
Schedule for Day 1

Section 1: Course objectives and structure
Section 2: Standard and regulatory framework
Section 3: Certification process
Section 4: Fundamental principles of information security
Section 5: Information Security Management System (ISMS)

© 2005 PECB
Version 8.2.2
René St-Germain / Eric Lachapelle (Editors)
Document number: ISMSLAD1V8.2.2

Documents provided to participants are strictly reserved for training purposes and are copyrighted by
PECB. Unless otherwise specified, no part of this publication may be, without PECB’s written permission,
reproduced or used in any way or format or by any means whether it be electronic or mechanical including
photocopy and microfilm.

© PECB official training – Reproduction prohibited without authorization 1


Day 1: Introduction to information security and ISO 27001
1. Course objectives and structure Pg.: 4
2. Standard and regulatory framework Pg.: 21
3. Certification process Pg.: 48
4. Fundamental principles of information security Pg.: 58
5. Information Security Management System (ISMS) Pg.: 87

Day 2: Audit principles, preparation and launching of an audit


6. Fundamental audit concepts and principles Pg.: 4
7. Audit approach based on evidence and risk Pg.: 42
8. Initiating the audit Pg.: 64
9. Stage 1 audit Pg.: 82
10. Preparing the stage 2 audit (on-site audit) Pg.:103
11. Stage 2 audit (Part 1) Pg.:116

Day 3: On-site audit activities


11. Stage 2 audit (Part 2) Pg.: 4
12. Communication during the audit Pg.: 11
13. Audit procedures Pg.: 28
14. Creating audit test plans Pg.: 66
15. Drafting audit findings and non-conformity reports Pg.: 77

Day 4: Closing the audit


16. Documentation of the audit and quality review Pg.: 4
17. Closing the audit Pg.: 14
18. Evaluating action plans by the auditor Pg.: 39
19. Beyond the initial audit Pg.: 47
20. Managing an internal audit programme Pg.: 60
21. Competence and evaluation of auditors Pg.: 79
22. Closing the training Pg.:102



Normative references used in this training

1. Main standards

• ISO 17021:2015, Conformity assessment — Requirements for bodies providing audit and certification
of management systems.
• ISO 17024:2012, Conformity assessment — General requirements for bodies operating certification of
persons.
• ISO 19011:2011, Guidelines for auditing management systems.
• ISO/IEC 27000:2016, Information technology — Security techniques — Information security
management systems — Overview and vocabulary.
• ISO/IEC 27001:2013, Information Security Management Systems – Requirements.
• ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for
information security management.
• ISO/IEC 27003:2010, Information technology — Security techniques — Information security
management system implementation guidance.
• ISO/IEC 27005:2011, Information technology — Security techniques — Information security risk
management.
• ISO/IEC 27006:2011, Information technology — Security techniques — Requirements for bodies
providing audit and certification of information security management systems.
• ISO/IEC 27007:2011, Information technology — Security techniques — Guidelines for information
security management systems auditing.
• ISO/IEC TR 27008:2011, Information technology — Security techniques — Guidelines for auditors on
information security controls.

2. Other standard references

• ISO Guide 73:2009, Risk management – Vocabulary.


• ISO 9000:2015, Quality management systems – Fundamentals and vocabulary.
• ISO 9001:2015, Quality management systems – Requirements.
• ISO 14001:2015, Environmental management systems – Requirements with guidance for use.
• ISO/IEC 17011:2004, Conformity assessment – General requirements for accreditation bodies
accrediting conformity assessment bodies.
• OHSAS 18001:2007, Occupational Health and Safety Management Systems — Requirements.
• ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management
system requirements.
• ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the
application of service management systems.
• ISO 22000:2005, Food safety management systems — Requirements for any organization in the food
chain.
• ISO 22301:2012, Societal security — Business continuity management systems — Requirements.
• ISO/IEC 27004:2009, Information technology – Security techniques – Information security
management – Measurement.
• ISO 28000:2007, Specification for security management systems for the supply chain.
• ISO 31000:2009, Risk Management – Principles and Guidelines.



List of acronyms and abbreviations used in this training
BS: British Standard
BCMS: Business continuity management system
CERT: Computer Emergency Response Team
CMS: Content Management System
CobiT: Control Objectives for Business and related Technology
COSO: Committee of Sponsoring Organizations of the Treadway Commission
CPD: Continuing Professional Development
DMS: Document Management System
EA: European Co-operation for Accreditation
EDM: Electronic Document Management System
EMS: Environmental management system
FISMA: Federal Information Security Management Act
GAAS: Generally Accepted Auditing Standards
GLBA: Gramm-Leach-Bliley Act
HIPAA: Health Insurance Portability and Accountability Act
IAF: International Accreditation Forum
IFAC: International Federation of Accountants
IMS2: Integrated Implementation Methodology for Management Systems and Standards
ISMS: Information security management system
ISO: International Standards Organization
ITIL: Information Technology Infrastructure Library
LA: Lead auditor
LI: Lead Implementer
NC: Non-conformity
NIST: National Institute of Standards and Technology
OHSAS: Occupational Health and Safety Assessment Series
OECD: Organization for Economic Co-operation and Development
PCI-DSS: Payment Card Industry Data Security Standard
PDCA: Plan-Do-Check-Act
QMS: Quality management system
PECB: Professional Evaluation and Certification Board
ROI: Return on Investment
ROSI: Return on Security Investment
SMS: Service management system
SoA: Statement of applicability
SOX: Sarbanes-Oxley Act



Section 1 : Course objectives and structure



Section 1 : Course objectives and structure

To break the ice, participants introduce themselves stating:


• Name;
• Current position;
• Knowledge of and experience with information security;
• Knowledge of and experience with ISO 27001 and other standards of the 27000 family
(27002, 27003, 27004, 27005, etc.);
• Knowledge and experience with other management systems (ISO 9001, ISO 14001, ISO
20000, ISO 22301, etc.);
• Auditing knowledge and experience;
• Course expectations and objectives.

Duration of activity: 20 minutes



Section 1 : Course objectives and structure

• For simplification, only the masculine is used throughout this training and is not meant to offend
anyone.
• In case of emergency, please be aware of exits.
• Agree on course schedule and two breaks (be on time).
• Set your cell phone on vibration and if you need to take a call, please do it outside the classroom.
• Recording devices are prohibited because they may restrict free discussions.



Section 1 : Course objectives and structure

The training is designed to allow candidates to acquire and/or enhance their competency to audit an
information security management system. From an educational point of view, competency consists of the
following 3 elements:
1. Knowledge;
2. Skill;
3. Behavior (attitude).

This training is focused on the acquisition of knowledge related to audit techniques applied to information
security, and not on the acquisition of an expertise in information security. Minimal knowledge of
information security is however required for successful completion of the course.

To obtain more in-depth knowledge of the implementation and the management of an ISMS, it is
recommended to take the Certified ISO 27001 Lead Implementer course.

At the end of the course, participants will obtain knowledge and develop competency in how to audit, and
not only in why to audit and what to do during an audit.



Section 1 : Course objectives and structure

Regarding the development of skills, the objective of this training is to ensure that the candidate can
actively participate in an ISO 27001 certification audit or an internal audit the day following the end of the
training. This training is focused on the daily realities of the conduct of an audit. The case study and
role-plays act as simulations of situations that are as close as possible to the reality in the field.

Regarding attitude, several exercises will allow the candidate to strengthen the personal skills an auditor
needs in order to act with due professional care while carrying out audit activities, such as decision-making
ability, teamwork, open-mindedness, etc.

Important note: The Certified ISO 27001 Lead Auditor training is intended for both internal and external
auditors. Auditing techniques and the competencies needed by auditors are common to all types of audits.
The peculiarities of the different types of audits will be explained during the training. Internal audits will be
handled in a dedicated section of day 4.



