
Certified ISO/IEC 27001
Lead Auditor







Instructor Guide



Information Security Training
Sample Material - Not for Reprint

Copyright

ISO 27001 Lead Auditor, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.
ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change
without notice. Furthermore, this material contains proprietary information that is
protected by copyright. No part of this material may be photocopied, reproduced,
or translated to another language without the prior consent of
ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for
grammar, syntax, and mechanics are from The Chicago Manual of Style, The
American Heritage Dictionary, and the Microsoft Manual of Style for Technical
Publications.

Certified ISO/IEC 27001 | Lead Auditor | Instructor Guide
Copyright 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us
Before you start the course, please take a moment to:

"Like us" on Facebook
http://www.facebook.com/ITpreneurs

"Follow us" on Twitter
http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus
http://gplus.to/ITpreneurs

"Link with us" on LinkedIn
http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube
http://www.youtube.com/user/ITpreneurs








Contents
Certified ISO/IEC 27001 Lead Auditor
Day 1 ------------------------------------------------------------ 5

Day 2 ------------------------------------------------------------ 123

Day 3 ------------------------------------------------------------ 243

Day 4 ------------------------------------------------------------ 329

Appendix A: Case Study --------------------------------------- 425

Appendix B: Exercises List ---------------------------------- 449

Appendix C: Correction Key ---------------------------------- 483

Appendix D: Release Notes ----------------------------------- 503

Instructor Feedback Form ------------------------------------- 505










Day 1

ISO 27001 Lead Auditor


DAY 1
Certified ISO 27001 Lead Auditor

Schedule for Day 1
Section 1: Course objectives and structure
Section 2: Standard and regulatory framework
Section 3: Certification process
Section 4: Fundamental principles of information security
Section 5: Information Security Management System (ISMS)

Normative references used in this training
1. Main standards
ISO 17021:2011, Conformity assessment - Requirements for bodies providing audit and certification of management systems.
ISO 17024:2003, Conformity assessment - General requirements for bodies operating certification of persons.
ISO 19011:2011, Guidelines for auditing management systems.
ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary.
ISO/IEC 27001:2005, Information Security Management Systems - Requirements.
ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management.
ISO/IEC 27003:2010, Information technology - Security techniques - Information security management system implementation guidance.
ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management.
ISO/IEC 27006:2011, Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27007:2011, Information technology - Security techniques - Guidelines for information security management systems auditing.
ISO/IEC TR 27008:2011, Information technology - Security techniques - Guidelines for auditors on information security controls.
2. Other standard references
ISO Guide 73:2009, Risk management - Vocabulary.
ISO 9000:2005, Quality management systems - Fundamentals and vocabulary.
ISO 9001:2008, Quality management systems - Requirements.
ISO 14001:2004, Environmental management systems - Requirements with guidance for use.
ISO/IEC 17011:2004, Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies.
OHSAS 18001:2007, Occupational Health and Safety Management Systems - Requirements.
ISO/IEC 20000-1:2011, Information technology - Service management - Part 1: Service management system requirements.
ISO/IEC 20000-2:2012, Information technology - Service management - Part 2: Guidance on the application of service management systems.
ISO 22000:2005, Food safety management systems - Requirements for any organization in the food chain.
ISO 22301:2012, Societal security - Business continuity management systems - Requirements.
ISO/IEC 27004:2009, Information technology - Security techniques - Information security management - Measurement.
ISO 28000:2007, Specification for security management systems for the supply chain.
ISO 31000:2009, Risk management - Principles and guidelines.

2005 PECB
Version 7.3
René St-Germain / Eric Lachapelle (Editors)
Document number: SMSLAD1V7.3
Documents provided to participants are strictly reserved for training purposes and are
copyrighted by PECB. Unless otherwise specified, no part of this publication may be, without
PECB's written permission, reproduced or used in any way or format or by any means
whether it be electronic or mechanical including photocopy and microfilm.

List of acronyms and abbreviations used in this training
ANSI: American National Standards Institute
BS: British Standard
BCMS: Business continuity management system
CERT: Computer Emergency Response Team
CMS: Content Management System
CobiT: Control Objectives for Business and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document Management System
EA: European Co-operation for Accreditation
EDM: Electronic Document Management System
EMS: Environment management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IAF: International Accreditation Forum
IFAC: International Federation of Accountants
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Standards Organization
ITIL: Information Technology Infrastructure Library
LA: Lead auditor
LI: Lead implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OHSAS: Occupational Health and Safety Assessment Series
OECD: Organization for Economic Co-operation and Development
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
QMS: Quality management system
PECB: Professional Evaluation and Certification Board
ROI: Return on Investment
ROSI: Return on Security Investment
SMS: Service management system
SoA: Statement of applicability
SOX: Sarbanes-Oxley Act

Certified ISO 27001 Lead Auditor Training
Section 1: Course objectives and structure
a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training






Activity: Meet and greet

To break the ice, participants introduce themselves stating:
Name;
Current position;
Knowledge of and experience with information security;
Knowledge of and experience with ISO 27001 and other standards of the 27000 family (27002, 27003, 27004, 27005, etc.);
Knowledge of and experience with other management systems (ISO 9001, ISO 14001, ISO 20000, ISO 22301, etc.);
Auditing knowledge and experience;
Course expectations and objectives.

