- The general public
- Clients and customers
- Business partners, suppliers, service providers & outsourcers
- Line management & senior management

ISO 27001:2005 Requirements

ISO/IEC 27001:2005
Information Technology – Security Techniques – Information Security Management Systems – Requirements
Requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS
Information security is a Management process, more than just IT
ISO 27001 can be used for assessment and certification

ISO/IEC 27002:2005
Information Technology – Security Techniques – Code of practice for information security management
Provides guidance on good practice for Information Security Management
Prime objectives:
- A common basis for organisations
- Confidence in inter-organisational dealings
Defines a set of control objectives, controls and implementation guidance
It cannot be used for assessment and certification

PDCA model & ISMS Processes
[Diagram: interested parties' information security requirements and expectations enter the ISMS cycle; Plan = Establish ISMS, Do = Implement and operate the ISMS, Check = Monitor and review the ISMS, Act = Maintain and improve the ISMS; the output to interested parties is managed information security]

Clauses within ISO 27001:2005
- 0 Introduction
- 1 Scope
- 2 Normative references
- 3 Terms & definitions
- Clauses 4 to 8
- Annex A Control objectives & controls (A.5 to A.15)
- Annex B OECD principles
- Annex C Correspondence between standards

Plan - Do - Check - Act Cycle
PDCA model used in ISO/IEC 27001:2005
Process approach for:
- Establish ISMS (Plan)
- Implement and operate ISMS (Do)
- Monitor and review ISMS (Check)
- Maintain and improve ISMS (Act)

ISO 27001:2005, Clauses 4 to 8
Clause 4 : Information Security Management System
Clause 5 : Management Responsibility
Clause 6 : Internal ISMS Audits
Clause 7 : Management Review of the ISMS
Clause 8 : ISMS Improvement
Annex A – Controls (A.5 to A.15)

Clause 4 - Information Security Management System
- 4.1 General Requirements
- 4.2 Establish & Manage ISMS
  - 4.2.1 Establish ISMS
  - 4.2.2 Implement & operate ISMS
  - 4.2.3 Monitor & review ISMS
  - 4.2.4 Maintain & improve ISMS
- 4.3 Documentation Requirements
  - 4.3.1 General
  - 4.3.2 Document control
  - 4.3.3 Record control

Clause 4.2.1 Establish the ISMS (Plan)
Scope and boundaries
Policy - objectives, business and legal or regulatory requirements, strategy, criteria, approved by management

Scope and Boundaries of ISMS
Scope to be described in terms of:
- Characteristics of the business
- Organization
- Location
- Information Assets
- Technology
Boundaries to include interface with:
- Other organisations
- Third party suppliers
- Partners
- Other IT systems

ISMS Policy
Statement of management commitment & set out organisation’s approach to managing information security:
- Definition of information security, objectives & scope
- Statement of management intent, supporting goals & principles
- Include framework for setting control objectives & controls
- Brief explanation of security policies, principles and standards
- Compliance with legislative, regulatory & contractual requirements
- Security education, training & awareness requirements
- Business continuity management
- Consequences of information security policy violations
- Definition of general & specific responsibilities
- References to documentation supporting policy
- Communicated throughout the organisation

Clause 4.2.1 Establish the ISMS (Plan) (cont)
- Define the risk assessment approach of the organization
- Identify risks (assets and owners, threats, vulnerabilities, impacts)
- Analyse and evaluate the risks
- Identify and evaluate options for treatment of risks
- Select control objectives & controls for the treatment of risks (select from Annex A)
- Obtain management approval of proposed residual risks
- Obtain management authorization to implement and operate the ISMS
- Prepare a Statement of Applicability

Risk Assessment Approach
- Identify a suitable risk assessment methodology
- Develop criteria for accepting risks and identify acceptable levels of risk (5.1f)
- Ensure that risk assessments produce comparable and reproducible results
- Method is decided by organization and audited against its information security scope, boundaries and policy

Risk Assessment
Risk (and decision on which risks to mitigate with controls) depends on:
- Asset value
- Threat
- Vulnerability
- Likelihood and frequency of threat exploiting vulnerability
- Impact on organization of successful exploitation

Asset Identification & Classification
Identify:
- Assets within the scope of the ISMS (Primary Assets & Supporting Assets)
  - Documents / Data
  - Physical / Hardware
  - Software
  - People
  - Services (e.g. Lighting, Air conditioning, DG etc.)
- Classification – V. Confidential, Confidential, Internal & Public
- Asset owners & Users

Asset Value
Asset Value : Confidentiality X Integrity X Availability
Ranking of Assets done based on Asset Value: Low, Medium, High, Critical

Identification of Threats and Vulnerabilities
Threat: A potential cause of an unwanted incident which may result in harm to a system or organization.
e.g. Network failure
Vulnerability: A weakness of an asset or group of assets, which can be exploited by a threat.
A vulnerability in itself does not cause harm; it is merely a condition or set of conditions that may allow a threat to affect an asset.
e.g. No system monitoring

Assessment of Threats and Vulnerabilities
Assess the likelihood that a combination of threats and vulnerabilities occurs
Threats and vulnerabilities may be assessed:
- Separately
- Together

Security Risk – Calculations
Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value
* Impact Value is the impact that losses of confidentiality, integrity or availability may have on the assets

Identify and Evaluate options for the Treatment of Risks
Manage and treat risks appropriately within business context:
- Apply appropriate controls
- Accept risks
- Avoid risk
- Transfer risk

Exercise 2 : Information Risk Assessment
Complete Exercise 2 to test understanding of Information Risk Methodology.

Control Objectives and Controls (Annexure A of ISO 27001:2005)
- 11 Control Objectives
- 39 Sub-Control Objectives
- 133 Controls

Control Objectives & Controls (Annexure A of ISO 27001:2005 Standard)
- A.5 Security Policy
  - A.5.1 Information Security Policy
- A.6 Organization of Information Security
  - A.6.1 Internal organization
  - A.6.2 External parties
- A.7 Asset Management
  - A.7.1 Responsibility for assets
  - A.7.2 Information classification
- A.8 Human Resources Security
  - A.8.1 Prior to employment
  - A.8.2 During employment
  - A.8.3 Termination or change of employment

Annexure A of ISO 27001:2005 Standard
- A.9 Physical and Environmental Security
  - A.9.1 Secure areas
  - A.9.2 Equipment security
- A.10 Communications and operations management
  - A.10.1 Operational procedures and responsibilities
  - A.10.2 Third party service delivery management
  - A.10.3 System planning and acceptance
  - A.10.4 Protection against malicious and mobile code
  - A.10.5 Back-up
  - A.10.6 Network security management
  - A.10.7 Media handling
  - A.10.8 Exchange of information
  - A.10.9 Electronic commerce services
  - A.10.10 Monitoring

Annexure A of ISO 27001:2005 Standard
- A.11 Access Control
  - A.11.1 Business requirement for access control
  - A.11.2 User access management
  - A.11.3 User responsibility
  - A.11.4 Network access control
  - A.11.5 Operating system access control
  - A.11.6 Application and information access control
  - A.11.7 Mobile computing and teleworking
- A.12 Information systems acquisition, Development and Maintenance
  - A.12.1 Security requirements of information systems
  - A.12.2 Correct processing in applications
  - A.12.3 Cryptographic controls
  - A.12.4 Security of system files
  - A.12.5 Security in development and support processes
  - A.12.6 Technical vulnerability management

Annexure A of ISO 27001:2005 Standard
- A.13 Information Security Incident Management
  - A.13.1 Reporting information security events and weaknesses
  - A.13.2 Management of information security incidents and improvements
- A.14 Business Continuity Management
  - A.14.1 Information security aspects of business continuity management
- A.15 Compliance
  - A.15.1 Compliance with legal requirements
  - A.15.2 Compliance with security policies and standards, and technical compliance
  - A.15.3 Information system audit considerations

Selection of Security Controls
- Additional control objectives and controls: the organisation might consider that additional control objectives and controls are necessary
- Not all the controls will be relevant to every situation
- Consider local environmental or technological constraints
- In a form that suits every potential user in an organisation
- Review controls already in place: remove or improve
- Implement additional controls

Residual risk
- The risk remaining after risk treatment
- Assess how much controls will reduce risk
- Reduced residual risk: acceptable or unacceptable
  - Implement more controls
  - May have to accept
- Obtain Management Approval of proposed residual risk
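As an added worked example (not part of the course slides), the risk scoring described on the "Asset Value", "Security Risk – Calculations", "Identify and Evaluate options for the Treatment of Risks" and "Residual risk" slides carried through in Python: asset value from C, I and A, risk as the product of the five factors, selected controls that lower a factor, and the accept / apply-controls / management-approval decision against an acceptance criterion. The three-point scale, the ranking bands, the acceptance threshold and the sample scenario are assumptions; the threat, vulnerability and Annex A control names are taken from the slides.

```python
from dataclasses import dataclass, field

# The slides give the formulas but no numeric scale, so the three-point scale,
# the asset ranking bands and the acceptance threshold below are assumptions.
LOW, MEDIUM, HIGH = 1, 2, 3
RATING = {"low": LOW, "medium": MEDIUM, "high": HIGH}


def asset_value(confidentiality: str, integrity: str, availability: str) -> int:
    """Asset Value = Confidentiality x Integrity x Availability (1..27 on this scale)."""
    return RATING[confidentiality] * RATING[integrity] * RATING[availability]


def asset_rank(value: int) -> str:
    """Rank the asset Low / Medium / High / Critical (band edges are assumed)."""
    if value >= 18:
        return "Critical"
    if value >= 8:
        return "High"
    if value >= 4:
        return "Medium"
    return "Low"


@dataclass
class Control:
    """A selected Annex A control and the risk factor it lowers."""
    ref: str            # Annex A reference, e.g. "A.10.10"
    name: str
    reduces: str        # "vulnerability" or "probability"
    by: int = 1         # scale points removed from that factor


@dataclass
class RiskScenario:
    asset: str
    cia: tuple                  # (confidentiality, integrity, availability) ratings
    threat: str
    vulnerability: str
    threat_value: int
    vulnerability_value: int
    probability: int
    impact_value: int           # impact of a loss of C, I or A on the asset
    controls: list = field(default_factory=list)

    def factors(self, with_controls: bool) -> dict:
        f = {"asset": asset_value(*self.cia), "threat": self.threat_value,
             "vulnerability": self.vulnerability_value,
             "probability": self.probability, "impact": self.impact_value}
        if with_controls:
            for c in self.controls:
                # a control cannot push a factor below the bottom of the scale
                f[c.reduces] = max(LOW, f[c.reduces] - c.by)
        return f

    def risk(self, with_controls: bool = False) -> int:
        """Risk = Asset Value x Threat Value x Vulnerability Value x Probability x Impact Value."""
        f = self.factors(with_controls)
        return (f["asset"] * f["threat"] * f["vulnerability"]
                * f["probability"] * f["impact"])


def treat(s: RiskScenario, acceptance_threshold: int) -> dict:
    """Decide the treatment and record inherent and residual risk.

    acceptance_threshold is the organisation's risk acceptance criterion (4.2.1c).
    """
    inherent = s.risk(with_controls=False)
    if inherent <= acceptance_threshold:
        return {"inherent": inherent, "residual": inherent,
                "decision": "accept", "needs_management_approval": False}
    residual = s.risk(with_controls=True)
    if residual <= acceptance_threshold:
        decision = "apply controls"
    else:
        # remaining options from the slides: add more controls, or accept the
        # residual risk, which needs management approval
        decision = "apply controls; residual above criterion"
    return {"inherent": inherent, "residual": residual, "decision": decision,
            "needs_management_approval": residual > acceptance_threshold}


# Constructed sample scenario, reusing the threat and vulnerability examples
# from the slides and two Annex A controls listed on the page.
SAMPLE = RiskScenario(
    asset="Customer database server",
    cia=("high", "high", "medium"),          # 3 x 3 x 2 = 18 -> Critical
    threat="Network failure",
    vulnerability="No system monitoring",
    threat_value=MEDIUM, vulnerability_value=HIGH,
    probability=MEDIUM, impact_value=HIGH,
    controls=[Control("A.10.10", "Monitoring", reduces="vulnerability", by=2),
              Control("A.10.6", "Network security management", reduces="probability")],
)

if __name__ == "__main__":
    print(asset_rank(asset_value(*SAMPLE.cia)), treat(SAMPLE, acceptance_threshold=60))
```

With the sample values the inherent risk is 648 and the two controls bring it down to 108; whether that residual is acceptable, or needs management approval, depends entirely on the acceptance criterion the organisation has set.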

Statement of Applicability
Definition: Documented statement describing the control objectives and controls that are relevant and applicable to the organisation’s ISMS.
Contents of Statement of Applicability:
- Control objectives and controls selected
- Reasons for selection
- Control objectives and controls currently implemented
- Exclusion of any control objectives and controls listed in Annex A and the justification for their exclusion
The statement of applicability provides a summary of decisions concerning risk treatment. Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.

Statement of Applicability
Why a control has not been fully implemented:
- Risk – not justified by risk exposure
- Budget – financial constraints
- Environment – influence on safeguards, climate, space etc
- Technology – some measures are not technically feasible
- Culture – sociological constraints
- Time – some requirements cannot be implemented now
- N/A – not applicable
- Others – ?

Select Control Objectives and Controls for the Treatment of Risks
Select and implement Control Objectives and Controls:
- To meet requirements identified by risk assessment and risk treatment process
- Take into account the criteria for accepting risks (4.2.1c)
- Legal, regulatory and contractual requirements
- Control objectives & controls selected from Annex A of ISO 27001:2005

Clause 4.2.2 Implement and operate the ISMS (Do)
- Formulate and implement risk treatment plan
- Implement controls
- Training and awareness (Also covered in clause 5.2.2)
- Manage operations & resources
- Implement procedures

Clause 4.2.3 Monitor and review the ISMS (Check)
- Execute monitoring and review procedures and other controls
- Undertake regular reviews of the effectiveness of the ISMS
- Measure effectiveness of controls
- Review risk assessments at planned intervals
- Review level of residual risk and identified acceptable risk
- Conduct Internal ISMS Audits at planned intervals (Clause 6)
- Undertake Management Review of the ISMS (Clause 7)
- Update security plans
- Record actions and events

Clause 4.2.4 Maintain and improve the ISMS (Act)
Also covered in Clause 8
- Implement the identified improvements in the ISMS
- Appropriate corrective and preventive action
- Communicate actions and improvements
- Ensure improvements achieve their intended objectives

Clause 5 - Management Responsibility
5.1 Management commitment
- Management shall provide evidence of commitment
5.2 Resource management
- 5.2.1 Provision of resources
- 5.2.2 Training awareness and competency
  - employees, people (outside scope) interfacing with company, customers, suppliers/ third party service providers

Training and Awareness
Training is to be provided for:
- Understanding and complying with the information security policy and objectives
- Understanding security responsibilities
- What to do regarding:
  - Reporting security incidents, weaknesses
  - Applying virus protection
  - Doing backups
  - Complying with relevant Local and International legislation
  - Correct use of company equipment
  - Correct use of e-mail and the internet
  - and others

Monitoring of ISMS
Execute monitoring procedures and other controls:
- Promptly detect errors
- Promptly identify attempted and successful security breaches and incidents
- Security activities delegated to people or implemented by information technology are performing as expected
- Help detect security events
- Prevent security incidents
- Determine whether actions taken to resolve a breach of security were effective

Monitoring of ISMS
Undertake regular reviews of effectiveness of ISMS:
- ISMS policy and objectives
- Security controls
Take into account:
- Security audits
- Incidents
- Effectiveness measurements
- Suggestions and feedback from interested parties
Measure the effectiveness of controls
- Verify security requirements are met

Clause 6 – Internal ISMS Audits
- Conduct internal audits at planned intervals
- Audit programme planned taking into consideration the status and importance of processes to be audited as well as the result of previous audits
- Responsibilities for audit planning, conducting and reporting are defined in a procedure
- Auditee is responsible for taking timely corrective action

Clause 7 - Management Review
Undertake planned reviews of effectiveness of ISMS (at least once a year)
Review inputs:
- ISMS policy and objectives
- Audit results
- Suggestions and feedback from interested parties
- Threats and vulnerabilities not adequately addressed
- Results from effectiveness measurements
Review outputs:
- Improvement of effectiveness of ISMS
- Update Risk Assessment & Risk Treatment Plan
- Modification of procedures & controls
- Resource needs
- Improvements in measuring effectiveness of controls
Clause 8 – ISMS Improvements
- Continual improvement
- Corrective action (eliminate the cause of nonconformities to prevent recurrence)
- Preventive action (eliminate the cause of potential nonconformities to prevent occurrence)
Exercise 3: Quiz on ISO 27001:2005
Complete the Quiz on ISO 27001 to test your understanding of the standard.
ISMS Documentation
Documentation Structure
Level I: IMS Manual (apex document)
Level II: Policies and standard operating procedures
Level III: Checklists, guidelines etc.
Level IV: Formats, log-books, registers (records), maintained per department (Dep1 to Dep6)
ISMS Documentation
The ISMS documentation includes:
- Documented statements of the ISMS policy and ISMS objectives
- Information Security Manual
- Information Security Risk Assessment
- Statement of Applicability
- Information Security Policies
- Procedures
- Formats / Logs / Records
ISO 27001:2005 clause 4.3.1 also requires the ISMS scope, a description of the risk assessment methodology and the Risk Treatment Plan to be documented.
Concepts & Principles of Auditing
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
(ISO 9000:2005, definition 3.9.1)
Objective Evidence
Data supporting the existence or verity of something (ISO 9000:2005)
May be obtained through:
- Records
- Observation
- Measurement or test
- Statements (verbal evidence, which should be corroborated by records or observation)
Objective evidence can be verified.
Specified Requirements
- The organization's own system requirements: manuals, policies and procedures
- ISO 27001 standard requirements
- Legal requirements: statutory, regulatory or industry body
Audit Purpose
To collect objective evidence to permit an informed judgement about the status and effectiveness of the integrated management system.
Principles of Auditing
Ethical conduct
- Trust, integrity, confidentiality, discretion
Fair presentation
- Audit findings and conclusions are accurate and truthful
Due professional care
- Auditors exercise care in accordance with the importance of the task and the confidence placed in them by their clients
- Competence is essential
Independence
- Auditors are independent of the activities being audited and are free from bias or conflict of interest
- Conclusions are objective and based only on audit evidence
Evidence-based approach
- Audit evidence is based on samples of the information available; the sample size and selection affect the confidence that can be placed in the conclusions
- Conclusions are verifiable
Conformity vs. Compliance
Conformity:
- Fulfilment of a requirement (of a standard or of the organization's own system)
- Nonconformity can lead to suspension or revocation of registration (certification)
- Voluntary
Compliance:
- Fulfilment of legal or statutory requirements
- Noncompliance can lead to fines or incarceration
- Mandatory
Types of Audit
Internal:
- 1st party: audit of one's own company
External:
- 2nd party: audit of a supplier by a customer
- 3rd party: audit by an independent body (e.g. a certification body)
Other Types of Audit
- Pre-assessment
- Certification
- Surveillance
- Process
- Product
Reasons for Internal Audits
- A requirement of all management system standards
- A source of information for use by management
- A powerful tool for continual improvement through employee involvement, communication, employee awareness, etc.
Benefits of Auditing
- Verifies conformity to requirements
- Increases awareness and understanding
- Provides management with a measurement of the effectiveness of the system
- Reduces the risk of system failure
- Identifies improvement opportunities
- Precipitates the corrective action cycle
- Precipitates the preventive action cycle
Audit Process - Overview
Key stages in the internal auditing process (PERC):
- Planning
- Execution
- Reporting
- Closing
Audit Planning & Preparation
Audit Planning
Audit Schedule
Audit Checklist
Audit Schedule
The audit schedule is based on:
- Frequency of audit (as defined in the procedure)
- Processes / areas to be audited
- Duration of the audit
- Availability of qualified internal auditors
- Audit team having the applicable technical expertise
- Independence of the audit team (cross-functional audit: auditors do not audit their own work)
Audit Schedule - 1 (annual audit programme)
Legend: P = Planned, A = Additional
Matrix of processes (Marketing, IT Technology, System Administration, HR, Administration, and others) against months J F M A M J J A S O N D; each cell holds P or A for the month in which that process is to be audited
Audit Schedule - 2 (audit plan)
Day 1
- 1000 – 1300: Software Dev (auditors A & B); Real Estate Dev (C & D)
- 1400 – 1700: BPO (E & F); Educational Portal (G & H)
Day 2
- 1000 – 1300: Executive Search (I & J); IT (K & L)
- 1400 – 1700: HR (M & N); Administration (O & P)
cc: all Department Heads and Auditors
Checklists
A checklist, or aide-memoire, is a systematic set of questions or prompts about the auditee's ISMS which enables the auditor to maintain a consistent approach and ensures that no important points are missed.
A checklist should not be a list of questions to read out to the auditee. It is simply a prompt for the aspects of the system which require review.
Checklists
Checklists may be generic (reusable across areas) or tailored (prepared for a specific process or department).
Checklists - Benefits
A well-constructed aide-memoire will help to:
- Keep audit objectives clear
- Provide evidence of audit planning
- Maintain audit pace and continuity
- Reduce auditor bias
- Reduce workload during the audit
Checklist Drawbacks
Checklists tend to lose value if they become:
- Tick (√) lists
- Questionnaires
- Too focused
- Inflexible
Prepare them as aides-memoire, not scripts.
Checklist Preparation - Inputs
- Company policies and procedures
- Process information
- Customer requirements
- Applicable legal requirements
- Codes of practice
- Management priorities
- Previous incidents and accidents
- Previous audit reports
- Known problems
Sample Checklist Format
Header: Process/Dept, Auditee, Auditor/s, Date
Columns: S.No. | Requirement | Standard clause no. | Objective evidence
Exercise 4 : Audit Checklist
In your teams, prepare a checklist for an ISMS audit.
The checklist may be prepared for your own department.
Audit Execution
Audit System
Various roles of an auditor:
- A catalyst
- A management instrument
- An interface with suppliers, customers and colleagues
- A 'consultant' (internal auditor only, NOT a 3rd-party auditor)
Some Attributes of a Good Auditor
Open minded
Diplomatic
Decisive
Perceptive
Observant
Tenacious
Self-reliant
Ethical
Any More?
Auditor Qualification
Auditors must be competent in:
- Reasoning out nonconformities (establishing, with evidence, why a finding is a nonconformity)
- Evaluating the effectiveness of corrective action
Managing Communications
- Put the auditee at ease
- Ask questions and listen
- Use appropriate body language
- Smile and make eye contact
- Avoid interruptions
- Avoid sarcastic and condescending remarks
- Give praise and feedback
- Acknowledge and show interest
- Be tactful and polite
- Show patience and understanding
- Thank the auditee on completing the audit
Personality Types
The Everything is Absolutely Fine
Stick to the Bare Facts
Detail, Detail, Detail
I Always Have the Right and Best Answer
Managing Communications
Effective communication
Questioning
Listening
Body Language
Resolving Differences
- Types of conflict
- Dealing with conflict
Conduct of the Audit
- Meet the auditee
- Explain what you want to see
- Audit by sampling
- Investigate to the depth necessary
- If no problems are found, move on
- Don't keep on auditing until problems are found
Sampling
Why? It reduces time and costs: the auditor cannot examine every record, so a sample is drawn from a defined sample frame (the population of records, e.g. all user accounts or all change requests).
The sample should be:
- Representative of the whole population
- Random
- Chosen by the auditor, not by the auditee
- Taken with the auditee's permission sought before records are handled
A sample that finds no problems supports a conclusion only about the population it represents, so record the sample size and the identifiers examined.
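The following is an added example, not part of the course material, of how an auditor can draw a random, representative and reproducible sample from a sample frame and record it in the audit notes. It goes slightly beyond the slide by stratifying the sample across departments so that every area is represented. The sample frame (user accounts tagged with a department) is constructed for the example; the identifiers, departments and seed value are assumptions, and a real audit would load the frame from the auditee's records.

```python
"""Reproducible, stratified random sampling of audit records (added example)."""
import random
from collections import defaultdict

# Constructed sample frame: (record id, stratum). In a real audit this is
# the full population being sampled, obtained with the auditee's permission.
SAMPLE_FRAME = [
    ("ACC-001", "IT"), ("ACC-002", "IT"), ("ACC-003", "IT"), ("ACC-004", "IT"),
    ("ACC-005", "HR"), ("ACC-006", "HR"), ("ACC-007", "HR"),
    ("ACC-008", "Marketing"), ("ACC-009", "Marketing"),
    ("ACC-010", "Admin"), ("ACC-011", "Admin"), ("ACC-012", "Admin"),
]


def stratified_sample(frame, sample_size, seed):
    """Return a sorted list of record ids chosen at random from `frame`.

    Every stratum (department) gets at least one record, as far as
    `sample_size` allows, so the sample is representative; the remainder
    is drawn at random from the rest of the frame. The seed is recorded in
    the audit notes so a second auditor can reproduce the same selection.
    """
    if sample_size < 1:
        raise ValueError("sample_size must be at least 1")
    if sample_size > len(frame):
        raise ValueError("sample_size exceeds the sample frame")
    by_stratum = defaultdict(list)
    for record_id, stratum in frame:
        by_stratum[stratum].append(record_id)

    rng = random.Random(seed)          # seeded: same seed => same sample
    chosen = []
    strata = sorted(by_stratum)        # deterministic order before shuffling
    rng.shuffle(strata)
    for stratum in strata[:sample_size]:
        chosen.append(rng.choice(by_stratum[stratum]))

    # Fill the remainder from records not yet chosen (no duplicates)
    remaining = [rid for rid, _ in frame if rid not in chosen]
    chosen.extend(rng.sample(remaining, sample_size - len(chosen)))
    return sorted(chosen)


def sample_note(frame, sample_size, seed):
    """Line for the auditor's working notes: frame size, sample size, seed
    and the identifiers actually examined (evidence of sample size)."""
    ids = stratified_sample(frame, sample_size, seed)
    return (f"Sample frame: {len(frame)} records; sampled {len(ids)} "
            f"(seed {seed}): {', '.join(ids)}")


if __name__ == "__main__":
    print(sample_note(SAMPLE_FRAME, 6, seed=20230417))
```

Recording the seed and the selected identifiers is what makes the conclusion verifiable: anyone with the same frame and seed obtains the same sample, and the note shows exactly which records the "no problems found" conclusion rests on.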
Audit Execution
The audit process:
- Gathering information
- Validating the findings
- Evaluating the findings
Procedure for Gathering Evidence
Question, observe, check: ask about the activity, observe it being done, and check the records that result.
Collecting & Verifying Information
Sources of information
-> Collecting by appropriate sampling and verifying
-> Audit evidence
-> Evaluating against audit criteria
-> Audit findings
-> Reviewing
-> Audit conclusions
Sources of Information
- Interviews
- Documents (procedures, instructions, specifications, etc.)
- Records
- Data summaries (analysis and performance)
- Reports (customer feedback, supplier ratings)
- Databases
- Observations (of activities and conditions)
Conducting Interviews
Interviews are an important means of collecting information and should be carried out in a manner adapted to the situation and the person interviewed.
- May start by asking the auditee to describe the work
- Avoid misleading (leading) questions
- Listen carefully and make notes
- Summarize the results of the interview and discuss them with the auditee
Questions
- Open questions: encourage the auditee to speak
- Probing questions: follow up on a specific point
- Closed questions: confirm a fact with a yes/no answer
Questions should be asked like a funnel: start with open questions and end with closed questions.
Questioning Techniques
- Hypothetical
- Obvious
- Answered
- Repetitive
- Non-verbal
Open Questions
Six friends (to gather information):
- Who (does it)
- What (is done)
- Where (is it done)
- Why (is it done)
- When (does it get done)
- How (is it done; how often is it done)
And the seventh friend (for verification): Show me
7 Tips for Interviewing
- Use appropriate types of question
- Adopt a logical approach
- Follow a natural sequence
- Actively listen to what is being said
- Use silence appropriately
- Seek clarification, where necessary
- Verify responses, where necessary
Documents
- Policy and objectives
- Plans
- Policies and procedures / instructions
- Specifications / drawings
- Contracts / orders
- Licences / permits
Review the documents which describe activities, plans, controls, strategies and tests.
Records
Records are evidence of an activity having been performed:
- Test records
- Training records
- Performance monitoring records
- Audit reports
- Management review minutes of meetings
- Non-conformance records
- Customer satisfaction records
- Vendor performance evaluation records
- and so on
Observations
Observations of:
- Activities being performed
- Housekeeping
- Condition of infrastructure and hardware
- Work environment
Control of the Audit
- The checklist is a servant, not a master
- Audit the complete scope
- If potential audit trails appear, decide whether to: disregard them, note them for later, or follow up immediately
- Following an audit trail might affect the sample size
- It might also affect the audit programme (the time allocated)
Notes
Recording the objective evidence:
- Admissible statements (quotes and statements)
- Document / record numbers and issue / revision levels
- Identifiers (product identification)
- Surroundings
- Name of auditee, or preferably job title
- Issues which may impact other functions
Mental Notes
Workload
Employee behaviour
Management approach
Organization culture
Reactions
Notes
- Notes are evidence of the professionalism of the auditor
- Evidence of sample size and observations
- Should be legible and retrievable
- Shall be an input to the audit report
- May be used for further investigation and subsequent audits
Verify Facts
- Discuss concerns with the auditee; the auditee may provide the correct information
- Record all the evidence in detail
- Establish why it is (or is not) a nonconformity, and who is responsible (preferably by job title)
- The audit focus must be on conformity and effectiveness, not on finding nonconformities
Therefore, auditors must be competent in:
- Reasoning out nonconformities
- Evaluating the effectiveness of corrective action
Good Practices
- Ask the right person: the person with the responsibility for what you are auditing
- Don't talk down or be rude or sarcastic
- Ensure questions are clear and understood: avoid jargon, use plain and simple language, rephrase the question if it is not understood
- Do not confuse; ask one question at a time
- Allow time for the auditee to answer any questions you ask
- Do not take sides; stay impartial, do not jump to conclusions, always look for the evidence
- Be polite at all times, regardless of any provocation you may encounter
Handling Difficult Situations
Time Wasting
Discrimination
Hostility
Avoidance
Finger - pointing
Undermining
Deception
Obstruction
Usurping Control
Flattery
Audit Reporting
Nonconformity
Non-fulfilment of a requirement.
Specified requirements:
- Company policies and procedures
- ISO 27001 standard requirements
- Legal requirements
Nonconformity
The objective of an internal audit is to assess the status of the system from the point of view of adequacy of documents (intent), compliance (implementation) and effectiveness.
Nonconformities could arise from two kinds of cause:
- System deficiencies
- Human slip-ups
Internal audits should be aimed at identifying system deficiencies, since those are what corrective action can eliminate.
Reporting Categories
Categories such as Non-conformance or Non-compliance represent a "non-fulfilment of a specified requirement", and for many organisations are given the highest priority when determining corrective actions.
A lower priority is often given to Observations or Areas Requiring Attention. These findings are recognised as being of lower risk to the organisation.
Minor Non-conformance
- A single violation of, or failure to meet, a requirement of the standard
- Any minor lapse in the system
Examples:
- Training not planned for two employees from the Customer Care Department (ISO 27001:2005 A.8.2.2, Information security awareness, education and training)
- Background verification not done for employees x, y and z prior to hiring (ISO 27001:2005 A.8.1.2, Screening)
Major Non-conformity
- Complete absence or total breakdown of any clause of the standard(s)
- Complete non-compliance with a company policy or procedure
- Non-compliance with a legislative requirement
- A number of minor nonconformities that together indicate a system breakdown
Examples:
- Management review has not been conducted for more than a year (clause 7)
- Information security policy not defined (clause 4.2.1 b and control A.5.1.1)
Consider the Seriousness
Three questions to be answered:
1. What could go wrong if the nonconformity remains uncorrected?
2. What is the likelihood of such a thing going wrong?
3. How likely is it to be detected if it did go wrong?
A nonconformity with moderate consequences but high probability could be a Major.
A nonconformity with serious consequences but negligible probability could be a Minor.
Observation
An Observation or Opportunity for Improvement (OFI) is a situation where there is a weakness for which there is not enough evidence to raise a nonconformity, but which, if allowed to remain, could result in a nonconformity.
Exercise 5 : Identifying Non-conformances
Ten statements were presented by an audit team.
Identify whether each describes a non-conformance. If yes, identify the ISO 27001:2005 clause / control objective number.
If no, state what further action should be taken by the auditor.
Writing Statements of Nonconformity
- Use the auditee's terminology
- Make it retrievable (identify the document, record, location and requirement so the finding can be traced back)
- It must be factual
- Make it complete
- Make it concise
![Page 135: ISMS Internal Auditor Course.ppt](https://reader036.fdocuments.us/reader036/viewer/2022081504/55cf9b46550346d033a5669c/html5/thumbnails/135.jpg)
COMS Vantage Committed to Systems135
Nonconformity Statement (1)
Procedure KCL-Pl-15 requires that access to server room is only to 2 System Administrators and the IT Head. If required others could access along with the 3 persons with authorised access and they were to enter in the Entry Log Register.
The auditor entered the server room with the System Administrator, however no entry was made in the Entry Log Register.
Nonconformity to Procedure KCL-15 and ISO 27001:2005 clause A.9.1.5
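The statement above rests on a single observation. The following added example, which is not part of the course, shows how the same control could be checked from records: badge-reader events at the server room door are cross-referenced against the Entry Log Register, and every entry by a non-authorised person that has no matching, properly escorted register entry is listed as potential evidence. The authorised list, the badge-reader export, the register contents, the CSV layout with ISO 8601 timestamps and the five-minute matching tolerance are all assumptions constructed for the example.

```python
"""Cross-check of a server-room Entry Log Register against door badge events
(added example; all data below is constructed)."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Per the (hypothetical) procedure, only these three may enter unescorted.
AUTHORISED = {"sysadmin1", "sysadmin2", "it_head"}

# Constructed badge-reader export: every badge-in at the server room door.
BADGE_EVENTS = """\
timestamp,badge_user
2023-04-17T09:02:10,sysadmin1
2023-04-17T10:15:44,contractor7
2023-04-17T10:15:50,sysadmin2
2023-04-17T14:30:05,auditor_x
2023-04-17T14:30:09,it_head
2023-04-17T16:05:00,visitor_q
"""

# Constructed Entry Log Register: the escorted entries that were written down.
ENTRY_REGISTER = """\
timestamp,visitor,escort
2023-04-17T10:16:00,contractor7,sysadmin2
"""

# How far apart a badge event and a register entry may be and still be
# treated as the same entry (assumption).
TOLERANCE = timedelta(minutes=5)


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def find_unlogged_entries(badge_csv, register_csv, authorised=AUTHORISED,
                          tolerance=TOLERANCE):
    """Return (timestamp, user) for badge events by non-authorised persons
    with no matching register entry. A match requires the same visitor,
    a timestamp within `tolerance`, and an escort who is authorised."""
    register = [(datetime.fromisoformat(r["timestamp"]), r["visitor"], r["escort"])
                for r in _rows(register_csv)]
    unlogged = []
    for ev in _rows(badge_csv):
        user = ev["badge_user"]
        if user in authorised:
            continue                      # unescorted access is permitted
        when = datetime.fromisoformat(ev["timestamp"])
        matched = any(
            visitor == user and escort in authorised
            and abs(when - logged_at) <= tolerance
            for logged_at, visitor, escort in register
        )
        if not matched:
            unlogged.append((ev["timestamp"], user))
    return unlogged


if __name__ == "__main__":
    for ts, who in find_unlogged_entries(BADGE_EVENTS, ENTRY_REGISTER):
        print(f"{ts}: {who} badged in, no Entry Log Register entry")
```

With the constructed data the check flags auditor_x and visitor_q: both badged in without an entry in the register, while contractor7's visit is covered by an entry escorted by sysadmin2. Each flagged line is the kind of retrievable fact (timestamp, person, missing record) that belongs in the nonconformity statement; the auditor still confirms the finding with the auditee before reporting it.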
![Page 136: ISMS Internal Auditor Course.ppt](https://reader036.fdocuments.us/reader036/viewer/2022081504/55cf9b46550346d033a5669c/html5/thumbnails/136.jpg)
COMS Vantage Committed to Systems136
Nonconformity Statement (2)
Policy for Compliance states that that no software, unless provided by
corporate IT, must be loaded onto the network without the prior
permission of the IT manager
SW department were currently using a new data analysis tool which was sent to them direct from the developers after their agreement to take part in the testing of the new tool in return for a free copy of the finished product.
Nonconformity to Policy for Compliance and ISO 27001, Control 15.1
![Page 137: ISMS Internal Auditor Course.ppt](https://reader036.fdocuments.us/reader036/viewer/2022081504/55cf9b46550346d033a5669c/html5/thumbnails/137.jpg)
COMS Vantage Committed to Systems137
Ethos of Auditing
Positive approach
Aim to help improve system
Don’t look for blame
Aid identification of solutions
Audit Report
Fields:
- Date
- Process / area of audit
- Auditor(s)
- Auditee
- NCR (nonconformance report)
- Root cause
- Proposed corrective action
- Corrective action taken
- Verification of effectiveness of corrective action
- Review
Reporting
After the audit report is generated, the auditor:
- Submits the report to the auditee
- Gets the auditee to agree on the nonconformances
- Agrees dates for corrective action
- Ensures that action is taken effectively
Exercise 6 : Nonconformance Report
Write the nonconformance report for any nonconformance in Exercise 5
Audit Closing
Conducting Audit Follow-up
The auditor is responsible for identifying the nonconformance and for closing it (verifying that the corrective action taken was effective).
Conducting Audit Follow-Up
At the conclusion of the follow-up audit, the auditor must conclude on the completion and effectiveness of the previously proposed corrective actions. One of three outcomes applies:
- The action has been taken and has been effective
- The action has not been taken or is incomplete
- The action has been taken but is ineffective
Follow-up Action
Step: Responsible
1. Receive NCR: Auditee
2. Identify root cause: Auditee
3. Corrective action plan prepared: Auditee
4. Evaluates response (the plan): Auditor
5. Implements plan: Auditee
6. Evaluates effectiveness: Auditee
7. Revises plan if necessary: Auditee
8. Documents the changes: Auditee
9. Verifies implementation & effectiveness: Auditor
Records are made of all actions taken.
Exercise 7 : Corrective Action
Discuss in your teams corrective actions required for the non-conformances identified in Exercise 5.
Thank You
Working Together For Better Environment.