Section 1 : Course objectives and structure

This course is primarily based on:

• Trainer-led sessions, where questions are welcomed.
• Student involvement: exercises, case studies, role-plays, notes, reactions, discussions (participant
experiences).

Remember, this course is yours: you are the main players of its success.

Students are encouraged to take additional notes.

Homework and exercises are essential in the acquisition of the competencies necessary to conduct an
audit. Thus it is very important to do them conscientiously. Moreover, even if they are not scored,
homework and exercises prepare participants for the certification exam.



Section 1 : Course objectives and structure

ISO 19011 provides guidance on audit principles, audit programme management, management
systems audit, as well as guidance on the competencies of auditors. It applies to all organizations
needing to conduct internal and external audits or to manage an audit programme. The
application of ISO 19011 to other types of audits is possible: it is sufficient, in this type of case, to
give special attention to identifying the competencies required by the audit team members.
Reference: www.iso.org

International Federation of Accountants - IFAC: This is the world accounting organization. It
operates with its 157 members and associates in 122 countries to protect public interest by
encouraging high quality practices by the accounting world. Standards developed by IFAC
provide guidelines and advice in the following fields: audit, insurance, control and services related
to quality, to training, ethics and accounting.
Reference: www.ifac.org

Generally Accepted Auditing Standards - GAAS: These are several audit standards,
developed by the AICPA (American Institute of Certified Public Accountants), including general
standards, standards by activity sector and report standards, with interpretations. They were
developed by AICPA in 1947 and have undergone a few minor changes since then.
Reference: www.aicpa.org



Section 1 : Course objectives and structure

ISACA standards and guidelines: The Information Systems Audit and Control Association
(ISACA) has developed several standards and guidelines to provide advice on the audit of
information systems. Founded in 1967, ISACA has over 65 000 members. Two of its main
professional certifications, CISA (Certified Information Systems Auditor) and CISM (Certified
Information Security Manager), enjoy international recognition.
Reference: www.isaca.org

Professional practices of the Institute of Internal Auditors: These provide advice on conducting
internal audits. They are the result of careful analysis, consultations and deliberations on the
fundamental principles concerning the performance of internal audit services by members of the
IIA (Institute of Internal Auditors) and the CIA (Certified Internal Auditor).
Reference: www.theiia.org



Section 1 : Course objectives and structure

The objective of the certification examination is to ensure that auditor candidates have mastered audit
concepts and techniques so that they are able to participate in audit assignments. The PECB examination
committee shall ensure that the development and adequacy of the exam questions is maintained based
upon current professional practice. The questions are developed and maintained by a committee of
information security specialists that are all ISO 27001 Lead Auditor certified.

The exam only contains essay questions. The duration of the exam is 3 hours. The minimum
passing score is 70%.

All notes and reference documents may be used during the exam; the use of a computer is not permitted.

The exam is available in several languages. When taking the exam, please ask the trainer or check on the
PECB website to know the list of available languages.

All seven competency domains are covered by the examination. To read a detailed description of each
competency domain, please visit the PECB website.



Section 1 : Course objectives and structure

Passing the exam is not the only prerequisite to obtain the credential of “Certified ISO 27001 Lead
Auditor”. This credential endorses both the passing of the exam and the validation of the professional
experience records. Unfortunately, many people claim they are ISO 27001 Lead Auditor-qualified following
a successful exam, although they don’t have the required experience level.

The set of criteria and the certification process are explained on the last day of the training.

A candidate with lesser experience can apply for the credential of “Certified ISO/IEC 27001 Auditor” or
“Certified ISO/IEC 27001 Provisional Auditor”.

Important note: Certification fees are included in the examination price. The candidate will therefore not
have to pay any additional costs when applying for certification at the experience level that corresponds to
them and receiving one of the professional credentials, i.e. Certified ISO/IEC 27001 Provisional Auditor,
Certified ISO/IEC 27001 Auditor or Certified ISO/IEC 27001 Lead Auditor.



Section 1 : Course objectives and structure

After passing the exam, the candidate has a maximum period of three years to apply for one of the
professional credentials related to the ISO 27001 certification scheme.

When the candidate is certified, he will receive from PECB, via electronic mail, a certificate valid for three
years. To maintain his certification, the applicant must demonstrate every year that he is satisfying the
requirements for the assigned credential and abiding by PECB’s Code of Ethics. To learn more about the
certificate maintenance and renewal procedure, please visit the PECB website. At the end of the training,
more details will be given.

An electronic (PDF) course completion certificate, worth 31 CPD (Continuing Professional Development)
credits, will be issued to participants by email after the training.



Section 1 : Course objectives and structure

PECB is a certification body for persons, management systems, and products on a wide range of international
standards. As a global provider of training, examination, audit, and certification services, PECB offers its
expertise in multiple fields, including but not limited to Information Security, IT, Business Continuity, Service
Management, Quality Management Systems, Risk Management, Health, Safety, and Environment.

We help professionals and organizations to show commitment and competence with internationally
recognized standards by providing this assurance through the education, evaluation and certification
against rigorous, internationally recognized competence requirements. Our mission is to provide our
clients comprehensive services that inspire trust, continual improvement, demonstrate recognition, and
benefit society as a whole. PECB is accredited by IAS against ISO/IEC 17024, ISO/IEC 17021-1, ISO/IEC
17065.

The purpose of PECB, as stated in its Bylaws, is to develop and promote professional standards for certification
and to administer credible certification programs for individuals who practice in disciplines involving the audit and
the implementation of a compliant management system. This principal purpose includes:

1. Establishing the minimum requirements necessary to qualify certified professionals;


2. Reviewing and verifying the qualifications of applicants for eligibility to sit for the certification examinations;
3. Developing and maintaining reliable, valid, and current certification examinations;
4. Granting certificates to qualified candidates, maintaining certificant records, and publishing a directory of
the holders of valid certificates;
5. Establishing requirements for the periodic renewal of certification and determining compliance with those
requirements;
6. Ascertaining that certificants meet and continue to meet the PECB Code of Ethics;
7. Representing its members, where appropriate, in matters of common interest;
8. Promoting the benefits of certification to employers, public officials, practitioners in related fields, and the
public.



Section 1 : Course objectives and structure

• An internationally recognized certification can help you maximize your career potential and reach your
professional objectives.

• An international certification is the formal recognition of competencies of an
individual.

• According to salary surveys published by several magazines in the last five years, certified auditors
have an average salary considerably higher than their non-certified counterparts.



Section 1 : Course objectives and structure

In order to ensure your satisfaction and continually improve the training, examination and certification
processes, PECB Customer Service has established a support ticket system for handling complaints and
services for our clients.

As a first step, we invite you to discuss the situation with the trainer. If necessary, do not hesitate to contact
the head of the training organization where you are registered. In all cases, we remain at your disposal to
arbitrate any dispute that might arise between you and these parties.