Duration of activity: 20 minutes



General Information
Smoking area
Meals
Timetable and breaks
Use of mobile phones and recording devices
Absences
Use of a computer and access to the Internet

For simplification, only the masculine is used throughout this training; no offense is intended.
In case of emergency, please be aware of the exits.
Agree on the course schedule and two breaks (be on time).
Set your cell phone to vibrate and, if you need to take a call, please do it outside the classroom.
Recording devices are prohibited because they may restrict free discussion.



Training Objectives
Acquiring knowledge
1. Understand the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001, ISO 27002 and other standards and regulatory frameworks
3. Understand an auditor's role: to plan, lead and follow up on a management system audit in accordance with ISO 19011

The training is designed to allow candidates to acquire and/or enhance their competency to audit an information security management system. From an educational view, competency consists of the following 3 elements:
Knowledge;
Skill;
Behavior (attitude).

This training is focused on the acquisition of knowledge related to audit techniques applied to information security, not on the acquisition of expertise in information security. Minimal knowledge of information security is, however, required for successful completion of the course.

To obtain more in-depth knowledge of the implementation and management of an ISMS, it is recommended to take the Certified ISO 27001 Lead Implementer course.

At the end of the course, participants will have obtained knowledge and developed competency on how to audit, and not only on why to audit and what to do during an audit.


Training Objectives
Development of competencies
1. Interpret the requirements of ISO 27001 in the context of an ISMS audit
2. Acquire the competencies of an auditor to: plan an audit, lead an audit, draft reports, and follow up on an audit in compliance with ISO 19011
3. Strengthen the personal skills necessary for an auditor to act with due professional care during an audit

Regarding the development of skills, the objective of this training is to ensure that the candidate can actively participate in an ISO 27001 certification audit or an internal audit the day following the end of the training. This training is focused on the daily realities of the conduct of an audit. The case study and role-plays act as simulations of situations that are as close as possible to the reality in the field.
Regarding attitude, several exercises will allow the candidate to strengthen the personal skills necessary for an auditor to act with due professional care during the performance of audit activities, such as decision-making ability, teamwork, open-mindedness, etc.
Important note: The Certified ISO 27001 Lead Auditor training is intended for both internal and external auditors. Auditing techniques and the competencies needed by auditors are common to all types of audits. The particularities of the different types of audits will be explained during the training. Internal audits will be handled in a dedicated section of Day 4.


Educational Approach
Students at the center

This course is primarily based on:
Trainer-led sessions, where questions are welcome.
Student involvement: exercises, case studies, role-plays, notes, reactions, discussions (participant experiences).
Remember, this course is yours: you are the main players in its success.
Students are encouraged to take additional notes.
Homework and exercises are essential to acquiring the competencies necessary to conduct an audit, so it is very important to do them conscientiously. Moreover, even though they are not scored, homework and exercises prepare participants for the certification exam.


Course Based on Audit Best Practices
ISO 19011
Generally accepted audit standards
International Federation of Accountants
Information Systems Audit and Control Association
Institute of Internal Auditors

ISO 19011 provides guidance on audit principles, audit programme management and management systems audit, as well as guidance on the competencies of auditors. It applies to all organizations needing to conduct internal and external audits or to manage an audit programme. The application of ISO 19011 to other types of audits is possible: in such a case it is sufficient to give special attention to identifying the competencies required of the audit team members.
Reference: www.iso.org
International Federation of Accountants - IFAC: This is the world accounting organization. It operates with its 157 members and associates in 122 countries to protect the public interest by encouraging high-quality practices in the accounting world. Standards developed by IFAC provide guidelines and advice in the following fields: audit, insurance, control and services related to quality, training, ethics and accounting.
Reference: www.ifac.org
Generally Accepted Auditing Standards - GAAS: These are several audit standards developed by the AICPA (American Institute of Certified Public Accountants), including general standards, standards by activity sector and report standards, with interpretations. They were developed by the AICPA in 1947 and have undergone a few minor changes since then.
Reference: www.aicpa.org
ISACA standards and guidelines: The Information Systems Audit and Control Association (ISACA) has developed several standards and guidelines to provide advice on the audit of information systems. Founded in 1967, ISACA has over 65 000 members. Two of its main professional certifications, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager), enjoy international recognition.
Reference: www.isaca.org
Professional practices of the Institute of Internal Auditors: These provide advice on conducting internal audits. They are the result of careful analysis, consultations and
deliberations on the fundamental principles concerning the performance of internal audit services by members of the IIA (Institute of Internal Auditors) and CIAs (Certified Internal Auditors).
Reference: www.theiia.org

Examination
Competency domains
1. Fundamental principles of information security
2. Information Security Management System
3. Fundamental concepts and principles of auditing
4. Preparation of an ISO 27001 audit
5. Conducting an ISO 27001 audit
6. Concluding an ISO 27001 audit
7. Managing an ISO 27001 audit programme

The objective of the certification examination is to ensure that auditor candidates have mastered audit concepts and techniques so that they are able to participate in audit assignments. The PECB examination committee shall ensure that the development and adequacy of the exam questions are maintained based upon current professional practice. The questions are developed and maintained by a committee of information security specialists who are all ISO 27001 Lead Auditor certified.
The exam only contains essay questions. The duration of the exam is 3 hours. The minimum passing score is 70%.
All notes and reference documents may be used during the exam, excluding the use of a computer.
The exam is available in several languages. When taking the exam, please ask the trainer or check the PECB website for the list of available languages.
All seven competency domains are covered by the examination. To read a detailed description of each competency domain, please visit the PECB website.


