
02 ISMS & Audit Methodology

Amy Zhu
MSN: amyseeger@hotmail.com
14/01/2010
Agenda

ISO 2700x Overview

ISO 2700x Series Standard

ISO/IEC Std.   Description
27000          Vocabulary and Definitions
27001          Requirements (BS7799-2)
27002          Code of Practice (ISO 17799:2005)
27003          Implementation Guidance
27004          Metrics and Measurements
27005          Risk Management (BS7799-3)

ISO/IEC 27001:2005

- Security Policy
- Organizing Information Security
- Asset Management
- Human Resource Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

ISO 27001 Audit Stages

ISMS Methodology

PDCA model applied to ISMS process

Input: Info. Sec. Req. & Exp.  ->  Output: Managed Info. Sec.

Establish the ISMS (Plan)
- Scope
- ISMS policy / Security Org.
- Management Authorization
- GAP Analysis
- RA approach / RA / RTP options
- SOA
- C&CO
- Risk Treatment Plan

Implement and Operate the ISMS (Do)
- Implement selected C&CO
- Define Measurements
- Training and Awareness

Monitor and Improve the ISMS (Check)
- Management Review
- ISMS Metrics -> Control Effectiveness
- Review RA
- Internal Audit

Maintain and Improve the ISMS (Act)
- Implement the Improvements
- Corrective Act. and Preventive Act.

Continual Improvement of the Management System


Common Approach

High Level Certification Plan

Phase I (1 Month) - Plan and Manage Program
- Mobilize Program
- Launch Program

Phase II (5 Months)
- Implementation
- Certification

ISO Core Team

Security Committee

- Role
  The Committee is a key driver of our organization's security aspects. The Committee needs to meet and review at planned intervals the effectiveness of the Information Security Management System (ISMS). The review shall also include assessing opportunities for improvement and the need for change. The Committee will be the final authority in reviewing and taking appropriate action against all information security related risks.

- Frequency
  At least once a quarter. However, until the time of certification, the Security Committee will meet regularly, since the Committee has to approve all documents and play an active role in the Risk Assessment.

- Outcomes
  Key decisions made on the effectiveness of the ISMS.

Risk Assessment - Phases

"Identifying Information Assets, Assigning values to them and Controlling Risks are essential ISO27001 requirements"

Asset Identification and Valuation -> Threat Identification -> Threat Probability Analysis -> Vulnerability Identification -> Risk Measure

Risk Measure = Asset Value * Threat Probability * Impact

Asset Identification and Valuation

Categorize Assets:
- Physical Assets
- Information Assets
- Software Assets
- Services
- Voice Information

Valuate Assets based on C.I.A.:
- Confidentiality: Ensuring that information is accessible only to those authorised to have access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have access to information and associated assets when required.

Asset Valuation Tool

Threat Identification

Threat Probability Analysis

TL   Guideline
1    Once per 3 years or more / no occurrence
2    Once per year
3    Once per quarter
4    Once per month

TL = Threat Level Rating

Vulnerability Identification & Mapping

Impact Value   Threat / Vulnerability Characteristic
1              Occurrence of this threat will have negligible business impact
2              Occurrence of this threat will have minor business impact
3              Occurrence of this threat will have major business impact
4              Occurrence of this threat will have vital business impact
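
The risk measure described in the preceding slides (Asset Value * Threat Probability * Impact, with the 1-4 threat level and impact scales above) carried through over a small constructed risk register, as an added example that is not part of the original deck. It assumes asset value is the highest of the C, I and A ratings on a 1-4 scale, and that a score above an assumed acceptance threshold of 24 is routed to the Risk Treatment Plan; both are assumptions, not figures from the slides.

```python
from dataclasses import dataclass
# Assumption: organisation-specific acceptance level; scores above it go to the RTP.
RISK_ACCEPTANCE_THRESHOLD = 24

def asset_value(c: int, i: int, a: int) -> int:
    """Assumption: an asset is worth its most sensitive property, max(C, I, A) on 1..4."""
    if not all(1 <= v <= 4 for v in (c, i, a)):
        raise ValueError("C/I/A ratings must be 1..4")
    return max(c, i, a)

def threat_level(occurrences_per_year: float) -> int:
    """Deck's TL guideline: 4 monthly, 3 quarterly, 2 yearly, 1 every 3+ years / never."""
    if occurrences_per_year >= 12:
        return 4
    if occurrences_per_year >= 4:
        return 3
    if occurrences_per_year >= 1:
        return 2
    return 1

@dataclass
class RiskEntry:
    asset: str
    threat: str
    cia: tuple                   # (C, I, A) ratings, each 1..4
    occurrences_per_year: float  # estimated threat frequency
    impact: int                  # deck's impact value: 1 negligible .. 4 vital

    def score(self) -> int:
        # Risk Measure = Asset Value * Threat Probability * Impact (range 1..64)
        if not 1 <= self.impact <= 4:
            raise ValueError("impact must be 1..4")
        return asset_value(*self.cia) * threat_level(self.occurrences_per_year) * self.impact

def risk_register(entries):
    """Rank entries by score; flag those above the acceptance threshold for treatment."""
    ranked = sorted(entries, key=lambda e: e.score(), reverse=True)
    return [(e.asset, e.threat, e.score(), e.score() > RISK_ACCEPTANCE_THRESHOLD) for e in ranked]

# Constructed sample register (illustrative values, not taken from the deck)
SAMPLE = [
    RiskEntry("Customer DB", "Unauthorised disclosure", (4, 3, 3), 2, 4),
    RiskEntry("Office printer", "Hardware failure", (1, 1, 2), 12, 1),
    RiskEntry("Payroll app", "Data tampering", (3, 4, 2), 0.5, 3),
    RiskEntry("Web server", "Denial of service", (2, 2, 4), 6, 3),
]

if __name__ == "__main__":
    for asset, threat, score, treat in risk_register(SAMPLE):
        print(f"{asset:15s} {threat:25s} risk={score:2d} {'treat' if treat else 'accept'}")
```

Note that the frequent but low-impact printer failure scores lower than the rare payroll tampering, which is the effect the multiplicative measure is meant to have.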

Risk Assessment and Risk Treatment

ISMS Auditing

Requirement for Internal Audit

What do we mean by Audit?

Audit

BS EN 19011:2002 – Scope

Management Systems Auditing

Type of Audit


The Audit Process

Audit Objectives

The Scope of the Audit

Audit Criteria

The Benefits of Audit

Auditor's Responsibilities

Planning the Audit

Audit Programme

Planning and Preparation

Audit Planning

Decisions at the Planning Stage

Audit Duration

You need to define it based on your experience.

Audit Preparation

Preparing for the Audit

Audit Preparation - Information

Audit Documents

Benefits of the Checklists

Checklist – Audit Starting Point

Checklist – Clear Screen/Desk Policy

Exercise – Preparing an Audit Checklist

Conducting the Audit

Audit Activities

Opening Meeting

Collecting the Facts

Establish the Facts

Audit Evidence

Evidence

Techniques for Questioning

Recording the Facts

Documenting the Findings

Evaluating

Finding Classification - 1

Finding Classification - 2

Finding Classification - 3

The name does not matter, they are all 'Opportunities for Improvement'.

Recording the Results

Documenting Non-Conformities

Non-Conformity Report

Reporting the Audit

Exercise – NC report

Audit Report Meeting

Close Meeting

- Avoid Confrontation

Conduct of Meeting

Follow-up Options

- But Always Record your Actions

Successive Audits

Reporting

Q & A