To send comments, questions or complaints, please open a support ticket on PECB’s website in the PECB
Help Center. (www.pecb.com/help)

If you have suggestions for improving PECB’s training materials, we'd like to hear from you. We read and
evaluate the input we get from our members. You can do so directly from our KATE application or you can
open a ticket directed to the Training Department in the PECB Help Center. (www.pecb.com/help)

In case of dissatisfaction with the training (trainer, training room, equipment, ...), the examination or the
certification processes, please open a ticket under the “Make a complaint” category on the PECB Help Center.
(www.pecb.com/help)



Section 1 : Course objectives and structure

Day 1: Introduction to information security and ISO 27001


1. Course objectives and structure
2. Standard and regulatory framework
3. Certification process
4. Fundamental principles of information security
5. Information Security Management System (ISMS)

Day 2: Audit principles, preparation and launching of an audit


6. Fundamental audit concepts and principles
7. Audit approach based on evidence and risk
8. Initiating the audit
9. Stage 1 audit
10. Preparing the stage 2 audit (on-site audit)
11. Stage 2 audit (Part 1)

Day 3: On-site audit activities


11. Stage 2 audit (Part 2)
12. Communication during the audit
13. Audit procedures
14. Creating audit test plans
15. Drafting audit findings and non-conformity reports

Day 4: Closing the audit


16. Documentation of the audit and quality review
17. Closing the audit
18. Evaluating action plans by the auditor
19. Beyond the initial audit
20. Managing an internal audit programme
21. Competence and evaluation of auditors
22. Closing the training

Day 5: Final exam



Section 1 : Course objectives and structure

Section summary:
1. The main objective of this training is to acquire the competency (knowledge, skills and behavior) to
participate in an ISO 27001 internal audit or certification audit.

2. Success of the training is based on participant involvement (experience feedback, discussions, role-
play, exercises, etc.).

3. The objective of the certification examination is to ensure that auditor candidates have mastered audit
concepts and techniques so that they are able to participate in audit assignments. The exam only
contains essay questions. The duration of the exam is 3 hours. The minimum passing score is 70%.
The exam is available in several languages.

4. Passing the exam is only one of the prerequisites to obtain the professional credential “Certified ISO
27001 Lead Auditor”. This professional credential endorses both the passing of the exam and the
validation of the professional experience records.

5. PECB (Professional Evaluation and Certification Board) is a certification organization for persons. The
first objective of PECB, as included in its statutes, is to develop and promote professional standards
for certification and to administer credible certification programs for persons who work in disciplines
involving verification and implementation of a compliant management system.



Section 2 : Standard and regulatory framework

During this training, we will adopt the following convention: standards will often be referenced as “ISO
XXXX” in the slides instead of by their official designation “ISO/IEC XXXXX:20XX”, without specifying their
publication date, each referring to its latest version.

ISO documents are copyright protected. Each participant has a responsibility to possess a legal copy of the
standards required for this course. If a standard is included or was given to you for the period of this
training, you must follow the conditions for use stated by ISO.

No part of this publication may be reproduced by any means or used in any way, whether electronic or
mechanical, including photocopies and microfilms, without written permission from ISO (see address
below) or from a member of the ISO organization located in the country of the person or the related organization.

Copies of the different ISO standards can be bought online on the ISO website (www.iso.org) or from the
accreditation authority of each country. For example, you can buy ISO standards from ANSI
(webstore.ansi.org).

Note on terminology: Depending on the standard, different terms are used to refer to a specific part of a
standard, such as clause, section, paragraph or chapter. In this course we will use "clause" for any
reference to a specific part of a norm or standard.



Section 2 : Standard and regulatory framework

History
In 1946, delegates from 25 countries met in London and decided to create a new international organization,
of which the object would be "to facilitate the international coordination and unification of industrial
standards". The new organization officially began operations on 23 February 1947, in Geneva, Switzerland.

The International Standards Organization (ISO) is a non-governmental organization that holds a special
position between the public sector and the private sector. Its members include national standards
organizations who often are part of government structures in their countries or who are mandated by these
governments.

Other members belong to the private sector as national partnerships of industry associations.

Goals/Advantages
The role of ISO is to facilitate the international coordination and unification of industrial standards. To
reach these objectives, ISO publishes technical standards. These standards contribute to the development,
manufacturing and delivery of products and services that are more effective, safer and clearer. They
facilitate fair trade between countries. In addition, they provide governments with a technical foundation for
health, security and environmental legislation, and they help transfer technologies to developing countries. ISO
standards are also used to protect consumers and general users of products and services, and to simplify
their lives.

Note on terminology: Because "International Organization for Standardization" would have different
acronyms in different languages ("IOS" in English, "OIN" in French for Organisation internationale de
normalisation), its founders decided to give it also a short, all-purpose name. They chose "ISO", derived
from the Greek isos, meaning "equal".

Source: www.iso.org



Section 2 : Standard and regulatory framework

How are ISO standards developed?


The national delegations of experts of a committee meet to discuss, debate and argue until they reach consensus on a
draft agreement. The “organizations in liaison” also take part in this work. In some cases, advanced work within these
organizations means that substantial technical development and debate has already occurred, leading to some
international recognition and in this case, a document may be submitted for "fast-track" processing. In both cases, the
resulting document is circulated as a Draft International Standard (DIS) to all ISO's member bodies for voting and
comment.

If the vote is in favor, the document, with any modifications, is circulated to the ISO members as a Final Draft
International Standard (FDIS). If that vote is positive, the document is then published as an International Standard.
(There is no FDIS stage in the case of documents processed through the fast track procedure of the joint technical
committee ISO/IEC JTC 1, Information technology.)

Every working day of the year, an average of seven ISO technical meetings takes place around the world. In between
meetings, the experts continue the standards' development work by correspondence. Increasingly, their work is carried
out by electronic means, which speeds up the development of standards and cuts travel costs.

International Standards are developed by a six-step process:

Stage 1: Proposal stage


The first step in the development of an International Standard is to confirm that a particular International Standard is
needed. A new work item proposal (NP) is submitted for vote by the members of the relevant TC or SC to determine
the inclusion of the work item in the programme of work.

The proposal is accepted if a majority of the P-members of the TC/SC votes in favor and if at least five P-members
declare their commitment to participate actively in the project. At this stage a project leader responsible for the work
item is normally appointed.

Stage 2: Preparatory stage


Usually, a working group of experts, the chairman (convener) of which is the project leader, is set up by the TC/SC for
the preparation of a working draft. Successive working drafts may be considered until the working group is satisfied
that it has developed the best technical solution to the problem being addressed. At this stage, the draft is forwarded to
the working group's parent committee for the consensus-building phase.

Stage 3: Committee stage


As soon as a first committee draft is available, it is registered by the ISO Central Secretariat. It is distributed for
comment and, if required, voting, by the P-members of the TC/SC. Successive committee drafts may be considered
until consensus is reached on the technical content. Once consensus has been attained, the text is finalized for
submission as a draft International Standard (DIS).

Stage 4: Enquiry stage


The draft International Standard (DIS) is circulated to all ISO member bodies by the ISO Central Secretariat for voting
and comment within a period of five months. It is approved for submission as a final draft International Standard (FDIS)
if a two-thirds majority of the P-members of the TC/SC are in favor and not more than one-quarter of the total number
of votes cast are negative. If the approval criteria are not met, the text is returned to the originating TC/SC for further
study and a revised document will again be circulated for voting and comment as a draft International Standard.

Stage 5: Approval stage


The final draft International Standard (FDIS) is circulated to all ISO member bodies by the ISO Central Secretariat for a
final Yes/No vote within a period of two months. If technical comments are received during this period, they are no
longer considered at this stage, but registered for consideration during a future revision of the International Standard.
The text is approved as an International Standard if a two-thirds majority of the P-members of the TC/SC is in favor
and not more than one-quarter of the total number of votes cast are negative. If these approval criteria are not met, the
standard is referred back to the originating TC/SC for reconsideration in light of the technical reasons submitted in
support of the negative votes received.

Stage 6: Publication stage


Once a final draft International Standard has been approved, only minor editorial changes, if and where necessary, are
introduced into the final text. The final text is sent to the ISO Central Secretariat which publishes the International
Standard.

Reference: www.iso.org



Section 2 : Standard and regulatory framework

ISO basic principles


1. Equal representation: Every ISO member (full-fledged member) has the right to
participate in the development of any standard it deems important to the economy of its
country. Whatever the size or strength of the economy, each participating member can
claim their right to vote. ISO activities are thus carried out in a democratic structure
where member countries are on the same footing in terms of their influence on work
orientation.