Certified ISO 27001 Lead Auditor
Prerequisites for Certification
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 2 years security experience
5. 300 hours audit activity
6. Professional references

Passing the exam is not the only prerequisite to obtain the credential of "Certified ISO 27001 Lead Auditor". This credential endorses both the passing of the exam and the validation of the professional experience records. Unfortunately, many people claim they are ISO 27001 Lead Auditor-qualified following a successful exam, although they do not have the required experience level.
The set of criteria and the certification process are explained on the last day of the training.
A candidate with less experience can apply for the credential of "Certified ISO/IEC 27001 Auditor" or "Certified ISO/IEC 27001 Provisional Auditor".
Important note: Certification fees are included in the examination price. The candidate will therefore not have to pay any additional costs when applying for certification at their corresponding experience level and receiving one of the professional credentials, i.e. Certified ISO/IEC 27001 Provisional Auditor, Certified ISO/IEC 27001 Auditor or Certified ISO/IEC 27001 Lead Auditor.




Certificates
Candidates who have met all the prerequisites for certification will receive a certificate.

After passing the exam, the candidate has a maximum period of three years to apply for one of the professional credentials related to the ISO 27001 certification scheme.
When the candidate is certified, he will receive from PECB, via electronic mail, a certificate valid for three years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the requirements for the assigned credential and abiding by PECB's Code of Ethics. To learn more about the certificate maintenance and renewal procedure, please visit the PECB website. At the end of the training, more details will be given.
An electronic (PDF) course completion certificate, valid for 31 CPD (Continuing Professional Development) credits, will be issued (sent via email) to participants after the training.


What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers

Founded in 2005, PECB is a personnel certification body for various standards, including ISO 9001 (Quality), ISO 14001 (Environment), OHSAS 18001 (Health & Safety), ISO 20000 (IT Service), ISO 22000 (Food safety), ISO 22301 (Business continuity), ISO 26000 (Social Responsibility), ISO 27001 (Information security), ISO 27005 (Information security risk) and ISO 28000 (Supply Chain Security).
Our mission is to provide our clients with comprehensive individual examination and certification services. PECB develops, maintains and continually improves high-quality recognized certification programs. PECB is accredited by ANSI under ISO/IEC 17024 (accreditation ID: 1003). PECB is the only personnel certification body certified to ISO 9001 and ISO 27001.
The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification and to administer credible certification programs for individuals who practice in disciplines involving the audit and the implementation of a compliant management system. This principal purpose includes:
Establishing the minimum requirements necessary to qualify certified professionals;
Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
Developing and maintaining reliable, valid, and current certification examinations;
Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of the holders of valid certificates;
Establishing requirements for the periodic renewal of certification and determining compliance with those requirements;
Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
Representing its members, where appropriate, in matters of common interest;
Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the public.




Why Become a Certified Auditor?
Advantages
Qualifying oneself to conduct audits for a certification body
Formal and independent recognition of personal competencies
Certified professionals usually earn salaries higher than those of non-certified professionals

An internationally recognized certification can help you maximize your career potential and reach your professional objectives.
An international certification is the formal recognition of the competencies of an individual.
According to salary surveys published by several magazines in the last five years, certified auditors have an average salary considerably higher than their non-certified counterparts.




Customer Service
Comments, questions and complaints
Parties involved: Training Participant, Training Provider, PECB
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration

In order to ensure your satisfaction and continually improve the training, examination and certification processes, PECB Customer Service has established a support ticket system for handling complaints and services for our clients.
As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that might arise between you and these parties.
To send comments, questions or complaints, please open a ticket on PECB's website in the Contact Us section.

If you have suggestions for improving PECB's training materials, we would like to hear from you. We read and evaluate the input we get from our members. Please open a ticket directed to the Training Department on PECB's website in the Contact Us section.
In case of dissatisfaction with the training (trainer, training room, equipment, ...), the examination or the certification processes, please open a ticket under the "Make a complaint" category on PECB's website in the Contact Us section.


Schedule for the Week

Day 1: Introduction to information security and ISO 27001
Course objectives and structure
Standard and regulatory framework
Certification process
Fundamental principles of information security
Information Security Management System (ISMS)

Day 2: Audit principles, preparation and launching of an audit
Fundamental audit concepts and principles
Audit approach based on evidence and risk
Initiating the audit
Stage 1 audit
Preparing the stage 2 audit (on-site audit)
Stage 2 audit (Part 1)

Day 3: On-site audit activities
Stage 2 audit (Part 2)
Communication during the audit
Audit procedures
Creating audit test plans
Drafting audit findings and non-conformity reports

Day 4: Closing the audit
Documentation of the audit and quality review
Closing the audit
Evaluating action plans by the auditor
Beyond the initial audit
Managing an internal audit programme
Competence and evaluation of auditors
Closing the training

Day 5: Final exam


QUESTIONS?

