bsi.

Table of Contents: Welcome and Agenda; Slides; Case Study 1.

making excellence a habit
ISMO3001ENIN v1.0(AD01) Apr 2015 ©The British Standards Institution 2015

Information Security Management System (ISMS): Internal Auditor Training Course (BS ISO/IEC 27001:2013)
Delegate Workbook
Version 1.0(AD01) April 2015
By Royal Charter

This material is for the sole use of a delegate attending a course presented by BSI. No part of the materials may be reproduced, stored electronically, or transmitted in any form or by any means without the prior written consent of BSI.

1. Welcome to the Information Security Management Systems Internal Auditor Training Course (BS ISO/IEC 27001)

The tutors and BSI staff welcome you to this class. We aim to provide the best and most authoritative training available on internal auditing against the ISO 27001 Information Security Management Systems standard. We believe that you get the most out of the course by fully joining in the discussions and exercises. Participation brings better understanding and provides a good foundation on which to further develop your expertise. It also makes the course fun. We invite you to join.

1.1 Schedule
Please return to class on time after breaks or lunch. The agenda included in this delegate workbook thoroughly outlines the course schedule.

1.2 Personal Property
Please do not leave valuables unattended. Keep them with you or make other arrangements for their safe custody.

1.3 Facilities
The tutor will inform you of the nearest restrooms and the location of public telephones for use during class breaks.

1.4 Recording
Please do not use recording devices since they tend to restrict free discussion.

1.5 Safety
Please familiarize yourself with any safety notices and the actions to be taken in the case of fire, including the position of fire exits in the lecture and other rooms that you may occupy whilst at the course venue.

1.6 Smoking
Please do not smoke in the lecture or other rooms used for course work.

1.7 Mobile phones, pagers and laptops
Please do not have pagers, mobile phones or laptops switched on during class sessions unless agreed with the tutor prior to the course.

1.8 Special Needs
Please inform the tutor of any special needs (dietary, physical, etc.) that you have.

2. Agenda

Day 1
Tutor Introduction
Welcome and Safety Information
Delegate Introductions
Overview of Course Structure and Learning Objectives
Background to Information Security Management Systems (ISMS)
ISO 27001: Structure, Auditing Areas, Terms and Definitions
Management System and ISMS Auditing
Auditor Competence, Responsibilities and Characteristics
Audit Evidence Triangle
Types of Audit
Audit Activities
Creating an Audit Plan
Checklists
Audit Questioning Techniques
Communication and Interpersonal Skills
Conducting the Opening Meeting
Conducting an Audit
17:00 Day 1 Review and Questions

Day 2
Review of Day 1
Quiz - Work Documents
Conducting an Audit
Nonconformities and Writing Nonconformities
Creating the Audit Report: Prepare, Approve & Distribute
Conducting Audit Follow-up Activities
16:30 Exam

Two short breaks will be taken at suitably convenient times in the morning and afternoon. An hour will be given for a lunch break. Additional breaks may be taken as long as agreed by delegates and tutor, and all learning objectives are met.
Information Security Management System (ISMS): Internal Auditor Training Course (BS ISO/IEC 27001:2013)
Copyright © 2015 BSI. All rights reserved.

BSI Training Course Structure
Where are you on the map?

Appropriately trained auditors will bring added value to the internal audit process. The ISO standard that we will be referencing states that planned audits are a requirement for any Information Security Management System which claims compliance to it. You will develop the necessary skills to carry out internal audits and be imparted with the core knowledge and requirements to help your business to remain compliant to the latest international standard for information security, ISO/IEC 27001.

Welcome!
For your personal safety, please be aware of the emergency exits from your classroom and the building, and assembly points and fire drill test times.
The tutor will inform you of the nearest restrooms.
Please do not leave valuable items unattended in the classroom. Keep them with you or make other arrangements for their safekeeping.
Please be considerate of other delegates and avoid distractions from your personal electronic devices - mobile phones off/silent please.
Please do not use recording devices as they may restrict free discussion.
The tutor will inform you of the lunch and break schedule. Please return to class on time.
Please refrain from smoking in the classroom, or any breakout areas used for course work. The tutor will inform delegates of any area(s) known to be available for smoking.
If there are any special needs (dietary, etc.) please confirm these now.

The tutor(s) will introduce themselves.

This is your first audit! Using the checklist below please interview the person next to you (around 5 minutes for each person - the timer on the slide will remind you):
+ Delegate name
+ Company and product or service
+ Job position or role
+ Level of knowledge in Information Security including knowledge of ISO 27001 (1-10)
+ Level of knowledge in auditing (1-10)
+ Any specific expectations for this course
+ Something interesting about the person
Be ready to introduce this person to the rest of the class!

Course Aim
To provide guidance and practical experience in planning, executing, and reporting Information Security Management System audits. The course is broken down into a combination of knowledge and skills. We will increase your knowledge of ISO 27001, ISO 19011, and ISO 27007 and in some cases actually introduce them to you. You may be unfamiliar with some of the terms above; please do not worry, these will be explained as the course progresses.
Learning Objectives
Learning objectives describe in outline what you will know and be able to do by the end of the course. On completion, delegates will gain the displayed knowledge and skills.

This course includes a detailed delegate workbook, tutorial sessions and practical activities. The contents of the Delegate Workbook include an agenda, slides and associated notes (like these), activities, references and case study materials. Model answers (in the references section) are included in the folder for reference after completing the activity, not for copying from during the activities. The activities are designed to increase understanding of the key learning points; for the delegate to look at the answers prior to the activity will cause the effect to be lost. Delegates are expected and encouraged to participate, experiment, and question in a stress-free environment.

In order to be able to become a competent auditor of a management system we must understand what it is the system is managing. A management system is a framework of processes and procedures used to ensure that an organization can fulfil all tasks required to fulfil its objectives, whatever those objectives may be. In this case we are talking about Information Security. ISMS stands for Information Security Management System.
So what is information? What is an information asset?
Information is knowledge or data that has value to the business or organization. This information can be stored in any format. What are some examples of the format in which information can be stored?

Despite its "Information Technology" title this is an Information Security Management Systems standard. Information may be:
+ Printed or written on paper
+ Stored electronically
+ Transmitted by post or using electronic means
+ Shown on corporate videos
+ Verbal - spoken in conversations

'... Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.' (ISO 27002)

We're managing information in all its forms. It is very easy to overlook information assets that are in the written form. We're managing information through its entire lifecycle, from first draft through several drafts to usage and ultimately its (securely managed) disposal.

+ Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
+ Integrity: the property of safeguarding the accuracy and completeness of assets
+ Availability: the property of being accessible and usable upon demand by an authorized entity

There are three main principles which ISO 27001 addresses when it comes to the security of information. This is commonly known amongst IT Security Professionals as the CIA triad. What is Non-repudiation?

ISO 27001 Clause 9.2 - Internal audit:
+ Planned intervals - control objectives/controls/processes/procedures of the ISMS
+ Audit programme - status and importance
+ Results of previous audits
+ Audit criteria, scope and frequency
+ Method
+ Auditors shall not audit their own work
+ Management responsible - ensure that actions are taken without undue delay
+ Follow-up verification of actions taken and reporting of results
+ Maintain documented information as evidence of audit results

Within ISO 27001, Clause 9.2 states that 'The organization shall conduct internal audits at planned intervals'. The keyword here is shall. It means it is a requirement and not a guideline or a suggestion. It doesn't dictate the period of time between internal audits but states that the audit programme shall take into consideration the importance of the processes concerned and the results of previous audits.

ISO 27007
ISO 27007 provides guidance on:
+ Managing an ISMS audit programme
+ Conducting ISMS internal and external audits
+ Competence of ISMS auditors

ISO 27007 does provide guidance on auditing Information Security Management Systems. ISO 27007 does not replicate any of the generic auditing guidelines which are found in ISO 19011. Where the information is already found in ISO 19011 it will direct the reader to the point which deals with the specific guideline.

Note: BSI Client Managers follow ISO 17021 - Requirements for bodies providing audit and certification of management systems - when auditing clients' management systems.
This publication gives specific requirements, as opposed to guidelines, to 3rd party auditors.

Activity 2: Auditing Terms and Definitions
Purpose: To familiarize delegates with common audit terms and ISO 27000 definitions
Duration: 10 minutes individual work; 5 minutes class discussion
Directions: Working individually, review the auditing terms and definitions on the next page, and note which definition belongs to which term. (Simply note the correct letter of the definition next to the appropriate term. Once completed, compare with your colleague and note any differences.) Once completed, the tutor will discuss the correct answers with the class.

What is an audit?
+ Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (Clause 3.1, BS EN ISO 19011)

After answering this and discussing with the class, review the definition of an audit in the standard.

Activity 3: Definition of an audit
Purpose: To gain full understanding of the definition of an audit
Duration: 10 minutes group activity; 10 minutes class discussion
Directions: Working in small groups as directed by the tutor, review the definition of an audit as defined in ISO 19011. Discuss what is meant by each of the underscored words, document your answers on a flip chart and be prepared to present your findings to the other delegates.

Audit: Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (Clause 3.1, BS ISO 19011)

Term           | Definition
Systematic     |
Independent    |
Objective      |
Audit Criteria |

Plan, Execute, Report, Close-out/down
An audit is based around the acronym P.E.R.C. - Plan, Execute, Report, Close out/down. Each of these areas will be covered in this order. It acts like a process - one leads into the next. This also links to PDCA - continual improvement. The audit is not complete or effective unless these four stages have been completed.

Note: the new high level structure includes records within the term 'document', so has no need to use the term 'record'. Explain what documents/records may be produced as a result of an audit.
The Process Approach
The Process Approach systematically identifies and manages the linkage, combination, and interaction of a system of processes within an organization. The process approach emphasizes the importance of:
+ Understanding and meeting requirements
+ Looking at processes in terms of risk
+ Obtaining results of process performance and effectiveness
+ Continual improvement of processes based on objective measurement

This management system can be viewed in the spirit of the process approach and the PDCA cycle. A process is a set of interrelated or interacting activities that use resources to transform inputs into outputs.

Activity 4: Process approach
Purpose: To demonstrate to the delegate how the process approach can be applied to various activities.
Duration: 10 minutes in groups; 10 minutes classroom discussion
Directions: In your groups as directed by the tutor, replicate the diagram drawn by the tutor on the previous slide for a process of the tutor's choice. Flipchart your diagram taking into account Management, Resources, Inputs, Outputs and Activities. Be prepared to brief the other delegates on your process.

A process is a series of steps carried out to turn inputs into outputs.
In generic terms, applicable to all audits against whatever criteria, the auditor gathers objective evidence which is verifiable, and compares it to the Audit Criteria. The auditor then makes a decision based on these findings, which is the output. The output then feeds into the audit report, which we will come on to later.

Audit objectives taken from ISO 19011 and ISO 17021:
The audit objectives define what is to be accomplished by the audit and may include the following:
+ Determine the extent of conformity of the auditee's management system, or parts of it, with audit criteria
+ Evaluate the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements
+ Evaluate the effectiveness of the implemented management system in meeting specified objectives
+ Identify areas for potential improvement of the management system

Activity 5: Principles of auditing
Purpose: To introduce the delegate to the principles of auditing as documented in ISO 19011 - Guidelines for auditing management systems.
Duration: 10 minutes in groups; 10 minutes classroom discussion
Directions: The tutor will hand out laminated cards of two colors. Put the cards into pairs of one color each, one principle to one expansion. Be prepared to brief the rest of the delegates on your answers.

Activity 6: Auditor Attributes
Purpose: To increase the delegate's knowledge of the competence required by an auditor and the personal attributes that make a good auditor.
Duration: 15 minutes in groups; 15 minutes classroom discussion
Directions: In your groups, as directed by the tutor, come up with positive attributes an individual would have as a successful auditor. Document your findings on a flip chart and prepare to brief the other delegates on your findings.

Ensure that the auditee knows when the audit will commence and who needs to be involved; arrive prepared and consider the auditee's needs (they are busy people).

Maintain confidentiality: Information shared regarding the business may be confidential and must remain so. Although you work for the same organisation, it is important that any audit findings are not discussed or shared outside of the audit. Sharing audit information with others will undermine the credibility of auditors and the audit process.

Support the audit team leader (if there is one): When working as part of a team, take on the tasks allocated by the team leader. Do not undermine the team leader's authority. If you need to bring things to the attention of the team leader, do so at the appropriate time and place.

Plan the audit and prepare work documents: Ensure the plan is completed and communicated. Prepare appropriate checklists for the relevant audit activities. Share the plan and the checklists with the auditee.
Inform auditees of the audit process: The audit process is an open one, and will be more effective if the auditee knows what will happen. Introduce the audit approach at each stage; ensure the auditee understands what is going to happen.

Carry out audit tasks: Complete the tasks required by the plan. Keep to the timetable. Manage the time against the plan and, if required, change the plan. If the plan changes ensure the auditee is kept informed.

Document all findings: Record accurate records. Make sure the correct sample references are taken. Ensure that any notes are complete, legible and can be read by others.

Keep auditees informed throughout the audit: Advise the auditee of what you are going to do, and advise the auditee of what you have done. Feed back verbally on the findings. There should be no surprises for the auditee.

Safeguard all documents: Ensure that samples/documents are returned to the auditee. Ensure that the audit report is distributed correctly and not disclosed to others outside of the audit.

Prepare the audit report: Ensure that you, the auditor, understand the report. Ensure that the auditees understand the report. Ensure that it is completed on time and that it is balanced and contains both positive and negative feedback.

How are we going to obtain Objective Evidence?
There are three methods:
1. We can visually see a process being carried out.
2. We can be told a Statement of Fact in an interview with a responsible individual from the area that we are auditing.
3. We can inspect relevant documents.
Activity 7: The audit process
Purpose: To explain the audit process.
Duration: 15 minutes in groups; 15 minutes classroom discussion
Directions: The tutor will provide each group with a pack of cards. Please try and arrange these into a logical process to explain the sequence of activities that are involved in a generic management system audit.

First, Second & Third-party Certification audits

1st Party
A first party audit is an audit conducted by an organization on itself, to determine whether their systems and procedures are consistently improving their ability to provide products and/or services to customers and users, and as a means to evaluate conformance with their procedures and the standard. Internal audits are a requirement of ISO 27001 clause 9.2.

2nd Party
A second party audit is that carried out on a current or potential supplier by a purchasing organization; audit results may then be used as part of the purchasing equation. This is just one method of complying with ISO 27001 Control objective A.15.1 Information security in supplier relationships. Purchasers must consider factors such as access to data and assets, competence of staff, information security events and how this is monitored and reviewed. This should mean that even if a supplier had a very attractive price, they would not be given a contract where risk was involved due to weaknesses in their Information Security Management System.

3rd Party - Certification or Independent
The third party ISO 27001 certification scheme was designed to reduce, and perhaps remove, the need for many second party audits, by providing a list of companies whose systems had been assessed and shown to be in conformance with a level of ISO 27001. The assurance thus provided to potential customers could mean that they might not have to audit suppliers themselves, providing that the assurance given by the third party satisfied their needs. An organization may also invite an independent body (e.g. a consultancy) to audit their management systems for a purpose other than certification, i.e. an evaluation of statutory and regulatory requirements or to assess the effectiveness of a particular process etc. This could also be considered a third party audit, from the perspective of the consultancy.

Audit Process
+ Similarities
+ 1st, 2nd & 3rd party certification audit
+ Guidelines for auditing management systems (ISO 19011)

The tutor will now explain in further detail the process steps just identified. Please note all these activities may not be required for an internal audit. Please ask questions on any step as they arise, with the tutor.

Similarities include:
+ Preparation - before the audit
+ Communication - during the audit
+ Collection and verifying findings
+ Conclusions - from findings
+ Reporting - preparation & distribution

A useful acronym is P.E.R.C.: Planning, Execute, Reporting, Close out/down findings.
ISO 19011 - Figure 2: Typical Audit Activities
The tutor will direct the class to ISO 19011 Figure 2 and explain the above process with you. Please note all these activities may not be required for an internal audit.

Activity 8: Creating an Audit Plan
Purpose: Gain experience in creating audit plans
Duration: 20 minutes group work; 10 minutes feedback and discussion
Directions: Individually read the supplied case study notes, then in your allocated groups prepare an audit plan. Flipchart your plan and be prepared to discuss your plan with the other delegates. Using the information provided, determine:
1. Who you will interview and the activity/clause to be assessed
2. How long each interview might take
3. Time for the opening and closing meetings

Audit Objective: To assess the implementation & effectiveness of the audit criteria as part of a mandated planned internal audit.
Audit Criteria: LOCC Risk Treatment Plan
Audit Scope: LOCC Contact Centre in India
Auditee Representative: Department Representatives as requested by the auditor.
Check List
A document that is created during the planning phase of an audit. It is often called an Aide Memoire, and this is a more accurate description of its purpose. Created using the audit plan, it can essentially be a list of open questions the auditor wishes to ask the auditee. Its main functions are to:
+ Keep the audit objectives clear
+ Provide evidence of audit planning
+ Maintain the audit pace and continuity
+ Reduce workload during the audit
Checklists lose effectiveness when used as tick sheets or questionnaires.

Activity 9: Check lists
Purpose: To give the delegate the opportunity to create a check list from the case study material for use in an audit later in the course.
Duration: 30 minutes group work; 10 minutes feedback and discussion
Directions: In your groups, using the case study notes and the audit plan you prepared in the last activity, come up with 5 'open' questions you would ask during an interview with the personnel you chose in your audit plan. Try to avoid 'closed' questions. Flipchart your plan and be prepared to discuss your plan with the other delegates.

Effective Communication
Perhaps the biggest challenge for the auditor is the fact that finding out information depends, amongst other things, on communication skills.
Within a very short time of meeting someone, the auditor needs to have developed a degree of rapport with that person to obtain the facts essential to the investigation whilst remaining objective. If these facts are indicative of a lack of management control in the area, then the auditor needs to be tactful in the way these findings are presented.

The main method of soliciting information is by asking questions in a series of interview situations. Though not always appreciated, the best interviewers are those who say least and have an ability to listen to, or hear, what is being said. By combining this with the right kind of attitude and tone, the auditor generates an atmosphere in which good communication can take place.

The interviewee (the auditee) must not feel threatened by the auditor. Many people are easily intimidated by auditors. The auditor can avoid generating this by being polite, patient, slightly informal and not afraid to smile. Showing interest in what people say is essential. Holding a degree of eye contact and giving small verbal acknowledgements ('I see', 'ah', 'yes', and so on) will show that the 'transmission is being received', as will the right facial expression and head movement. There are no standard expressions and head movements recommended to elicit information; each auditor will develop their own style.

It often happens that the auditee (because the majority of them are human) misunderstands a question or is determined to tell the auditor about some other matter. They may even say something which the auditor knows not to be true. If the auditor interrupts abruptly or directly contradicts the auditee, easy communication will not continue.
Activity 10: Opening Meeting

Purpose: To identify agenda items for use in an opening meeting and their purpose.

Duration: 15 minutes whole class.

Directions: Whole class, please shout out the possible agenda items for an opening meeting. The tutor will record these on a flipchart and ask the purpose/meaning behind them.

The Opening Meeting

Introductions prior to the opening meeting: it is possible that only the team leader and the company management representative have had any contact, as a Stage 1 audit has now been conducted. This meeting affords the opportunity for the whole audit team and the management team to meet. In a 3rd party audit there is likely to be a degree of tension, and although the meeting is formal the team leader must try to relieve some of this tension.

The ground rules of the audit will be explained; the purpose, scope and issue status of the ISMS reaffirmed. The programme (a copy of which has previously been sent to the auditee) is confirmed, and all the logistical arrangements set.

The allocation by the company of guides for the auditor is important, since no auditor must walk about the client's premises unaccompanied. Explain the reporting methods, also the definitions of observation, issue and nonconformity, and their implications. Remember delegates have not covered these definitions at this time.

It is normal, and good practice, to establish who will have authority for the signing of any issue/nonconformity reports if raised. Care should be taken not to suggest that this is the sole intention of the audit.
Activity 11: Conducting an Audit

Purpose: To give delegates the chance to conduct an audit in a stress-free environment by simulating an internal audit situation using audit plans, check lists and the LDCC case study notes.

Duration: 60 minutes.

Directions: For this exercise, you will rely on the case study notes and the Audit Objectives, Criteria, Scope and associated checklists already compiled.

When it is not your turn to act as an auditor, you should take thorough notes, with special attention to any nonconformity identified or any good points (positives). Listen carefully to the auditor's interview questions and the responses from the auditees.

Note: Nonconformities found in this exercise will be used in upcoming exercises, so make sure you take excellent notes!

The tutor will act as the auditee; you should ask whom you wish to speak to before you start asking the question. Records will be provided during the audit (upon request).

Evening Work
+ Read through course notes for today's quiz
+ Familiarize yourself with ISO 27001:2013
+ Read case study notes

Evening work, day 1

Read through the course notes. Make a note of any points you don't understand and bring them up with the tutor at the start of day 2.

Read through ISO 27001:2013. Don't try to memorize it; read the different clauses and controls and attempt to map them to the working practices of your own organization.

Read the case study notes. There will be another audit tomorrow using this case study.
You will be required to produce work documents for the audit.

Activity 12: Closed Book Quiz

Purpose: To test delegates' knowledge and understanding of the material discussed in day one.

Duration: 30 minutes individually; 20 minutes classroom discussion.

Directions: Working individually, and without referring to your notes, work through all 10 questions and decide on your answers. After 30 minutes the tutor will go through the questions with the delegates as a group, giving explanations for the correct answers.

1) Which publication gives guidelines specifically for the au
2) What is the definition of an Information Asset?
3) Name the 3 principles of Information Security
4) What is an audit?
5) What does the acronym PERC stand for?
6) What is a record?
7) What is a process?
8) Give two examples of audit objectives.
9) List 3 principles of auditing.
10) List 5 responsibilities of an auditor.

Activity 13: Work Documents

Purpose: To practice and test the skills for preparing the necessary work documents: Audit Plans and Checklists.
Duration: 30 minutes in groups. (These will be used to audit the 'Physical Entry' and 'Back up' Risk Treatment Plan.)

Directions: Working in teams, as directed by the tutor, and using the case study material as well as the loan publications, create work documents to audit the particular area of the business assigned to you.

Audit Objective: To assess the implementation and effectiveness of the audit criteria as part of a mandated planned internal audit.
Audit Criteria: Physical Access or Back up Procedure (as directed by the course tutor).
Audit Scope: LDCC Contact Centre in India
Auditee representative: Department representatives as requested by the auditor.

Activity 14: Conducting an Audit

Purpose: To give delegates the chance to conduct an audit in a stress-free environment by simulating an internal audit situation using audit plans, check lists and the LDCC case study notes.

Duration: 60 minutes group work.

Directions: For this exercise, you will rely on the case study notes and the Audit Objectives, Criteria, Scope and associated checklists already compiled.

When it is not your turn to act as an auditor, you should take thorough notes, with special attention to any nonconformity identified or any good points (positives). Listen carefully to the auditor's interview questions and the responses from the auditees.

Note: Nonconformities found in this exercise will be used in upcoming exercises, so make sure you take excellent notes!

The tutor will act as the auditee; you should ask whom you wish to speak to before you start asking the question. Records will be provided during the audit (upon request).
Nonconformity (knowledge)

Quality management systems - Requirements

Minor nonconformity: A single identified lapse which would not in itself either lead to nonconforming products or services being delivered, or raise significant doubt as to the capability of the management system to achieve the policy and objectives of the organization.
Example -

Major nonconformity: Failure to fulfil one or more requirements of the management system standard, or a situation that raises significant doubt about the ability of the management system to achieve its intended outputs. This would also extend to a failure in the management system to identify, or meet, applicable legal requirements for the product.
Example -
Activity 15: Nonconformities

Purpose: To enhance your understanding of ISO 27001 in an audit situation, and show how you would determine conformity or nonconformity.

Duration: 40 minutes in groups; 10 minutes class discussion.

Directions: In groups, review the scenarios on the following pages and, using your judgement and the loan copies of the standards in front of you, decide whether you believe this to be a nonconformity using ISO 27001 as your criterion. If you believe there is sufficient evidence to raise a nonconformity, then state which clause or control you can raise it against. If you don't believe there is sufficient evidence to raise a nonconformity, then state the audit trail which you would follow to obtain objective evidence to prove conformity (or otherwise).

Scenario 1: During a planned internal audit within LDCC the auditor interviews the ISMS manager, Tim, about the company's Risk Assessment Process.

Auditor: "How do you decide which risks to accept and which risks to control?"
Tim: "Assets are graded in terms of their value to the organization; they can be Low, Medium, High or Very High."
Auditor: "Do you have definitions of what terms like 'High' mean?"
Tim: "No, there is no need. If the asset owner doesn't know, I will tell them."
Auditor: "Do you take into account likelihood when assessing risk?"
Tim: "Well, yes. It's just that some people try to put controls on a risk which is very unlikely to occur; again, I will tell them."

Scenario 2: During an interview with John Bishop, the IT Manager, the auditor asks about risks to the main server.

Auditor: "How would the organization cope if the main server was to fail?"
John: "Good question.
In an ideal world we would have a backup server; however, this was too costly. My technical team are competent to bring the server back online within the maximum tolerable downtime, which was signed off by management."
Auditor: "But what if the data is irretrievable?"
John: "I knew you would ask that. All our data, including system images, is backed up as per the RTP. The technical staff retrieve it from the offsite storage facility and the job's a good 'un."
Auditor: "What action do you take when the technical team can't repair the server within the maximum tolerable downtime?"
John: "We've never had to take any action. We've never lost the server."

Scenario 3: During an internal audit at LDCC the auditor asks to be taken to where customer data is processed.

Guide: "Sure, it's all processed in this secure room." (The guide escorts the auditor to a room with swipe card access and he rings the bell. Sarah comes to the door.)
Sarah: "Hello, my name is Sarah and I am the office manager in here."
Auditor: "Hello, I shouldn't keep you long, I just have a couple of questions if that's ok?"
Sarah: "Sure, ask away!"
Auditor: "Would you like me to sign the visitors log?"
Sarah: "Ha ha! No it's fine, we know who you are and where you are from, but thanks for offering."
Nonconformity statement example (only partly legible): "... the justification for the exclusion of control A.14.2.7 'Outsourced Development' is missing."

This is an example of a good nonconformity statement. It has the 3 main requirements for the report:
R - Requirement: In this case we are using the standard as the criteria, and the requirement is what the clause states.
E - Evidence: The Statement of Applicability is your evidence.
D - Discrepancy: Justification for the exclusion of control A.14.2.7 is missing.

The closing meeting is facilitated by the audit team leader and is held to present audit findings and conclusions. A sample agenda is contained on the slide. Attendees should be the management of the area being audited. The objective and scope of the audit should be repeated to ensure that the basis for the audit is in no doubt. It must be restated that the audit was a sample of activities and therefore not every conforming or nonconforming area was seen. Therefore it is possible that there are nonconformities in areas not covered by this audit.

The audit findings and conclusions must be presented in such a manner that they are understood and acknowledged by the auditee's management. It is recommended that all positive findings (good practice, etc.) are covered first and then nonconformities (if any). All diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded.
The team leader is responsible for presenting the conclusion that the audit results have led the team to reach. This is the 'informed judgment'. It takes into account the seriousness of any nonconformities and whether they indicate a departmental or organization-wide breakdown of systems. They must be balanced with positive findings made during the audit.

The audit report should provide a complete, accurate, concise and clear record of the audit and should include or refer to the following:
+ the audit objectives, scope and criteria;
+ identification of the audit client;
+ audit team and auditee's participants;
+ dates and locations where conducted;
+ audit findings and evidence;
+ audit conclusions;
+ statement of the extent to which the criteria have been fulfilled.

Please see an example audit report in your references section.

Activity 16: Audit Report

Purpose: To allow the delegate to develop the skill to draft an audit report.

Duration: 60 minutes.

Directions: In your groups, submit an audit summary using the template provided. Base your report on the audit carried out on the second day. Each delegate is therefore required to submit, on the morning of the last day of the course, a written report based on the information gained from case studies 1 and 2, and in accordance with the instructions that will be given by the tutor. For this exercise, it is accepted that the written report will be in draft form, which in practice would be tidied up before inserting it in the audit report file.
The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the person managing the audit programme.

The audit report should be dated, reviewed and approved, as appropriate, in accordance with audit programme procedures.

The audit report should then be distributed to the recipients, as defined in the audit procedures, audit plan or closing meeting.

Activity 17: Audit Follow-up

Purpose: To recognize the purpose of audit follow-up, and the activities involved.

Duration: 10 minutes individual work; 10 minutes classroom discussion.

Directions: Individually, please refer to ISO 19011 clause 6.7 and decide what the purpose of this phase is, and what you would do/check, as the lead auditor.

COURSE REVIEW

Learning objectives describe in outline what students will know and be able to do by the end of the course. On completion, delegates will have the knowledge and skills for the following:

Knowledge:
+ The principles of auditing and the principles of auditing to ISO/IEC 27001:2013
+ Audit activities

Skills:
+ Initiating the audit
+ Preparing audit activities
+ Conducting audit activities
+ Preparing and distributing the audit report
+ Completing the audit
+ Audit follow-up
Contact Information
(Address, telephone, e-mail and website are not legible in this copy.)

References

This document contains typical activity solutions and additional information referred to during the course.

Table of Contents:
Section 1
Activity 1: Delegate Introductions
Activity 2: Auditing Terms and Definitions
Activity 3: Definition of an Audit
Activity 4: Process Approach
Activity 7: The Audit Process
Activity 12: Closed Book Quiz
Activity 13: Work Documents
Activity 14: Conducting an Audit
Activity 15: Nonconformities
Activity 16: Audit Report
Activity 17: Audit Follow-Up
Section 2
Example Audit Report

Activity 1: Delegate Introductions
No additional comments to add here.

Activity 2: Auditing Terms and Definitions
(Answer table not legible in this copy.)

Activity 3: Definition of an Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Systematic: An audit is carried out by following a specified method, i.e. P.E.R.C.
Independent: An auditor must not audit their own work.
Objective: Uninfluenced by emotions or personal prejudice; evidence must be objective.
Audit Criteria: Set of policies, procedures or requirements used as a reference against which audit evidence is obtained.
ISMO3001ENIN v1.0 Oct 2013 making excellence a habit. ©The British Standards Institution 2013

Activity 4: Process Approach
No additional comments to add here.

Activity 5: Principles of Auditing
No additional comments to add here.

Activity 6: Auditor Attributes
Once the classroom discussion is complete, display the flip charts on the wall if possible.

Typical answers
Competence:
+ Knowledge of the standard
+ Understanding of IS
+ Knowledge of Risk Assessment/Management
+ Technical knowledge of activity to be audited
+ Regulatory requirements
+ Principles of auditing

Attributes:
+ Open-mindedness
+ Versatility
+ Diplomacy
+ Perceptiveness
+ Attentiveness
+ Decisiveness
+ Tenaciousness
+ Self-reliance
+ Ethical
+ Knowledge
+ Common sense

Activity 7: The Audit Process
No additional comments to add here.

Activity 8: Creating an Audit Plan
No additional comments to add here.

Activity 9: Check Lists
No additional comments to add here.

Activity 10: Opening Meeting
The opening meeting (sometimes called pre-audit conference or start-up meeting) is typically held at the location of the audit. Good practice demands that the auditor arrives on time; otherwise it can be seen as unprofessional.

This meeting, as any other, requires preparation by the auditor. The auditor should have come prepared with an agenda, which will ensure that all necessary points are covered quickly and efficiently. The way it is conducted can set the 'style' or 'tone' of the audit. The meeting is the place to establish the rules of conduct for the audit.
Matters requiring to be addressed include the following possible items:
+ Confirm attendees
+ Objectives, scope and criteria
+ Timings according to the audit plan
+ Audit method
+ Confidentiality
+ Health and Safety
+ Reporting method
+ The closing meeting

The sampling approach must be emphasized and the reporting methods explained. It is normal, and good practice, to establish who will have authority for the signing of any nonconformity reports if raised. Care should be taken not to suggest that this is the sole intention of the audit. The meeting should not last for more than about 10 minutes.

Activity 11: Conducting an Audit
No additional comments to add here.

Activity 12: Closed Book Quiz
No additional comments to add here.

Activity 13: Work Documents
No additional comments to add here.

Activity 14: Conducting an Audit
No additional comments to add here.

Activity 15: Nonconformities
No additional comments to add here.

Activity 16: Audit Report
A template audit report can be found in Section 2 of this reference guide.

The report may also include or refer to the following, as appropriate:
+ Audit plan;
+ Summary of the audit process, including any obstacles;
+ Confirmation that the audit objectives have been achieved in accordance with the audit plan;
+ Areas within scope not covered;
+ Summary of audit conclusions and main findings;
+ Unresolved diverging opinions;
+ Opportunities for improvement;
+ Good practices identified;
+ Agreed follow-up plans;
+ Statement of confidentiality;
+ Implications for the audit programme or subsequent audits;
+ Distribution list.

Additional notes
As the audit moves towards the concluding stages the auditors could be gradually building up a picture of areas of systems exhibiting the most failures.
This is the composite picture the auditors are required to present at the closing meeting and in their written report. The auditor has the responsibility for generating this composite picture as their informed judgement of the degree to which working systems comply with stated systems (and the standard). The information to provide this comes from the audit findings, but it is necessary to sort these so that a reasonable conclusion can be sought (assuming nonconformities have been found). Based on this, a picture emerges of the types of failure found, their relative frequency, where they were found in the company, and the management system requirement (clause of the standard) which is weakest.

As with any record, audit reports should be retained on file for a prescribed time. All the other records from the audit should also be retained, i.e. checklists, which are useful for re-audits, and the auditor's own notes made during the audit investigation. As corrective action is taken, the records of this will be kept to satisfy the 'close out' requirements of each nonconformity.

Activity 17: Audit Follow-Up

Purpose
The audit report may indicate the need for corrections, corrective, preventive or improvement actions. The auditee decides and undertakes any action within agreed time frames. The completion and effectiveness of these actions should be verified by the auditor. This verification may be part of a subsequent audit. This action is referred to as audit follow-up.

What would the auditor do/check?
+ That any action is timely, especially the correction.
+ That action is appropriate to the effects of the nonconformity encountered.
+ That the organization follows their own procedures and the relevant requirements of ISO 27001, i.e. review the nonconformity, determine the causes, evaluate the need for action to prevent recurrence, determine and implement the action needed, record the actions taken, and review the effectiveness of actions taken.
+ Finally, the auditor should sample for its effectiveness and on-going conformance.

Additional Notes
A summary of the process, including follow-up, is as follows:
+ Identification of nonconformities found during the audit;
+ Summary report prepared;
+ Corrective action request (CAR) issued;
+ Auditor evaluates response to CAR;
+ Completion of corrective action by auditee;
+ Evaluation of effectiveness by auditee;
+ Verification of completion by auditor;
+ Escalation (if necessary);
+ Records of each stage in this process.

Section 2: Example Audit Report

The information detailed within this report relates to the audit which was undertaken objectively in accordance with company procedures. The findings within this report and the activities discussed during the audit remain confidential to the company. The audit was based on sampling; therefore there may be areas of nonconformity not identified within this report.
Lake Dale Contact Center (Case Study)

This section contains the Case Study information for a fictitious organization called "Lake Dale Contact Center (LDCC)". Please note that the documents included in this Case Study contain errors for training purposes only. These documents should not be used as guides for developing management system documentation.

Case Study Table of Contents
Actions to Address Risks and Opportunities
Risk and Opportunities Planning Process - D8 - Issue 1
Risk Assessment Process - D9 - Issue 1
Risk Treatment Process - D10 - Issue 1
Information Security Risk Procedure - D11 - Issue 2
Statement of Applicability - 14 - Issue 1
Information Security Risk Treatment Plan - RTP E1 - Risk Treatment Plan Criteria (Physical Location)
Information Security Risk Treatment Plan - RTP A-17 - Risk Treatment Plan Criteria (Back up)
Backup - Procedure (For: A-17) - Aug 20XX - 23 - Issue
Annex A - Backup Schedules
Annex B - Backup Log
Annex C - Backup Recovery Test Schedules
Annex D - Backup Recovery Test Log
Backup Log - 024 - Issue 3
Backup Log - 024 - Issue
Backup Log - 024 - Issue
LDCC HR2 Access Change Form

Actions to Address Risks and Opportunities

Risk and Opportunities Planning Process - D8 - Issue 1
[Process diagram: considerations to determine the risks and opportunities in relation to the ISMS; information security risks; establish information security objectives]

Risk Assessment Process - D9 - Issue 1
[Process diagram: information security risk assessment criteria and risk acceptance criteria; identified information security risks assigned to risk owners]
Risk Treatment Process - D10 - Issue 1
[Process diagram: risks prioritized for treatment -> select appropriate risk treatment options -> determine all controls necessary to implement the risk treatment options (designed controls; controls from other sources) -> justification of exclusion (Annex A) and justification of inclusion (controls) -> Statement of Applicability -> risk treatment plan]

LDCC Information Security Risk Procedure - D11 - Issue 2

Information Security Risk Criteria

Performing IS Risk Assessments
The criteria for prompting a risk assessment will be:
1. Significant changes to the business affecting IS (determined by the ISF)
2. A new contract involving bespoke IS requirements (determined by the ISF)
3. After an Information Incident (single or series of unwanted or unexpected information security events, as agreed by the ISF)
4. A period not exceeding 3 years

IS Risk Acceptance Criteria
Risk acceptance criteria is calculated using Likelihood x Consequence x Asset Value. Any scores within the area indicated are to be categorized as unacceptable and prioritized as risks to be treated. Any scores outside the unacceptable area will not be prioritized for treatment, but will however be assessed for risk reduction in pursuit of continual improvement.

Identifying Information Security Risks
An inventory of asset groups will be created that reflects the information types held within LDCC. These asset groups will be individually assessed for risk treatment as if they were singular assets. Any assets within each group that need to be assessed separately from the group will be identified uniquely in the asset register.
Internal and external issues identified within the 'Context' and the specific requirements of our interested parties will be seen as asset groupings and risk assessed, with opportunities identified and treatment options considered. Other risk sources, such as reported events or incidents, will also be considered for risk assessment. This will be determined by the ISF at management review meetings.

For each asset identified a rating is given on a scale from 1 to 3 for 'Confidentiality', 'Availability' and 'Integrity'. These values are added together to give an 'Asset Value'. Risk owners are identified at this point.

Analyzing Information Security Risks
The potential consequences and realistic likelihood are determined, each on a scale of 1 to 3. The 'Asset Value' identified above is now multiplied by the 'Consequence' and 'Likelihood' values to determine the level of risk for each asset (taking into account existing controls).

Evaluating Information Security Risks
Based on the 'Risk Acceptance Criteria' detailed above we have identified a score of over 40 as being the threshold for risk treatment (half of 81). These Information Security Risks will then be prioritized by number score. The highest priority for risk treatment will be scores above 60 (these will be left indented in the cell and identified as highest priority in the risk treatment plan). The medium priority will be scores above 40 (these will be centered in the cell and identified as medium priority in the risk treatment plan). Scores below 40 will not be prioritized for risk treatment (these will be right indented in the cell and, if a risk treatment plan is created, will be identified as lowest priority).

LDCC Information Security Risk Treatment
Once risks have been prioritized for treatment, one risk treatment option is chosen and identified.
An Information Security (independent) consultant will be appointed to determine all controls from ISO 27002 that are necessary to implement the Information Security treatment options chosen. These controls will be identified, documented and kept up to date. A Statement of Applicability will be created detailing controls selected and justification for inclusion. Risk owners' acceptance of the residual Information Security risks will be documented. An Information Security Risk Treatment Plan will be owned and held by the Information Security consultant.

Lake Dale Contact Centre

No. | Asset | Description | Owner
A1 | Customer provided information | Includes contact and financial information | To be determined shortly
A2 | LDCC Customer contact information | | Sales Director
A3 | LDCC Financial account information | Finance, invoicing, debts | Finance Director
A4 | LDCC HR Information | Wages, next of kin, contact details | HR Director
A5 | LDCC Management Information | Reports, plans, strategies | Operations Manager
A6 | LDCC Internal Information | Reports, plans, strategies | Operations Manager
A7 | LDCC IT Systems | | IT Manager
A8 | Computers - Desk PCs | Thin clients, no data | Floor Manager
A9 | Phones - Mobile | Mix of smartphones | IT Manager
A10 | Phones - Desk | IP phones | IT Manager
A11 | Paper Files - Finance | Signed contracts and reports | Operations Manager
A12 | Paper Files - General | Reports and general | Operations Manager
A13 | Staff - Admin | 5 x work in business support | Operations Manager
A14 | Staff - Phone operatives | 150 x on phones | Floor Manager
A15 | Staff - Management | 6 x managers and directors | CEO
A16 | Staff - Temps | | HR Director
A17 | IT Main Server | | IT Manager
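The scoring method in D11 (asset value as the sum of the 1 to 3 confidentiality, integrity and availability ratings, level of risk as asset value x consequence x likelihood, treatment thresholds at 40 and 60) written out as code, together with the recomputation an internal auditor would do against a completed D13 template. This is an added example, not a document from the LDCC case study or from BSI; the function and column names are mine, and the rows it audits are constructed to resemble the template, not transcribed from it.

```python
"""D11 risk scoring as code, with the recomputation an auditor makes.

Added example; not from the LDCC case study. Names, column layout and the
sample rows (constructed, not transcribed from D13) are assumptions.
"""
from dataclasses import dataclass
from typing import List

SCALE = (1, 2, 3)  # D11: C, I, A, consequence and likelihood are each rated 1-3


def asset_value(c: int, i: int, a: int) -> int:
    """D11 'Identifying': the asset value is the sum of the C, I and A ratings (3..9)."""
    for rating in (c, i, a):
        if rating not in SCALE:
            raise ValueError(f"rating {rating} is outside the 1-3 scale")
    return c + i + a


def risk_level(av: int, consequence: int, likelihood: int) -> int:
    """D11 'Analyzing': level of risk = asset value x consequence x likelihood (3..81)."""
    if consequence not in SCALE or likelihood not in SCALE:
        raise ValueError("consequence and likelihood must be on the 1-3 scale")
    return av * consequence * likelihood


def priority(level: int) -> str:
    """D11 'Evaluating': above 60 highest, above 40 medium, otherwise not prioritized.

    No score can equal 40 or 60 (asset value 3..9 times a product of two 1-3
    ratings, i.e. 1, 2, 3, 4, 6 or 9), so 'above' and 'below' leave no gap.
    """
    if level > 60:
        return "highest"
    if level > 40:
        return "medium"
    return "not prioritized"


@dataclass
class RiskRow:
    """One line of a D13-style risk assessment, as the assessor recorded it."""
    asset_no: str
    c: int
    i: int
    a: int
    recorded_av: int
    consequence: int
    likelihood: int
    recorded_level: int
    treatment: str
    new_level: int


def audit_row(row: RiskRow) -> List[str]:
    """Recompute the arithmetic and compare it with the recorded figures.

    Returns the findings for this row; an empty list means it is consistent.
    """
    findings = []
    av = asset_value(row.c, row.i, row.a)
    if av != row.recorded_av:
        findings.append(f"{row.asset_no}: AV recorded as {row.recorded_av} but C+I+A = {av}")
    level = risk_level(row.recorded_av, row.consequence, row.likelihood)
    if level != row.recorded_level:
        findings.append(f"{row.asset_no}: level recorded as {row.recorded_level} but AV x CNS x LKLH = {level}")
    # Auditor's question (my check, not a D11 rule): 'Accept' means no treatment,
    # so a new level different from the current one needs explaining.
    if row.treatment == "Accept" and row.new_level != row.recorded_level:
        findings.append(f"{row.asset_no}: treatment 'Accept' yet new level {row.new_level} != {row.recorded_level}")
    return findings


# Constructed sample rows (not transcribed from D13); X2 and X3 each carry one
# inconsistency of the kind the internal auditor is expected to find.
SAMPLE_ROWS = [
    RiskRow("X1", 2, 3, 2, 7, 3, 3, 63, "Reduce", 42),
    RiskRow("X2", 2, 3, 2, 7, 3, 3, 63, "Accept", 42),
    RiskRow("X3", 2, 3, 3, 9, 3, 3, 81, "Remove source", 27),
    RiskRow("X4", 3, 2, 1, 6, 3, 2, 36, "Accept", 36),
]


def audit_all(rows=SAMPLE_ROWS) -> dict:
    """Priority and findings for every row, keyed by asset number."""
    return {r.asset_no: {"priority": priority(r.recorded_level), "findings": audit_row(r)}
            for r in rows}


if __name__ == "__main__":
    for asset_no, result in audit_all().items():
        print(asset_no, result["priority"], *result["findings"], sep=" | ")
```

Running it prints one line per asset with its priority and any inconsistencies. Because an asset value lies between 3 and 9 and the consequence x likelihood product can only be 1, 2, 3, 4, 6 or 9, no score can equal 40 or 60, so the 'above' and 'below' wording in D11 leaves no borderline case. The check that the asset value equals C + I + A is the one most worth running, since the template records all four numbers separately and the arithmetic is done by hand.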
Lake Dale Contact Centre
Risk Assessment Template for ISO 27001 - D13 - Issue 1
Risk Assessment Date: 15/01/20xx

Key: C = Confidentiality, I = Integrity, A = Availability, AV = Asset Value, CNS = Consequences, LKLH = Likelihood. Ratings: 1 = lowest risk, 2 = medium risk, 3 = highest risk.

GENERIC ASSETS

Asset No. | Asset Name | C | I | A | AV | Existing Controls | CNS | LKLH | Level of Risk | Risk Treatment | Additional Controls | New Level of Risk | Risk Owner Approval
A1 | Customer provided information | 2 | 3 | 2 | 7 | Please see SoA document | 3 | 3 | 63 | | | |
A2 | LDCC Customer contact information | 2 | 3 | 2 | 7 | | 3 | 3 | 63 | Accept | | 42 | Sales Director
A3 | LDCC Financial account information | | | | | | | | | | | | Finance Director
A4 | LDCC HR Information | 3 | 2 | 1 | 6 | | 3 | 2 | 36 | Accept | | 36 | HR Director
A5 | LDCC Management Information | 1 | 1 | 1 | 3 | | 3 | 1 | 9 | Reduce | | 9 | Operations Manager
A6 | LDCC Internal Information | | | | | | | | | | | |
A7 | LDCC IT Systems | 2 | 3 | 3 | 9 | | 3 | 3 | 81 | Remove source | | 27 | IT Manager
A8 | Computers - Desk PCs | 2 | 2 | 1 | 4 | | 2 | 3 | 24 | Reduce Likelihood | | 24 | Floor Manager
A9 | Phones - Mobile | | | | | | | | | Change | | | IT Manager
A10 | Phones - Desk | | | | | | | | 3 | Share | | 3 | IT Manager
A11 | Paper Files - Finance | | | | | | | 1 | 10 | Remove source | | 10 | Operations Manager
A12 | Paper Files - General | | | | | | | | | Change Consequences | | | Operations Manager
A13 | Staff - Admin | 2 | 1 | 1 | 4 | | 2 | 3 | 24 | Avoid | | 24 | Operations Manager
A14 | Staff - Phone operatives | 3 | 2 | 1 | 6 | | 2 | 3 | 36 | Avoid | | 36 | Floor Manager
A15 | Staff - Management | 3 | 2 | 2 | 7 | | 3 | 2 | 42 | Share | | |
A16 | Staff - Temps | 3 | 2 | 1 | 6 | | 2 | 3 | 36 | Share | | 36 | HR Director
A17 | IT Main Server | | | | 6 | | 3 | 2 | 36 | | | 36 | IT Manager
A18 | IT Main switches | | | | 5 | | 2 | 2 | 20 | Reduce Likelihood | | 20 |

Lake Dale Contact Centre
Statement of Applicability - D14 - Issue 1

GENERIC ASSETS (for each asset: controls selected, justification for inclusion, implemented?)

A1 Customer provided information
Controls: 1. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. 2. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. 3. Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Justification for inclusion: Because customers send information to us in different ways we need it secured and safe. Policies make our staff follow accepted ways of doing things.
Implemented? Partial, RTP A1

A2 LDCC Customer contact information
Controls: 1. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. 2. Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. 3. Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Justification for inclusion: Our customers' information needs to remain accurate and complete. Identifying ownership of sales documents helps prevent unauthorized editing. In the past sales staff have provided incorrect and incomplete information that has then been added to our CRM system. When we have updated systems in the past, records have been altered; we need to manage changes. In the past we have had malware infections that have damaged our data.
Implemented? No

A3 LDCC Financial account information
Controls: 1. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. 2. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. 3. Physical security for offices, rooms and facilities shall be designed and applied.
Justification for inclusion: Our financial information is sensitive so needs classifying. Incidents need managing quickly and efficiently. Rooms in finance should be locked.
Implemented? Yes, RTP A3

A4 LDCC HR Information
Controls: 1. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. 2. Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. 3. Physical security for offices, rooms and facilities shall be designed and applied.
Justification for inclusion: HR information is very sensitive so needs identifying as sensitive and protecting. HR office should be locked at all times.
Implemented? No

A5 LDCC Management Information
Controls: 1. Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. 2. Physical security for offices, rooms and facilities shall be designed and applied. 3. Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Justification for inclusion:
Implemented? Yes, RTP A5

A6 LDCC Internal Information
Controls: 1. Physical security for offices, rooms and facilities shall be designed and applied. 2. Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Justification for inclusion: Our internal information should be locked away whenever possible as it can be accessed by many staff; non-disclosure agreements are valuable.
Implemented? No, RTP A6

A7 LDCC IT Systems
Controls: 1. Equipment shall be correctly maintained to ensure its continued availability and integrity. 2. Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. 3. Rules governing the installation of software by users shall be established and implemented.
Justification for inclusion: IT should be maintaining the equipment properly. It should be located in a good place and software not installed without asking.
Implemented? No

A8 Computers - Desk PCs
Controls: 1. Media shall be disposed of securely when no longer required, using formal procedures. 2. Rules governing the installation of software by users shall be established and implemented. 3. Rules for the development of software and systems shall be established and applied to developments within the organization.
Justification for inclusion: If users use DVDs or USB sticks to manipulate information, these should be deleted or destroyed after use. Users should not fiddle with programs because they could break them.
Implemented? No

A9 Phones - Mobile
Controls: 1. Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. 2. Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Justification for inclusion: Mobiles contain a lot of information, often emails, and so should be looked after. If used out of the office care should be taken using insecure public networks.
Implemented? No

A10 Phones - Desk
Controls: 1. Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. 2. Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Justification for inclusion: New threats come along all the time. Our phones are network devices and we need support keeping them secure. If the power failed it can cause problems when the system restarts.
Implemented? No

A11 Paper Files - Finance
Controls: 1. Physical security for offices, rooms and facilities shall be designed and applied. 2. Procedures for working in secure areas shall be designed and applied.
Justification for inclusion: Paper is easily seen and stolen. Locking rooms will protect the information. If we do have secure rooms, how they are used is important in keeping up security.
Implemented? No

A12 Paper Files - General
Controls: 1. Physical security for offices, rooms and facilities shall be designed and applied. 2. Procedures for working in secure areas shall be designed and applied. 3. A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Justification for inclusion: Paper is easily seen and stolen. Locking rooms will protect the information. If we do have secure rooms, how they are used is important in keeping up security. The clear desk policy helps with paper records.
Implemented? No

A13 Staff - Admin
Controls: 1. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. 2. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Justification for inclusion: Not all staff need to see all files and information. A formal structure helps protect information. When we send information to partners and suppliers we need to do it right and safely.
Implemented? No

A14 Staff - Phone Operatives
Controls: 1. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. 2. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Justification for inclusion:
Implemented? No

A15 Staff - Management
Controls: 1. Media shall be disposed of securely when no longer required, using formal procedures. 2. Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Justification for inclusion: Our managers use a lot of information, often saved on mobile devices and media; we need them to look after these items. They also work from their cars and homes so use insecure public connections sometimes.
Implemented? Yes, RTP A15

A16 Staff - Temps
Controls: 1. A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. 2. Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Justification for inclusion: Temps should only get the information they actually need, no more. As they may not know how to send information (our way) they will need more structure and guidance.
Implemented? No

A17 IT Main Server
Controls: 1. Media shall be disposed of securely when no longer required, using formal procedures. 2. Procedures for working in secure areas shall be designed and applied. 3. Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. Backups should be taken.
Justification for inclusion: If the server is backed up, the media used should be securely wiped or destroyed after use. The server should be kept in a secure room and protected from power loss. Backups of systems are very important.
Implemented? Yes, RTP A17

LDCC Lake Dale Contact Centre
Information Security Risk Treatment Plan - RTP E1-6
FOR: 'E1-6 Physical location (Physical entry controls)' 02/07/20xx
Lake Dale Contact Centre
Risk Treatment Plan Criteria (Physical Location)

Developing a Risk Treatment Plan
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.

Risk to be treated, reasoning and accountability

Risk
There are multiple risks associated with physical entry controls relating to protecting secure areas. These include access to areas containing sensitive information which may give rise to theft, fraud, information leakage, misuse or wilful damage to information or assets.

Reasoning
Our assets require managing in order to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. Sensitive areas of our facilities should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Appropriate entry controls for other offices, rooms and facilities should also be designed and implemented, commensurate with the identified risks and the value of the assets at risk in each setting.

Accountability
Simon Lock, Facilities Manager, is responsible for the approval of this plan. Geoff King, Maintenance Engineer, is responsible for plan implementation.

Proposed actions, resources and performance measures

Proposed Actions
Sensitive areas of information processing facilities should be protected by appropriate entry controls; this will include:
1. Identify potential access locations where improved security could be implemented
2. Identify appropriate access requirement groups suitable for LDCC
3. Install locks and key code or swipe card biometric authentication mechanism for all entry points (e.g. key card and/or PIN) as required
4. Provision of identification cards for visitors, temps and staff
5. Create appropriate 'Physical Entry Control' procedures

Resources
1. The Maintenance Engineer shall be responsible for implementation of physical entry control processes and procedures
2. Facilities staff will be assigned to undertake the activities
3. Management will be responsible for the identification and request of specific screening requirements

Performance measures
1. Adherence to the implementation schedule
2. Completion of locks and access system installation
3. Audit of adherence to 'card issuing' procedures (new starter card issuing requests being actioned and leavers being de-activated)
4. Observation on the use of the system at peak entry times

Reporting
Facilities will provide the next quarterly management meeting with an update report.

Monitoring
Internal audit will be invited to review the 3 performance measures.

Schedule
1. 2 weeks
2. 2 weeks after 1
3. 3 months after 2
4. With 3
5. With

LDCC Lake Dale Contact Centre
Information Security Risk Treatment Plan - RTP A-17
FOR: A-17 'Backup (IT Main Server)' 22/04/20xx

Lake Dale Contact Centre
Risk Treatment Plan Criteria (Back up)

Developing a Risk Treatment Plan
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.

Risk to be treated, reasoning and accountability

Risk
There are risks associated with the information security backup control relating to the protection against loss of data. These include server failure, power failure, and corruption of sensitive information, which may give rise to loss, deletion or unavailability of information, software or system images.

Reasoning
Our information requires protecting in order to ensure we can correct, secure and recover operations of our information processing. Information backup and testing ensures that the correct information is available and retrievable when and where required.

Accountability
John Bishop, IT Manager, is responsible for the approval of this plan. Colin Strange, IT Analyst, is responsible for plan implementation.

Proposed actions, resources and performance measures

Proposed Actions
Information should be protected by appropriate backup controls; this will include:
1. Identify data to be backed up and required frequency
2. Identify media to be used and its handling requirements
3. Assign responsibility for completing backups
4. Establish standard operating procedures for backup
5. Start to check the effectiveness of backup activities ('Restoration' testing)
6. Implement procedures and backups

Resources
1. John Bishop, IT Manager, shall be responsible for implementation of information backup processes and procedures
2. IT staff will be assigned to undertake the activities
3. Management will be responsible for the identification and request of specific backup requirements
4. Third party IT providers will be made available if required to provide support

Performance measures
1. Adherence to the implementation schedule
2. Verification records of backups are documented and retained (according to criteria)
3. 'Restoration' testing is carried out according to procedures
4. Testing of 'Restoration': data is then available, with no loss of integrity

Reporting, monitoring requirements and schedule

Reporting
The IS Manager will provide the next quarterly management meeting with a backup schedule report.

Monitoring
Internal audit will be invited to review the 3 performance measures.
Schedule
1. 2 weeks
2. 2 weeks after 1
3. 1 week after 2
4. 2 months after 3
5. 1 month after 4
6. Upon completion of 5

Lake Dale Contact Centre
Backup - Procedure (For: A-17) - Aug 20XX - D23 - Issue 1

Introduction
This backup procedure has been developed to allow data essential to LDCC to be restored or recovered as quickly as possible in the event of data loss or corruption on one or more of its computer systems. In order to achieve this, a number of things need to be taken into account, such as:
a) copying of data to a medium which can then be stored in a secure place
b) retrieval of data from the copy made on the medium
c) secure storage of the media containing backup data
d) recording of details about the media and what data it stores, to facilitate identification of media when it is necessary to retrieve data from it
e) testing the quality of the backups made by test retrieval of data
f) who is responsible for completing the actions above

Back-up Procedure
These procedures cover all critical data and critical software contained on database and file servers within the five critical areas of the LDCC business as follows:
HR
Operations
Facilities
Finance
Sales and Marketing

The frequency of backups for each server, the media type used and the responsibility for carrying out the backups can be seen in the table below.

Data | Backup Type | Frequency | Media | Responsibility
All critical HR Data and Software | Full | Weekly | Tape | Systems Admin
All critical Operations Data and Software | Full | Weekly | Tape | Systems Admin
All critical Facilities Data and Software | Full | Weekly | Tape | Systems Admin
All critical Finance Data and Software | Full | Weekly | Tape | Systems Admin
All critical Sales & Marketing Data and Software | Full | Weekly | Tape | Systems Admin

The weekly backup will be carried out as follows:
a) Retrieve the next tape in the sequence from the fire safe, using the record of the last backup carried out as a guide
b) Check to ensure the tape is not damaged. If it is, replace the tape with a new one and label it accordingly
c) Place the tape into the tape drive
d) Execute the backup process on the relevant server as per the schedule in 'annex a' of this procedure
e) Remove the tape from the tape drive
f) Label the tape with the name of the server backed up and the date
g) Record details of the backup using the record template documented in 'annex b' of this procedure

In addition to the backups noted in the table above, a full backup will also be carried out of all critical data and software for each area on a quarterly basis as per the table below. These backups will be written to durable archive media and stored offsite for a period of no less than one year.

Data | Backup Type | Frequency | Media | Responsibility
All critical HR Data and Software | Full | Quarterly | DVD | Systems Admin
All critical Operations Data and Software | Full | Quarterly | DVD | Systems Admin
All critical Facilities Data and Software | Full | Quarterly | DVD | Systems Admin
All critical Finance Data and Software | Full | Quarterly | DVD | Systems Admin
All critical Sales & Marketing Data and Software | Full | Quarterly | DVD | Systems Admin

The quarterly archive backup will be carried out as follows:
a) Retrieve the next disk in the sequence from the offsite archive, using the record of the last backup carried out as a guide
b) Check to ensure the disk is not damaged. If it is, replace it with a new one and label it accordingly
c) Place the disk in the disk drive of the relevant server as per the schedule in 'annex a' of this procedure
d) Execute the backup process for that server
e) Remove the disk from the server and return it to its case
f) Label the case with the server name and date
g) Arrange for the disk to be collected by secure courier and stored at the offsite archive
h) Record details of the backup using the record template documented in 'annex b' of this procedure

Back-up Media Handling
Two types of media are used for backups. Magnetic tape is used for the weekly full backups and DVD disks are used for quarterly archive backups, as they are more durable than magnetic tape. All tapes will be labelled with the name of the server backed up, the date of the backup and a unique identifier so that they can be easily retrieved when necessary. Weekly backup tapes are transported across the LDCC site in a protective plastic carry case. Quarterly DVD backups, when complete, are returned to their individual cases and labelled to show the name of the server backed up and the date the backup was carried out. Each DVD will also have a unique identifier so that it can be easily identified and retrieved when required. Quarterly backups are then handed over to a secure courier to be transported to an offsite archive until required.

Back-up Restoration Testing
In order to ensure that backup media has not deteriorated and that all critical data and software has been successfully backed up, periodic restoration tests will be carried out in accordance with the schedule documented in 'annex c' of this procedure. Two types of restoration test must be carried out (and indicated) as follows:

File recovery test: recover critical files from the backup in the case of loss or corruption of data on live systems, as follows:
a) Recover tape from the fire safe
b) Insert the tape into the tape drive connected to the standby server
c) Recover data from tape into the database on the standby server
d) Ensure the data recovered from the tape matches data on the live server
e) Record details of the test using the form documented in 'annex d' of this procedure
f) Return the tape to the fire safe

System recovery test: recover the entire content onto a test server to ensure that systems can be recovered in the event of any unforeseen circumstances, as follows:
a) Recover disk from offsite storage as per the schedule in 'annex c' of this procedure
b) Ensure the standby server is operational and all previously recovered data has been removed
c) Recover data from the archive disk onto the standby server
d) Check to ensure that all software is operational on the standby server
e) Check to ensure that data can be retrieved on the standby server
f) Record details of the test using the form documented in 'annex d' of this procedure
g) Return the disk to the offsite archive
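A check of a completed Annex B style backup log against what D23 requires (a full weekly backup of each of the five critical areas, a failed backup re-run, a verified record, and restoration tests that succeed), as an added example that is not part of the LDCC case study or any BSI material. The comma-separated layout, the year assumed behind the 'xx' in the dates, and the sample log lines are my assumptions; the sample lines are constructed, not copied from D24.

```python
"""Check an Annex B style backup log against the D23 weekly schedule.

Added example; not from the LDCC case study. The comma-separated layout,
the year assumed behind 'xx' and the sample lines are my assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import List

# D23: the five critical areas, each with a full weekly tape backup
CRITICAL_AREAS = ("HR", "Operations", "Facilities", "Finance", "Sales & Marketing")
ASSUMED_YEAR = 2014  # the case study prints dates as dd/mm/xx

# Constructed sample log in the Annex B column order (not copied from D24):
# day, date, time, backup type, system backed up, media used, status, checked by.
SAMPLE_BACKUP_LOG = """\
Monday,03/11,17:00,Full,HR,HR02,Complete,Graham Spring
Tuesday,04/11,16:53,Full,Facilities,FA02,Complete,Graham Spring
Wednesday,05/11,16:50,Full,Sales & Marketing,SM02,Complete,Graham Spring
Thursday,06/11,16:28,Full,Operations,OP02,Failed,Graham Spring
Friday,07/11,16:12,Full,Finance,FI02,Complete,Graham Spring
Monday,10/11,17:00,Full,HR,HR03,Complete,Graham Spring
Tuesday,11/11,16:53,Full,Facilities,FA03,Complete,
Wednesday,12/11,16:50,Full,Sales & Marketing,SM03,Complete,Graham Spring
Thursday,13/11,16:28,Full,Operations,OP03,Failed,Graham Spring
Thursday,13/11,18:05,Full,Operations,OP03,Complete,Graham Spring
Friday,14/11,16:12,Full,Finance,FI03,Complete,Graham Spring
"""

# Constructed sample Annex D log: test type, date, time, system, media, status, carried out by.
SAMPLE_RESTORE_LOG = """\
weekly,08/11,09:35,Operations,OP02,Failed,Graham Spring
weekly,15/11,09:35,HR,HR03,Complete,Graham Spring
"""


def _when(date_ddmm: str, time_hhmm: str) -> datetime:
    return datetime.strptime(f"{date_ddmm}/{ASSUMED_YEAR} {time_hhmm}", "%d/%m/%Y %H:%M")


def parse_backup_log(text: str) -> List[dict]:
    rows = []
    for day, date, time, btype, area, media, status, checked_by in csv.reader(StringIO(text)):
        rows.append({"day": day, "when": _when(date, time), "type": btype, "area": area,
                     "media": media, "status": status, "checked_by": checked_by.strip()})
    return rows


def parse_restore_log(text: str) -> List[dict]:
    rows = []
    for kind, date, time, area, media, status, by in csv.reader(StringIO(text)):
        rows.append({"kind": kind, "when": _when(date, time), "area": area,
                     "media": media, "status": status, "by": by})
    return rows


def check_backup_log(backup_text: str = SAMPLE_BACKUP_LOG,
                     restore_text: str = SAMPLE_RESTORE_LOG) -> List[str]:
    """Return audit findings: day names that do not match the date, records with
    no verifier, missing weekly backups, failures not re-run, failed restore tests."""
    findings = []
    by_week = defaultdict(list)
    for entry in parse_backup_log(backup_text):
        if entry["day"] != entry["when"].strftime("%A"):
            findings.append(f"{entry['when']:%d/%m}: recorded as {entry['day']} but is a "
                            f"{entry['when']:%A}")
        if not entry["checked_by"]:
            findings.append(f"{entry['when']:%d/%m} {entry['area']}: no 'Checked by' entry")
        by_week[entry["when"].isocalendar()[1]].append(entry)
    for week, entries in sorted(by_week.items()):
        for area in CRITICAL_AREAS:
            attempts = sorted((e for e in entries if e["area"] == area), key=lambda e: e["when"])
            if not attempts:
                findings.append(f"week {week}: no weekly full backup logged for {area}")
            elif attempts[-1]["status"] != "Complete":
                last = attempts[-1]
                findings.append(f"week {week}: last backup of {area} ({last['media']}) "
                                f"{last['status']} and not re-run")
    for test in parse_restore_log(restore_text):
        if test["status"] != "Complete":
            findings.append(f"{test['when']:%d/%m}: {test['kind']} restore test of "
                            f"{test['area']} from {test['media']} {test['status']}")
    return findings


if __name__ == "__main__":
    for finding in check_backup_log():
        print(finding)
```

The two observations it is built to surface are a Failed weekly backup with no re-run recorded in the same week and a Failed restoration test, both of which an auditor would raise against performance measures 2 to 4 of RTP A-17; a record with an empty 'Checked by' column fails measure 2 on its own, since an unverified log entry is not evidence that the backup happened.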
Lake Dale Contact Centre
Annex A - Backup Schedules

Lake Dale Contact Centre
Annex B - Backup Log
This backup log should be completed daily to indicate the status of the backup scheduled for that day. At the end of the week the completed form should be stored in the IS Department.

Day | Date | Time | Backup Type | System / Application Backed Up | Media Used | Backup Status (Complete / Failed) | Carried out by
Monday | | | | | | |
Tuesday | | | | | | |
Wednesday | | | | | | |
Thursday | | | | | | |
Friday | | | | | | |

Date | Time | Server Name | Media Used | Backup Status (Complete / Failed) | Carried out by

Lake Dale Contact Centre
Annex C - Backup Recovery Test Schedules

Lake Dale Contact Centre
Annex D - Backup Recovery Test Log
This backup recovery test log should be completed after every recovery test and the completed form should be stored in the IS Department.

Recovery Test Type (weekly / quarterly) | Date | Time | Business System Recovered | Media Used | Backup Status (Complete / Failed) | Carried out by

Lake Dale Contact Centre
Backup Log - D24 - Issue 3
This backup log should be completed daily to indicate the status of the backup scheduled for that day. At the end of the week the completed form should be stored in the IS Department.

Day | Date | Time | Backup Type | System / Application Backed Up | Media Used | Backup Status | Checked by
Monday | 27/10/xx | 17:00 | | | HR04 | Complete | Graham Spring
Tuesday | 28/10/xx | 16:53 | | | FA04 | Complete | Graham Spring
Wednesday | 29/10/xx | 16:50 | | | SM04 | Complete | Graham Spring
Thursday | 30/10/xx | | | | OP04 | Complete | Graham Spring
Friday | 31/10/xx | 16:12 | | | FI04 | Complete | Graham Spring

Date | Time | Server Name | Media Used | Backup Status (Complete / Failed) | Carried out by
| 16:55 | Operations | | Failed |

Date | Time | Server Name | Media Used | Restore Status (Complete / Failed) | Carried out by
31/10/xx | 09:35 | Finance Database and File Server | FI04 | Complete | Geoff King

Lake Dale Contact Centre
Backup Log - D24 - Issue 1
This backup log should be completed daily to indicate the status of the backup scheduled for that day. At the end of the week the completed form should be stored in the IS Department.

Day | Date | Time | Backup Type | System / Application Backed Up | Media Used | Backup Status | Checked by
Monday | 01/09/xx | 17:00 | | | HR01 | Complete | Graham Spring
Tuesday | 02/09/xx | 16:53 | | | FA01 | Complete | Graham Spring
Wednesday | 03/09/xx | 16:50 | | | SM01 | Complete | Graham Spring
Thursday | 04/09/xx | 16:28 | | | OP01 | Failed | Graham Spring
Friday | 05/09/xx | 16:12 | | | FI01 | Complete | Graham Spring

Date | Time | Server Name | Media Used | Backup Status (Complete / Failed) | Carried out by
03/09/xx | 16:55 | Sales & Marketing | SMD01 | Complete |

Date | Time | Server Name | Media Used | Restore Status (Complete / Failed) | Carried out by
03/09/xx | 09:35 | HR Database and File Server | HR01 | Complete | Graham Spring

Lake Dale Contact Centre
Backup Log - D24 - Issue 1
This backup log should be completed daily to indicate the status of the backup scheduled for that day. At the end of the week the completed form should be stored in the IS Department.

Day | Date | Time | Backup Type | System / Application Backed Up | Media Used | Backup Status | Checked by
Monday | 03/11/xx | 17:00 | | | HR02 | Complete | Graham Spring
Tuesday | 04/11/xx | 16:53 | | | FA02 | Complete | Graham Spring
Wednesday | 05/11/xx | 16:50 | | | SM02 | Complete | Graham Spring
Thursday | 06/11/xx | 16:28 | | | OP02 | Failed | Graham Spring
Friday | 07/11/xx | | | | FI02 | Complete | Graham Spring

Date | Time | Server Name | Media Used | Backup Status (Complete / Failed) | Carried out by
| | Finance | FID02 | Complete | Graham Spring

Date | Time | Server Name | Media Used | Restore Status (Complete / Failed) | Carried out by
08/11/xx | 09:35 | Operations | OP02 | Failed | Graham Spring

Lake Dale Contact Centre
Physical Entry Controls Procedure for: E1-6 (Physical Location) - Oct 20XX - D25 - Issue 2

Introduction
LDCC provides operational cover for its clients on a 24/7/365 basis; consequently access to its offices needs to be available at all times. All staff (including temporary and contract staff) are issued with an access card to the building and any areas within the building to which they have authorised access. This card includes a photograph and must be worn by members of staff at all times when they are in the offices. Visitors (including maintenance and service engineers, etc.) are provided with a visitor card which provides limited access to areas within the offices, and they must be accompanied at all times whilst inside the building.

[Floor plan: Entrance 1; Entrance 2 from basement car park; 20 x windows]

Staff Access
All staff must present their card to the building access card reader upon entering and leaving the building; failure to do this is a disciplinary offence and will be dealt with in accordance with the company's disciplinary procedure.
Access cards - Issuing

When first starting work at LDCC, staff will be provided with a temporary card in order to access the building. HR will complete form HR2 (Access Change Form) and send it to Facilities during this period, requesting a photo-ID card. During the initial induction session with HR they will then be issued with their photo-ID card and sign to acknowledge its receipt on the same form (HR2). The temporary card will be returned to reception by HR. See card issuing record B1.

Lost or Forgotten Cards

In the event that a member of staff forgets their access card, a temporary one will be issued by the Receptionist (or Shift Manager if applicable). This must be handed back to the Receptionist/Shift Manager at the end of the shift.

In the event of a card being lost, a temporary card is to be issued using the same process as above, and an email must be sent to the Facilities Manager and the member of staff's line manager in order that a replacement can be issued and the lost card deactivated. Temporary cards will be linked to the individual in order to maintain the link to the payroll system. See card issuing record B1.1. The name of the member of staff to be issued the card and the card number are to be recorded.

Access to secure areas

If access is required to specific secure areas (e.g. computer room) this must be authorised by a named individual. In addition, every three months the manager responsible for the secure area must be provided with a list of staff that have access, for review and sign-off.

Visitor Access

All visitors must complete the 'Visitor Book' upon arrival at the offices and be issued with a numbered 'Visitor' card. They should be permitted unaccompanied access to the offices. Under no circumstances should visitors be provided access to the MD's office.

Upon leaving the offices the Visitor card should be handed back to reception and form B1.1 noted with this.

Lake Dale Contact Centre
LDCC access cards

[Photographs of the LDCC access cards and of the IT server room lock.]

B1.1  TEMPORARY ACCESS CARDS
Date | Name (BLOCK CAPITALS) | Department | Card No | Car Registration | Returned (Date/Inits)

Access Change Form (HR2)
Current Security Level of Access (SPECIFY):
Requested new Security Level of Access (SPECIFY):
Deactivation of Security Level of Access? YES or NO
Reason for change (please specify):
Access Card updated and reissued or sent for deactivation
Received by:
Signature:
Completing HR Manager:

The Lock Company, Pink Street, The Town
Access review, 16/07/20xx - D26 - Issue 1

[Floor plan marking each window (W) and door (D) lock, the back entrance and the IT server room.]

19 insecure window locks identified
3 insecure door locks identified

Recommendation:
Replace all window locks.
Replace all external door locks and fit a card access system.
Server room to have a combination lock.
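The three completed D24 backup logs earlier in this case study are the kind of record an internal auditor reads line by line: a Thursday backup recorded as Failed in two of the three weeks, a restore test that failed from the same media, and restore tests recorded for only some of the systems backed up. The Python below is an added example, not part of the BSI workbook or of the LDCC case-study documents. It transcribes the legible log entries into constructed pipe-separated records and applies the checks an auditor would make by hand: a Failed backup with no later successful run on the same media that week, a Failed restore test, a restore attempted from media whose backup had failed, and a system that is backed up but never restore-tested in the sampled period. The record layout and the assumption that a media ID's letter prefix (HR, FA, SM, OP, FI) identifies the system are the example's own, since the System / Application column is not legible on the page.

```python
"""Audit checks over backup-log and restore-test records of the kind shown in the
LDCC case study (form D24). Added example code; it is not part of the BSI workbook."""
from collections import defaultdict

# Constructed sample records transcribed from the three weekly D24 logs on the page.
# The System / Application column is not legible, so the media ID prefix stands in
# for the system (an assumption); years are kept as the page's "xx".
DAILY_BACKUPS = """\
w1|01/09/xx|HR01|Complete|Graham Spring
w1|02/09/xx|FA01|Complete|Graham Spring
w1|03/09/xx|SM01|Complete|Graham Spring
w1|04/09/xx|OP01|Failed|Graham Spring
w1|05/09/xx|FI01|Complete|Graham Spring
w2|27/10/xx|HR04|Complete|Graham Spring
w2|28/10/xx|FA04|Complete|Graham Spring
w2|29/10/xx|SM04|Complete|Graham Spring
w2|30/10/xx|OP04|Complete|Graham Spring
w2|31/10/xx|FI04|Complete|Graham Spring
w3|03/11/xx|HR02|Complete|Graham Spring
w3|04/11/xx|FA02|Complete|Graham Spring
w3|05/11/xx|SM02|Complete|Graham Spring
w3|06/11/xx|OP02|Failed|Graham Spring
w3|07/11/xx|FI02|Complete|Graham Spring
"""

RESTORE_TESTS = """\
w1|03/09/xx|HR Database and File Server|HR01|Complete|Graham Spring
w2|31/10/xx|Finance Database and File Server|FI04|Complete|Geoff King
w3|08/11/xx|Operations|OP02|Failed|Graham Spring
"""

DAILY_FIELDS = ("week", "date", "media", "status", "checked_by")
RESTORE_FIELDS = ("week", "date", "system", "media", "status", "carried_out_by")


def parse(text, fields):
    """Turn pipe-separated log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("|")))
            for line in text.splitlines() if line.strip()]


def system_of(media):
    """Assumed naming: <system prefix><number>, e.g. OP02 -> OP."""
    return media.rstrip("0123456789")


def audit(daily_text=DAILY_BACKUPS, restore_text=RESTORE_TESTS):
    """Return (kind, date, media_or_system) findings an auditor would raise."""
    backups = parse(daily_text, DAILY_FIELDS)
    restores = parse(restore_text, RESTORE_FIELDS)
    findings = []

    # 1. A Failed daily backup with no later Complete run on the same media that week.
    by_week = defaultdict(list)
    for b in backups:
        by_week[b["week"]].append(b)
    failed_media = set()  # media whose last recorded backup failed
    for week_rows in by_week.values():
        for i, b in enumerate(week_rows):
            if b["status"] == "Complete":
                continue
            rerun = any(x["media"] == b["media"] and x["status"] == "Complete"
                        for x in week_rows[i + 1:])
            if not rerun:
                failed_media.add(b["media"])
                findings.append(("failed_backup", b["date"], b["media"]))

    # 2. A Failed restore test, and 3. a restore attempted from failed-backup media.
    for r in restores:
        if r["status"] != "Complete":
            findings.append(("failed_restore", r["date"], r["media"]))
        if r["media"] in failed_media:
            findings.append(("restore_from_failed_backup", r["date"], r["media"]))

    # 4. Systems backed up but never restore-tested in the sampled period.
    backed_up = {system_of(b["media"]) for b in backups}
    tested = {system_of(r["media"]) for r in restores}
    for system in sorted(backed_up - tested):
        findings.append(("never_restore_tested", "", system))
    return findings


if __name__ == "__main__":
    for kind, when, what in audit():
        print(f"{kind:28s} {when:9s} {what}")
```

Run as a script it lists six findings for the page's data: the two unrepeated Thursday failures (OP01, OP02), the failed Operations restore on 08/11/xx, the fact that that restore was attempted from the media whose backup had already failed, and that the FA and SM systems have no restore test recorded at all. Each finding is the start of a nonconformity, not the conclusion: the auditor still has to confirm with the IS Department whether a re-run or a later test exists that the form does not show.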