2. Voluntary: Adoption of ISO standards is voluntary. As a non-governmental
organization, ISO has no legal authority for their implementation. A percentage of ISO
standards – more particularly those related to health, security and the environment –
have been adopted in several countries as part of the regulatory framework, or are
mentioned in the legislation for which they act as a technical basis. Such adoptions are
sovereign decisions by regulatory organizations or governments.

ISO itself does not regulate or legislate. However, although ISO standards are voluntary,
they can become a market requirement, as is the case with ISO 9001 or with freight
container dimensions, the traceability of food products, etc.


3. Business orientation: ISO only develops standards for which a market demand exists. Work
is carried out by experts in the related industrial, technical and business sectors. These experts
may be joined by other experts holding the appropriate knowledge, such as those from public
organizations, academia and testing laboratories. ISO launches the development of new standards in
response to sectors and stakeholders that express a clearly established need for them.

An industry sector or other stakeholder group typically communicates its requirement for a
standard to one of ISO's national members. The latter then proposes the new work item to the
relevant ISO technical committee developing standards in that area. New work items may also be
proposed by organizations in liaison with such committees. When work items do not relate to
existing committees, proposals may also be made by ISO members to set up new technical
committees to cover new fields of activity.

4. Consensus approach: ISO standards are based on a representative consensus approach of
the different stakeholders (experts, industries, researchers, governments, etc.). This ensures a
larger circulation and a greater application. ISO standards are developed by technical
committees, (subcommittees or project committees) comprising experts from the industrial,
technical and business sectors which have asked for the standards, and which subsequently put
them to use. These experts may be joined by representatives of government agencies, testing
laboratories, consumer associations, non-governmental organizations and academic circles.

Proposals to establish new technical committees are submitted to all ISO national member
bodies, who may opt to be participating (P), observer (O) or non-members of the committee. The
secretariat (i.e. the body providing the administrative support to the work of the committee) is
allocated by the Technical Management Board (which itself reports to the ISO Council), usually to
the ISO member body which made the proposal. The secretariat is responsible for nominating an
individual to act as chair of the technical committee. The chair is formally appointed by the
Technical Management Board.

Experts participate as national delegations, chosen by the ISO national member body for the
country concerned. National delegations are required to represent not just the views of the
organizations in which their participating experts work, but those of other stakeholders too.
National delegations are usually based on and supported by national mirror committees to which
the delegations report.

According to ISO rules, the national member body is expected to take account of the views of all
parties interested in the standard under development. This enables them to present a
consolidated, national consensus position to the technical committee.

International and regional organizations from both business and the public sector may apply for
liaison status to participate in developing a standard, or to be informed about the work. Such
“organizations in liaison” are accepted through voting by the relevant ISO committee. They may
comment on successive drafts, propose new work items or even propose documents for “fast
tracking”, but they have no voting rights.

5. International cooperation: ISO standards are technical agreements that provide the structures for
technological compatibility at the international level. Developing a technical consensus on an
international scale is a major activity. Some 3 000 ISO technical groups (technical
committees, subcommittees, working groups, etc.) are identified, within which 50 000 experts take part in
developing standards each year.

Source: www.iso.org



1. Customer focus: Organizations depend on their customers and therefore should understand current
and future customer needs, should meet customer requirements and strive to exceed customer
expectations.
Management system implications
• Researching and understanding customer needs and expectations.
• Ensuring that the objectives of the organization are linked to customer needs and expectations.
• Communicating customer needs and expectations throughout the organization.
• Systematically managing customer relationships.
• Ensuring a balanced approach between satisfying customers and other interested parties (such
as owners, employees, suppliers, financiers, local communities and society as a whole).

2. Leadership: Leaders establish unity of purpose and direction of the organization. They should create
and maintain the internal environment in which people can become fully involved in achieving the
organization's objectives.
Management system implications
• Considering the needs of all interested parties including customers, owners, employees,
suppliers, financiers, local communities and society as a whole.
• Establishing a clear vision of the organization's future.
• Setting challenging goals and targets.
• Creating and sustaining shared values, fairness and ethical role models at all levels of the
organization.
• Establishing trust and eliminating fear.
• Providing people with the required resources, training and freedom to act with responsibility and
accountability.
• Inspiring, encouraging and recognizing people's contributions.


3. Engagement and competence of people: People at all levels are the essence of an organization and their full
involvement enables their abilities to be used for the organization's benefit.
Management system implications
• People understanding the importance of their contribution and role in the organization.
• People identifying constraints to their performance.
• People accepting ownership of problems and their responsibility for solving them.
• People evaluating their performance against their personal goals and objectives.
• People actively seeking opportunities to enhance their competence, knowledge and experience.
• People freely sharing knowledge and experience.
• People openly discussing problems and issues.

4. Process approach: A desired result is achieved more efficiently when activities and related resources are
managed as a process.
Management system implications
• Systematically defining the activities necessary to obtain a desired result.
• Establishing clear responsibility and accountability for managing key activities.
• Analyzing and measuring the capability of key activities.
• Identifying the interfaces of key activities within and between the functions of the organization.
• Focusing on the factors such as resources, methods, and materials that will improve key activities of the
organization.
• Evaluating risks, consequences and impacts of activities on customers, suppliers and other interested
parties.

5. Improvement: Continual improvement of the organization's overall performance should be a permanent objective
of the organization.
Management system implications
• Employing a consistent organization-wide approach to continual improvement of the organization's
performance.
• Providing people with training in the methods and tools of continual improvement.
• Making continual improvement of products, processes and systems an objective for every individual in the
organization.
• Establishing goals to guide, and measures to track, continual improvement.
• Recognizing and acknowledging improvements.
6. Informed decision making: Effective decisions are based on the analysis of data and information.
Management system implications
• Ensuring that data and information are sufficiently accurate and reliable.
• Making data accessible to those who need it.
• Analyzing data and information using valid methods.
• Making decisions and taking action based on factual analysis, balanced with experience and intuition.

7. Relationship management: An organization and its suppliers are interdependent and a mutually beneficial
relationship enhances the ability of both to create value.
Management system implications
• Establishing relationships that balance short-term gains with long-term considerations.
• Pooling of expertise and resources with partners.
• Identifying and selecting key suppliers.
• Clear and open communication.
• Sharing information and future plans.
• Establishing joint development and improvement activities.
• Inspiring, encouraging and recognizing improvements and achievements by suppliers.

Source: www.iso.org


Since 1947 ISO has published over 19 000 international standards. ISO publishes
standards related to traditional activities such as agriculture and construction, medical
devices and the most recent developments in information technologies, such as the digital
coding of audiovisual signals for multimedia applications.

ISO 9000 and ISO 14000 families are among the best known ISO standards. The ISO
9000 standard has become an international reference in regard to the quality
requirements in commerce and business transactions. The ISO 14000 standard, for its
part, is used to help organizations meet challenges of an environmental nature.

ISO 9001 is related to quality management. It contains the good practices that aim to
improve customer satisfaction, achievement of customer requirements and regulatory
requirements as well as continuous improvement actions in those fields. In December of
2009, 1 064 785 organizations were ISO 9001 certified (China having the most certified
organizations: 257 076).

ISO 14001 is mainly related to environmental management. It defines the actions that the
organization can implement for the maximum reduction of negative impacts of its
activities on the environment and for the continuous improvement of its environmental
performance. In December 2009, 223 149 organizations were ISO 14001 certified (China
having the most certified organizations: it had in 2009, 55 316; Japan is second with 39
556 certified organizations).