Section summary:
The main objective of this training is to acquire the competency (knowledge, skills and behavior) to participate in an ISO 27001 internal audit or certification audit.
Success of the training is based on participant involvement (experience feedback, discussions, role-play, exercises, etc.).
The objective of the certification examination is to ensure that auditor candidates have mastered audit concepts and techniques so that they are able to participate in audit assignments. The exam only contains essay questions. The duration of the exam is 3 hours. The minimum passing score is 70%. The exam is available in several languages.
Passing the exam is only one of the prerequisites to obtain the professional credential "Certified ISO 27001 Lead Auditor". This professional credential endorses both the passing of the exam and the validation of the professional experience records.
PECB (Professional Evaluation and Certification Board) is a certification organization for persons. The first objective of PECB, as included in its statutes, is to develop and promote professional standards for certification and to administer credible certification programs for persons who work in disciplines involving verification and implementation of a compliant management system.










Certified ISO 27001 Lead Auditor Training
Section 2: Standard and regulatory framework
a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Integrated management system
e. Information security standards
f. ISO 27000 family
g. ISO 27001 advantages
h. Legal and regulatory conformity

During this training, we will adopt the following convention: standards will often be referenced as "ISO XXXX" in the slides instead of by their official designation "ISO/IEC XXXXX:20XX", without specifying their publication date, each referring to its latest version.
ISO documents are copyright protected. Each participant has a responsibility to possess a legal copy of the standards required for this course. If a standard is included or was given to you for the period of this training, you must follow the conditions for use stated by ISO.
No part of this publication may be reproduced by any means or used in any way, whether electronic or mechanical, including photocopies and microfilms, without written permission from ISO (see address below) or a member of the ISO organization located in the country of the person or of the related organization.
Copies of the different ISO standards can be bought online on the ISO website (www.iso.org) or from the accreditation authority of each country. For example, you can buy ISO standards from ANSI (webstore.ansi.org).
Note on terminology: Depending on the standard, different terms are used to refer to a specific part of a standard, such as clause, section, paragraph or chapter. In this course we will use "clause" for any reference to a specific part of a norm or standard.

What is ISO?
ISO is a network of national standardization bodies from over 160 countries
The final results of ISO's work are published as international standards
Over 19 000 standards have been published since 1947

History
In 1946, delegates from 25 countries met in London and decided to create a new international organization, whose object would be "to facilitate the international coordination and unification of industrial standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland.
The International Standards Organization (ISO) is a non-governmental organization that holds a special position between the public sector and the private sector. Its members include national standards organizations that are often part of government structures in their countries or are mandated by these governments.
Other members belong to the private sector as national partnerships of industry associations.
Goals/Advantages
The role of ISO is to facilitate international coordination and the standardization of industrial standards. To reach these objectives, ISO publishes technical standards. These standards contribute to the development, manufacturing and delivery of products and services that are more effective, safer and clearer. They facilitate fair trade between countries. In addition, they provide governments with a technical foundation for health, security and environmental legislation, and they help transfer technologies to developing countries. ISO standards are also used to protect consumers and general users of products and services, and to simplify their lives.

Note on terminology: Because "International Organization for Standardization" would have different acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de normalisation), its founders decided to also give it a short, all-purpose name. They chose "ISO", derived from the Greek isos, meaning "equal".
Source: www.iso.org
How are ISO standards developed?
The national delegations of experts of a committee meet to discuss, debate and argue until
they reach consensus on a draft agreement. The "organizations in liaison" also take part in
this work. In some cases, advanced work within these organizations means that substantial
technical development and debate has already occurred, leading to some international
recognition; in this case, a document may be submitted for "fast-track" processing. In
both cases, the resulting document is circulated as a Draft International Standard (DIS) to all
ISO member bodies for voting and comment.
If the vote is in favor, the document, with any modifications, is circulated to the ISO
members as a Final Draft International Standard (FDIS). If that vote is positive, the
document is then published as an International Standard. (There is no FDIS stage in the
case of documents processed through the fast-track procedure of the joint technical
committee ISO/IEC JTC 1, Information technology.)
Every working day of the year, an average of seven ISO technical meetings takes place
around the world. In between meetings, the experts continue the standards development
work by correspondence. Increasingly, their work is carried out by electronic means, which
speeds up the development of standards and cuts travel costs.
International Standards are developed by a six-step process:
Stage 1: Proposal stage
The first step in the development of an International Standard is to confirm that a particular
International Standard is needed. A new work item proposal (NP) is submitted for vote by the
members of the relevant technical committee (TC) or subcommittee (SC) to determine the
inclusion of the work item in the programme of work.
The proposal is accepted if a majority of the P-members of the TC/SC votes in favor and if at
least five P-members declare their commitment to participate actively in the project. At this
stage a project leader responsible for the work item is normally appointed.
Stage 2: Preparatory stage
Usually, a working group of experts, the chairman (convener) of which is the project leader,
is set up by the TC/SC for the preparation of a working draft. Successive working drafts may
be considered until the working group is satisfied that it has developed the best technical
solution to the problem being addressed. At this stage, the draft is forwarded to the working
group's parent committee for the consensus-building phase.
Stage 3: Committee stage
As soon as a first committee draft is available, it is registered by the ISO Central Secretariat.
It is distributed for comment and, if required, voting, by the P-members of the TC/SC.
Successive committee drafts may be considered until consensus is reached on the technical
content. Once consensus has been attained, the text is finalized for submission as a Draft
International Standard (DIS).
Stage 4: Enquiry stage
The Draft International Standard (DIS) is circulated to all ISO member bodies by the ISO
Central Secretariat for voting and comment within a period of five months. It is approved for
submission as a Final Draft International Standard (FDIS) if a two-thirds majority of the
P-members of the TC/SC are in favor and not more than one-quarter of the total number of
votes cast are negative. If the approval criteria are not met, the text is returned to the
originating TC/SC for further study, and a revised document will again be circulated for voting
and comment as a Draft International Standard.
Stage 5: Approval stage
The Final Draft International Standard (FDIS) is circulated to all ISO member bodies by the
ISO Central Secretariat for a final Yes/No vote within a period of two months. If technical
comments are received during this period, they are no longer considered at this stage, but
registered for consideration during a future revision of the International Standard. The text is
approved as an International Standard if a two-thirds majority of the P-members of the
TC/SC is in favor and not more than one-quarter of the total number of votes cast are
negative. If these approval criteria are not met, the standard is referred back to the
originating TC/SC for reconsideration in light of the technical reasons submitted in support of
the negative votes received.
Stage 6: Publication stage
Once a Final Draft International Standard has been approved, only minor editorial changes, if
and where necessary, are introduced into the final text. The final text is sent to the ISO
Central Secretariat, which publishes the International Standard.
Reference: www.iso.org

