1. ISO 27000 Family (Day 1)
1.1 ISO 27001
1.2 ISO 27002
1.3 ISO 27009+
2. Certification Schema
3. ISO 9000 Clause 7.3.1 Information and Asset
4. Information Security
4.1 Vulnerabilities & Threats
4.2 Impact & Risk
4.3 Relationships
5. ISMS (Information Security Management System)
5.1 Organization
5.1.1 Risk Assessment Methodologies
5.1.2 Identify The Risks
5.1.3 Documentation
6. Auditing (Day 2)
6.1 Audit Evidence
6.2 Quality of Audit Evidence
6.3 Audit Approach Based on Risk
6.4 Initiating the audit
6.5 Auditing Verbal Expressions
7. Auditing (Day 3)
7.1 ISO 19011 Evidence
7.2 Examples of audit evidence collection steps
8. Evidence Collection
8.1 Sampling Methods
8.2 Audit Test Plans
8.3 Audit Findings
9. Closing The Audit
9.1 Action Plans
10. Surveillance Audit
10.1 Recertification Audit

1 © 2016 PECB. Extract by Pere Pla – All Rights Reserved.

1. ISO 27000 Family (Day 1)

- ISO 27000: This information security standard develops the basic concepts as well as the vocabulary that applies when analysing Information Security Management Systems. A free copy of this standard can be downloaded from the ISO website.
- ISO 27001: This information security standard defines the requirements of an Information Security Management System (ISMS).
- ISO 27002 (previously ISO 17799): Guide of best practices for the management of information security. This standard defines objectives and recommendations in terms of information security and anticipates meeting the global concerns of organizations relating to information security across their overall activities.
- ISO 27003: Guide for implementing or setting up an ISMS.
- ISO 27004: Guide of metrics to facilitate ISMS management. It provides a method for defining implementation objectives and effectiveness criteria, and for follow-up and evolution measurements throughout the process.
- ISO 27005: Guide for information security risk management which complies with the concepts, models and general processes specified in ISO 27001.
- ISO 27006: Guide for organizations auditing and certifying ISMSs.
- ISO 27007: Guidelines for information security management systems auditing.
- ISO 27008: Guidelines for auditors on information security controls.
- ISO 27011: Guidelines for the use of ISO 27002 in the telecommunications industry.
- ISO 27031: Guidelines for information and communication technology readiness for business continuity.
- ISO 27799: Guidelines for the use of ISO 27002 in health informatics.

1.1 ISO 27001


Requirements (expressed with "shall") for ISMS management: a set of normative requirements for the establishment, implementation, operation, monitoring and review, and for the updating and improvement, of an Information Security Management System (ISMS). It applies to all types of organizations, of all sizes, in all industries.
- 14 Clauses
- 35 Control objectives
- 114 Controls


1.2 ISO 27002


Code of practice (guidance expressed with "should"). List of security objectives and controls.

Designed to be used by organizations that intend to:

1. Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001
2. Implement commonly accepted information security controls
3. Develop their own information security management guidelines.

- 14 Clauses
- 35 Control objectives
- 114 Controls

1.3 ISO 27009+


Here are some of the standards already published or under development:
- ISO 27010: Information security management guidelines for inter-sector communication.
- ISO 27011: Information security management guidelines for telecommunications organizations based on ISO 27002.
- ISO 27013: Guideline on the integrated implementation of ISO 20000-1 and ISO 27001.
- ISO 27014: Information security governance framework.
- ISO 27015: Information security management guidelines for the finance and insurance sectors.
- ISO 27016: Information security management guidelines on organizational economics.
- ISO 27017: Information security management guidelines on cloud computing security and privacy management system.
- ISO 27018: Code of practice for data protection controls for public cloud computing services.
- ISO 27031: Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management).
- ISO 27032: Guidelines for cyber security.
- ISO 27033: IT network security (ISO 27033-1 to ISO 27033-7).
- ISO 27034: Guideline for application security.
- ISO 27035: Security incident management.
- ISO 27036: Guidelines for security of outsourcing.
- ISO 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence.
- ISO 27038: Specification for digital redaction.
- ISO 27039: Guideline for selection, deployment and operation of intrusion detection systems.
- ISO 27040: Guideline for storage security.


- ISO 27041: Guidance on assuring suitability and adequacy of investigation methods.
- ISO 27042: Guidelines for the analysis and interpretation of digital evidence.
- ISO 27043: Guideline for investigation principles and processes.
- ISO 29100: Information technology privacy framework.

2. Certification Schema
The certification process involves the following parties:
- Accreditation authorities (responsible for the assessment and the accreditation of certification organizations): ANAB & ANSI, SCC, UKAS, COFRAC, etc.
- Certification bodies (responsible for managing the certification activities of their customers and performing audits on their customers' management system): BSI, SGS, Bureau Veritas, DNV, TUV, etc.
- Organizations certifying persons, like PECB, which certify not only auditors but also training organizations and trainers.
- Organizations whose management system is subject to certification and who are customers of certification bodies.

ISO 17011 specifies requirements for the national bodies that supervise (accredit) certification programmes: ANSI, ANAB, UKAS, etc. ISO 17021 specifies requirements for certification bodies: Bureau Veritas, TÜV, etc. ISO 17024 specifies requirements for personnel certification bodies: PECB.

The certification process of an organization is as follows:

1. Implementation of the management system
2. Internal audit and review by top management
3. Selection of the certification body (registrar)
4. Pre-assessment audit (optional)
5. Stage 1 audit
6. Stage 2 audit (on-site visit)
7. Follow-up audit
8. Confirmation of registration
9. Continual improvement and surveillance audits

3. ISO 9000 Clause 7.3.1 Information and Asset


- Information: meaningful data
- Asset: anything that has value to the organisation:
  - Information
  - Software (computer programs)
  - Physical (computers)
  - Services
  - People (skills and experience)
  - Intangibles (reputation and image)


4. Information Security

- Confidentiality: Ensure that the information is only accessible to authorized individuals (individuals with a real need). (ISO 27000 clause 2.12)
- Integrity: Data must be complete and intact. (ISO 27000 clause 2.40)
- Availability: Information must be easily accessible by the individuals who need it. (ISO 27000 clause 2.9)

4.1 Vulnerabilities & Threats


Annex C of ISO 27005 provides a typology for classification of threats.


Here is a list of several potential impacts (see ISO 27005, Annex B.2) that can affect availability, integrity, confidentiality or any combination of them:
1. Financial losses;
2. Loss of assets or of their value;
3. Loss of customers, loss of suppliers;
4. Lawsuits and penalties;
5. Loss of competitive advantage;
6. Loss of technological advantage;
7. Loss of efficiency or effectiveness;
8. Violation of the privacy of users or customers;
9. Service interruption;
10. Inability to provide service;
11. Loss of branding or reputation;
12. Disruption of operations;
13. Disruption of third-party operations (suppliers, customers…);
14. Inability to fulfil legal obligations;
15. Inability to fulfil contractual obligations;
16. Endangering the safety of staff and users.

4.2 Impact & Risk


ISO 27000 – Definitions:


 2.64. Residual risk: The risk remaining after risk treatment.
 2.69. Risk acceptance: Decision to accept a risk.
 2.70. Risk analysis: process to comprehend the nature of risk
and to determine the level of risk
 2.71. Risk assessment: Overall process of risk identification,
risk analysis and risk evaluation.
 2.74. Risk evaluation: Process of comparing the the results of
risk analysis with risk criteria to determine
 whether the risk and/or its magnitude is acceptable or tolerable
 2.76. Risk management: Coordinated activities to direct and
control an organization with regard to risk.
 2.79. Risk treatment: Process of selection and
implementation of measures to modify risk.


4.3 Relationships


5. ISMS (Information Security Management System)


5.1 Organization

- ISO 27001, Clause 4.1: Understanding the organization and its context
- ISO 27001, Clause 4.2: Understanding the needs and expectations of interested parties
- ISO 27001, Clause 4.3: Determining the scope of the Information Security Management System
- ISO 27001, Clause 4.4: Information security management system
- ISO 27001, Clause 1: Application
- ISO 27001, Clause 5.1: Leadership and commitment
- ISO 27001, Clause 6.1.2: Information security risk assessment

5.1.1 Risk Assessment Methodologies

The following is a list of several recognized risk assessment methodologies:
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): evaluates the assets under threat, the most serious risks, and the vulnerability of the defences, based on a standardized knowledge base (standard catalogue of information) included in the method. From these results, the method allows a risk reduction strategy to be developed and implemented. OCTAVE is structured in three phases: profile of security needs with regard to the company's assets, vulnerability study, and development of the strategy and security plan.
- CRAMM (CCTA Risk Analysis and Management Method): created in 1987 by the Central Computing and Telecommunications Agency (CCTA) of the United Kingdom government. CRAMM has a three-phase structure: definition of the assets threatened, risk and vulnerability analysis, and definition and selection of security measures.
- MICROSOFT also released a guide for managing security risks, based on several industry-recognized standards and accompanied by tools to perform a comprehensive risk assessment. The overall risk management process has four main phases: risk assessment, decision support, implementation of security controls, and measuring programme effectiveness.
- TRA (Harmonized Threat and Risk Assessment Methodology): a publication issued under the authority of the Chief, Communications Security Establishment Canada (CSEC) and the Commissioner, Royal Canadian Mounted Police (RCMP). This methodology has four steps: establish the scope of the assessment and identify the employees and assets to be safeguarded; determine the threats to employees and assets, and assess the likelihood and impact of their occurrence; assess vulnerabilities based on the adequacy of safeguards and compute the risk; implement additional safeguards, if necessary, to reduce risk to an acceptable level.
- EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité): makes it possible to evaluate and act on risks relating to information systems security, and proposes a security policy adapted to the needs of an organization. The method was created by ANSSI (Agence Nationale pour la Sécurité des Systèmes d'Information), formerly DCSSI. This agency is placed under the authority of the Prime Minister and is attached to the Secretary General for National Defence. The five steps of the EBIOS method are: context study, security requirements, risk study, identification of security objectives, and determination of security requirements.
- MEHARI (MÉthode Harmonisée d'Analyse de Risques, "Harmonized method of risk analysis"): developed by CLUSIF since 1995, it derives from the Melissa and Marion methods. The MEHARI global approach consists of analysing the security issues and a preliminary classification of IS entities based on the three basic security criteria (confidentiality, integrity, availability). These issues express the dysfunctions having a direct impact on the activity of the organization. Audits identify the IS vulnerabilities, and the risk analysis itself is subsequently conducted.

Note: ENISA (European Network and Information Security Agency) has established an inventory of several risk management/risk assessment methods available on the market, including a comparison by 22 attributes. See http://rm-inv.enisa.europa.eu/rm_ra_tools.html

5.1.2 Identify The Risks

From ISO 27005:2011, clauses 8.2.2-8.2.6: identify assets, threats, existing controls, vulnerabilities and consequences.

From ISO 27005:2011, clauses 8.3.2-8.3.4 and 8.4: assess the potential consequences and the likelihood of their occurrence, then evaluate the risks.

14 © 2016 PECB. Extract by Pere Pla – All Rights Reserved.


354380719

Residual risk = Inherent risk – Risk treated by controls

5.1.3 Documentation


6. Auditing (Day 2)

The new version of ISO 19011:2011 is a generic audit guide applicable to any management system. Contents of ISO 19011:2011:

1. Scope;
2. Informative references;
3. Terms and definitions;
4. Principles of auditing;
5. Managing an audit programme;
6. Performing an audit;
7. Competence and evaluation of auditors;
8. Annex A: Guidance and illustrative examples of discipline-specific knowledge and skills of auditors;
9. Annex B: Additional guidance for auditors for planning and conducting audits.

ISO 27007 contains additional guidance to ISO 19011 for auditing an ISMS. This guidance is presented clause by clause.

ISO 17021 is intended to be used by organizations that audit and certify management systems. It introduces generic requirements that apply to certification bodies auditing and certifying management systems. ISO 17021:2006 cancels and replaces ISO Guide 62:1996 and ISO Guide 66:1999, which were merged. Contents of ISO 17021:2011:
1. Scope
2. Normative references
3. Terms and definitions
4. Principles
5. General requirements
6. Structural requirements
7. Resource requirements
8. Information requirements
9. Process requirements
10. Management system requirements for certification bodies
11. Annex A (normative): Required knowledge and skills
12. Annex B (informative): Possible evaluation methods
13. Annex C (informative): Example of a process flow for determining and maintaining competence
14. Annex D (informative): Desired personal behaviours
15. Annex E (informative): Third-party audit and certification process
16. Annex F (informative): Considerations for the audit programme, scope or plan

ISO 27006 is intended to be used by organizations that audit and certify information security management systems according to the audit criteria of ISO 27001. Contents of ISO 27006:2011:


1. Scope;
2. Normative references;
3. Terms and definitions;
4. Principles;
5. General requirements;
6. Structural requirements;
7. Resource requirements;
8. Information requirements;
9. Process requirements;
10. Management system requirements for certification bodies;
11. Annex A: Analysis of a client organization's complexity and sector-specific aspects;
12. Annex B: Example areas of auditor competence;
13. Annex C: Audit time;
14. Annex D: Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls.


6.1 Audit Evidence


- Physical evidence is any evidence obtained through observation or direct inspection of tangible elements.
- Mathematical evidence consists of validating the mathematical exactness of certain documents or records.
- Confirmative evidence consists of obtaining confirmation of one or more elements through a third party.
- Technical evidence consists of validating the operation of an information system.
- Analytical evidence consists of analysing data and their variations to discover trends as well as potential deviations.
- Documentary evidence is the verification of any record or document.
- Verbal evidence generally consists of an interview with a person who has the necessary knowledge and responsibilities to perform the operation that is being audited.

6.2 Quality of Audit Evidence

6.3 Audit Approach Based on Risk


- Inherent Risk: Corresponds to the possibility that, without taking into account any internal control that may exist in the organization, a significant defect occurs in the management system. This is the risk related to the industrial sector in which the audited organization operates.
- Control Risk: Corresponds to the risk that a significant defect will be neither prevented nor detected by the internal control environment (all the organization's processes and controls), and therefore not corrected within the required time.
- Detection Risk: Corresponds to the risk that the auditor is not able to detect a significant defect.
- Acceptable Detection Risk: Corresponds to how far the auditor is willing to go in accepting that his conclusions may be substantially erroneous. This is why some auditors request more audit days than the minimum required for a certification audit.

Audit Risk = Inherent Risk + Control Risk + Detection Risk

6.4 Initiating the audit


The minimum time expected by ISO 27006 for an audit engagement is 5 person-days. Generally, the 5 days are divided as follows:
- 0.5 day: feasibility study and audit preparation;
- 1 day: documentation audit;
- 3 days: on-site audit;
- 0.5 day: drafting of the final report.


6.5 Auditing Verbal Expressions

In the different ISO standards, four families of verbal expressions are used:
1. Requirement: The terms “shall” and “shall not” indicate requirements to be strictly followed in order to conform to the document and from which no deviation is permitted;
2. Recommendation: The terms “should” and “should not” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is deprecated but not prohibited;
3. Permission: The terms “may” and “need not” indicate a course of action permissible within the limits of the document;
4. Possibility: The terms “can” and “cannot” indicate a possibility of something occurring.


7. Auditing (Day 3)


7.1 ISO 19011 Evidence

- Audit evidence: Records, statements of fact or other information which are relevant to the audit criteria and verifiable. Note: audit evidence may be qualitative or quantitative.
- Audit findings: Results of the evaluation of the collected audit evidence against the audit criteria.
- Audit conclusion: Outcome of an audit, provided by the audit team after consideration of the audit objectives and all audit findings.

7.2 Examples of audit evidence collection steps

Let's take two examples to illustrate the steps from the collection of audit evidence to the issuing of the audit conclusion:
- Manual control (example A): Assigning access rights to the organization's financial application must be approved beforehand by the system owner (internal audit criterion set by the auditee).
- Automated control (example B): Backups must be performed automatically and daily (internal audit criterion set by the auditee).

1. Information sources: raw information available to the auditor. This information has not yet been selected or analysed. In the case of sampling, the sources of information represent the population.
   a. Example A: the signed authorization forms.
   b. Example B: the configurations of the backup systems.
2. Audit evidence: when the auditor selects and obtains information, it becomes audit evidence. With regard to sampling, the auditor must follow a systematic or random approach when selecting the sample. This audit evidence has not yet been analysed by the auditor.
   a. Example A: a sample of signed authorization forms.
   b. Example B: observation and screenshots of the backup configurations.
3. Audit findings: the auditor analyses the audit evidence against the audit criteria and determines whether it conforms to them.
   a. Example A: three access forms out of the sample of 25 were not signed by the owner of the application (the system owner) → partial conformity with the criteria → minor nonconformity.
   b. Example B: the configurations show that backups are performed automatically and daily → conforms to the criteria → conformity.
4. Audit conclusion: the auditor analyses all the audit findings and another auditor performs a quality review. Finally, the auditor issues an audit conclusion.
   a. Example A: following the reviewer's comments, the auditor changes the audit finding to a major nonconformity because the non-conforming forms relate to requests for access rights to critical systems. Subsequently, the auditor issues the audit conclusion: recommendation unfavourable to certification.
   b. Example B: the reviewer shares the auditor's opinion and deems that the control conforms. Subsequently, the auditor issues the audit conclusion: recommendation favourable to certification.
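The four steps above carried through in code for both examples, as an added illustration that is not part of the PECB material: the population of access request forms, the systematic sampling rule, the minor/major classification thresholds and the backup configuration keys are all constructed assumptions drawn from the narrative of examples A and B.

```python
"""Worked run of the evidence chain: sources -> evidence -> findings -> conclusion.

Added example, not PECB material. All forms, system names and the backup
configuration are constructed test data; the classification rules are
assumptions taken from the narrative of examples A and B above.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class AccessRequestForm:
    form_id: int
    system: str
    owner_signed: bool  # the audit criterion: approved by the system owner


# Step 1, information sources: the whole population of 100 access request
# forms (constructed). Forms 9, 33, 57 and 10 lack the owner's signature;
# form 10 will fall outside the systematic sample and so is never seen.
UNSIGNED = {9, 10, 33, 57}
POPULATION: List[AccessRequestForm] = [
    AccessRequestForm(i, "financial-app" if i % 5 else "payroll", i not in UNSIGNED)
    for i in range(1, 101)
]


def systematic_sample(population: Sequence[AccessRequestForm],
                      sample_size: int, start: int = 0) -> List[AccessRequestForm]:
    """Step 2, systematic sampling: take every k-th item (k = N // n) from a
    fixed starting offset, so the reviewer can re-draw the identical sample."""
    if not 0 < sample_size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    step = len(population) // sample_size
    return [population[(start + i * step) % len(population)] for i in range(sample_size)]


def classify_access_finding(sample: Sequence[AccessRequestForm],
                            critical_systems: FrozenSet[str]) -> Dict[str, object]:
    """Steps 3 and 4 for example A. Assumed rule: no exceptions -> conformity;
    exceptions only on non-critical systems -> minor nonconformity; any
    exception on a critical system -> major nonconformity, which turns the
    certification recommendation unfavourable."""
    exceptions = [f for f in sample if not f.owner_signed]
    if not exceptions:
        finding = "conformity"
    elif any(f.system in critical_systems for f in exceptions):
        finding = "major nonconformity"
    else:
        finding = "minor nonconformity"
    return {
        "sample_size": len(sample),
        "exceptions": [f.form_id for f in exceptions],
        "finding": finding,
        "recommendation": "unfavourable" if finding == "major nonconformity" else "favourable",
    }


def run_example_a(critical_systems: FrozenSet[str]) -> Dict[str, object]:
    """Draw the 25-form sample from the population and classify it."""
    return classify_access_finding(systematic_sample(POPULATION, 25), critical_systems)


def evaluate_backup_config(config: Dict[str, object]) -> str:
    """Example B, automated control: criterion 'performed automatically and
    daily'. The config keys are assumed names for what the screenshot shows."""
    automated = config.get("scheduler_enabled") is True
    daily = config.get("frequency") == "daily"
    return "conformity" if automated and daily else "nonconformity"


if __name__ == "__main__":
    # Auditor's first pass: no system yet flagged as critical -> minor.
    print("first assessment:", run_example_a(frozenset()))
    # After the reviewer's comment that the financial application is critical.
    print("after review:", run_example_a(frozenset({"financial-app"})))
    print("example B:", evaluate_backup_config({"scheduler_enabled": True, "frequency": "daily"}))
```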

8. Evidence Collection


8.1 Sampling Methods


8.2 Audit Test Plans


8.3 Audit Findings


9. Closing The Audit

9.1 Action Plans

At the action plans submission step, the auditee does not have to submit detailed action plans with information on the systems to be installed, the costs, the firms selected, the project plan, etc. Only a general statement of the actions that will be taken is required.


10. Surveillance Audit

ISO 17021, clause 9.3.2.1: Surveillance audit. The surveillance audit programme shall include, at least:

- Internal audits and management review,
- A review of actions taken on non-conformities identified during the previous audit,
- Treatment of complaints,
- Effectiveness of the management system with regard to achieving the certified client's objectives,
- Progress of planned activities aimed at continual improvement,
- Continuing operational control,
- Review of any changes, and
- Use of marks and/or any other reference to certification.


10.1 Recertification Audit