OHSAS 18001 (OHSAS = Occupational Health and Safety Assessment Series) identifies best
practices for the rigorous management and effective protection of occupational health and
safety. In spite of the publication of the ISO 18001 standard, after various disagreements within
the ISO organization over creating a management standard for health and safety, OHSAS 18001 is
the de facto standard for health and safety at the enterprise level. OHSAS 18001 is a privately developed
standard. It was developed from existing national standards (BS 8800, UNE 81900, VCA) and standards
published by different certification bodies (OHSMS, SafetyCert, SMS 8800).

ISO 20000-1 defines the requirements that an information technology service provider must
apply. This standard applies to service providers regardless of the organization’s size or type.
The standard consists of two parts. The first part defines the specifications the organization shall
apply to obtain certification. The second part (ISO 20000-2) explains the different practices or
recommendations to reach the objectives previously defined.

ISO 22000 specifies the requirements for a food safety management system (FSMS). This standard
applies to all organizations that are involved in any aspect of the food supply chain and want to
implement a system to continuously provide safe food. This standard focuses on personnel
competencies and on the continuous monitoring of information about food products (new legislation,
standards, rules…). Organizations must perform an HACCP (Hazard Analysis Critical Control Point) analysis to
identify, analyze and evaluate the risks to food safety. For each risk that has been defined as
significant, the organization must define controls to implement.

ISO 22301 defines the requirements that an organization must apply to certify a Business
Continuity Management System (BCMS). To comply with the requirements of this standard the
organization needs to document a model to develop, implement, operate, monitor, review,
maintain and improve a BCMS to increase the resilience of an organization in case of a disaster.
This standard is compatible with PAS 22399 (Guideline for incident preparedness and operational
continuity management) and BS 25999 (British Standard on business continuity).

ISO 27001 defines the requirements that an organization must apply to provide a model for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving an
Information Security Management System (ISMS). An ISMS is a framework of policies and
procedures that includes all legal, physical and technical controls involved in an organization's
information risk management processes. The ISO 27001 standard does not mandate specific
information security controls, but it provides a checklist of controls that should be considered in
the accompanying code of practice, ISO 27002. This second standard describes a
comprehensive set of information security control objectives and a set of generally accepted good
practice security controls.

ISO 28000 prescribes the requirements applicable to a security management system of the
supply chain. An organization has to define, implement, maintain, and improve a supply chain
security management system during each step of production: manufacturing, maintenance,
storage or transport of goods.


More and more organizations have to manage several compliance frameworks simultaneously. To simplify
the work, to avoid conflicts and to reduce duplication of documents, it is recommended to implement an
integrated management system. An integrated management system (IMS) is a management system which
integrates all components of a business into one coherent system so as to enable the achievement of its
purpose and mission. The table in the slide presents certain requirements that are common to all
management systems.

There are several good reasons for integration, to:


• harmonize and optimize practices
• eliminate conflicting responsibilities and relationships
• balance conflicting objectives
• formalize informal systems
• reduce duplication and therefore costs
• reduce risks and increase profitability
• turn the focus onto business goals
• create consistency
• improve communication
• facilitate training and awareness

Important note: In June 2009, the Technical Steering Committee of ISO adopted a resolution asking the
committees involved in the development of standards to specify the requirements of a management system
(ISO 14001, ISO 22000, ISO 27001, etc.) by following a common structure of clauses in line with ISO 9001.
This Directive is applicable to the versions published after 2011. So the common elements to every
management system will have the same reference. The main objective is to facilitate the combined
management of a normative framework for an organization.


As of March 2012, there are 106 published ISO standards on information security (JTC 1/SC 27 technical
committee) including the following examples:

ISO 9798: This standard specifies a general model including the requirements and constraints for the use
of identity authentication mechanisms. These mechanisms are used to demonstrate that an entity is who
it claims to be. Details of the different mechanisms are given in the different parts of this standard.

ISO 11770: This standard defines a general model for key management independent of the cryptographic
algorithm used. This standard addresses both automatic and manual key management and the required sequence of
operations. However, it does not specify details of the interface protocols needed for the operations.

ISO 15408: Under the general title Common Criteria, this standard is intended to be used as a basis for
evaluating the security properties of Information Technology (IT) products and systems. A free copy can be
downloaded from the ISO website.
It contains the following parts:
Part 1: Introduction and general model;
Part 2: Security functional components;
Part 3: Security assurance components.


ISO 21827 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-
CMM®), which describes the essential characteristics of an organization's security engineering
process that must exist to ensure good security. ISO 21827 does not prescribe a particular
process or sequence, but captures practices generally observed in industry. The objective is to
facilitate an increase of maturity of the security engineering processes within the organization.

ISO 24761 specifies the structure and elements of a mechanism for authentication using
biometrics in the verification process.

ISO 27033 provides an overview of network security and related definitions. It defines and
describes the concepts associated with network security. The various parts of ISO 27033 address
specific topics related to network security.


Beginning of the 1990s
• An industry need expressed in terms of better practices and controls to support trade and
government in the implementation and improvement of information security;
• The Ministry of Commerce and Industry (United Kingdom) forms a working group bringing together
directors with experience in information security;
• Publication of a collective work of advice on the management of information security.

1992
• Guide of good practices of the industry (September) initially published as a British Standards
Institution (BSI) publication;
• This guide was the basis for the British Standard: BS 7799-1.

1995
• BS 7799-1:1995 published as a British standard.

1996 - 1997
• Identification of a need to increase the level of confidence in the BS 7799 standard;
• The industry requests a certification programme for an ISMS.

1998
• Launch of the ISMS certification model (Published as BS 7799-2:1998).

1999
• Revision of BS 7799-1:1999 (updates and addition of new security controls):
 - New security controls: e-commerce, mobile IT, third-party agreements;
 - Removal of specific references to the United Kingdom.
• BS 7799-2:1999 (Alignment of controls to BS7799-1).


2000
• Publication of ISO 17799:2000.

2002
• Launch of BS 7799-2:2002.
• The main updates are:
 - Integration of the Plan-Do-Check-Act (PDCA) Model;
 - ISO 17799 controls included as an annex to the standard;
 - Annex demonstrating the connection between BS7799-2, ISO 9001 and ISO 14001.

2005
• Publication of the new version of ISO 17799:2005.
• Publication of ISO 27001:2005, which replaces BS7799-2, and contains:
 - ISMS specifications;
 - ISO 17799 controls in the standard's annex;
 - Annex demonstrating the connection between ISO 9001 and ISO 14001.

2007
• Publication of ISO 27002:2005 replacing ISO 17799:2005 (no change in content, only in the identification
number);
• Publication of ISO 27006:2007 (Requirements for bodies providing audit and certification of information security
management systems).

2008
• Publication of ISO 27005:2008 (Information security risk management);
• Publication of ISO 27011:2008 (Information security management guidelines for telecommunications
organizations based on ISO 27002).

2009
• Publication of ISO 27000:2009 (Information security management systems -- Overview and vocabulary);
• Publication of ISO 27004:2009 (Information security management – Measurement);
• Publication of ISO 27033-1:2009 (Network security -- Part 1: Overview and concepts).

2010
• Publication of ISO 27003:2010 (Information security management system implementation guidance);
• Publication of ISO 27033-3:2010 (Network security -- Part 3: Reference networking scenarios -- Threats,
design techniques and control issues).

2011
• Publication of ISO 27005:2011 (Information security risk management);
• Publication of ISO 27006:2011 (Requirements for bodies providing audit and certification of information security
management systems);
• Publication of ISO 27007:2011 (Guidelines for information security management systems auditing);
• Publication of ISO 27008:2011 (Guidelines for auditors on information security controls).