Slide 19: Basic Principles of ISO Standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

ISO basic principles
1. Equal representation: Every ISO member (full-fledged member) has the right to
participate in the development of any standard it deems important to the economy of its
country. Whatever the size or strength of its economy, each participating member can claim
its right to vote. ISO activities are thus carried out in a democratic structure where member
countries are on the same footing in terms of their influence on the orientation of the work.
2. Voluntary: Adoption of ISO standards is voluntary. As a non-governmental organization,
ISO has no legal authority for their implementation. A percentage of ISO standards, more
particularly those related to health, security and the environment, have been adopted in
several countries as part of the regulatory framework, or are mentioned in the legislation for
which they act as a technical basis. Such adoptions are sovereign decisions by regulatory
organizations or governments.
ISO itself does not regulate or legislate. However, although ISO standards are voluntary,
they can become a market requirement, as is the case with ISO 9001 or with freight
container dimensions, the traceability of food products, etc.
3. Business orientation: ISO only develops standards for which a market demand exists.
Work is carried out by experts in the related industrial, technical and business sectors.
These experts may be joined by other experts holding the appropriate knowledge, such as
those from public organizations, the academic world and testing laboratories. ISO launches the
development of new standards in response to sectors and stakeholders that express a
clearly established need for them.
An industry sector or other stakeholder group typically communicates its requirement for a
standard to one of ISO's national members. The latter then proposes the new work item to
the relevant ISO technical committee developing standards in that area. New work items
may also be proposed by organizations in liaison with such committees. When work items do
not relate to existing committees, proposals may also be made by ISO members to set up
new technical committees to cover new fields of activity.
4. Consensus approach: ISO standards are based on a representative consensus
approach among the different stakeholders (experts, industries, researchers, governments, etc.).
This ensures wider circulation and greater application. ISO standards are developed by
technical committees (subcommittees or project committees) comprising experts from the
industrial, technical and business sectors which have asked for the standards, and which
subsequently put them to use. These experts may be joined by representatives of
government agencies, testing laboratories, consumer associations, non-governmental
organizations and academic circles.
Proposals to establish new technical committees are submitted to all ISO national member
bodies, who may opt to be participating (P), observer (O) or non-members of the committee.
The secretariat (i.e. the body providing the administrative support to the work of the
committee) is allocated by the Technical Management Board (which itself reports to the ISO
Council), usually to the ISO member body which made the proposal. The secretariat is
responsible for nominating an individual to act as chair of the technical committee. The chair
is formally appointed by the Technical Management Board.
Experts participate as national delegations, chosen by the ISO national member body for the
country concerned. National delegations are required to represent not just the views of the
organizations in which their participating experts work, but those of other stakeholders too.
National delegations are usually based on and supported by national mirror committees to
which the delegations report.
According to ISO rules, the national member body is expected to take account of the views
of all parties interested in the standard under development. This enables it to present a
consolidated, national consensus position to the technical committee.
International and regional organizations from both business and the public sector may apply
for liaison status to participate in developing a standard, or to be informed about the work.
Such "organizations in liaison" are accepted through voting by the relevant ISO committee.
They may comment on successive drafts, propose new work items or even propose
documents for "fast tracking", but they have no voting rights.
5. International cooperation: ISO standards are technical agreements that bring, at the
international level, technological compatibility structures. Developing a technical consensus
on an international scale is a major activity. 3 000 technical ISO groups are identified
(technical committees, subcommittees, work groups, etc.) within which 50 000 experts take
part in developing standards annually.
Source: www.iso.org

