Practitioner
Student Workbook
(I27-302 v1.10)
ISO/IEC 27001
Practitioner
(I27-302 ISO27K PR v1.10)
Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
This document contains proprietary information, which is protected by copyright. All rights reserved. No part of this document
may be photocopied, reproduced or translated to another language without prior consent from Quint Wellington Redwood,
Amstelveen.
Quint Wellington Redwood is an Accredited Training Organization (ATO) with PeopleCert, APMG, EXIN, DevOps Agile Skills
Association (DASA) and LEAN IT Association (LITA).
Quint Wellington Redwood is licensed by AXELOS Limited and officially authorized for ITIL®, PRINCE2®, MoP®, MSP®, MoV®,
PRINCE2 Agile®, P3O®, M_o_R® and accredited for the following AXELOS products.
IT Infrastructure Library®, PRINCE2®, MoP®, MSP®, PRINCE2 Agile®, P3O®, M_o_R®, MoV® and the Swirl Logo are [registered]
trademarks of AXELOS Limited. These trademarks are used by Quint Wellington Redwood under permission of AXELOS Limited.
All rights reserved.
Quint Wellington Redwood is licensed and accredited by APMG International and EXIN for the following products:
Application Services Library ASL® and Business Information Services Library BiSL® are registered trademarks of the ASL BiSL
Foundation.
PMI®, PMP® and PMBOK® are registered trademarks of the Project Management Institute Inc.
03  Notice
07  PMI Project Management Professionals
09  Syllabus
45  Module 1: Introduction and Background
79  Module 2: Preparing for the ISMS
103 Module 3: Planning and Operating the ISMS
139 Module 4: Controls
213 Sample Exams
317 Acronyms
321 Forms
Attendees of this course earn Professional Development Units (PDUs) granted by the Project Management Institute (PMI®) in order to maintain their status as certified Project Management Professional (PMP).
Please ask your instructor for the applicable Registered Education Provider (R.E.P.) ID and Course code in order to be able to claim your PDUs after completing your course.
If you are interested in learning more about this program, please log on to:
http://www.pmi.org/
Information Security Management Qualification using ISO/IEC 27001
Scheme Syllabus
For ISO/IEC 27001 Foundation, Practitioner – Information Security Officer and Auditor qualifications
This syllabus describes the APMG ISO/IEC 27001 Foundation, Practitioner – Information
Security Officer and Auditor certificate qualifications.
The primary purpose of the syllabus is to provide a basis for the accreditation of people involved with ISO/IEC 27001 and information security management at Foundation, Practitioner – Information Security Officer and Auditor levels. It documents the learning outcomes for the ISO/IEC 27001 qualifications at these levels and describes the requirements a candidate is expected to meet to demonstrate that these learning outcomes have been achieved at each qualification level:
This syllabus informs the design of the exams and provides accredited training organizations
with a more detailed breakdown of what the exams will assess. Details on the exam structure
and content are documented in the ISO/IEC 27001 exam design documents.
1 Foundation Qualification
1.1 Purpose of the Foundation Qualification
The purpose of the Foundation qualification is to confirm that a candidate has sufficient
knowledge of the contents and high-level requirements of the ISO/IEC 27001 standard and
understands at a foundation level how the standard operates in a typical organization.
The Foundation qualification is designed to provide the basic knowledge of ISO/IEC 27001 required as a prerequisite for the Practitioner – Information Security Officer qualification. There is no prerequisite for the Foundation qualification, but an interest and/or background in information security or service management would be an advantage.
• The scope and purpose of ISO/IEC 27001 and how it can be used
• The key terms and definitions used in the ISO/IEC 27000 series
• The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual improvement
• The processes, their objectives and high-level requirements
• Applicability and scope definition requirements
• Use of controls to mitigate IS risks
• The purpose of internal audits and external certification audits, their operation and the associated terminology
• The relationship with best practices and with other related International Standards: ISO 9001 and ISO/IEC 20000.

• Apply the principles of ISMS policy and its information security scope, objectives, and processes within an organizational context
• Apply the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security
• Analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement
• Analyze and evaluate the effectiveness of the ISMS through the use of internal audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS
3 Auditor Qualification
3.1 Purpose of the Auditor Qualification
The purpose of the Auditor qualification is to confirm whether the candidate has achieved
sufficient understanding of ISO/IEC 27001 and ISO 19011 in their application in a given
situation. A successful Auditor candidate should be able to perform audits against ISO/IEC
27001, lead organizations through an audit program and direct audit teams in relation to the
guidance given in ISO 19011. Their individual information security expertise, understanding of
the complexity of the information security management systems and the support given for the
use of ISO/IEC 27001 in their work environment will all be factors that impact what the Auditor
can achieve.
The Auditor qualification assumes candidates will have knowledge of the ISO/IEC 27001 and
ISO 19011 standards, and their application in a given situation. It is recommended that
candidates hold the APMG ISO/IEC 27001 Foundation level (or equivalent qualification) before
attending this course.
APMG have incorporated this into a Learning Outcomes Assessment Model which is used to
provide a simple and systematic means for assessing and classifying the learning outcomes
for APMG qualifications.
The Practitioner – Information Security Officer qualification tests learning outcomes at levels 2
(comprehension), 3 (application) and 4 (analysis).
Generic definition from the APMG Learning Outcomes Assessment Model:
  1. Knowledge: Know key facts, terms and concepts from the standard
  2. Comprehension: Understand key concepts from the standard
  3. Application: Be able to apply key concepts relating to the syllabus area for a given scenario
  4. Analysis: Be able to analyse and distinguish between appropriate and inappropriate use of the standard for a given scenario situation

Information Security Management Auditor Qualification Learning Outcome Assessment Model:
  1. Knowledge: Know facts, including terms and definitions, concepts, principles, controls, roles and responsibilities from the relevant standards.
  2. Comprehension: Understand the concepts, key responsibilities and the requirements, processes and documents needed for auditing management systems
  3. Application: Be able to audit ISMS concepts relating to achievement of the requirements of ISO/IEC 27001 and ISO 19011 for a given scenario.
  4. Analysis: Be able to identify, analyze and distinguish between appropriate and inappropriate use of ISMS methods for achieving the requirements of ISO/IEC 27001 and ISO 19011 through assessment of situations outlined in given scenarios
OV Overview of ISO/IEC 27001 and related best practices, standards and schemes
LE Leadership and support of the ISMS
PL Planning and operation of the ISMS
CO Information security control objectives and controls
AM Auditing information management systems
AC Achieving ISO/IEC 27001 certification
6 Syllabus Presentation
For each syllabus area, learning outcomes for each learning level are identified. Each learning outcome is then supported by a description of the requirements that a candidate is expected to meet to demonstrate that the learning outcome has been achieved at the qualification level indicated. These are shown as syllabus topics.
This syllabus is for the Foundation, Practitioner – Information Security Officer and Auditor level
qualification.
Syllabus table layout: each syllabus area is presented as a table with the columns Syllabus Area Code, Topic, Level, Foundation, Practitioner – ISO, Auditor and Primary References. The example layout in the original shows the Auditor syllabus area AM ("The ISO/IEC 27001 Auditor syllabus Area (XX) Theme"), the level 1 learning outcome ("Know facts, terms and concepts relating to the syllabus area. Specifically to recall:") and topics 01 01 and 01 02, with numbered callouts [1] to [8].
[2] Syllabus Area Code: A unique character code identifying the syllabus area.
7 Important Points
The following points about the use of the syllabus should be noted.
The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2013 and the terms, definitions and concepts in ISO/IEC 27000:2018, as well as the information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2018 or to the information referenced from it in this syllabus. Please note that the Foundation examination is closed book.
The references provided should be considered to be indicative rather than comprehensive, i.e.
there may be other valid references within the guidance.
The syllabus requires awareness of but does not require a detailed knowledge of other
referenced standards:
The primary references for the Practitioner – Information Security Officer course are the
International Standards:
Syllabus topics at levels 3 and 4 provide the primary references but may also include any other
topic from the syllabus area.
It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the
Supplementary Reference Paper during any training course. Delegates should have access to
a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2018. Please note that the
examination is open book.
The primary references for the ISO/IEC 27001 Auditor course are the International Standards:
Other references are made to the Supplementary reference paper for ISO/IEC 27001
Qualification.
It is mandatory that all delegates have access to a personal copy of these documents during their training and at the examination.
Please note that Auditor examinations are open book. No content-related individual notes in the standards used are permitted.
Syllabus topics at levels 3 and 4 provide the primary references but may also include any other
topic from the syllabus area.
The references provided should be considered to be indicative rather than comprehensive, i.e.
there may be other valid references within the guidance.
For the primary reference, the relevant part of the standard is used as the major part of the
reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to
ISO/IEC 27001:2013 Clause 4.2.
8 Syllabus Exclusions
The syllabus does not require specific knowledge of ISMS implementation and best
management practice guidelines.
Syllabus Area OV: Overview of ISO/IEC 27001 and Related Best Practices, Standards and Schemes

Level 1: Know facts, terms and concepts at overview level about ISO/IEC 27001 and related best practices, standards and schemes.
Specifically, to recall:

OV 01 01  The key standards with their purpose that comprise the ISO/IEC 27000 series:
          1. ISO/IEC 27000
          2. ISO/IEC 27001
          3. ISO/IEC 27002
          4. ISO/IEC 27003
          5. ISO/IEC 27004
          6. ISO/IEC 27005
          Primary reference: ISO/IEC 27000, 5.2, 5.3 & 5.4 (title and purpose sections only)
          1. Residual risk
          2. Risk acceptance
          3. Risk analysis
          4. Risk assessment
          5. Risk criteria
          6. Risk evaluation
          7. Risk identification
          8. Risk management
          9. Risk owner
          10. Risk treatment

          1. Consequence
          2. Risk
          3. Threat
          4. Vulnerability
OV 01 07  The names of the clauses (in bold) and sub-clauses covered within the requirements of ISO/IEC 27001:
          6. Leadership
          7. Leadership and commitment
          8. Policy
          9. Organizational roles, responsibilities and authorities
          10. Planning
          11. Actions to address risks and opportunities
          12. Information security objectives and planning to achieve them
          13. Support
          14. Resources
          15. Competence
          16. Awareness
          17. Communication
          18. Documented information
          19. Operation
          20. Operational planning and control
          21. Information security risk assessment
          22. Information security risk treatment
          27. Improvement
          28. Nonconformity and corrective action
          29. Continual improvement
          Primary reference: ISO/IEC 27001, Contents
Level 2: Understand how ISO/IEC 27001 and associated best practices, standards and schemes can be used to achieve conformity to ISO/IEC 27001.
Specifically, to identify:

OV 02 01  The relationships and differences between ISO/IEC 27001 and the following standards within the ISO/IEC 27000 series:
          1. ISO/IEC 27000
          2. ISO/IEC 27002
          3. ISO/IEC 27003
          4. ISO/IEC 27004
          5. ISO/IEC 27005
          Primary reference: ISO/IEC 27000, 5.2, 5.3, 5.4 (title and purpose sections only)
OV 02 02  The roles of the organizations and entities involved in ISO/IEC 27001 Qualification and Certification Schemes:
          1. APMG-International
          2. Certification Bodies (CBs)
          3. National Accreditation Bodies (NABs)
          4. Accredited Training Organizations (ATOs)
          5. Practitioners
          6. Consultants
          7. Internal Auditors
          8. External Auditors
          Primary reference: Supplementary paper, 2.5
Syllabus Area LE: Leadership and support of the ISMS

LE 01 02  The integration of the ISMS with the organization’s processes and management structure
          Primary reference: ISO/IEC 27001, 0.1 para 3, 5.1 b)
LE 01 03  The decisions and influencing factors for the adoption and implementation of an ISMS
          Primary reference: ISO/IEC 27001, 0.1, para 1
LE 01 04  The requirement to understand the organization and its context
          Primary reference: ISO/IEC 27001, 4.1
LE 01 06  The characteristics used to define the scope and boundaries of the ISMS
          Primary reference: ISO/IEC 27001, 1, 4.3
LE 02 02  Further principles of top management demonstrating leadership and commitment to ISMS processes, specifically:
          Primary reference: ISO/IEC 27001, 5.1 b), 5.1 g) & 5.1 h)
LE 02 04  The activities and considerations to be made when defining roles and responsibilities
          Primary reference: ISO/IEC 27003, 5.2, 5.3 (Supplementary paper, 6)
LE 02 05  The roles and their specific requirements and responsibilities required for information security management and operation, along with their interaction within the organization
          Primary reference: ISO/IEC 27003, 5.2, 5.3 (Supplementary paper, 6)
LE 02 07  The requirements for the processes and content for the appropriate management of documents for the operation of an ISMS, specifically:
          1. The creation and updating of documents (7.5.1 NOTE / 7.5.2)
          2. The control of documented information (7.5.3 c-f, end para & NOTE)
          Primary reference: ISO/IEC 27001, 7.5.1 NOTE a-c), 7.5.2, 7.5.3 c-f) end para & NOTE
LE 02 08  The basic principles of the provision of resources and competence within an ISMS:
          Primary reference: ISO/IEC 27001, 7.1, 7.2 & 5.1c
LE 02 09  The basic principles for awareness and communication for personnel working within an ISMS:
          1. Awareness of the information security policy, contribution to the effectiveness of the ISMS, benefits of the ISMS and implications of not complying with the ISMS
          2. Determining the need for internal and external communication about the ISMS
          Primary reference: ISO/IEC 27001, 7.3, 7.4 1st line of para 1 excluding a) – e)
LE 02 11  The requirements for appropriate boundaries and scope for an ISMS with consideration of:
          1. External and internal issues
          2. The requirements of interested parties
          3. The interfaces and dependencies of activities
          Primary reference: ISO/IEC 27001, 4.3; ISO/IEC 27003:2017, 4.2 (Supplementary paper, 5)
Level 3: Apply the ISMS Leadership and Support management systems requirements from ISO/IEC 27003, to enable the achievement of conformity to ISO/IEC 27001 for a given scenario.
Specifically, to apply:

LE 03 01  The activities and considerations to be made when defining roles and responsibilities
          Primary reference: ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6)
LE 03 02  The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
          Primary reference: ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6)
LE 03 03  The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 4, 5 & 7

Specifically, to apply:

LE 03 04  The concepts, responsibilities and requirements about the context for an ISMS according to Clause 4 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 4
LE 03 05  The concepts, responsibilities and requirements about the leadership for an ISMS according to Clause 5 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 5 & 7.1
LE 03 06  The concepts, responsibilities and requirements about the awareness and competence support for an ISMS according to Clause 7 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 7.2 & 7.3
LE 04 02  The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
          Primary reference: ISO/IEC 27003, 5.2 & 5.3 (Supplementary paper, 6)
LE 04 03  The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 4, 5 & 7

Specifically, to analyse:

LE 04 04  The concepts, responsibilities and requirements about the context for an ISMS according to Clause 4 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 4
LE 04 05  The concepts, responsibilities and requirements about the leadership for an ISMS according to Clause 5 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 5 & 7.1
LE 04 06  The concepts, responsibilities and requirements about the awareness and competence support for an ISMS according to Clause 7 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 7.2 & 7.3
Syllabus Area PL: Planning and operation of the ISMS

Level 1: Know facts, terms and concepts relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001.
Specifically, to recall:

PL 01 01  Contents of the Statement of Applicability
          Primary reference: ISO/IEC 27001, 6.1.3 d)
PL 02 03  The general considerations, basic criteria, scope and boundaries and organization for establishing the context of the risk management process, specifically the:
          1. Risk evaluation criteria
          2. Impact criteria
          3. Risk acceptance criteria
          Primary reference: ISO/IEC 27005, 7

          1. Consequences
          2. Incident likelihood
          3. Risk determination

PL 02 08  Selection of the risk treatment options taking account of the risk assessment results
          Primary reference: ISO/IEC 27001, 6.1.3 a); ISO/IEC 27000, 3.72
PL 02 09  The approaches to risk treatment, specifically:
          1. Modification
          2. Retention
          3. Avoidance
          4. Sharing
          Primary reference: ISO/IEC 27005, 9
PL 02 11  Formulating a risk treatment plan:
          1. formulate an information security risk treatment plan
          2. obtain approval from risk owner for the plan and residual risks
          3. implement the risk treatment plan
          4. retain documented information for the process and results of the risk treatment
          Primary reference: ISO/IEC 27001, 6.1.3 e) f), last para and 8.3

          1. Risk factors
          2. Risk management monitoring, review and improvement
PL 02 17  Appropriate development steps for performance evaluation including:
          1. What needs to be monitored and measured (9.1 a) and last para)
          2. When and who will monitor and measure (9.1 c-d)
          3. The appropriate methodologies for monitoring, measurement, analysis and evaluation (9.1 b)
          4. When and who will analyze and evaluate the results (9.1 e-f)
          Primary reference: ISO/IEC 27001, 9.1 para 2, a) - f), excluding NOTE
PL 02 21  The applicable principles for the review and outputs for a management review including:
          Primary reference: ISO/IEC 27001, 9.3 para a), b), d) – f), last para
PL 02 22  Nonconformity and corrective actions:
          Primary reference: ISO/IEC 27001, 10.1

Specifically, to apply:

PL 03 08  The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process
          Primary reference: ISO/IEC 27001, 6
PL 03 10  The concepts, responsibilities, requirements and processes relating to performance evaluation of an ISMS within Clause 9 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 9
PL 04 10  The concepts, responsibilities, requirements and processes relating to performance evaluation of an ISMS within Clause 9 of ISO/IEC 27001
          Primary reference: ISO/IEC 27001, 9
Syllabus Area CO: Information security control objectives and controls

Level 1: Know the topic areas for information security controls within ISO/IEC 27001.
Specifically, to recall:

CO 01 01  1. The structure and contents of the controls and control objectives listed in Annex A of ISO/IEC 27001
          2. The definition of:
             a. Control
             b. Control objective
          Primary reference: Supplementary paper, 3.1; ISO/IEC 27000, 3.14 & 3.15
CO 01 02  The names of the security control clauses for information security controls (numbers with the prefix A refer to references in Annex A of ISO/IEC 27001):
          Primary reference: ISO/IEC 27001, Annex A
CO 01 03  The names of the security control clauses for information security controls (numbers with the prefix A refer to references in Annex A of ISO/IEC 27001):
          Primary reference: ISO/IEC 27001, Annex A
CO 01 04  The name of the security category and the control objective for the security control clause ‘information security policies’
          Primary reference: ISO/IEC 27001, Annex A, 5.1 (category and objective only)
There are no syllabus items at level 1 for this area
Level 2: Understand the subjects covered for specific information security control clauses within ISO/IEC 27001, with implementation parameters defined by ISO/IEC 27002.
Specifically, to identify:

CO 02 01-04  Not used. (See 19 onwards for Foundation 02 topics)
CO 02 05  Information security policies; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002, 5
CO 02 06  Organization of information security; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002, 6
CO 02 07  Human resources security; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002, 7
CO 02 08  Asset management; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002, 8
CO 02 09  Access control; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002, 9
CO 02 10  Cryptography; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002, 10
CO 02 11  Physical and environmental security; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002, 11
CO 02 12  Operations security; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002, 12
CO 02 13  Communications security; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002, 13
CO 02 14  System acquisition, development and maintenance; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002, 14
CO 02 15  Supplier relationships; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002, 15
CO 02 16  Information security incident management; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002, 16
CO 02 17  Information security aspects of business continuity management; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002, 17
CO 02 18  Compliance; scope and implementation parameters
          Primary reference: ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002, 18
CO 02 19  The control description for the control ‘policies for information security’
          Primary reference: ISO/IEC 27001, Annex A, A.5.1.1
CO 02 20  The control description for the control ‘review of the policies for information security’
          Primary reference: ISO/IEC 27001, Annex A, A.5.1.2
CO 02 21  The control objective for the security category ‘during employment’
          Primary reference: ISO/IEC 27001, Annex A, A.7.2 (category and objective only)
CO 02 22  The control objectives for the security categories in asset management covering:
          1. Responsibility for assets
          2. Information classification
          3. Media handling
          Primary reference: ISO/IEC 27001, Annex A, A.8.1, A.8.2 and A.8.3 (categories and objectives only)
CO 02 23  The control objectives for the security categories in access control covering:
          1. Business requirements of access control
          2. User access management
          Primary reference: ISO/IEC 27001, Annex A, A.9.1 and A.9.2 (categories and objectives only)
CO 02 24  The control objective for the security category ‘management of information security incidents and improvements’
          Primary reference: ISO/IEC 27001, Annex A, A.16.1 (category and objective only)
CO 02 25  The control objective for the security category ‘compliance with legal and contractual requirements’
          Primary reference: ISO/IEC 27001, Annex A, A.18.1 (category and objective only)
There are no syllabus items at level 2 for this area
Level 3: Be able to identify, apply and tailor the appropriate aspects of ISO/IEC 27001 Annex A controls to a scenario, as defined in ISO/IEC 27002.

Level 3: Be able to apply an audit of ISO/IEC 27001 Annex A controls in a scenario, as defined in ISO/IEC 27002.
Specifically, to apply:

CO 03 19  Information security policies
          Primary reference: ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002, 5
CO 03 31  Information security aspects of business continuity management
          Primary reference: ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002, 17
CO 04 16  Information security incident management
          Primary reference: ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002, 16
CO 04 17  Information security aspects of business continuity management
          Primary reference: ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002, 17
CO 04 18  Compliance
          Primary reference: ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002, 18

Level 4: Be able to identify, analyze and distinguish audit requirements within an ISMS to demonstrate conformity status to ISO/IEC 27001 for a given scenario.
Specifically, to analyze with reasons whether the requirements of ISO/IEC 27001 have been met under an audit scenario including:

CO 04 19  Information security policies
          Primary reference: ISO/IEC 27001, Annex A, A.5; ISO/IEC 27002, 5
CO 04 20  Organization of information security
          Primary reference: ISO/IEC 27001, Annex A, A.6; ISO/IEC 27002, 6
CO 04 21  Human resources security
          Primary reference: ISO/IEC 27001, Annex A, A.7; ISO/IEC 27002, 7
CO 04 22  Asset management
          Primary reference: ISO/IEC 27001, Annex A, A.8; ISO/IEC 27002, 8
CO 04 23  Access control
          Primary reference: ISO/IEC 27001, Annex A, A.9; ISO/IEC 27002, 9
CO 04 24  Cryptography
          Primary reference: ISO/IEC 27001, Annex A, A.10; ISO/IEC 27002, 10
CO 04 25  Physical and environmental security
          Primary reference: ISO/IEC 27001, Annex A, A.11; ISO/IEC 27002, 11
CO 04 26  Operations security
          Primary reference: ISO/IEC 27001, Annex A, A.12; ISO/IEC 27002, 12
CO 04 27  Communications security
          Primary reference: ISO/IEC 27001, Annex A, A.13; ISO/IEC 27002, 13
CO 04 28  System acquisition, development and maintenance
          Primary reference: ISO/IEC 27001, Annex A, A.14; ISO/IEC 27002, 14
CO 04 29  Supplier relationships
          Primary reference: ISO/IEC 27001, Annex A, A.15; ISO/IEC 27002, 15
CO 04 30  Information security incident management
          Primary reference: ISO/IEC 27001, Annex A, A.16; ISO/IEC 27002, 16
CO 04 31  Information security aspects of business continuity management
          Primary reference: ISO/IEC 27001, Annex A, A.17; ISO/IEC 27002, 17
CO 04 32  Compliance
          Primary reference: ISO/IEC 27001, Annex A, A.18; ISO/IEC 27002, 18
There are no syllabus items at level 4 for this area
Version 4.6 (Status: Final) Page 32 of 35 Owner: Chief Examiner
©The APM Group Limited 2020
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd
The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Syllabus Area AM: Auditing information management systems

Specifically, to recall:

AM 01 01  Terms relating to establishing an audit
          1. Audit
          2. Combined audit
          3. Joint audit
          4. Audit programme
          5. Audit scope
          6. Audit plan
          7. Audit criteria
          Primary reference: ISO 19011, 3.1 – 3.7

          2. Audit evidence
          3. Audit findings
          4. Audit conclusion
          5. Conformity
          6. Nonconformity
AM 01 04  Terms relating to auditing of a management system
          1. Management system
          2. Risk
          3. Requirement
          4. Process
          5. Performance
          6. Effectiveness
          Primary reference: ISO 19011, 3.18 – 19 & 3.23 - 26

Specifically, to identify:

AM 02 01  Application of the principles of auditing
          Primary reference: ISO 19011, 4
AM 02 04  Processes for determining audit information availability and access
          Primary reference: ISO 19011, 6.4.5
AM 02 07  Processes for the generation of audit findings using audit criteria
          Primary reference: ISO 19011, 6.4.8
AM 02 08  Processes for the preparation and content of audit conclusions
          Primary reference: ISO 19011, 6.4.9
AM 02 09  Processes for the conduct of closing meeting & presentation of audit findings and conclusions
          Primary reference: ISO 19011, 6.4.10
AM 02 10  Preparation and distribution of the audit report
          Primary reference: ISO 19011, 6.5
Syllabus Area AC: Achieving ISO/IEC 27001 Certification

Level 1: Know facts, terms and concepts about auditing an ISMS for ISO/IEC 27001 certification and concepts relating to providing and conducting audits.
Specifically, to recall:

Specifically, to identify:

AC 02 01  The requirements for the conduct of audits:
          1. Certification audits (initial and re-certification)
          2. Surveillance audits
          Primary reference: Supplementary paper, 4.1
$'(%%&!
"
# #
Copyright © APMG Limited 2019. All rights reserved. Material is reproduced under license from APMG
I27-302_1.10_ENG_QWRN_ISO27KPR
Classic – ‘Choose one from a list of possible answers’. The correct response is to be selected from a list
of 3 or 4 options.
Multiple Response – ‘Choose two correct options from a list’. This test type follows exactly the same
format as the ‘Classic test type’, but more than one response is required for the answer. It is the only
test type that requires more than one response. Both responses must be correct to gain a mark.
If more or fewer than two responses are given then the answer will be void. The format 2 out of 5
options is the only format used.
Matching - ‘Link items in one list to items in a second list’. There is only one correct response to each
question item, but options from the second list may be used once, more than once or not at all.
Sequence Matching – ‘Position events in a sequence’. The activities in Column 1 have to be placed
in the sequence in which they should be performed. An option from Column 2 is selected for each
activity in Column 1.
Assertion Reason – ‘Evaluate two statements (an assertion and a Better Business Cases reason), to
determine if either, both or neither is true and, if both are true, whether the reason explains why the
assertion is true’. If either statement is false, the answer is selected from options C, D or E. If both
statements are true a third step is required: if the reason explains why the assertion is true, the answer
is A, if it does not the answer is B. There is only one correct response to each question item, but
options can be used once, more than once or not at all.
Copyright © AXELOS Limited 2020. Used under permission of AXELOS Limited. All rights reserved.
History
The graphic provided shows the 2-pronged nature of the 27000 standard. This is historic and now an
embedded feature of the documents.
BS7799 was published in 1995 as a ‘Code of Practice’. In April 1999 it became a formal 2-part
standard: BS7799 Part 1 ‘Code of Practice for Information Security Management’ and BS7799 Part 2
‘Specification for Information Security Management Systems’. Part 1 provided best practice guidance;
Part 2 formed the standard against which an organisation's security management system could be
assessed. BS7799 Part 1 was internationalised as ISO 17799, then ISO 27002. The BS7799 Code of
Practice, Part 1, took the form of guidance and recommendations. Its foreword clearly stated that it was
not to be treated as a specification. It became internationalised as ISO 17799 in December 2000 and a
revised version was issued in early 2005; it was later renamed in 2007 as ISO 27002.
ISO 27002:2005 is the international code of best practice that is increasingly applied by organizations
who are seeking a method of implementing an information security management system that will
ensure they effectively meet the wide range of regulatory and compliance demands they face today.
BS7799 Part 2 was revised in 2002, with significant reordering of the controls. The British Standard
then underwent fast-track internationalisation in 2005 and ISO 27001:2005 was published.
Certifications prior to publication of ISO/IEC 27001 will be certified against BS7799-2:2002 and,
therefore, organisations will need to adapt their current projects or existing management systems
accordingly. The ISMS converter provides more information on the changes, together with a detailed
side-by-side comparison of the old and new versions of ISO/IEC 17799 (27002).
ISO 27001:2013 was published on 25/09/2013. It cancels and replaces ISO 27001:2005, and
is published by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC). It is a specification for an information security management system
(ISMS). Organisations which meet the standard may be accredited by an independent accreditor.
The revised 2013 version of ISO/IEC 27002 was published in September 2013 at the same time as the
new version of ISO/IEC 27001. The title has changed from “Code of practice for information security
management” to “Code of practice for information security controls” to emphasize that one deals
with the actual security controls whereas the other deals with their management.
Leadership
There are many reasons why an organisation might try to become certified to 27001. If you can’t think
of a good reason, then it may not be worth doing. It is not an end in itself. Before any work starts, you
need to identify the objectives of certification. These COULD include inter alia:
Top Management is most likely to be the Board or equivalent. The Board tends to be the legal ‘owner’
of corporate or organisational assets. They need to delegate authority to executives to ensure they
are empowered to operate. The CEO may well sit on the Board, but may also have an operational,
executive role. The committee structure set out on this page is for illustration purposes. Organisation
and governance for the ISMS and related matters are covered in more detail later in this slide pack.
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
1. ensuring the information security policy and the information security objectives are established
and are compatible with the strategic direction of the organization;
2. ensuring the integration of the information security management system requirements into the
organization’s processes;
3. ensuring that the resources needed for the information security management system
are available;
4. communicating the importance of effective information security management and of conforming
to the information security management system requirements;
5. ensuring that the information security management system achieves its intended outcome(s);
6. directing and supporting persons to contribute to the effectiveness of the information security
management system;
BAU - Business As Usual
When planning how to achieve its information security objectives you must determine
Resources
7.1 Resources
The organization shall determine and provide the resources needed for the establishment,
implementation, maintenance and continual improvement of the information security
management system.
This table is used for the practitioner paper in the LE syllabus area. This information is taken directly
from ISO/IEC 27003:2010, table B.1. In supplementary paper.
This table is used for the practitioner paper in the LE syllabus area. This information is taken directly
from ISO/IEC 27003, 5.3.2. In supplementary paper.
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
Guidance
In order to execute the ISMS project, the role of an organization for the project should be determined.
The role generally is different at each organization, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and the staff should be assigned roles and responsibilities based on
the skill required to perform the job. This is critical to ensure that the tasks are carried out efficiently
and effectively.
The most important considerations in the definition of roles in information security management are:
The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.
Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.
Representatives from departments within the identified scope (such as risk management) are potential
ISMS implementation team members. This team should be maintained at the smallest practical size
for speed and effective use of resources. Such areas are not only those directly included in the ISMS
scope, but also the indirect divisions, such as legal, risk management and administrative departments.
Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.
Communication
d) be communicated;
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
a) on what to communicate;
b) when to communicate;
5.3 Organizational roles, responsibilities and authorities Top management shall ensure that
the responsibilities and authorities for roles relevant to information security are assigned
and communicated.
A5.1.1 Policies
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The outputs of the management review shall include decisions related to continual improvement
opportunities and any needs for changes to the information security management system.
7.2 Competence
1. determine the necessary competence of person(s) doing work under its control that affects its
information security performance;
2. ensure that these persons are competent on the basis of appropriate education, training,
or experience;
3. where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken; and
4. retain appropriate documented information as evidence of competence.
NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or
the reassignment of current employees; or the hiring or contracting of competent persons.
Leadership – Documentation
7.5.1 General
NOTE The extent of documented information for an information security management system can
differ from one organization to another due to:
1. the size of organization and its type of activities, processes, products and services;
2. the complexity of processes and their interactions; and
3. the competence of persons.
When creating and updating documented information the organization shall ensure appropriate:
Documented information required by the information security management system and by this
International Standard shall be controlled to ensure:
1. it is available and suitable for use, where and when it is needed; and
2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities,
as applicable:
NOTE Access implies a decision regarding the permission to view the documented information only, or
the permission and authority to view and change the documented information, etc.
6.1.1 General
When planning for the information security management system, the organization shall consider
the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and
opportunities that need to be addressed to:
1. ensure the information security management system can achieve its intended outcome(s);
2. prevent, or reduce, undesired effects; and
3. achieve continual improvement.
The organization shall establish information security objectives at relevant functions and levels.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security
risk treatment.
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
Copyright © Quint Wellington Redwood and AXELOS Limited 2020. All rights reserved. Material in this document has been sourced from ITIL® Lifecycle Publications 2011 Edition. No part of this document may be
reproduced in any form without the written permission of both SPOCE and AXELOS Limited. Permission can be requested at https://www.quintgroup.com and licensing@AXELOS.com
NOTE The methods selected should produce comparable and reproducible results to be
considered valid.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results.
A scope document is required when planning to implement the standard. This mandatory scope
document must list all the business processes, facilities and technical assets, as well as the types of
information within the ISMS. Furthermore, when defining the scope of compliance, you must define
clearly the dependencies and interfaces between your organisation and external entities.
The assessment must compare the results of risk analysis with the risk criteria established earlier and
then prioritize the risks for treatment.
Documented information about the information security risk assessment process MUST be retained.
Phase 1: assesses the level of business risk associated with an information system, by considering
the business consequences and impact of a loss of the confidentiality, integrity or availability of
information processed by the system.
Phase 2: identifies the likelihood of various events which could lead to a loss of confidentiality,
integrity or availability. These events are then plotted in a matrix that highlights those risks that need
prioritised attention.
Phase 3: produces an agreed plan of action for implementing required controls to mitigate the
identified risk, by considering the controls identified as being important, their priority and the work
involved in introducing them.
Selection of risk treatment options must take account of the Risk Assessment results.
• Controls determined by the Risk Assessment should be compared with those in Annex A to verify
that no necessary controls have been omitted
• The SOA must contain the necessary controls and justification for inclusions (whether they
are implemented or not) and the justification for exclusions of controls listed in Annex A of
the Standard
• Controls can be designed specifically for an ISMS, or can be identified from any source
• Annex A contains a comprehensive list of control objectives and controls. Ensure that no necessary
controls are overlooked by using Annex A as a checklist
• Although control objectives are implicit in many of the Annex A controls, these are not exhaustive
and additional control objectives and controls may be needed
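The Annex A cross-check and SoA justification rules described above, as an added Python example that is not part of the workbook or of the Standard. The Annex A list is a five-control subset, and the selected controls, SoA entries and justifications are constructed sample data.

```python
"""Statement of Applicability (SoA) consistency check.

Added example, not part of the workbook or of ISO/IEC 27001. Cross-checks
the controls selected by the risk treatment against Annex A and the SoA:
  - no control required by the risk treatment is missing from the SoA;
  - every Annex A control has an SoA entry with a justification, whether
    it is included (implemented or planned) or excluded;
  - controls that are not in Annex A (designed for this ISMS or taken from
    another source) are reported for review, not rejected.
All control identifiers and justifications below are a constructed subset.
"""
from dataclasses import dataclass

# Constructed subset of Annex A identifiers (the full list is in the Standard).
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.6.1.1": "Information security roles and responsibilities",
    "A.9.2.1": "User registration and de-registration",
    "A.12.3.1": "Information backup",
    "A.17.1.1": "Planning information security continuity",
}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    implemented: bool = False  # included controls may still be unimplemented


@dataclass
class SoaFinding:
    control_id: str
    issue: str


def check_soa(selected_controls, soa):
    """Return a list of SoaFinding; an empty list means the SoA is consistent.

    selected_controls: control ids determined necessary by the risk treatment.
    soa: dict control_id -> SoaEntry.
    """
    findings = []
    # 1. Every control the risk treatment needs must be included in the SoA.
    for cid in sorted(selected_controls):
        entry = soa.get(cid)
        if entry is None:
            findings.append(SoaFinding(cid, "required by risk treatment but absent from SoA"))
        elif not entry.applicable:
            findings.append(SoaFinding(cid, "required by risk treatment but excluded in SoA"))
    # 2. Every Annex A control needs an entry and a justification either way.
    for cid in sorted(ANNEX_A):
        entry = soa.get(cid)
        if entry is None:
            findings.append(SoaFinding(cid, "Annex A control has no SoA entry"))
        elif not entry.justification.strip():
            kind = "inclusion" if entry.applicable else "exclusion"
            findings.append(SoaFinding(cid, f"no justification for {kind}"))
    # 3. Controls outside Annex A are allowed but flagged for review.
    for cid in sorted(soa):
        if cid not in ANNEX_A:
            findings.append(SoaFinding(cid, "not an Annex A control; confirm source and objective"))
    return findings


# Constructed sample: the risk treatment selected four controls ...
SELECTED = {"A.5.1.1", "A.9.2.1", "A.12.3.1", "ORG-01"}
# ... and this is the SoA as drafted (deliberately inconsistent).
SOA = {
    "A.5.1.1": SoaEntry("A.5.1.1", True, "Required by risk R-01; policy approved", True),
    "A.6.1.1": SoaEntry("A.6.1.1", True, "Required by governance structure", True),
    "A.9.2.1": SoaEntry("A.9.2.1", True, "", False),                       # no justification
    "A.12.3.1": SoaEntry("A.12.3.1", False, "Handled by provider", False),  # wrongly excluded
    "ORG-01": SoaEntry("ORG-01", True, "Bespoke control for risk R-07", True),
    # A.17.1.1 has no entry at all
}

if __name__ == "__main__":
    for f in check_soa(SELECTED, SOA):
        print(f"{f.control_id}: {f.issue}")
```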
Risk Treatment
Four options are available for risk treatment: risk modification, risk retention, risk avoidance and
risk sharing. Note that ISO/IEC 27001:2005 4.2.1. f) 2) uses the term “accepting risk” instead of
“risk retention”.
When a large reduction in risk can be obtained with relatively low expenditure, such an option should
be implemented. Sometimes things are not so obvious and require a balanced investigation to justify
implementation.
In general, the impact of risks manifesting should be reduced to as low a level as is reasonably
practicable. Note that it is important to consider uncommon but severe risks. These can be hard to
justify in economic terms, but should they manifest, they may take down the entire organisation. An
example of the types of control developed to meet such risks is business continuity planning.
The four options are not mutually exclusive: a combination of options can be used, such as reducing
the likelihood of risks manifesting, reducing their impact should they occur, and sharing or retaining
any residual risks. Note that some risk treatments can address more than one risk (e.g. information
security training and awareness).
A risk treatment plan needs to be defined which identifies the priority ordering in which individual
risk treatments should be implemented and when this should happen. You can establish priority
via a number of techniques, including risk ranking and cost-benefit analysis. It is a management
responsibility to decide the balance between risk, the costs of implementing controls and the
budget assignment.
Risk assessment needs to take current controls into account. It may be the case that existing controls
appear to exceed current needs. The option of removing a control is available, as this may reduce
cost and improve the process. However, control infrastructures can be very complex, with controls
becoming intertwined and interdependent. Removing one control may impact the efficacy of others.
As a rule of thumb, it is often best to leave controls in place unless there is a truly compelling case to
remove them.
Once the risk treatment plan has been documented, residual risk needs to be determined. This
requires a re-run of the risk assessment, taking into account the expected effects of the proposed risk
treatment. Should any residual risk still not meet the risk acceptance criteria, further risk treatment
may be necessary before risks are accepted.
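The treatment cycle just described, together with the earlier assessment step of comparing analysed risk levels with the risk criteria, as an added Python example that is not part of the workbook and not a method prescribed by the Standard. The likelihood and impact scales, the acceptance criterion, the cost units and the risk register are constructed assumptions.

```python
"""Risk treatment plan with residual-risk re-run.

Added example, not part of the workbook and not a method prescribed by the
Standard. It follows the steps in the text: compare analysed risk levels with
the acceptance criteria, choose one of the four treatment options per risk
(modify, retain, avoid, share), order the plan by risk ranking and then by
cost-benefit, re-run the assessment on the expected effect of each treatment
and flag residual risks that still fail the criteria. Scales, thresholds and
all risk data are constructed for the example.
"""
from dataclasses import dataclass, replace

ACCEPTABLE_LEVEL = 6        # constructed criterion: likelihood x impact <= 6 ...
MAX_TOLERABLE_IMPACT = 5    # ... and no risk at the severe end of the impact scale


@dataclass(frozen=True)
class Risk:
    risk_id: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    def acceptable(self) -> bool:
        """Compare the analysed risk with the acceptance criteria.
        The impact ceiling catches the uncommon-but-severe case, which a
        plain level threshold would let through."""
        return self.level <= ACCEPTABLE_LEVEL and self.impact < MAX_TOLERABLE_IMPACT


@dataclass(frozen=True)
class Treatment:
    option: str           # "modify", "share", "avoid" or "retain"
    cost: int             # constructed relative cost units
    likelihood_cut: int = 0
    impact_cut: int = 0

    def apply(self, risk: Risk) -> Risk:
        """Expected effect of the treatment, i.e. the residual risk."""
        if self.option == "avoid":      # activity stopped: the risk no longer arises
            return replace(risk, likelihood=0)
        if self.option == "retain":     # accepted as is, nothing changes
            return risk
        # "modify" (reduce likelihood and/or impact) and "share" (transfer part
        # of the impact) both reduce the factors, never below 1.
        return replace(
            risk,
            likelihood=max(1, risk.likelihood - self.likelihood_cut),
            impact=max(1, risk.impact - self.impact_cut),
        )


@dataclass(frozen=True)
class PlanItem:
    risk: Risk
    treatment: Treatment
    residual: Risk
    needs_further_treatment: bool


def build_plan(risks, treatments):
    """Order the plan by risk ranking, then by reduction per unit cost, and
    re-run the assessment to determine residual risk for each entry."""
    items = []
    for risk in risks:
        treatment = treatments[risk.risk_id]
        residual = treatment.apply(risk)
        items.append(PlanItem(risk, treatment, residual, not residual.acceptable()))

    def priority(item):
        reduction = item.risk.level - item.residual.level
        cost = item.treatment.cost
        benefit_per_cost = reduction / cost if cost > 0 else 0.0
        return (-item.risk.level, -benefit_per_cost)

    return sorted(items, key=priority)


# Constructed risk register; R-03 is the uncommon-but-severe case from the text.
RISKS = [
    Risk("R-01", likelihood=4, impact=3),   # level 12
    Risk("R-02", likelihood=2, impact=2),   # level 4, already within criteria
    Risk("R-03", likelihood=1, impact=5),   # level 5, but severe impact
    Risk("R-04", likelihood=5, impact=4),   # level 20, highest ranked
]
TREATMENTS = {
    "R-01": Treatment("modify", cost=3, likelihood_cut=2),                # e.g. awareness training
    "R-02": Treatment("retain", cost=0),                                  # accept, within criteria
    "R-03": Treatment("modify", cost=2, impact_cut=1),                    # e.g. continuity planning
    "R-04": Treatment("modify", cost=4, likelihood_cut=2, impact_cut=1),  # residual still too high
}

if __name__ == "__main__":
    for item in build_plan(RISKS, TREATMENTS):
        flag = "FURTHER TREATMENT" if item.needs_further_treatment else "accept residual"
        print(f"{item.risk.risk_id}: {item.risk.level} -> {item.residual.level} "
              f"({item.treatment.option}, cost {item.treatment.cost}) {flag}")
```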
• determine any gaps between the information security controls and related security management
practices in place, and those recommended by ISO/IEC 27001
• provide a documented record of the findings made and any recommendations
• provide a detailed action plan with delivery dates and responsibilities
The analysis process normally consists of interviews with key people within each of the areas within
the scope of the ISMS. Actions identified are recorded, with those responsible or accountable for
delivering the control identified and given their task(s).
One technique for assessing gaps is the Maturity Level Rating, in which maturity levels are rated
using the Capability Maturity Model (CMM) methodology. The Capability Maturity Model was
originally used to assess US government contractors' ability to perform a software development
project. Though the model comes from the field of software development, it is also used as a general
model to aid business processes generally, and has been used extensively in assessing information
security capability. CMM provides a benchmark for comparison and acts as an aid to understanding
the behaviours, practices and processes of an organisation. The five CMM levels are:
• CMM 1 (Initial) – security risks need to be addressed, but there are no controls in place to
mitigate them
• CMM 2 (Limited) – limited, often informal, undocumented controls are in place
• CMM 3 (Defined) – security controls are in place and formalised, but require more effective
corporate backing and implementation
• CMM 4 (Managed) – controls are in place, documented and implemented, but require refinement
• CMM 5 (Optimized) – controls meet all requirements of ISO 27001
Having assessed the information security risks within the ISMS scope, you need to work out which
controls (normally taken from Annex A of the standard) apply.
You should record your decision in a table or spreadsheet, as in the slide. The result should be cross-
referenced with the gap analysis. All decisions that indicate a control is NOT applicable need to be
justified. Both the gap analysis and the Statement of Applicability (SOA) documents/spreadsheets need
to be maintained. They are living documents, and form core elements of the material used as evidence
during certification.
Stakeholders can include shareholders, authorities (including legal and regulatory), clients, partners,
etc. All interested parties must be listed, together with all their requirements, to form one of the key
inputs to deciding the initial scope of the ISMS.
The information security risk management process should be continually monitored, reviewed and
improved as necessary and appropriate.
This monitoring and review activity should address (but not be limited to):
Any agreed improvements to the process, or actions necessary to improve compliance with it, should
be notified to the appropriate managers. This gives assurance that no risk or risk element is overlooked
or underestimated, and that the necessary actions are taken and decisions made to provide a realistic
understanding of risk and the ability to respond.
ISMS performance evaluation needs to meet ISO 27001 9.1 Monitoring, measurement, analysis
and evaluation. It also covers 9.3 of 27001.
NOTE: the methods selected should produce comparable and reproducible results to be considered
valid.
• Audits are mandatory and must comply with internal requirements and those of ISO 27001 9.2
Internal audit.
• It is required that these audits are implemented effectively and the process is maintained.
• An audit programme must be planned, established, implemented and maintained. The plan must
include the frequency of audit, the methods to be used, who is responsible for it and how findings
are reported.
• Each audit must have defined criteria and be scoped appropriately.
• They must be conducted to ensure objectivity and impartiality, and reporting must be made to
appropriate management.
• All relevant information must be retained and documented.
• Audit requirements set out clearly how this should be carried out.
A non-conformity is the non-fulfilment of a requirement (ISO 27000:2012, from ISO 9000:2005).
Controls
• Communication of roles and responsibilities – this is essential in all subject areas and for all
relevant staff – at whatever level
• Documentation of agreed policy, processes and procedures – and this is communicated and
made accessible
• Management information needs to be gathered and managed so the ISMS can be ‘managed
by fact’
• Risk assessment is core to all aspects of control. It guides focus, priority for action, and
ultimately, investment in security. This helps practitioners distinguish between ‘appropriate and
inappropriate controls’
Controls
From 27002
Source: ISO 27001 Table A.1 — Control objectives and controls - A.5 Information security policies -
A.5.1 Management direction for information security
• a) business strategy;
• b) regulations, legislation and contracts;
• c) the current and projected information security threat environment.
• a) definition of information security, objectives and principles to guide all activities relating to
information security;
This is an example of a ‘Policy Map’. It is not designed to be complete nor to act as an exact template.
The documents in it are hierarchical. The documents will need to be supported by documented
processes (these are not listed on the map provided). The light green 2nd level documents follow ISO
27001. This is not mandatory.
The yellow documents (sub-policies – sometimes called Standards) are examples. There will
undoubtedly be others.
There is a collection of items associated with the blue Security Organisation box. These are normally
supporting documents and/or activities that are not policies themselves, but need to be in place to
make the document set work.
The red boxes at the foot of the diagram indicate what are often called ‘baseline documents’. These
set out how various devices are set up, normally in a way that meets the requirements set out in the
policies themselves. It is important to note that the ‘volatility’ of the documents increases as you
descend the hierarchy. Baseline documents can change very rapidly in response to new threats.
Policies tend to react to slower elements, such as changes in the law or to regulations.
Guide to acronyms
There are inevitable links across the map – JLT links closely to ID & Access Management. The AUPs can
include usage of various assets, including email and internet browsing. These link to other aspects of
HR, including sanctions for non-compliance (linking to the blue ‘Security Organisation’ box).
At a lower level, the information security policy should be supported by topic-specific policies, which
further mandate the implementation of information security controls and are typically structured to
address the needs of certain target groups within an organization or to cover certain topics. Examples
of such policy topics include:
These policies should be communicated to employees and relevant external parties in a form that is
relevant, accessible and understandable to the intended reader, e.g. in the context of an “information
security awareness, education and training programme” (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies are
especially useful in larger and more complex organizations where those defining and approving the
expected levels of control are segregated from those implementing the controls or in situations where
a policy applies to many different people or functions in the organization. Policies for information
security can be issued in a single “information security policy” document or as a set of individual but
related documents.
For example, a security policy manual or an intranet wiki containing a coherent and internally
consistent suite of policies, standards, procedures and guidelines.
Reference 27001 A.6 Organization of information security - A.6.1 Internal organization - Objective:
To establish a management framework to initiate and control the implementation and operation of
information security within the organization
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
Guidance
In order to execute the ISMS project, the organization's roles for the project should be determined.
These roles generally differ between organizations, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and staff should be assigned roles and responsibilities based on
the skills required to perform the job. This is critical to ensure that the tasks are carried out efficiently
and effectively.
The most important considerations in the definition of roles in information security management are:
The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.
Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.
Representatives from departments within the identified scope (such as risk management) are potential
ISMS implementation team members. This team should be maintained at the smallest practical size
for speed and effective use of resources. Such areas are not only those directly included in the ISMS
scope, but also the indirect divisions, such as legal, risk management and administrative departments.
Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.
Reference 27001 A.6 Organization of information security - A.6.2 Mobile devices and teleworking
Reference 27002 Organization of information security - 6.2 Mobile devices and teleworking
All parties involved should review and become very familiar with the current requirements for
protecting the organization’s assets. Participation in organizational analysis should include individuals
who possess a strong knowledge of the organization and the environment in which it operates. These
individuals should be selected to represent a broad spectrum across the organization and include:
Information security is a wide area that affects the whole organization. As such, clearly defined
security responsibilities are essential for a successful implementation. As security related roles and
responsibilities vary, an understanding of the different roles is fundamental for understanding some of
the activities described later in this International Standard. The table below outlines security related
roles and responsibilities. It should be noted that these roles are general, and specific descriptions are
needed for each individual implementation of an ISMS.
Background checks can be sensitive, and need to be carried out in accordance with relevant laws,
regulations and ethics. Such checks need to be proportional to the business requirements, the
classification of the information to be accessed and the perceived risks.
Everyone must receive appropriate information security awareness, education and training, and be
given timely updates regarding changes to policies and procedures that are relevant to their job.
There has to be a clear, formal and communicated process that sets out the actions that follow a
breach of policy, including disciplinary action.
Asset Management
Note the following guidance (not examinable) from ISO/IEC 27003:2010 – Clause 7
7.2 deliverables
7.3 deliverables
• identified information assets of the main processes of the organization within the ISMS scope
• Information security classification of critical processes and information assets
Media handling
Assets need to be identified and an inventory drawn up and maintained. Every asset in the inventory
needs a formal owner.
As part of ‘acceptable use’, and in line with the HR termination policy, any party (employee,
contractor etc.) holding organisation assets must return them.
Legal ownership of assets rests with the legal entities that own them (organisations, government
departments, charities etc.).
Classification example
Business requirements are set out in the Information Security policy – authorised by the SC or
equivalent. The issue of user access can be problematic. One approach is to follow a tight ‘need to
know’ policy. This can be a justified interpretation of the standard. However, some think that this
can be restrictive, and follow a ‘need to restrict’ philosophy. Authority to access assets is provided
explicitly. Denial of access is the exception rather than the rule. Decisions on the approach are made at
the SC or higher.
A formal user registration and de-registration process shall be implemented to enable assignment of
access rights.
A formal user access provisioning process shall be implemented to assign or revoke access rights for all
user types to all systems and services.
The allocation and use of privileged access rights shall be restricted and controlled.
The access rights of all employees and external party users to information and information processing
facilities shall be removed upon termination of their employment, contract or agreement, or adjusted
upon change.
In many organisations there are rules permitting password sharing. This is used, inter alia, to help
permit holiday cover and so forth, and to help Personal Assistants access their boss’s email and files.
Such rules carry risk, and have to be very specific as to what is allowed and what is not.
Some organisations do not permit any form of password sharing, but allow actions such as IT support
to be carried out using privileged access IDs. The scope and capability of these privileged IDs also carry
risk, and they will have to be managed appropriately according to that risk. Whichever choice is made,
the choice and use of passwords is important. Systems must ensure passwords are of good quality
(i.e. difficult to guess) and the process for developing them must be interactive, involving the user.
Cryptography
a. the management approach towards the use of cryptographic controls across the organization,
including the general principles under which business information should be protected;
b. based on a risk assessment, the required level of protection should be identified taking into
account the type, strength and quality of the encryption algorithm required;
c. the use of encryption for protection of information transported by mobile or removable media
devices or across communication lines;
d. the approach to key management, including methods to deal with the protection of
cryptographic keys and the recovery of encrypted information in the case of lost, compromised or
damaged keys;
e. roles and responsibilities, e.g. who is responsible for:
• the implementation of the policy;
• the key management, including key generation (see 10.1.2);
f. the standards to be adopted for effective implementation throughout the organization (which
solution is used for which business processes);
g. the impact of using encrypted information on controls that rely upon content inspection (e.g.
malware detection).
When implementing the organization’s cryptographic policy, consideration should be given to the
regulations and national restrictions that might apply to the use of cryptographic techniques in
different parts of the world and to the issues of trans-border flow of encrypted information (see
18.1.5).
A key management system should be based on an agreed set of standards, procedures and secure
methods for:
Operations Security
Documentation
Documented procedures need to cover standard IT Operations, including start-up, close-down, backup,
equipment maintenance, media handling, mail handling management and safety. The documents
should be subject to formal change management, and include instruction to cover:
Change
Change procedures need to be agreed and documented. This must include descriptions of the various
roles involved.
All change requests should be recorded and a log maintained. Decisions to go ahead and ultimately
implement must be formally approved.
Prior to any change a risk assessment should take place. This assessment should note if any aspect of
the change impacts on Service Level Agreements.
There must be provision for implementing emergency changes, with appropriate controls to ensure
they are managed retrospectively.
Every change must be managed through version control and be tested before going into production
(excepting emergency changes).
All stakeholders (including users) must be told of the change and be given the opportunity to comment
on it prior to implementation.
Once implemented, the change and its effects must be documented. This should include update of
Business Continuity Plans (BCP).
The changes must be monitored after implementation to ensure they operate as expected.
Capacity
Organisations need to identify and avoid potential bottlenecks and dependence on key assets
(including people) that might present a threat to system security or services, and plan appropriate
action. Such action can include:
Should risk assessment indicate any systems as mission critical, a specific capacity action plan
may be required. Systems should be monitored to ensure capacity problems are dealt with before
they happen.
Capacity planning should form a core aspect of setting out future requirements, particularly when
there are protracted procurement timescales and high costs.
Capacity includes people, buildings, utilities and other support elements. It is not confined to
IT systems.
Testing
Separating development, testing and operational environments reduces the risk of accidental change
or unauthorized access to operational software and business data. Untested code can cause unwanted
modification of files or of the system environment, or system failure. Development personnel have
skills that could be used malevolently if access to live systems is permitted. A regime to separate these
environments needs to be set up on a risk basis, and should include, inter alia:
Malware
Malware prevention goes beyond technology. A range of controls is required. These include anti-
malware software (normally two or more products to provide wider coverage), operating procedures,
staff education, appropriately managed access control and change management. Further controls
worthy of consideration include:
Always remember that anti-malware tools and processes can impact on normal operations; this
is inevitable. Communications are core: implement procedures to verify information relating to
malware, and ensure that warning bulletins are accurate and informative. Managers should ensure
that qualified sources (e.g. reputable journals, reliable Internet sites or suppliers producing software
protecting against malware) are used to differentiate between hoaxes and real malware, and all users
should be made aware of the problem of hoaxes and what to do on receipt of them.
Backup
Backing up is essential. Procedures should ensure the successful and complete execution of backup.
Backup arrangements must be regularly tested to ensure that they meet requirements (as defined in
policy), especially those relating to critical systems. Such arrangements must include retention and
archive management.
Adequate backup facilities should be provided to ensure that all essential information and software
can be recovered following a disaster or media failure.
Backup media should be regularly tested to ensure that they can be relied upon for emergency use
when necessary; this should be combined with a test of the restoration procedures and checked
against the restoration time required. Testing the ability to restore backed-up data should be
performed onto dedicated test media, not by overwriting the original media, in case the backup or
restoration process fails and causes irreparable data damage or loss.
Protection applied to backup information should be equal to or greater than protection applied to the
original if protectively marked. Protective marking applies equally to backups. This is easy to forget.
Monitoring and logging tools normally generate a huge amount of data, little of which is relevant to
security management. Successful monitoring requires either a reduction in this volume, an automated
tool to deal with the volume, or a combination of the two.
System logs can be sensitive, or may be required as legal evidence or as part of a compliance regime.
They need to be protected and handled to ensure they remain valid and useful. This protection can
include ensuring those administrators responsible for managing the monitored system cannot access,
change or delete the logs. An intrusion detection system managed outside of the control of these
administrators might be used to protect the logs.
• user IDs
• system activities
• dates, times and details of key events, e.g. log-on and log-off
• device identity or location if possible and system identifier
• records of successful and rejected system access attempts
• records of successful and rejected data and other resource access attempts
• changes to system configuration
• use of privileges
• use of system utilities and applications
• files accessed and the kind of access
• network addresses and protocols
• alarms raised by the access control system
• activation and de-activation of protection systems, such as anti-virus systems and intrusion
detection systems
• records of transactions executed by users in applications
Log information needs to be protected against unauthorized change, and any operational problems
with the logging facility need to be brought to immediate attention.
Alerts should be raised if there are any alterations to the message types recorded, if log files are edited
or deleted, or if the storage capacity of the log file media is in danger of being exceeded. Log files need
to be managed in accordance with the corporate record retention policy.
Due to their enhanced capability (and inherently higher risk), privileged user accounts (system
administrators, operators, etc.) need careful logging. These logs need protection from privileged users.
Operations Security
Operational Software
Ensuring the integrity of operational systems requires that upgrades are managed. Third party software
normally requires support from the vendor. Support can be withheld on ageing systems, and the risks
associated with unsupported software need to be considered.
Access to these assets needs close management and monitoring – especially access by third parties.
Updates should only be performed by trained, authorised staff.
Separate live operational systems from development and test arenas – and don’t permit development
or testing tools into live environments.
Technical Vulnerability
Technical vulnerability management does not stand on its own. It requires an appropriate change
management regime and appropriate asset management.
Patch management is core to managing technical vulnerabilities. Patches are often released quickly
and quality can be suspect. Note that uninstalling patches can be problematic, so risks should be
assessed prior to installation, especially if testing is hard to complete.
A current and complete inventory of assets is a prerequisite for effective technical vulnerability
management. Specific information needed to support technical vulnerability management includes
the software vendor, version numbers, current state of deployment (e.g. what software is installed on
what systems) and the person(s) within the organization responsible for the software.
ISO/IEC 27031:2011 describes the concepts and principles of information and communication
technology (ICT) readiness for business continuity, and provides a framework of methods
and processes to identify and specify all aspects (such as performance criteria, design, and
implementation) for improving an organization's ICT readiness to ensure business continuity. It applies
to any organization (private, governmental, and non-governmental, irrespective of size) developing its
ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to
be ready to support business operations in the event of emerging events and incidents, and related
disruptions, that could affect continuity (including security) of critical business functions. It also
enables an organization to measure performance parameters that correlate to its IRBC in a consistent
and recognized manner. The scope of ISO/IEC 27031:2011 encompasses all events and incidents
(including security related) that could have an impact on ICT infrastructure and systems. It includes and
extends the practices of information security incident handling and management and ICT readiness
planning and services.
Managing technical vulnerabilities requires speed – you have to detect the issues in time – and deal
with them quickly. The following actions should cover what’s needed:
Audit considerations
Systems audit is, by its very nature, intrusive. It has the capacity to disrupt normal business operations.
This situation must be avoided wherever possible.
Access requirements for audit need to be agreed upfront, as does the scope of the audit. This
agreement should include any special or additional processing.
Access needs to be limited – it should, wherever possible, be read-only. Where this cannot be
enforced, access should only be permitted to isolated copies of the relevant files, which should be
erased (unless needed as part of the audit evidence) once testing is complete.
All access should be monitored and logged in accordance with corporate policy.
Any testing likely to impact on business operation availability should, wherever possible, be performed
outside core business hours.
Networks shall be managed and controlled to protect information in systems and applications.
Security mechanisms, service levels and management requirements of all network services shall be
identified and included in network services agreements, whether these services are provided in-house
or outsourced.
Groups of information services, users and information systems shall be segregated on networks.
Formal transfer policies, procedures and controls shall be in place to protect the transfer of
information through the use of all types of communication facilities.
Agreements shall address the secure transfer of business information between the organization and
external parties.
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for
the protection of information shall be identified, regularly reviewed and documented.
The identification and management of information security requirements should happen early in the
acquisition and/or development process. Requirements must be documented and reviewed appropriately,
and reflect the business value of the information. They should be identified using various sources such as:
• user authentication requirements, as well as the relevant access provisioning and authorization
processes (for business users as well as for privileged or technical users)
• the protection needs of the assets involved
• requirements derived from business processes, e.g. logging, monitoring and non-repudiation
requirements
• requirements mandated by other security controls
All acquired products should be subject to formal testing – part of an agreed acquisition process. This
process should include the inclusion of security requirements in contracts as well as the criteria for
accepting products. If a product fails to meet these requirements or criteria, any decision to proceed
with acquisition must be based on risk.
Systems that operate over public networks are subject to additional threats. Such systems require
thorough risk assessment and care with control selection.
When introducing new systems and making major changes to existing systems, a formal process
of documentation, specification, testing, quality control and managed implementation should be
followed. This process should include:
• a risk assessment
• analysis of the impact of change
• specification of required controls
• assurance that existing security and control procedures are not compromised
• the limiting of access to those people and assets necessary to perform the work
• formal agreement and approval for any change
A Secure Development policy must be developed and implemented. This must include:
• guidance on applying security within the software development lifecycle, such as security in
the software development methodology and secure coding guidelines for each programming
language used
• ensuring security requirements are integrated into the design phase, and that security checkpoints
are embedded within project milestones
• the use of secure repositories, appropriate version control and suitably knowledgeable and
skilled developers
Secure programming techniques and secure coding standards should be used for new developments
and when reusing code. Developers should be trained in their use and testing and code review should
verify their use.
If development is outsourced, you should ensure that the organization it is outsourced to complies with policy.
New systems, whether developed in-house or externally, should be tested to ensure they operate
as intended.
Test data needs to be substantial in volume, but should not contain personally identifiable information
or any other confidential information.
System acceptance testing should include testing of information security requirements (see 14.1.1 and
14.1.2) and adherence to secure system development practices (see 14.2.1). The testing should also
be conducted on received components and integrated systems. Organizations can leverage automated
tools, such as code analysis tools or vulnerability scanners, and should verify the remediation of
security related defects. Testing should be performed in a realistic test environment to ensure that
the system will not introduce vulnerabilities to the organization’s environment and that the tests
are reliable.
The use of operational data containing personally identifiable information or any other confidential
information for testing purposes should be avoided. If personally identifiable information or otherwise
confidential information is used for testing purposes, all sensitive details and content should be
protected by removal or modification (see ISO/IEC 29101).
The following guidelines should be applied to protect operational data, when used for
testing purposes:
a. the access control procedures, which apply to operational application systems, should also apply
to test application systems;
b. there should be separate authorization each time operational information is copied to a
test environment;
c. operational information should be erased from a test environment immediately after the testing
is complete;
d. the copying and use of operational information should be logged to provide an audit trail.
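Guidelines a to d above, as an added example that is not part of the course material: a small test-environment loader that applies access control to the test system, requires a fresh authorization for each copy, masks personally identifiable information by modification before loading, logs every copy and erasure, and erases the data when testing is complete. The record layout, field names, sample records and salt are constructed.

```python
"""Controlled copy of operational data into a test environment: an added
illustration of guidelines a-d above. Example code, not from the course
material; record layout, field names, sample data and salt are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed operational records: customer contact details plus order data.
SAMPLE_OPERATIONAL = [
    {"customer_id": 101, "name": "A. Example", "email": "a.example@example.com",
     "product": "ready-meal-12", "qty": 40},
    {"customer_id": 102, "name": "B. Sample", "email": "b.sample@example.com",
     "product": "own-brand-07", "qty": 15},
    {"customer_id": 101, "name": "A. Example", "email": "a.example@example.com",
     "product": "ready-meal-03", "qty": 12},
]
PII_FIELDS = ("name", "email")


def pseudonym(value: str, salt: bytes) -> str:
    """Consistent one-way token, so the same customer stays linkable across rows."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:12]


def mask_record(record: dict, salt: bytes) -> dict:
    """Replace PII fields by modification; keep the non-personal data tests need."""
    masked = dict(record)
    masked["name"] = "customer-" + pseudonym(record["name"], salt)
    masked["email"] = pseudonym(record["email"], salt) + "@example.invalid"
    return masked


def contains_pii(records: list, originals: list) -> bool:
    """True if any original PII value survives in the masked set."""
    original_values = {r[f] for r in originals for f in PII_FIELDS}
    return any(r[f] in original_values for r in records for f in PII_FIELDS)


class TestEnvironment:
    """Test data store enforcing access control (a), one authorization per
    copy (b), erasure after testing (c) and an audit trail (d)."""

    def __init__(self, audit_log: list, authorized_users: set):
        self.data = []
        self.audit_log = audit_log
        self.authorized_users = authorized_users   # guideline (a)
        self.used_authorizations = set()           # guideline (b)

    def _log(self, event: str, user: str, **detail) -> None:
        # guideline (d): every copy, refusal and erasure is recorded
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user, **detail})

    def load(self, operational: list, user: str, authorization: str, salt: bytes) -> int:
        """Copy masked operational data in; returns the number of records loaded."""
        if user not in self.authorized_users:
            self._log("copy-denied", user, reason="user not authorized")
            raise PermissionError("user not authorized for the test environment")
        if authorization in self.used_authorizations:
            self._log("copy-denied", user, reason="authorization already used")
            raise PermissionError("a separate authorization is needed for each copy")
        masked = [mask_record(r, salt) for r in operational]
        if contains_pii(masked, operational):
            raise ValueError("masking failed: PII would reach the test environment")
        self.used_authorizations.add(authorization)
        self.data = masked
        self._log("copy", user, authorization=authorization, records=len(masked))
        return len(masked)

    def erase(self, user: str) -> int:
        """Guideline (c): remove the copied data once testing is complete."""
        count = len(self.data)
        self.data = []
        self._log("erase", user, records=count)
        return count


if __name__ == "__main__":
    log = []
    env = TestEnvironment(log, {"tester1"})
    env.load(SAMPLE_OPERATIONAL, "tester1", "CHG-0001", b"constructed-salt")
    print(env.data[0])
    env.erase("tester1")
    print([e["event"] for e in log])
```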
Supplier Relationships
A risk assessment needs to be performed to determine the information security requirements relating
to any commercial agreement. These requirements, and the controls needed to meet the risks,
need to be agreed with each supplier and documented accordingly, normally within a commercial
agreement or contract.
Changes to contracts need to be subject to risk assessment and formal change control.
The decision to outsource is a commercial decision, but must include a risk assessment.
The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
The organization shall establish, document, implement and maintain processes, procedures and
controls to ensure the required level of continuity for information security during an adverse situation.
The organization shall verify the established and implemented information security continuity controls
at regular intervals in order to ensure that they are valid and effective during adverse situations.
Compliance
All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach
to meet these requirements shall be explicitly identified, documented and kept up to date for each
information system and the organization.
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized
release, in accordance with legislatory, regulatory, contractual and business requirements.
Privacy and protection of personally identifiable information shall be ensured as required in relevant
legislation and regulation where applicable.
Cryptographic controls shall be used in compliance with all relevant agreements, legislation
and regulations.
The organization’s approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes and procedures for information security) shall be reviewed
independently at planned intervals or when significant changes occur.
Managers shall regularly review the compliance of information processing and procedures
within their area of responsibility with the appropriate security policies, standards and any other
security requirements.
Information systems shall be regularly reviewed for compliance with the organization’s information
security policies and standards.
SAMPLE EXAMS
The Practitioner Examination
SX01
Scenario Booklet
This is a 2.5-hour objective test examination. This booklet contains the Project Scenario
upon which this exam paper is based. All questions are contained within the Question
Booklet.
Additional information is provided within this Scenario Booklet for a number of questions.
Where reference should be made to additional information, this is clearly stated within the
question to which it is relevant. All information provided within a question must only be
applied to that question.
Each of the 4 questions is worth 20 marks, giving a maximum of 80 marks in the paper. The
pass mark is 50% (40 marks). Within each question the syllabus area to which the
question refers is clearly stated.
The exam is to be taken with the support of only the following British Standards:
ISO/IEC 27000:2018
ISO/IEC 27001:2013
ISO/IEC 27002:2013
ISO/IEC 27003:2017
ISO/IEC 27005:2018
No material other than the Question Booklet, the Scenario Booklet, the Answer Booklet, and
the five standards are to be used. However, if required, the ISO/IEC 27001 Supplementary
Paper, which contains relevant parts of ISO/IEC 27003:2017, may be used.
ISO/IEC 27001 – Case Study: Equitable Products
The organizations and people within the scenario are fictional.
Background
Equitable Products is a food processing company supplying supermarkets. It supplies food
packaged under its own brand name to general retailers and ʻsupermarket brandʼ packaged goods
to supermarket chains.
In addition they have recently begun supplying frozen 'ready meal' products to a major restaurant chain.
To support their business, Equitable Products has food processing plants at two sites. One site deals
with the processing and re-packaging of bulk foodstuffs into branded packages (own brand and
supermarket). The other site produces ready meals which are supplied as frozen products to general
retail customers and the restaurant chain.
Organization
There are three marketing divisions within the organization to service the separate retail, supermarket
and restaurant markets. Each of the marketing divisions has their own business targets, objectives
and processes.
An internal IT unit is responsible for the provision of IT services within Equitable Products.
Each division uses some specific, dedicated IT services, together with a core set of shared corporate
IT services to support their business operations. For example, the Equitable Products' IT systems now
interface directly with the supermarketsʼ IT systems to enable 'just in time' re-ordering and delivery.
The restaurant chain's IT systems are also now connected to the Equitable Products' IT systems. All
the new Restaurant Ready Meal products are micro chipped with a Radio Frequency Identification
Device (RFID). All restaurant products must be consumed within five days of production. The RFID
technology enables the individual restaurantsʼ usage to be monitored by Equitable Products. A
production schedule is produced for the restaurant ready meal products in order to reduce wastage.
Current Status
As a result of international concern over contamination of products, Equitable Products decided that
they should take more control of their supply chain. They have recently acquired an established chain
of dairy farms which will, in the future, provide most of their fresh dairy products. This will better enable
them to track ingredients from 'field to plate'.
The other products and ingredients used in the processing plants are sourced from a variety of third
party suppliers. Wherever possible the contracts with those suppliers require the suppliers to maintain
ISO/IEC 27001 certification.
The diagram below shows the interaction between the various parties and Equitable
Products’ divisions.
[Diagram 1 - The interaction between the various parties and Equitable Products’ divisions
(parties shown: Supermarket Chains, General Retailers, Restaurants)]
The contracts with the major supermarkets require Equitable Products to maintain ISO/IEC
27001 certification and there is an established ISMS in place. However the dairy farm
chain has never had ISO/IEC 27001 certification and needs to be brought into the scope of
certification.
Equitable Products’ corporate clients are supportive of the reasons and objectives of
acquiring the dairy farm chain. However, they require the ISO/IEC 27001 certification to be
extended to include this new business division.
The Equitable Products Chief Financial Officer has the role of Director of Information
Management. In this role he has been given the organizational responsibility to ensure that
ISO/IEC 27001 conformance is maintained.
The Chief Information Officer reports directly to the Director of Information Management
and has two Information Security Officers who work for him. They are responsible for
ensuring that the company and its third party suppliers maintain the required ISO/IEC
27001 certifications.
The Head of the IT Services Division also has an Information Security Specialist within his
team. The specialist is responsible for ensuring that the IT service is delivered in
accordance with ISO/IEC 27001.
End of Scenario
A risk assessment has been carried out on the changes needed to incorporate the dairy farm chain
into the Equitable Productsʼ ISMS. This has identified the following information:
Each dairy farm site has differing information security policies to suit the type of dairy product
processed, specific authorities and special interest groups, and the site size and access
arrangements
Equitable Products has many environmental health contacts within the Food & Livestock Regulatory
Authority (a Government authority). However, there are many more contacts required for the dairy
farm chain, such as those relating to the testing for animal diseases
The dairy farm staff use tag readers and operational systems for the logging of each animalʼs milk
produced for processing
The staff in the dairy farm chainʼs Head Office use marketing, accountancy and HR systems,
logistics and stock systems
Many of the dairy farm chainʼs Head Office staff use the IT systems from home via an internet
connection. No issues have been experienced with this setup
In the past year there have been seven breaches of information security within the dairy farm chain.
One of these was a high profile incident involving press coverage of the short lifespan of the dairy
animals.
A widely recognized information security researcher and occasional trusted advisor to Equitable
Products is undertaking an independent research project. He is examining USB memory sticks bought
from individuals on internet sales sites. The devices were advertised as ʻusedʼ or ʻpre-ownedʼ.
The researcher contacted Equitable Productsʼ Chief Information Officer to report that he has recovered
a variety of records from one device that appear to be from the organization and dated as recently as
three months ago.
The researcher informed the Chief Information Officer that he plans to publish his findings from all of
the devices in a research paper as examples of protection failures.
The Chief Information Officer has validated the identity of the researcher.
Background
A supermarket recently complained that they were not receiving the best prices available for products
supplied to them. The investigation of the complaint found that the supermarket was basing this
complaint on a price list sent to them in error. The price list, sent by email, had been prepared by a
marketing team for a special promotion. This had then been sent by a different marketing team who
had retrieved it from the shared area thinking it was the standard price list.
Scope of Audit
The Internal Audit team were asked to undertake an audit of all third party information exchanges.
Audit Findings
i) Controls that are in place with each third party have been developed on an ad hoc basis and
there is no standard terminology
ii) The division of responsibilities between Equitable Products and third parties are not always
clearly defined
iv) It is common to receive replies to emails sent indicating they have been received by
unintended recipients.
v) Customers have expressed concerns about acting on information received by email before
they have been able to confirm authenticity
vi) The Equitable Productsʼ Information Security Policy document states that it should be possible
to confirm that information sent by email has been sent by an authorized person and the correct
information has been received. This requirement is not currently being met.
SX01
Question Booklet
Answer the following questions about establishing information security risk management for an
organization as stated in ISO/IEC 27005.
4 Which 2 statements identify aspects that should be considered when defining the scope and
boundaries of the information security risk management process?
A The risk acceptance decision escalation paths.
B The legislation applicable to an organization.
C The estimated cost caused by a breach of contract.
D The use of the four options to treat risks.
E An organizationʼs business processes.
An Information Security Officer has undertaken a risk assessment on the changes needed to
incorporate the dairy farm chain into the Equitable Products' ISMS.
Column 1 is a list of input data for the risk analysis activity. For each input item in Column 1, select
from Column 2 the type of information it represents. Each selection from Column 2 can be used
once, more than once or not at all.
Column 1 (the letter before each item is the answer)
B 1 Animal rights activists may attempt to disrupt operations in order to protest against the
shortened life-spans of the animals.
C 2 There is rigorous physical entry security to prevent unauthorized access to the dairy farm sites.
A 3 Smart labels, also called radio frequency identification (RFID) tags, are used to identify the milk
production of each animal used in the dairy farm.
D 4 The latest updates have NOT been applied to the antivirus package used to protect the dairy
farm chainʼs IT systems.
A 5 The production schedule is an output of the just-in-time re-ordering process.
Column 2
A Asset
B Threat
C Existing control
D Vulnerability
E Consequence
A number of changes are needed to Equitable Productsʼ ISMS to incorporate the dairy farm
chain. A risk assessment has identified that some solutions may not comply with Equitable
Productsʼ information security policy. More details about the risk are given below.
Some ʻoff the shelfʼ IT system components are used to underpin the dairy farm chainʼs ISMS. If
technical problems arise with these components, a maintenance engineer is brought in from an
IT supplier. There is no formal contractual arrangement in place between the dairy farm chain
and the IT supplier. There is, therefore, a risk that technical solutions to issues may not adhere to
the information security policy for Equitable Products. A number of possible risk treatments for
this risk have been identified.
Column 1 is a list of some of the possible risk treatments. For each risk treatment in Column 1,
decide if it is relevant to the stated risk and select from Column 2 the type of risk treatment it
represents.
Each question is independent and should be answered in isolation from the other questions.
Each selection from Column 2 can be used once, more than once or not at all.
Column 1 (the letter before each item is the answer)
B 1 All problem management and technical expertise for the dairy farm chain will be audited by the
Equitable Products IT Services Department. This department is responsible for ensuring that the
Equitable Products' information security policy is adhered to.
B 2 The Equitable Products Information Security Officers will provide awareness, education and
training on Equitable Productsʼ information security policy to the maintenance engineers supporting
the dairy farm chainʼs IT systems.
E 3 A contractual agreement with the IT suppliers to the dairy farm chain will be provided, which
states the supplierʼs responsibilities for maintaining information security.
A 4 Equitable Products will ensure that all outsourced development by the dairy farm chain
is monitored.
C 5 The current arrangements for technical support will remain unchanged if the dairy farm chainʼs
ISMS has been free of information security incidents for the last three months.
Column 2
A NOT relevant to the stated risk
B Modification
C Retention
D Avoidance
E Sharing
Using the additional information provided for this question in the Scenario Booklet,
answer the following question about the risk assessment carried out on the changes
needed to incorporate the dairy farm chain into the Equitable Products' ISMS.
Lines 1 to 6 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
1 Assertion: The effectiveness of each dairy farm siteʼs existing information security policy should
have been reviewed during the risk assessment in order to determine the changes needed to
incorporate the dairy farm chain.
BECAUSE Reason: Detailed policies underpin an organizationʼs high-level information security policy.
Answer: A
2 Assertion: When the staff from the dairy farm chain were transferred to Equitable Products, the
Equitable Productsʼ information security policy should have been published to all staff.
BECAUSE Reason: Policies for information security should be issued only to internal employees.
Answer: C
3 Assertion: The control for the ʻcontact with authoritiesʼ in Equitable Products should have been
updated with the specific contacts in the Food & Livestock Regulatory Authority needed for the
dairy farm chain.
BECAUSE Reason: An organization should maintain the appropriate contacts with relevant authorities.
Answer: A
4 Assertion: The terms and conditions for the dairy farm site staff transferred to Equitable Products
should refer to information security responsibilities.
BECAUSE Reason: Management has the responsibility for ensuring that all employees and
contractors follow the information security policies and procedures of the organization.
Answer: A
5 Assertion: The access to the dairy farm chainʼs Head Office systems over the internet should have
been reviewed as a priority.
BECAUSE Reason: The control on securing application services on public networks requires that
access over the internet is prevented until the proper controls are selected.
Answer: C
6 Assertion: The information on the dairy farm chainʼs incidents will NOT be needed for an analysis
of Equitable Productsʼ information security requirements.
BECAUSE Reason: Information security requirements should consider the required protection needs
of the assets involved.
Answer: D
Column 1 is a list of activities. For each activity in Column 1, select from Column 2 the clause
heading from ISO/IEC 27001 that requires the activity to be performed. Each selection from Column
2 can be used once, more than once or not at all.
Column 1
1 Supporting information security management roles.
2 Providing a framework for setting information security objectives.
3 Integrate actions to address opportunities into information security management processes.
Column 2
A Leadership and commitment
B Policy
C Organizational roles, responsibilities and authorities
D None of the above
Using Diagram 1 and the Information Security Management Structure section given in the
Scenario, answer the following questions about the roles and responsibilities within the ISMS.
Each of the following questions contains a list of statements about roles, responsibilities and
authorities in the organization. Only 2 statements in each list represent, in this context and
according to ISO/IEC 27003, the BEST justification.
3 Which 2 statements BEST explain which aspects top management should consider when
assigning roles, responsibilities and authorities?
A Top management assigns roles, responsibilities and powers.
B Responsibilities and powers for information security should be separated from other roles.
C Documented information on the allocation of roles, responsibilities and powers is only
required in the form and to the extent that the organisation deems necessary for the
effectiveness of its management system.
D Documented information about the assignment of roles, responsibilities and authorities
must be created in the form of role descriptions.
E The assignment of roles, responsibilities and powers should include reports on the
performance of the ISMS to senior management.
4 What 2 statements BEST explain the requirements for assigning roles, responsibilities and
powers to the ISMS?
A Top management shall assign and disclose responsibilities and authority for roles related
to information security.
B Top management shall not delegate the authority to assign roles, responsibilities and
powers.
C Roles, responsibilities and powers shall be treated as documented information.
D The role of the risk owner must not be combined with any other role.
E It may be appropriate to identify and assign different roles to those involved in monitoring,
measuring, analysing and evaluating.
5 Which 2 persons would NOT be classified as stakeholders within the ISMS, according to
ISO/IEC 27003?
A The CEO of a chain intending to contract with Equitable Products.
B The Chief Financial Officer of Equitable Products.
C The Facilities Manager for the site where the bulk foodstuffs are stored.
D A competitor to Equitable Products.
E Equitable Productsʼ internal Legal Advisor.
Answer the following questions about the use of controls within the ISMS.
The Director of Information Security needs to select control measures to protect against
recurrence of this incident.
Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Security of equipment and assets off-premises.
B Security of network services.
C Cabling security.
D Network control.
E Supporting utilities.
2 Equitable Products employ a cleaning contractor to empty their waste baskets and to clean the
offices during the evening once the employees have finished their daily work. One of the
cleaners was found to be accessing one of the computers and hard-copy lists of access
passwords in the Marketing department.
The Director of Information Security needs to select control measures to protect against
recurrence of this incident.
Which 2 controls, if applied, would MOST likely protect against recurrence of this incident?
A Physical entry controls.
B Clear desk policy.
C Unattended user equipment.
D Working in secure areas.
E Securing offices, rooms and facilities.
3 The Equitable Products' Sales Director has issued two of his new staff with laptops to record
their sales contacts and progress in the sales process. This information is used in the
management of a sales delivery process including key account details. Neither of the two new
laptops have been installed with company software or configured to enable connection to the
network. One of the laptops has been infected by a virus.
The Director of Information Security has discovered this situation and needs to select control
measures to manage this incident.
The Marketing Director is concerned to select the most appropriate controls to manage
the current variation in the application development and similar future changes.
Which 2 controls, if applied, would MOST likely address the Marketing Directorʼs concerns?
A System change control procedures.
B Addressing security within supplier agreements.
C Change management.
D System security testing.
E Protection of test data.
A recent information security incident occurred where there was the loss of the food
products between the Equitable Products' factory and a restaurant.
The root cause of the loss of the food has been identified as a dismissed worker gaining
access to the loading bay and removing two boxes of food products from the vehicle
destined for the restaurant. Access was gained using his electronic swipe card, which
he retained following his dismissal. His vehicle was driven to the loading bay during a
routine rest break.
Within the organization, the Director of Human Resources is responsible for the
termination of employment.
The Director of Information Management, as the asset owner, is responsible for the
management of access privileges for all workers within the defined and controlled
secure area of the loading bay.
Lines 1 to 5 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion / Reason / Answer
1 Assertion: The worker's termination of employment was NOT correctly completed by the Director of Information Management. BECAUSE Reason: Asset owners shall review user access rights at regular intervals. Answer: A
2 Assertion: The loss of food should trigger a review of the termination of other dismissed workers' access privileges. BECAUSE Reason: Knowledge gained from resolving information security incidents shall be used to reduce the likelihood of future incidents. Answer: B
3 Assertion: It is NOT appropriate to classify the loss of the boxes of food as an information security incident. BECAUSE Reason: Information security events are only classified as information security incidents if there is unauthorized access to an organization's systems and applications. Answer: E
4 Assertion: It was appropriate to leave the worker's swipe card active after the dismissal. BECAUSE Reason: Reviewing user access rights shall be done at regular intervals. Answer: D
5 Assertion: Temporary removal of access privileges to the loading bay should be made for all loading bay workers after the information security incident. BECAUSE Reason: Access privileges for all workers shall be removed when an information security incident occurs. Answer: E
Answer the following questions about ISMS performance measurement, monitoring and evaluation.
A director has had their laptop bag stolen. Although the laptop was encrypted, the directorʼs bag
also contained paper documents describing commercial details and dairy farm animal welfare
information.
Column 1 is a list of actions relating to the theft. Column 2 is a list of the information security incident
management controls from Annex A of ISO/IEC 27001. For each action in Column 1, select from
Column 2 the security incident management control where these actions would be applied. Each
selection from Column 2 can be used once, more than once or not at all.
Column 1
1 The director immediately informs the local police of the theft.
2 The police report that this event may have been a targeted theft by animal rights protestors.
3 Travelling directors are immediately provided with encrypted tablet PCs to use in place of paper documents.
4 As the stolen items included sensitive paper documents, the Chief Information Officer assigns an Information Security Officer to begin formal investigation of the episode.
5 The Chief Information Officer briefs site security guards, all dairy farm staff and transport contractors about the need for extra vigilance for strangers or unexpected behaviour.
6 Media handling risks are reassessed with revised probability and impact values related to this type of event.
Column 2
A Responsibilities and procedures
B Reporting information security events
C Reporting information security weaknesses
D Assessment of and decision on information security events
E Response to information security incidents
F Learning from information security incidents
G Collection of evidence
Answer the following question related to the steps to return to normal operations.
A local power supply surge has occurred at Equitable Productsʼ shared IT data centre.
Servers and network equipment were protected and continued to operate. Air
conditioning units were not protected and failed.
This event has triggered a major information security incident as no shared IT services
are operational. Business operations, particularly customers' 'just in time' re-ordering
and delivery, are unable to continue. The Disaster Recovery Plan mandates a
return-to-service target of five hours for this time-critical function.
Lines 1 to 6 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion / Reason / Answer
1 Assertion: The recovery team should attempt to restore normal operating temperatures rapidly without opening the external data centre doors. BECAUSE Reason: During adverse conditions, physical security controls of designated 'secure areas' must always remain the same as normal operating conditions. Answer: C
2 Assertion: Heat-damaged server disks that failed to power on again should be removed for later physical destruction. BECAUSE Reason: Achievement of the return-to-service target is enabled by fitting spare components. Answer: B
3 Assertion: Asset tags should be removed from the failed disks and transferred to the replacement disks. BECAUSE Reason: The asset owner must ensure that the asset inventory is maintained as a record of the assets in use. Answer: D
4 Assertion: As each server is recovered, it must be configured to use the network time protocol. BECAUSE Reason: Accurate logging of user and system events requires all system components to operate with a synchronised time reference. Answer: A
5 Assertion: The recovery team should document alternative information security controls which were implemented to achieve a five hour return to service. BECAUSE Reason: Compensating controls for information security controls that cannot be maintained during an adverse situation should be documented. Answer: A
6 Assertion: No further action needs to be taken following successful restoration of services. BECAUSE Reason: No further action is required if the processes carried out are effective. Answer: E
Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about managing incidents. Decide whether the actions suggested are
appropriate, and select the response that supports your decision.
1 The researcher has offered to encrypt and electronically transfer a representative sample of the
recovered data to the Chief Information Officer for validation.
Is it appropriate for the Chief Information Officer to report internally that the potential impact of the
incident can be contained?
A No, because the impact of the incident can only be reported following a full review of the
recoverable data on the USB memory stick.
B No, because a non-disclosure agreement with the researcher can only be used before the
information is accessed.
C Yes, because Equitable Productsʼ legal counsel can caution the researcher that it is an
offence to publish details about the data without having authorization.
D Yes, because information security requirements can be negotiated with the researcher and
documented in an agreement to restrict what can be published.
3 The recovered device has an Equitable Products asset number. A full review of the recoverable
data confirms that it was used to store only publicly available information.
Answer the following questions about internal audit and management reviews.
1 Which action is taken towards the end of an internal audit?
A Advise the Certification Board of the outcome of the internal audit.
B Identify the processes to be included in the next internal audit.
C Store and protect the internal audit results.
D Issue a certificate when the internal audit is complete and successful.
2 Which activity is performed as part of Management review?
A Eliminating the cause of non-conformance.
B Dealing with the consequences of non-conformance.
C Determining the cause of non-conformance.
D Identifying opportunities for continual improvement.
3 Which action is required by the organization to prepare for an internal audit?
A Define the scope of the audit.
B Identify opportunities for continual improvement.
C Document external concerns.
D Update the ISMS.
4 When shall there be an independent review of the organizationʼs approach to information
management security?
A At each management review.
B At each audit.
C As part of continuous improvement.
D At planned intervals.
5 In which compliance control should legal advice be taken in relation to jurisdictional borders
and compliance with relevant legislation?
A Protection of records.
B Regulation of cryptographic controls.
C Independent review of information security.
D Technical compliance review.
Using the additional information provided for this question in the Scenario Booklet, answer the
following questions about information sharing.
5 The control of which 2 items should be improved to help prevent future similar occurrences of
inappropriate sharing of product pricing information by email?
A Interception.
B Non-repudiation.
C Forwarding.
D Attachments.
E Incident management.
Following the recent introduction of RFID microchip tags on the restaurant cook/chill products, an
audit has recommended that a non-disclosure agreement should be signed by any third party
organization before electronic data is exchanged.
The Chief Information Officer has agreed with this proposal and decided that all non-disclosure
agreements will be reviewed every 12 months.
Decide whether the actions suggested are appropriate, and select the response that supports your
decision.
1 Should public domain information about the intellectual property rights relating to the RFID tags
be included in the non-disclosure agreement for the restaurants?
A No, because non-disclosure agreements with the restaurants are required to use standard
wording.
B No, because public domain information relating to intellectual property rights is NOT
confidential information.
C Yes, because non-disclosure agreements with the restaurants should include relevant
information about intellectual property.
D Yes, because the use of RFID tags by the restaurants may need to be audited.
2 Should the non-disclosure agreement for the restaurants have a duration of only one year?
A No, because a duration of three months is required to ensure changes in circumstance are
not missed.
B No, because there is no need to restrict the non-disclosure agreement for a restaurant to a
year.
C Yes, because some restaurants may have changed ownership within the year.
D Yes, because changes in the evolving RFID microchip technology may change the
information to be shared.
3 Should consideration be given to what the supermarket must do to avoid breaching the
agreement when drafting their non-disclosure agreement?
A No, because the supermarket can handle the information however it wishes.
B No, because if information is disclosed it is for the relevant authority to decide if it was
handled properly.
C Yes, because if information is disclosed the relevant authority can only enforce an
agreement if they know how the information should have been protected.
D Yes, because the actions needed to avoid unauthorized disclosure by the supermarket
should be identified.
4 Is it appropriate for staff in the marketing division to also sign non-disclosure agreements?
A No, because non-disclosure agreements are applicable to third parties.
B No, because marketing staff need to disclose confidential information as part of their job.
C Yes, because a non-disclosure agreement may also define when information can be
disclosed.
D Yes, because all interested parties should sign non-disclosure agreements.
A recent management review has identified an increasing failure of some of the dairy
farms to disclose the use of antibiotics voluntarily.
It has also been recorded that a change in legislation is due to come into force in six
months. This change requires that dairy products used in processed meals supplied to
schools must come from designated herds. Such products should also be antibiotic free
during the three-month period prior to milk production use.
It will be necessary for the information about the source, use of antibiotics and dairy
products used in such meals to be made available on a ʻfield-to-plateʼ application. This
will be accessible via a web-site and retained for a period of three years. A contract for
the provision of the application and web-site hosting will be signed with a specialist
provider.
Lines 1 to 5 in the table below consist of an assertion statement and a reason statement.
For each line identify the appropriate option, from options A to E, that applies. Each option
can be used once, more than once or not at all.
Option Assertion Reason
A True True AND the reason explains the assertion
B True True BUT the reason does not explain the assertion
C True False
D False True
E False False
Assertion / Reason / Answer
1 Assertion: User acceptance testing of the web-site should use realistic data for the 'field-to-plate' application. BECAUSE Reason: User acceptance testing in the operational environment should be performed in a way that will expose any vulnerabilities. Answer: C
2 Assertion: The addition of the web-site should trigger an information security risk assessment. BECAUSE Reason: Contractors should be required to report any observed information security weaknesses in systems or services. Answer: B
3 Assertion: Dairy farm supplier agreements should be reviewed and updated with any new legal requirements for electronic disclosure of the administration of antibiotics. BECAUSE Reason: The information to be provided should be documented in supplier agreements to ensure legal obligations are met. Answer: A
4 Assertion: The need to retain the web-site data for three years should NOT require review or change to information security policies. BECAUSE Reason: Data retention will be documented in a web-hosting provider's agreement as a compliance control. Answer: D
5 Assertion: It is appropriate for the web-site supplier agreement to require an independent Penetration Test of the website. BECAUSE Reason: An organization's management are responsible for the effectiveness of information security controls. Answer: A
Note: For Multiple Response (MR) questions, 1 point is scored if and only if all correct
options are selected. Otherwise 0 points are scored.
Rationale
Information Security Management
Qualification using
ISO/IEC 27001
Version 2.0, 20 March 2014: Updated for the 2013 edition of ISO/IEC 27001, 27002 and the 2014 edition of ISO/IEC 27000 (Andrew Marlow).
This supplementary reference paper includes information which is referenced in the syllabus
document for the Foundation and Practitioner ISO/IEC 27001 qualifications. This information is
supplementary to and needs to be read in conjunction with other reference material which is defined
in the syllabus for the qualification.
2.3 Definitions (Foundation OV0104 and general usage in the practitioner paper)
The following terms and definitions from ISO/IEC 27000:2012 are useful as they are not defined in
ISO/IEC 27000:2014:
NOTE: The management system includes organizational structure, policies, planning activities,
responsibilities, practices, procedures, processes and resources.
2.4 The APMG qualification scheme and the principles of ISO/IEC 27001 certification
schemes (Foundation OV0108)
Source of information: ITSMF pocket guide, Planning and achieving ISO/IEC 20000 certification. The
same principles apply to ISO/IEC 27001.
• Qualification schemes are for individuals. A qualification scheme provides the syllabus and
examinations for ATOs and delegates. This qualification will cover details of the APMG scheme.
The APMG qualification scheme has examinations at Foundation and Practitioner level. There are
also other schemes operated by other organizations.
• Certification schemes are for organizations. There are several ISO/IEC 27001 certification
schemes around the world. The certification schemes allow organizations to be certified to
ISO/IEC 27001 after being independently assessed by a CB (Certification Body) for meeting all of
the requirements of ISO/IEC 27001.
• According to ISO/IEC 17021, external audits for certification have 2 stages:
  o Document review, on-site or remote
  o On-site audit
2.5 The roles and responsibilities of the organizations and entities involved in ISO/IEC
27001 Qualification and Certification Schemes (FoundationOV0202)
Source of information: ITSMF pocket guide, Planning and achieving ISO/IEC 20000 certification. The
same principles apply to ISO/IEC 27001.
a) APMG International
• Owns, manages and operates the APMG International ISO/IEC 27001 qualification scheme
worldwide
• Accredits ATOs for the qualification scheme
e) Practitioner
• Practitioner is a generic term for individuals involved in carrying out aspects of the many activities
in information security management. They can be involved in the planning, design, transition and
operation of an ISMS that satisfies the requirements of ISO/IEC 27001. Examples are manager
for an ISO/IEC 27001 implementation project, process owner, asset manager
f) Consultant
• Consultants are external experts who assist organizations in their development and improvement
of an ISMS and achievement of certification to ISO/IEC 27001
g) Internal Auditor
• Auditors within an organization are known as internal auditors
• Internal auditors conduct audits of the ISMS within their own organization
• Internal auditors must demonstrate objectivity and impartiality (usually done by not auditing their
own work)
• Practitioners and consultants may act as an internal auditor on behalf of an organization
• Internal auditors speak to the organization's staff and may additionally speak to customers,
suppliers and internal groups to gather evidence
h) External Auditor
• Conduct formal audits on behalf of a CB
• CB auditors will only speak to the organization's staff, or other parties within the ISMS scope
acting on behalf of the organization, to gather evidence, not to suppliers or other staff external to
the scope of the ISMS
• Practitioners and consultants may act as an external auditor on behalf of a CB but may not audit
their own work
(Note that the introduction to Annex A in ISO/IEC 27001 refers to Clause 6.1.3. To be exact, 6.1.3 is a
sub-sub-clause).
Each security control clause is split into one or more security categories, each with a control objective.
Each security category is split into one or more controls which have a name and a description.
As an example, A.5 from ISO/IEC 27001 is shown with the names of each item in BOLD CAPITAL.
First party audit: Audit using the organization's own resources, or external consultants acting on their
behalf, usually referred to as an internal audit.
Second party audit: Audit by a person or organization that has a user interest in the organization, e.g.
a customer.
a) Conformity
• Defined term in ISO/IEC 27000 as 'fulfilment of a requirement'
• The requirements of ISO/IEC 27001 have been met
b) Nonconformity
• Defined term in ISO/IEC 27000 as 'non-fulfilment of a requirement'
• Nonconformities can be graded into minor and major
• A major nonconformity is a failure to fulfil one or more requirements of ISO/IEC 27001 or a
situation that raises significant doubt about the ability of the organization's management system to
achieve its intended outputs. For example, management reviews are not held
• All other nonconformities are minor. For example, two documents are found with the wrong
version number but all other documents are correct
• Nonconformities are recorded against a specific requirement in ISO/IEC 27001 and must have
supporting evidence
c) Observation
• A conformity to the standard where there is an opportunity for improvement
• An observation is a recommendation for improvement but does not have to be actioned
Documented information
Information required to be controlled and maintained by an organization (2.57) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
Audit evidence may be qualitative or quantitative (see ISO 19011) and must be verifiable. Some audit
evidence may be collected by sampling.
Conformity must be shown to the requirements in ISO/IEC 27001:2013. In addition, for ISMS, there
are requirements for certification in ISO/IEC 27006 which is aimed at CBs.
Table B.1 — List of exemplified Roles and Responsibilities for Information Security
Role: Brief Description of Responsibility
Senior Management (e.g. COO, CEO, CSO and CFO): For vision, strategic decisions and coordinates activities to direct and control the organization.
Chief Information Security Officer: Has the overall responsibility and governance for information security, ensuring the correct handling of information assets.
Information Security Committee (member of): Handling the information assets and has a leading role for the ISMS in the organization.
Information Security Planning Team (member of): During operations while the ISMS is being established. The planning team works across departments and resolves conflicts until the ISMS is established.
Legal Advisor: Many information security risks have legal aspects and the legal advisor is responsible for taking these into consideration.
Human Resources: The person/persons with overall responsibility for the staff.
Champion (Influential Person): This is not a responsible role as such, but in a larger organization it may be of great help in the implementing stage to have people who have a deep knowledge about the implementation of an ISMS and can support the understanding and reasons behind the implementation. They may influence the opinion in a positive way and may also be called "Ambassadors".
Activity
The overall roles and responsibilities for the preliminary ISMS scope should be defined.
Input
a) Output from Activity 5.3.1 Develop the preliminary ISMS scope
b) List of stakeholders who will benefit from results of the ISMS project.
Guidance
In order to execute the ISMS project, the role of an organization for the project should be determined.
The role generally is different at each organization, because of the number of people dealing with
information security. The organizational structure and resources for information security vary with the
size, type and structure of the organization. For example, in a smaller organization, several roles may
be carried out by the same person. However, management should explicitly identify the role (typically
Chief Information Security Officer, Information Security Manager or similar) with overall responsibility
for managing information security, and the staff should be assigned roles and responsibilities based
on the skill required to perform the job. This is critical to ensure that the tasks are carried out
efficiently and effectively.
The most important considerations in the definition of roles in information security management are:
The roles for managing information security should work together; this may be facilitated by an
Information Security Forum, or similar body.
Collaboration with appropriate business specialists should be undertaken (and documented) at all
stages of the development, implementation, operation and maintenance of the ISMS.
Representatives from departments within the identified scope (such as risk management) are
potential ISMS implementation team members. This team should be maintained at the smallest
practical size for speed and effective use of resources. Such areas are not only those directly
included in the ISMS scope, but also the indirect divisions, such as legal, risk management and
administrative departments.
Output
The deliverable is a document or table describing the roles and responsibilities with the names and
organization needed to successfully implement an ISMS.
Term Definition
Absorption costing: A principle whereby fixed as well as variable costs are allotted to cost units and total overheads are absorbed according to activity level. The term may be applied where production costs only, or costs of all functions are so allotted.
Allocated cost: A cost that can be directly identified with a business unit.
Apportioned cost: A cost that is shared by a number of business units (an indirect cost). This cost must be shared out between these units on an equitable basis.
Asset Management: The management of Assets.
Baseline: Snapshot of the state of a CI (CMDB) and related CIs at a point in time.
Business Capacity Management: This sub-process is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion.
Business function: A business unit within an organization, e.g. a department, division, branch.
Business recovery objective: The desired time within which business processes should be recovered, and the minimum staff, assets and services required within this time.
Business recovery plan framework: A template business recovery plan (or set of plans) produced to allow the structure and proposed contents to be agreed before the detailed business recovery plan is produced.
Business recovery team: A defined group of personnel with a defined role and subordinate range of actions to facilitate recovery of a business function or process.
Business unit: A segment of the business entity by which both revenues are received and expenditure is caused or controlled, such revenues and expenditure being used to evaluate segmental performance.
Capacity Database, CDB: A Database that will hold the information needed by all the sub-processes within Capacity Management.
Capacity Management: The process that is responsible for ensuring that IT processing and storage capacity matches the evolving demands of the business in the most cost-effective and timely manner.
Capacity Planning: Process to provide plans and reports to meet current and future business workloads.
Term Definition
Management
Change Advisory Board Emergency Committee: A group of people who can give expert advice to Change Management on the implementation of Changes in emergency situations.
Change authority: A group that is given the authority to approve Change, e.g. by the project board. Sometimes referred to as the Configuration Board.
Change control: The procedure to ensure that all Changes are controlled, including the submission, analysis, decision making, approval, implementation and post-implementation of the Change.
Change document: Request for Change, Change control form, Change order, Change record.
Change history: Auditable information that records, for example, what was done, when it was done, by whom and why.
Chargeable Unit: Business work units to which charges can be attached.
Closure: When the Customer is satisfied that an incident has been resolved.
Command, control and communications: The processes by which an organization retains overall co-ordination of its recovery effort during invocation of business recovery plans.
Configuration documentation: Documents that define requirements, system design, build, production, and verification for a configuration item.
Configuration Management Database (CMDB): A database which contains all relevant details of each CI and details of the important relationships between CIs.
Configuration Management plan: Document setting out the organization and procedures for the Configuration Management of a specific product, project, system, support group or service.
Configuration Structure: A hierarchy of all the CIs that comprise a configuration.
Contingency Plan: Plan detailing actions and procedures to be followed in the event of a major disaster.
Contract: Document between two bodies (i.e. with external suppliers) with separate legal existence.
Cost management: The term used in this module to describe the procedures, tasks and deliverables that are needed to fulfill an organization's costing and charging requirements.
Cost unit: The cost unit is a functional cost unit which establishes standard cost per workload element of activity, based on calculated activity ratios converted to cost ratios.
Costing: The process of identifying the costs of the business and of breaking them down and relating them to the various activities of the organization.
Definitive Hardware Store, DHS: The area for the secure storage of definitive hardware spares. These are spare components and assemblies that are maintained at the same level as the comparative systems within the live environment.
Definitive Software Library (DSL): The library in which the definitive authorized versions of all software CIs are stored and protected. It is a physical library or storage repository where master copies of software versions are placed. This one logical storage area may in reality consist of one or more physical software libraries or file stores. They should be separate from development and test file store areas. The DSL may also include a physical store to hold master copies of bought-in software, e.g. a fireproof safe. Only authorized software should be accepted into the DSL, strictly controlled by Change and Release Management. The DSL exists not directly because of the needs of the Configuration Management process, but as a common base for the Release Management and Configuration Management processes.
Delta Release: A Delta, or partial, Release is one that includes only those CIs within the Release unit that have actually changed or are new since the last full or Delta Release. For example, if the Release unit is the program, a Delta Release contains only those modules that have changed, or are new, since the last full release of the program or the last Delta Release of the modules. See also 'Full Release'.
Demand Management: See Business Capacity Management.
Depreciation: Depreciation is the loss in value of an asset due to its use and/or the passage of time. The annual depreciation charge in accounts represents the amount of capital assets used up in the accounting period. It is charged in the cost accounts to ensure that the cost of capital equipment is reflected in the unit costs of the services provided using the equipment. There are various methods of calculating depreciation for the period, but the Treasury usually recommends the use of current cost asset valuation as the basis for the depreciation charge.
Differential charging: Charging business customers different rates for the same work, typically to dampen demand or to generate revenue for spare capacity. This can also be used to encourage off-peak or nighttime running.
Direct cost: A cost which is incurred for, and can be traced in full to, a product, service, cost center or department. This is an allocated cost. Direct costs are direct materials, direct wages and direct expenses.
Disaster recovery planning: A series of processes that focus only upon the recovery processes, principally in response to physical disasters, that are contained within BCM.
Elapsed Time: Time from the start of an incident whilst the incident is not yet resolved.
Elements of cost: The constituent parts of costs according to the factors upon which expenditure is incurred, namely materials, labor and expenses.
Fault tree analysis: Technique to analyze the availability of a system.
First Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.
Fortress approach: IT site made as disaster-proof as possible.
Full absorption costing: A principle where fixed and variable costs are allocated to cost units and overhead costs are absorbed according to activity levels.
Full cost: Full cost is the total cost of all the resources used in supplying a service, i.e. the sum of the direct costs of producing the output, a proportional share of overhead costs and any selling and distribution expenses. Both cash costs and notional (non-cash) costs should be included, including the cost of capital. Calculated as a total cost of ownership (including depreciation / planned renewal).
Full Release: All components of the Release unit are built, tested, distributed and implemented together. See also 'Delta Release'.
Functional Escalation: Escalation or referral to more or other knowledge.
Service Desk: The single point of contact within the IT directorate for users of IT services.
Hierarchical Escalation: Escalation to a higher hierarchical layer.
Incident: Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Incident Life Cycle: All activities from the moment an incident happens to the moment an incident is closed.
Intelligent customer: The purchaser (as distinct from the provider) of services. The term is often used in relation to the outsourcing of IT/IS.
Internal target: One of the measures against which supporting processes for the IT service are compared. Usually expressed in technical terms relating directly to the underpinning service being measured.
Invocation (of business recovery plans): Putting business recovery plans into operation after a business disruption.
Invocation (of stand-by arrangements): Putting stand-by arrangements into operation as part of business recovery activities.
Invocation and recovery phase: The second phase of a business recovery plan.
IT Accounting: The set of processes that enable the IT organization to fully account for the way its money is spent (particularly the ability to identify costs by customer, by service, by activity). It usually involves ledgers and should be overseen by someone trained in Accountancy.
IT Customer Relationship Management: See Business Relationship Management.
Known Error: An Incident or Problem for which the root cause is known and for which a temporary Work-around or a permanent alternative has been identified. If a business case exists, an RFC will be raised, but, in any event, it remains a Known Error unless it is permanently fixed by a Change.
Live Build Environment: (Part of) the computer system used to build software releases for live use.
Live environment: (Part of) the computer system used to run software in live use.
Marginal cost: The variable cost of producing one extra unit of product or service. That is, the cost which would have been avoided if the unit/service was not produced/provided.
Maturity level/Milestone: See IPW™. The degree to which BCM activities and processes have become standard business practice within an organization. See the IPW Stadia Model (www.quintgroup.com).
Mean Time Between Failures: Average time between restoration of service following an incident and another incident occurring.
Mean Time Between System Incidents: Average time between incident occurrences.
Monitoring: The registration and guarding of the utilization of each resource and service on an on-going basis to ensure the optimum use of the hardware and software resources, that all agreed service levels can be achieved, and that business volumes are as expected.
Operational Costs: Those resulting from the day-to-day running of the IT Services section, e.g. staff costs, hardware maintenance and electricity, and relate to repeating payments whose effects can be measured within a short timeframe, usually less than the 12-month financial year.
Operational level agreement: An internal agreement covering the delivery of services which support the IT directorate in their delivery of services.
Package release: A number of release units packaged together.
PD0005: Alternative title for the BSI publication 'A Code of Practice for IT Service Management'.
Performance Management: The process that ensures that technical resources in the infrastructure provide the best possible value for money.
Post Implementation Review, PIR: A review to see if the change achieved what it should achieve; a review to see if the change that should solve the problem actually did solve the problem.
Pricing: The policy that determines how chargeable units are priced.
Prime cost: The total cost of direct materials, direct labor and direct expenses. The term prime cost is commonly restricted to direct production costs only and so does not customarily include direct costs of marketing or research and development.
Proactive Problem Management: The process that tries to prevent incidents from happening.
Process Control: The process of planning and regulating, with the objective of performing the process in an effective and efficient way.
Reference data: Information that supports the plans and action lists, such as names and addresses or inventories, which is indexed within the plan.
Release: A collection of new and/or changed CIs which are tested and introduced into the live environment together.
Release Management: The process that manages releases, both the technical and the non-technical aspects.
Release numbering: The policy that determines how releases should be numbered.
Release unit: The level at which software of a given type is normally released.
Resource cost: This term is used to describe the amount of machine resource that a given task will consume. This resource is usually expressed in seconds for the CPU or the number of I/Os for a disk or tape device.
Resource Management: Process that ensures that adequate resources are available and functional at the required time.
Resource profile: Resource profile describes the total resource costs which are consumed by an individual online transaction, batch job or program. It is usually expressed in terms of CPU seconds, number of I/Os and memory usage.
Resources: The term resources refers to the means the IT Services section needs to provide the customers with the required services. The resources are typically computer and related equipment, software, facilities or organizational (people).
Restoration of Service: The moment a customer has confirmed that the service can be used again after an incident or a contingency.
Return to normal phase: The phase within a business recovery plan which re-establishes normal operations.
Revenue Cost: Also called running cost; value diminishes with usage, such as paper or salaries. Usually a variable cost.
Rollout: The moment or period that a (set of) system(s) is implemented. This term is usually used when multiple systems are implemented at different moments.
Second Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.
Security Awareness: The measure to which an organization is aware of its security situation.
Security Incidents: Incidents that threaten the security of an organization, e.g. viruses, hacker attacks, etc.
Security Management: The process that is responsible for the design and activation of all security measures needed to reach the desired security level.
Security Section: The section in the SLA which describes the needed security level.
Self-insurance: A decision to bear the losses that could result from a disruption to the business as opposed to taking insurance cover on the risk.
Service achievement: The actual service levels delivered by the IT directorate to a customer within a defined time-span.
Service improvement program: A formal project undertaken within an organization to identify and introduce measurable improvements within a specified work area or work process.
Service Level Agreement: Written agreement between a service provider and the Customer(s) that documents agreed service levels for a service.
Service level management: The process of defining, agreeing, documenting and managing the levels of customer IT service that are required and cost justified.
Service Level Requirement: Requirements, expressed by the customer, that are inputs into negotiations towards an SLA.
Service provider: Third-party organization supplying services or products to customers.
Service quality plan: The written plan and specification of internal targets designed to guarantee the agreed service levels.
Service Request: Every Incident not being a failure in the IT Infrastructure.
Service Window: Hours/times during which service is available.
Single point of failure: A component that will cause unavailability of a service when it fails.
Software Configuration Item (SCI): As 'Configuration Item', excluding hardware and services.
Standard costing: A technique which uses standards for costs and revenues for the purposes of control through variance analysis.
Status accounting: Process that records the state of CIs at a given time.
Test Build Environment: (Part of) the computer system used to build software releases for operational acceptance testing.
Test environment: (Part of) the computer system used to run software releases for operational acceptance testing.
Third Line Support: Often, departments and (specialist) support groups other than the Service Desk are referred to as second- or third-line support groups, having more specialist skills, time or other resources to solve Incidents. In this respect, the Service Desk would be first-line support.
Threat: An event that could happen and that would degrade the functioning of a component or a service.
Utility cost center (UCC): A cost center for the provision of support services to other cost centers.
Variant: CI with the same functionality as another CI but different in some small way.
Verification: Process that ensures the CMDB and physical CIs are synchronized.
Version Identifier: A version number; version date; or version date and time stamp.
Workload Management: See Service Capacity Management.
>>
ACRONYMS
>>
FORMS
Question (Please check only one box). Answer scale: Strongly Agree / Agree / Neutral / Disagree / Strongly Disagree
The content presented in this course was at the right level.
The content of this course met the stated objectives.
The labs and exercises reinforced skills taught in the course.
The labs and exercises were realistic and reinforced how I might use the knowledge or skills on the job.
My instructor communicated the content of the course effectively.
My instructor was willing to provide assistance at my level of need.
Do you have any comments related to the hand-outs, simulation material, quality of the presentation and/or the course locations? ______________________________________
What is one thing that would improve this education experience? ________________
What other comments do you have? (Please use additional paper if needed) _______