MODULE TITLE: BS7799 SECURITY AUDIT AND ASSESSMENT

Module Code: 12-7005-00
Semester of Delivery: 2
State whether module is Mandatory, Elective or Option: Mandatory
Level (4/5/6/7/8): 7
Credit Points: 15
Assessment Components & Percentage Weighting*: 100% Coursework
Pre-Requisite Modules (if applicable): n/a
Breakdown of Student Learning Hours by Type: 40 hours contact, 40 hours directed study, 70 hours independent study
Module Leader & School: CMS
Module Banding: C
Date of Original Approval: New for validation
Date of Next Review: 6/2011

AIMS AND RATIONALE

1 These are the aims of this module ...

To provide a context in which you can learn to
• Review, assess and critique the BS 7799-2 and related specifications
• Analyse and define the aspects of an Information Security Management
System (ISMS)
• Analyse and define the role of an ISMS auditor in terms of key technical,
methodological and professional principles, according to BS 7799-2 and
related standards
• Develop attitudes, values and ethics appropriate to the role of an ISMS
auditor
• Develop the skills required to drive an ISMS audit in order to meet the
requirements defined in BS 7799-2
• Develop the skills required to undertake the role of an ISMS auditor in
accordance with ISO 19011

2 The reason for having this module and for having it at this level is ...

This module is designed to equip you with the knowledge and skills required to
perform audits of information security management systems (ISMS) against the
current BS 7799-2 standard, in accordance with ISO 19011 and EA 7/03. The
module is presented at postgraduate (P/G) level because the role of an ISMS
auditor is expected to require advanced knowledge and skills. That requirement
arises from the complexity of modern ISMSs, the broad range of security threats
and technologies, and the wealth of legal and regulatory frameworks to which an
organisation must adhere.

3 By the end of the module you will be able to ...

• Select and explain appropriate principles of an information security
management system (ISMS) and the processes involved in establishing,
implementing, operating, monitoring, reviewing and improving an ISMS as
defined in BS 7799-2, including the significance of these for ISMS auditors.
• Critically discuss the purpose, content and interrelationship of BS 7799-2,
ISO/IEC 17799, ISO 19011, ISO/IEC TR 13335 Parts 3 and 4 (GMITS),
EA 7/03 and the legislative framework relevant to an ISMS.
• Critically discuss the role of an auditor in planning, conducting, reporting and
following up an ISMS audit in accordance with ISO 19011.
• Interpret the requirements of BS 7799-2 and EA 7/03 in the context of an
ISMS audit.
• Undertake the role of an auditor to plan, conduct, report and follow up an
audit in accordance with ISO 19011.

4 These are the main ways of learning and teaching which will help you
to achieve the learning outcomes ...

• A balance of taught classes (lectures and tutorials) and directed study
(directed reading) will help you develop the advanced knowledge and skills
required to perform ISMS audits in accordance with the BS 7799-2 standard.
• A number of practical activities will be used to develop the skills and critical
thinking required to plan, conduct, report and follow up an audit in
accordance with ISO 19011. Most of these activities will involve group work
and role playing in order to simulate the various stages of an audit and the
different roles of an ISMS auditor. Activities include interviewing
organisational staff, critical discussion of specific BS 7799-2 controls, review
of stage one ISMS audit documentation, critical assessment of implemented
controls to judge their effectiveness, planning of an audit and its meetings,
and simulation of audit meetings.
• You will be provided with a number of examples and scenarios to help you
practise and develop the advanced skills required to audit a complex ISMS
and to identify and clearly report non-conformities against the standard.

ASSESSMENT AND FEEDBACK

5 This is how the learning outcomes will be assessed …

The assessment for this module includes one coursework component, which is
both formative and summative. You will be continuously assessed throughout the
module through a set of practical tasks and activities with defined outputs that you
must produce. Each exercise is designed to explore a particular aspect of the
BS7799-2 standard and its interpretation at various stages in the audit process.
These exercises have been designed by the BSI alongside the learning materials
and relate directly to ideas and activities which constitute a BS7799 audit. Each of
the tasks is marked separately and the overall average is given as a final mark.

6 This is how and when you will be given feedback on your performance ...

Tutors will help and guide you during the coursework, providing informal formative
feedback on your performance. You will also receive marks on your coursework as
you progress through the assigned tasks.

7 To achieve a pass, you will show an ability to...

• Select and explain some critical aspects of an ISMS and relate them to a
given organisational context. The explanations will have enough detail to
make the meaning reasonably clear for the purpose.
• Identify and critically discuss some key responsibilities and activities of an
ISMS auditor, as defined in BS 7799-2, with regard to given contexts and
problems. You will refer to auditing principles, methodology and good
practice as recommended by the ISO 19011 standard.
• Select and critically discuss the links between legal compliance and
conformance with ISO standards, and outline some relevant applicable
legislation covering intellectual property rights, data protection and privacy
of personal information. The explanations will have enough detail to make
the meaning reasonably clear for the purpose.
• Demonstrate some ability in the processes required to plan an audit in
accordance with ISO 19011. Specifically:
- The audit plan and scope are clearly written, and communicated
effectively both orally and in written form.
- The plan addresses all key aspects of the audit, and its elements are
specific, achievable, realistic and time-bound.
- The audit plan makes sufficient use of the individuals available to achieve
the desired outcomes.
- You will take some responsibility for participating in and controlling
opening and closing audit meetings.
• Demonstrate some ability in the processes required to conduct an audit in
accordance with ISO 19011. Specifically, you will:
- perform a document review (stage one audit) in order to assess
whether the documentation meets BS 7799 requirements and to determine
whether adequate arrangements are in place to justify proceeding with
the implementation audit. Critical aspects of the documentation are
clearly explained and evidenced judgements are made about their
appropriateness.
- select some relevant samples and correctly identify conformance
and non-conformance with requirements. The sample selection
approach is suitable and addresses the critical aspects of the audit
process. Both conformances and non-conformances are presented
through reasoned and valid judgements in the face of contradictory
claims. Objectivity is exercised in the review of the evidence collected.
• Demonstrate some ability in the processes required to report and follow up
an audit in accordance with ISO 19011. Specifically, you will:
- Write a meaningful and accurate summary report of the audit,
including graded non-conformity reports based on objective evidence
obtained during the course of the audit. Claims in the report are
supported by collected evidence, which is valid and current. The report
will include recommendations for certification/supplier approval based
on the audit findings.
- Present audit findings and recommendations to the client. The
conventions used in any communication are appropriate for a
professional audience. Communications are clear, understandable and
engage the audience.
- Evaluate proposals for corrective action and differentiate between
correction and corrective action. Crucial positive and negative aspects
of the proposed actions are critically discussed, and reasoned and valid
judgements are made.

The above criteria are especially detailed because they are closely aligned with
BS 7799-2 requirements.

8 These are examples of the content of the module and the main
learning resources you will use ...

This module is delivered alongside, and utilising content from, the BSI's BS7799 Lead
Auditor certification course. As such it utilises the most current and rigorously vetted
material relevant to the BS7799 standard. Examples of content include

• Assessing security threats and vulnerabilities
• Management of security risks
• Selecting security controls
• How to build an Information Security Management System (ISMS)
• Auditing to BS 7799
• BS 7799 auditing techniques
• Managing and leading a BS 7799 audit team
• Interview techniques
• Audit reporting

Learning Material

- ISMS Auditor/Lead Auditor Training Course Workbook. British Standards Institution
- Information Security PD 3000 series. British Standards Institution
- Scott Barman (2001). Writing Information Security Policies. New Riders