Slide 20: Eight ISO Management Principles

1. Customer focus: Organizations depend on their customers and therefore should
understand current and future customer needs, should meet customer requirements and
strive to exceed customer expectations.
Management system implications
- Researching and understanding customer needs and expectations.
- Ensuring that the objectives of the organization are linked to customer needs and
expectations.
- Communicating customer needs and expectations throughout the organization.
- Systematically managing customer relationships.
- Ensuring a balanced approach between satisfying customers and other interested
parties (such as owners, employees, suppliers, financiers, local communities and
society as a whole).
2. Leadership: Leaders establish unity of purpose and direction of the organization. They
should create and maintain the internal environment in which people can become fully
involved in achieving the organization's objectives.
Management system implications
- Considering the needs of all interested parties, including customers, owners,
employees, suppliers, financiers, local communities and society as a whole.
- Establishing a clear vision of the organization's future.
- Setting challenging goals and targets.
- Creating and sustaining shared values, fairness and ethical role models at all levels
of the organization.
- Establishing trust and eliminating fear.
- Providing people with the required resources, training and freedom to act with
responsibility and accountability.
- Inspiring, encouraging and recognizing people's contributions.
3. Involvement of people: People at all levels are the essence of an organization and their
full involvement enables their abilities to be used for the organization's benefit.
Management system implications
- People understanding the importance of their contribution and role in the
organization.
- People identifying constraints to their performance.
- People accepting ownership of problems and their responsibility for solving them.
- People evaluating their performance against their personal goals and objectives.
- People actively seeking opportunities to enhance their competence, knowledge and
experience.
- People freely sharing knowledge and experience.
- People openly discussing problems and issues.

4. Process approach: A desired result is achieved more efficiently when activities and
related resources are managed as a process.
Management system implications
- Systematically defining the activities necessary to obtain a desired result.
- Establishing clear responsibility and accountability for managing key activities.
- Analyzing and measuring the capability of key activities.
- Identifying the interfaces of key activities within and between the functions of the
organization.
- Focusing on the factors, such as resources, methods and materials, that will
improve key activities of the organization.
- Evaluating risks, consequences and impacts of activities on customers, suppliers
and other interested parties.

5. System approach to management: Identifying, understanding and managing
interrelated processes as a system contributes to the organization's effectiveness and
efficiency in achieving its objectives.
Management system implications
- Structuring a system to achieve the organization's objectives in the most effective
and efficient way.
- Understanding the interdependencies between the processes of the system.
- Structured approaches that harmonize and integrate processes.
- Providing a better understanding of the roles and responsibilities necessary for
achieving common objectives and thereby reducing cross-functional barriers.
- Understanding organizational capabilities and establishing resource constraints
prior to action.
- Targeting and defining how specific activities within a system should operate.
- Continually improving the system through measurement and evaluation.
6. Continual improvement: Continual improvement of the organization's overall
performance should be a permanent objective of the organization.
Management system implications
- Employing a consistent organization-wide approach to continual improvement of the
organization's performance.
- Providing people with training in the methods and tools of continual improvement.
- Making continual improvement of products, processes and systems an objective for
every individual in the organization.
- Establishing goals to guide, and measures to track, continual improvement.
- Recognizing and acknowledging improvements.
7. Factual approach to decision making: Effective decisions are based on the analysis
of data and information.
Management system implications
- Ensuring that data and information are sufficiently accurate and reliable.
- Making data accessible to those who need it.
- Analyzing data and information using valid methods.
- Making decisions and taking action based on factual analysis, balanced with
experience and intuition.
8. Mutually beneficial supplier relationships: An organization and its suppliers are
interdependent, and a mutually beneficial relationship enhances the ability of both to
create value.
Management system implications
- Establishing relationships that balance short-term gains with long-term
considerations.
- Pooling expertise and resources with partners.
- Identifying and selecting key suppliers.
- Clear and open communication.
- Sharing information and future plans.
- Establishing joint development and improvement activities.
- Inspiring, encouraging and recognizing improvements and achievements by
suppliers.

Source: www.iso.org


Slide 21: Management System Standards
Primary standards against which an organization can be certified:
- ISO 9001: Quality
- ISO 14001: Environment
- OHSAS 18001: Health and Safety at work
- ISO 20000: IT Service
- ISO 22000: Food Safety
- ISO 22301: Business continuity
- ISO 27001: Information security
- ISO 28000: Supply Chain Security

Since 1947 ISO has published over 19 000 international standards. ISO publishes standards
related to traditional activities such as agriculture and construction, media devices and the
most recent developments in information technologies, such as the digital coding of
audiovisual signals for multimedia applications.
The ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO 9000
standard has become an international reference in regard to the quality requirements in
commerce and business transactions. The ISO 14000 standard, for its part, is used to help
organizations meet challenges of an environmental nature.
ISO 9001 is related to quality management. It contains the good practices that aim to
improve customer satisfaction, achievement of customer requirements and regulatory
requirements, as well as continuous improvement actions in those fields. In December
2009, 1 064 785 organizations were ISO 9001 certified (China having the most certified
organizations: 257 076).

ISO 14001 is mainly related to environmental management. It defines the actions that the
organization can implement for the maximum reduction of negative impacts of its activities
on the environment and for the continuous improvement of its environmental performance. In
December 2009, 223 149 organizations were ISO 14001 certified (China having the most
certified organizations: it had 55 316 in 2009; Japan is second with 39 556 certified
organizations).

OHSAS 18001 (OHSAS = Occupational Health and Safety Assessment Series) identifies
best practices for the rigorous management and effective protection of occupational
health and safety. In spite of the publication of the ISO 18001 standard after various
disagreements within the ISO organization about creating a management standard for health and
safety, OHSAS 18001 is the de facto standard for health and safety in the enterprise.
OHSAS 18001 is a private norm. It was developed from existing national standards (BS
8800, UNE 81900, VCA) and standards published by different certification bodies (OHSMS,
SafetyCert, SMS 8800).
ISO 20000-1 defines the requirements that an information technology service provider must
apply. This standard applies to service providers regardless of the organization's size or
type. The standard consists of two parts. The first part defines the specifications the
organization shall apply to obtain certification. The second part (ISO 20000-2) explains the
different practices or recommendations to reach the objectives previously defined.