2012
• Publication of ISO 27000:2012 (this second edition cancels and replaces the first edition: ISO/IEC 27000:2009)

2013
• Publication of ISO 27001:2013 (this second edition cancels and replaces the first edition: ISO/IEC 27001:2005)
• Publication of ISO 27002:2013 (this second edition cancels and replaces the first edition: ISO/IEC 27002:2005)

2014
• Publication of ISO 27000:2014 (this third edition cancels and replaces the second edition: ISO/IEC 27000:2012)

2016
• Publication of ISO 27000:2016 (this fourth edition cancels and replaces the third edition: ISO/IEC 27000:2014)


Resulting from international working group reflections dedicated to the information security scope, the ISO
27000 family has been progressively published since 2005. ISO 27001:2013 is the only certifiable standard of
the ISO 27000 family. The other standards are guidelines.

• ISO 27000: This information security standard develops the basic concepts as well as the
vocabulary that applies when analyzing Information Security Management Systems. A free copy of
this standard can be downloaded from the ISO website.
• ISO 27001: This information security standard defines the requirements of the Information Security
Management Systems (ISMS).
• ISO 27002 (previously ISO 17799): Guide of best practices for the management of information
security. This standard defines objectives and recommendations in terms of information security and
anticipates meeting global concerns of organizations relating to information security for their overall
activities.
• ISO 27003: Guide for implementing or setting up an ISMS.
• ISO 27004: Guide of metrics to facilitate ISMS management; it provides a method to define the
objectives for implementation and effectiveness criteria, as well as follow-up and evolution measurements
throughout the process.
• ISO 27005: Guide for information security risk management which complies with the concepts,
models and general processes specified in ISO 27001.
• ISO 27006: Guide for organizations auditing and certifying ISMS’s.
• ISO 27007: Guidelines for information security management systems auditing.
• ISO 27008: Guidelines for auditors on information security controls.
• ISO 27011: Guidelines for the use of ISO 27002 in telecommunication industry.
• ISO 27031: Guidelines for information and communication technology readiness for business
continuity.
• ISO 27799: Guidelines for the use of ISO 27002 in health informatics.


ISO 27001:
• A set of normative requirements for the establishment, implementation, operation, monitoring and
review to update and improve an Information Security Management System (ISMS);

• A set of requirements for selecting security controls tailored to the needs of each organization based
on industry best practices;
• A management system that is integrated in the overall risk framework associated with the activity of the
organization;
• An internationally-recognized process, defined and structured to manage information security;
• An international standard to suit all types of organizations (e.g. commercial enterprises, government
agencies, nonprofit organizations ...), of all sizes in all industries.

ISO 27001, clause 0.1: General


This International Standard has been prepared to provide requirements for establishing, implementing,
maintaining and continually improving an information security management system. The adoption of an
information security management system is a strategic decision for an organization. The establishment and
implementation of an organization’s information security management system is influenced by the
organization’s needs and objectives, security requirements, the organizational processes used and the size
and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of
information by applying a risk management process and gives confidence to interested parties that risks
are adequately managed.

It is important that the information security management system is part of and integrated with the
organization’s processes and overall management structure and that information security is considered in
the design of processes, information systems, and controls. It is expected that an information security
management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization’s ability
to meet the organization’s own information security requirements.


ISO 27002:
• Revised in 2005, ISO 17799 is a guide of best practices for information security management. In 2007, it
became ISO 27002 to be integrated into the ISO 27000 family. In 2013, a second edition of ISO 27002
was published.
• This international standard provides a list of security objectives and controls generally practiced in the
industry.
• In particular, Clauses 5 to 18 provide specific advice and an implementation guide related to the best
practices supporting the controls specified in Annex A of ISO 27001 (clauses A.5 to A.18).

ISO 27002, clause 1: Scope


This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management of
controls taking into consideration the organization’s information security risk environment(s).

This International Standard is designed to be used by organizations that intend to:

a) select controls within the process of implementing an Information Security Management System based
on ISO/IEC 27001;
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.



Section 2 : Standard and regulatory framework

Here are some of the standards already published or under development:


• ISO 27010: Information security management guidelines for inter-sector communication;
• ISO 27011: Information security management guidelines for telecommunications organizations
based on ISO 27002;
• ISO 27013: Guideline on the integrated implementation of ISO 20000-1 and ISO 27001;
• ISO 27014: Information security governance framework;
• ISO 27015: Information security management guidelines for the finance and insurance sectors;
• ISO 27016: Information security management guidelines on organizational economics;
• ISO 27017: Information security management guidelines on cloud computing security and privacy
management system;
• ISO 27018: Code of practice for data protection controls for public cloud computing services;
• ISO 27031: Guideline for ICT readiness for business continuity (essentially the ICT continuity
component within business continuity management);
• ISO 27032: Guidelines for cyber security;
• ISO 27033: IT Network security (ISO 27033-1 to ISO 27033-7);
• ISO 27034: Guideline for application security;
• ISO 27035: Security incident management;
• ISO 27036: Guidelines for security of outsourcing;
• ISO 27037: Guidelines for identification, collection and/or acquisition and preservation of digital
evidence;
• ISO 27038: Specification for Digital Redaction;
• ISO 27039: Guideline for selection, deployment and operations of intrusion detection systems;
• ISO 27040: Guideline for storage security;
• ISO 27041: Guidance on assuring suitability and adequacy of investigation methods;
• ISO 27042: Guidelines for the analysis and interpretation of digital evidence;
• ISO 27043: Guideline for investigation principles and processes;
• ISO 29100: Information technology privacy framework.



Section 2 : Standard and regulatory framework

Please read the following parts of the case study provided for this course:
• History of the business enterprise;
• Organization of the business enterprise.

Using this information, determine and explain the three greatest advantages for implementing the ISO
27001 standard for this organization and how Thalia can measure these advantages using metrics.

Duration of the exercise: 30 minutes


Comments: 15 minutes



Section 2 : Standard and regulatory framework

Improvement of security:
• General improvement of the effectiveness of information security;
• The standard covers both the technological aspects of security and the other aspects: corporate
security, physical security, etc.;
• Independent review of your information security management system;
• Better awareness of information security;
• Mechanisms to measure the effectiveness of the management system.

Good governance:
• Awareness and empowerment of personnel regarding information security;
• Decrease of lawsuit risks against upper management by virtue of the “due care” and “due
diligence” principles;
• The opportunity to identify the weaknesses of the ISMS and to provide corrections;
• Increase of the accountability of top management for information security.

Conformity:
• To other ISO standards;
• To OECD (Organization for Economic Co-operation and Development) principles;
• To industry standards, for example PCI-DSS (Payment Card Industry Data Security Standard) and Basel II
(for the banking industry);
• To national and regional laws.

Cost reduction:
• Decision makers often ask to justify the profitability of projects and demand concrete and
measurable returns. A new financial evaluation concept has emerged to deal specifically with the
information security field: Return on Security Investment (ROSI). ROSI is a concept derived from
Return on Investment (ROI). It can be interpreted as the security project’s financial profit, taking into
account its total cost over a given period of time.

Marketing:
• Differentiation provides a competitive advantage for the organization;
• Satisfaction of requirements of customer and/or other stakeholders;
• Consolidating confidence of customers, suppliers and partners of the organization.



Section 2 : Standard and regulatory framework

ISO 27002, clause 18: Compliance


18.1: Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information
security and of any security requirements.

18.1.1: Identification of applicable legislation and contractual requirements


Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s
approach to meet these requirements should be explicitly identified, documented and kept up to date for
each information system and the organization.

Implementation guidance: The specific controls and individual responsibilities to meet these requirements
should also be defined and documented.
Managers should identify all legislation applicable to their organization in order to meet the requirements for
their type of business. If the organization conducts business in other countries, managers should consider
compliance in all relevant countries.