ISO 22000 creates and manages a food safety management system (FSMS). This standard
applies to all organizations that are involved in any aspect of the food supply chain and
want to implement a system to continuously provide safe food. This standard focuses on
personnel competencies and continuous information research about food products (new
legislation, standards, rules, etc.). Organizations must perform a HACCP (Hazard Analysis
Critical Control Point) analysis to identify, analyze and evaluate the risks to food safety. For
each risk that has been defined as significant, the organization must define controls to implement.
ISO 22301 defines the requirements that an organization must apply to certify a Business
Continuity Management System (BCMS). To comply with the requirements of this standard,
the organization needs to document a model to develop, implement, operate, monitor,
review, maintain and improve a BCMS, to increase the resilience of the organization in case
of a disaster. This standard is compatible with PAS 22399 (Guideline for incident
preparedness and operational continuity management) and BS 25999 (British Standard on
business continuity).

ISO 27001 defines the requirements that an organization must apply to provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving an
Information Security Management System (ISMS). An ISMS is a framework of policies and
procedures that includes all legal, physical and technical controls involved in an
organization's information risk management processes. The ISO 27001 standard does not
mandate specific information security controls, but it provides a checklist of controls that
should be considered in the accompanying code of practice, ISO 27002. This second
standard describes a comprehensive set of information security control objectives and a set
of generally accepted good practice security controls.

ISO 28000 prescribes the requirements applicable to a security management system for the
supply chain. An organization has to define, implement, maintain and improve a supply
chain security management system during each step of production: manufacturing,
maintenance, storage or transport of goods.




Slide 22: Integrated Management System
Common structure of ISO standards

Requirements                        | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
------------------------------------|---------------|----------------|----------------|----------------|---------------
Objectives of the management system | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Policy of the management system     | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Management commitment               | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements          | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                      | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Continual improvement               | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Management review                   | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7

More and more organizations have to manage several compliance frameworks
simultaneously. To simplify the work, to avoid conflicts and to reduce duplication of
documents, it is recommended to implement an integrated management system. The table
in the slide presents certain requirements that are common to all management systems.
Important note: In June 2009, the Technical Steering Committee of ISO adopted a
resolution asking the committees involved in the development of standards to specify the
requirements of a management system (ISO 14001, ISO 22000, ISO 27001, etc.) by
following a common structure of clauses in line with ISO 9001. This directive is applicable to
the versions published after 2011, so the common elements of every management system
will have the same reference. The main objective is to facilitate the combined management
of a normative framework for an organization.

Slide 23: Other Information Security Standards
Examples

As of March 2012, there are 106 published ISO standards on information security (JTC 1/SC
27 technical committee), including the following examples:
ISO 9798: This standard specifies a general model including the requirements and
constraints for the use of identity authentication mechanisms. These mechanisms are used
to demonstrate that an entity is who it claims to be. Details on the different mechanisms
are explained in the different parts of this standard.
ISO 11770: This standard defines a general model for key management independent of the
cryptographic algorithm used. This standard addresses both automatic and manual key
management and the required sequence of operations. However, it does not specify details
on the interface protocols needed for the operations.
ISO 15408: Under the general title Common Criteria, the scope of this standard is its use
as a basis to evaluate the security properties of Information Technology (IT) products
and systems. A free copy can be downloaded from the ISO website.
It contains the following parts:
- Part 1: Introduction and general model;
- Part 2: Security functional components;
- Part 3: Security assurance components.

ISO 21827 specifies the Systems Security Engineering - Capability Maturity Model (SSE-CMM),
which describes the essential characteristics of an organization's security
engineering process that must exist to ensure good security. ISO 21827 does not prescribe
a particular process or sequence, but captures practices generally observed in industry. The
objective is to facilitate an increase in the maturity of the security engineering processes within
the organization.
ISO 24761 specifies the structure and elements of a mechanism for authentication using
biometrics in the verification process.
ISO 27033 provides an overview of network security and related definitions. It defines and
describes the concepts associated with network security. The various parts of ISO 27033
address specific topics related to network security.

Slide 24: History of the ISO 27001 Series
Important dates (timeline):
- 1990: Code of best practices (published by a group of companies)
- 1995: BS 7799-1, Code of best practices
- 1998: BS 7799-2, ISMS certification schema
- 2000: ISO 17799, Best practices code
- 2005: New version of ISO 17799; ISO 27001 publication
- 2007: ISO 27006, Certification organization requirements
- 2008+: Publication of other standards of the 27000 family; revision of ISO 27001 and ISO 27002 in progress

Beginning of the 1990s
- An industry need expressed in terms of better practices and controls to support trade and
government in the implementation and improvement of information security;
- The Ministry of Commerce and Industry (United Kingdom) forms a work group bringing
together directors with experience in information security;
- Publication of a collective work of advice on the management of information security.

1992
- Guide of good practices of the industry (September), initially published as a British
Standards Institution (BSI) publication;
- This guide was the basis for the British Standard BS 7799-1.
1995
- BS 7799-1:1995 published as a British standard.

1996 - 1997
- Identification of a need to increase the level of confidence in the BS 7799 standard;
- The industry requests a certification programme for an ISMS.

1998
- Launch of the ISMS certification model (published as BS 7799-2:1998).