Section 2 : Standard and regulatory framework

1. Data protection
In countries where specific laws exist that cover the safeguarding of confidentiality and data integrity,
they are often limited to the control of personal data. In the same way that security incidents must be related
to the individuals who caused them, personal information should also be subject to management and
adequate recording. A structured approach to incident management related to information security
should therefore include the most appropriate measures to protect privacy.

2. Privacy
In compliance with applicable laws, many organizations choose to establish a policy for the
protection of privacy, often designed to achieve the following objectives:
• Increase awareness of regulatory, legal and business requirements regarding the treatment and
protection of personal information;
• Establish a clear and complete company policy for the treatment of personal information;
• Establish the responsibility of all persons dealing with personal information; and
• Enable the organization to meet its commercial liability, legal and regulatory obligations in
respect of personal information.



Section 2 : Standard and regulatory framework

3. The identification and prosecution of computer crimes


Cyber crime represents a significant threat, via the Internet, to the information systems of an
organization. The damage can be considerable and can result in direct financial losses, lost
reputation or lost time for the organization. It has many faces and knows no borders. Its generic
and unstable nature requires the head of the organization (virtually any structure being
connected to an external network) to have the necessary awareness and to have implemented
adequate countermeasures in compliance with applicable laws. Ensure that the collection of
evidence respects legislation. Protective measures cannot themselves be crimes (e.g.,
responding to spam with countermeasures such as a buffer overflow attack).

4. The use of digital signature


Today, the law recognizes the validity of agreements on evidence, as was already the case
under the non-mandatory rules on evidence. These agreements cannot be drafted in just any
manner; they should be drafted with regard to the context in which they fall, so as to be
considered valid in case of litigation. In some countries, electronic records must ensure the
preservation of "traces" as evidence of integrity and of safety procedures developed on the basis of
recognized standards for electronic records (e.g., in France, AFNOR NF Z 42-013 or, more
internationally, the standard ISO 14721, "Space data and information transfer systems - Open
archival information system - Reference model").

5. Intellectual property
The results of intellectual effort are often recognized by national and international conventions as
an intellectual property right to protect certain intangible assets. For small and medium
enterprises, efficient use of human intellectual property can help compete with bigger companies.
Intellectual property has great potential for SMEs in terms of legal protection, information
technology and competitive advantage. The goal here is to strengthen the competitive position of
the company.

6. Commerce and electronic payments


From a legal standpoint, in most countries it is essential to be able to prove in court that a customer
bought the product or service sold by the company. It should also be possible to satisfy the tax
authority by showing in which period the individual transactions took place. The big difference
between electronic commerce and paper-based trade is the medium in which transactions are stored.
With proof on paper, a physical change is difficult, while a change to an electronic file is easier.
Another aspect is the possibility that a competitor may offer the same products from a server
located in a tax haven. Finally, when a consumer buys a product on a website, it is not always
easy to determine which national law applies.

7. Records management
Some national laws require that companies maintain up-to-date records of their activities for
review through an annual audit process. Similar requirements exist at the governmental
level. In some countries, organizations are obliged by law to issue such reports or to provide
records for legal purposes (for example, in any case which could be the result of an offense
involving penetration of a sensitive Government system).



Section 2 : Standard and regulatory framework

ISO 27001 and Regulatory Frameworks


Example – United States
Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act or SOX was introduced following various financial scandals revealed in
the United States in the early 2000s, such as the Enron and WorldCom affairs.
It brought crucial legislative changes concerning the financial governance and administration of
companies to protect stockholders. SOX is based on the establishment of controls built on a
conceptual framework such as COSO (Committee of Sponsoring Organizations of the Treadway
Commission), for example.

HIPAA (1996)
HIPAA (Health Insurance Portability and Accountability Act) is an act that aims to protect the
personal information related to the activities of the healthcare industry. It establishes standards
concerning administrative and financial transactions, the security of personal information and
unique health identifiers (e.g. insurance number, disease identifier).

GLBA (1999)
The function of the Gramm-Leach-Bliley Act is to make American financial institutions more
competitive. Some clauses of this act require financial institutions to ensure a minimum level of
protection of information concerning their customers and to implement controls to protect the security
of information.

Federal Information Security Management Act (2002)


FISMA (legislation on information security management) imposes a series of processes that must
be followed for any information system used by the American Federal Government, its
contractors or suppliers.

SB 1386 (2002)
California Senate Bill 1386 requires organizations doing business in California that hold
personal information to inform any California resident of any security breach that can affect their
personal information.

NIST 800-53 (2006)


NIST 800-53 (National Institute of Standards and Technology) provides guidelines to secure
information systems within the federal government by choosing and specifying security controls.
These guidelines apply to every part of an information system that processes, stores, or transmits
federal information. It is issued by the U.S. Department of Commerce.



Section 2 : Standard and regulatory framework

ISO 27001 and Regulatory Frameworks


Example – Europe
The European Parliament and the European Council have issued several guidelines, regulations and
decisions related to information security. These guidelines are strongly based on the protection of
the rights of European consumer-citizens. All guidelines have been transposed into the national legislation
of member states.

Directive 95/46/EC
Directive related to the protection of individuals with regard to the processing of personal data and on
the free movement of such data. This Directive applies to data processed by automated means (e.g. a
computer database of customers) and data contained in or intended to be part of non-automated filing
systems (traditional paper files).

Directive 2002/58/EC
Directive concerning the processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications). This Directive tackles a
number of issues of varying degrees of sensitivity, such as the retention of connection data by the
Member States for police surveillance purposes (data retention), the sending of unsolicited electronic
messages, the use of cookies and the inclusion of personal data in public directories.

Regulation (EC) n°45/2001


Regulation concerning the protection of individuals with regard to the processing of personal data by the
Community institutions and bodies and on the free movement of such data. The text includes provisions
which guarantee a high level of protection of personal data processed by the Community institutions
and bodies. It also provides for the establishment of an independent supervisory body to monitor the
application of these provisions.

Decision 92/242/EEC
Decision concerning attacks against information systems. The member states recognized the definitions
and the applicable sanctions for several criminal acts: illegal access to information systems, illegal
system interference and illegal data interference. The Member States will have to make provision for such
offences to be punished by effective, proportionate and dissuasive criminal penalties.

Directive 1999/93/EC
This Directive establishes the legal framework at the European level for electronic signatures and
certification services. The aim is to make electronic signatures easier to use, help them become legally
recognized within the Member States and to secure trans-border recognition of signatures and
certificates from third party countries. The main provision of the Directive states that an advanced
electronic signature based on a qualified certificate satisfies the same legal requirements as a
handwritten signature. It is also admissible as evidence in legal proceedings.

Directive 2001/29/EC
This Directive aims to adapt legislation on copyright and related rights to technological developments
and particularly to the information society. The Directive deals with three main areas: reproduction
rights, the right of communication and distribution rights.

Source: www.europa.eu



Section 2 : Standard and regulatory framework

ISO 27001 and Regulatory Frameworks


Example – International and industry repositories

OECD Principles (2002)


OECD (Organization for Economic Cooperation and Development) has developed guidelines
regulating the security of information systems and networks based on nine principles: awareness,
responsibility, response, ethics, democracy, risk assessment, security design and
implementation, security management and reassessment.

Payment Card Industry Data Security Standard (2004)


The PCI-DSS standard (data security standard for the payment card industry) consists of a series
of technical and operational controls whose goal is to protect organizations against fraud and
other threats related to credit cards. This standard applies to any organization that stores,
processes or transmits information on credit card holders.

Basel II (2004)
Second accord of the Basel Committee on Banking Supervision, which issues recommendations
concerning banking legislation and regulation. The goal of this committee is the creation of
international standards for the regulation of banking institutions and systems. Basel II sets out 10
principles concerning security which appear in ISO 27001, such as identification, risk assessment
and management, internal audit and the emergency plan.