1999
- Revision of BS 7799-1:1999 (updates and addition of new security controls):
  - New security controls: e-commerce, mobile IT, third-party agreements;
  - Removal of specific references to the United Kingdom.
- BS 7799-2:1999 (alignment of controls to BS 7799-1).
2000
- Publication of ISO 17799:2000.
2002
- Launch of BS 7799-2:2002. The main updates are:
  - Integration of the Plan-Do-Check-Act (PDCA) model;
  - ISO 17799 controls included as an annex to the standard;
  - Annex demonstrating the connection between BS 7799-2, ISO 9001 and ISO
14001.
2005
- Publication of the new version of ISO 17799:2005.
- Publication of ISO 27001:2005, which replaces BS 7799-2 and contains:
  - ISMS specifications;
  - ISO 17799 controls in the standard's annex;
  - Annex demonstrating the connection with ISO 9001 and ISO 14001.

2007
- Publication of ISO 27002:2005, replacing ISO 17799:2005 (no change in the content, just
the identification number);
- Publication of ISO 27006:2007 (Requirements for bodies providing audit and certification
of information security management systems).

2008
- Publication of ISO 27005:2008 (Information security risk management);
- Publication of ISO 27011:2008 (Information security management guidelines for
telecommunications organizations based on ISO 27002).

2009
- Publication of ISO 27000:2009 (Information security management systems -- Overview
and vocabulary);
- Publication of ISO 27004:2009 (Information security management -- Measurement);
- Publication of ISO 27033-1:2009 (Network security -- Part 1: Overview and concepts).
2010
- Publication of ISO 27003:2010 (Information security management system
implementation guidance);
- Publication of ISO 27033-3:2010 (Network security -- Part 3: Reference networking
scenarios -- Threats, design techniques and control issues).
2011
- Publication of ISO 27005:2011 (Information security risk management);
- Publication of ISO 27006:2011 (Requirements for bodies providing audit and certification
of information security management systems);
- Publication of ISO 27007:2011 (Guidelines for information security management systems
auditing);
- Publication of ISO 27008:2011 (Guidelines for auditors on information security controls).




Slide 25: ISO 27000 Family
- Vocabulary: ISO 27000 (Vocabulary)
- Requirements: ISO 27001 (ISMS requirements); ISO 27006 (Certification organization requirements)
- General guides: ISO 27005 (Risk management); ISO 27004 (Metrics); ISO 27003 (Implementation guide); ISO 27002 (Code of practices); ISO 27007-27008 (Audit guides)
- Industry guides: ISO 27011 (Telecommunications); ISO 27799 (Health); ISO 270XX (others)

Resulting from international workgroup reflections dedicated to the information security
scope, the ISO 27000 family has been progressively published since 2005. ISO 27001:2005 is the
only certifiable standard of the ISO 27000 family. The other standards are guidelines.

- ISO 27000: This information security standard develops the basic concepts as well as
the vocabulary that applies when analyzing Information Security Management Systems.
A free copy of this standard can be downloaded from the ISO website.
- ISO 27001: This information security standard defines the requirements of
Information Security Management Systems (ISMS).
- ISO 27002 (previously ISO 17799): Guide of best practices for the management of
information security. This standard defines objectives and recommendations in terms of
information security and anticipates meeting the global concerns of organizations relating to
information security for their overall activities.
- ISO 27003: Guide for implementing or setting up an ISMS.
- ISO 27004: Guide of metrics to facilitate ISMS management; it provides a method to
define the objectives for implementation and effectiveness criteria, and follow-up and
evolution measurements all through the process.
- ISO 27005: Guide for information security risk management which complies with the
concepts, models and general processes specified in ISO 27001.
- ISO 27006: Guide for organizations auditing and certifying ISMSs.
- ISO 27007: Guidelines for information security management systems auditing.
- ISO 27008: Guidelines for auditors on information security controls.
- ISO 27011: Guidelines for the use of ISO 27002 in the telecommunications industry.
- ISO 27031: Guidelines for information and communication technology readiness for
business continuity.
- ISO 27799: Guidelines for the use of ISO 27002 in health informatics.

Slide 26: ISO 27001
- Specifies requirements for ISMS management (Clauses 4 to 8)
- Requirements (clauses) are written using the imperative verb "shall"
- Annex A: 11 clauses containing 39 control objectives and 133 controls
- Organizations can obtain certification against this standard

ISO 27001:
- A set of normative requirements for the establishment, implementation, operation,
monitoring and review to update and improve an Information Security Management
System (ISMS);
- A set of requirements for selecting security controls tailored to the needs of each
organization, based on industry best practices;
- A management system that is integrated in the overall risk framework associated with the
activity of the organization;
- An internationally recognized process, defined and structured to manage information
security;
- An international standard to suit all types of organizations (e.g. commercial enterprises,
government agencies, nonprofit organizations ...), of all sizes in all industries.
ISO 27001, clause 0.1: General
This International Standard has been prepared to provide a model for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an Information
Security Management System (ISMS). The adoption of an ISMS should be a strategic
decision for an organization. The design and implementation of an organization's ISMS is
influenced by their needs and objectives, security requirements, the processes employed
and the size and structure of the organization. These and their supporting systems are
expected to change over time. It is expected that an ISMS implementation will be scaled in
accordance with the needs of the organization, e.g. a simple situation requires a simple
ISMS solution.
This International Standard can be used in order to assess conformance by interested
internal and external parties.