COBIT (1994+)
Developed by ISACA and the ITGI, CobiT (Control Objectives for Business and related
Technology) is a reference framework for the governance of information systems. CobiT
provides information technology managers, auditors and users with indicators, processes and
best practices to help them maximize the benefits stemming from the use of information technology
and to develop the governance and control of a company.

ITIL (1980+)
Published by the Office of Government Commerce (OGC), the Information Technology Infrastructure
Library is a set of publications listing best practices for IT Service Management (ITSM).



Section 2 : Standard and regulatory framework

Section summary:
1. ISO is a network of national standardization institutions from more than 160 countries.
2. The eight management principles of ISO are: client focus, leadership, personnel involvement,
process approach, systems approach to management, continual improvement, factual approach,
mutually beneficial supplier relations.
3. The two most common management system standards are ISO 9001:2008 (quality) and ISO
14001:2004 (environment).
4. ISO/IEC 20000 addresses IT service management.
5. ISO/IEC 20000-1:2011 details the certifiable requirements for an Information Technology Service
Management System.
6. ISO/IEC 20000-2:2012 is a guidance on the application of the ISO 20000-1 standard.
7. In most countries, the implementation of an ISO standard is a voluntary decision, not a legal obligation.
8. The ISO 20000 standard is a management system standard that aims at maximizing value to the clients while
meeting their expectations, through the optimisation of the partner-technology-process triad.



Section 3 : Certification process




Section 3 : Certification process

1. Implementation of the management system: Before being audited, a management
system must be in operation for some time. Usually, the minimum time required by the
certification bodies is 3 months.
2. Internal audit and review by top management: Before a management system can be
certified, it must have had at least one internal audit report and one management review.
3. Selection of the certification body (registrar): Each organization can select the
certification body (registrar) of its choice.
4. Pre-assessment audit (optional): An organization can choose to do a pre-audit to
measure the gap between its current management system and the requirements of the
standard.
5. Stage 1 audit: A conformity review of the design of the management system. The main
objective is to verify that the management system is designed to meet the requirements of
the standard(s) and the objectives of the organization. It is recommended that at least some
portion of the Stage 1 audit be performed on-site at the auditee’s premises.



Section 3 : Certification process

6. Stage 2 audit (on-site visit): The Stage 2 audit objective is to evaluate whether the declared
management system conforms to all requirements of the standard, is actually being
implemented in the organization and can support the organization in achieving its objectives.
Stage 2 takes place at the organization’s site(s) where the management system is
implemented.
7. Follow-up audit: If the auditee has non-conformities that require additional audit before
being certified, the auditor will perform a follow-up visit to validate only the action plans
linked to the non-conformities (usually one day).
8. Confirmation of registration: If the organization is compliant with the conditions of the
standard, the Registrar confirms the registration and publishes the certificate.
9. Continual improvement and surveillance audits: Once an organization is registered,
surveillance activities are conducted by the Certification Body to ensure that the
management system still complies with the standard. The surveillance activities must
include on-site visits (at least one per year) to verify the conformity of the certified
client's management system and can also include: investigations following a complaint,
review of a website, a written request for follow-up, etc.




Section 3 : Certification process

The certification process involves the following parties:


• Accreditation authorities (responsible for the assessment and the accreditation of certification
organizations): IAS, ANAB, ANSI, SCC, UKAS, COFRAC, etc.
• Certification bodies (responsible for managing the certification activities of their customers and
performing audits on their customers’ management system): PECB, BSI, SGS, Bureau Veritas, DNV,
TUV, etc.
• Organizations certifying persons, like PECB, will certify not only auditors but also training organizations
and trainers.
• Organizations whose management system is subject to certification and who are customers of
certification bodies.

Important note: The accreditation and certification activities are not performed by ISO but by specialized
and independent accreditation and certification bodies. The mission of ISO is to develop international
standards and not to verify that ISO standards are implemented by users in accordance with the
requirements defined in these standards.



Section 3 : Certification process

ISO 17011 specifies general requirements for accreditation authorities assessing and accrediting
certification bodies. It consists of a requirements document for the peer evaluation process for
mutual recognition arrangements between accreditation bodies.

Usually, there is only one accreditation authority in each country. However, in the United States,
there are different accreditation bodies: IAS, ANSI and ANAB.
• The International Accreditation Service (IAS) accredits certification programs for persons,
products and management systems according to ISO 17024, ISO 17065, and ISO 17021-1.
• ANSI oversees the creation and distribution of international standards and accredits
certification programs for persons according to ISO 17024;
• ANAB supervises the certification bodies accredited under ISO 17021-1.

Accreditation Authority Groups


• European co-operation for Accreditation (EA) is the European network of nationally recognized
accreditation organizations based in the European geographic area. The members
include UKAS, COFRAC, BNAC, ENAC ...
www.european-accreditation.org

• International Accreditation Forum (IAF) is the international association of accreditation
organizations for management systems, products, services, persons and other programmes
of this type. The objective of IAF is to ensure that the member national certification
organizations only certify competent organizations and to establish mutual recognition
agreements among its members.
www.iaf.nu



Section 3 : Certification process

Here is a non-exhaustive list of accreditation authorities for several countries (see the complete list on the IAF website -
www.iaf.nu):

• Argentina: Organismo Argentino de Acreditacion (OAA), www.oaa.org.ar


• Australia & New Zealand: Joint Accreditation System of Australia and New Zealand (JAS-ANZ), www.jas-anz.org
• Austria: Federal Ministry of Economy, Family and Youth (BMWFJ), www.bmwfj.gv.at
• Belgium: Belgian Accreditation Structure (BELAC), www.belac.fgov.be
• Brazil: General Coordination for Accreditation (CGCRE), www.inmetro.gov.br
• Canada: Standards Council of Canada (Conseil Canadien des Normes) (SCC), www.scc.ca
• Chile: Instituto Nacional de Normalizacion (INN), www.inn.cl
• China: China National Accreditation Service for Conformity Assessment (CNAS), eng.cnas.org.cn
• Egypt: Egyptian Accreditation Council (EGAC), www.egac.gov.eg
• Finland: Finnish Accreditation Service (FINAS), www.finas.fi
• France: Comité Français d’Accréditation (COFRAC), www.cofrac.fr
• Germany: Deutsche Akkreditierungsstelle GmbH (DAkkS), www.dakks.de
• Hong Kong, China: Hong Kong Accreditation Service (HKAS), www.itc.gov.hk/hkas
• India: National Accreditation Board for Certification Bodies (NABCB), www.qcin.org
• Iran: National Accreditation Center of Iran (NACI), http://naci.isiri.org
• Ireland: Irish National Accreditation Board (INAB), www.inab.ie
• Japan: The Japan Accreditation Board for Conformity Assessment (JAB), www.jab.or.jp
• Korea: Korea Accreditation Board (KAB), www.kab.or.kr
• Malaysia: Department of Standards Malaysia, www.standardsmalaysia.gov.my
• Mexico: Mexican Accreditation Entity, (Entidad Mexicana de Acreditacion) (EMA), www.ema.org.mx

• Netherlands: Dutch Accreditation Council (Raad Voor Accreditatie) (RvA), www.rva.nl
• Norway: Norwegian Accreditation (NA), www.akkreditert.no
• Pakistan: Pakistan National Accreditation Council (PNAC), www.pnac.org.pk
• Philippines: Philippine Accreditation Office (PAO), www.dti.gov.ph/dti/index.php?p=176
• Portugal: Portuguese Institute for Accreditation (IPAC), www.ipac.pt
• Spain: Entidad Nacional de Acreditacion (ENAC), www.enac.es
• Romania: Romanian Accreditation Association (Asociatia de Acreditare din Romania) (RENAR), www.renar.ro
• Russian Federation: Scientific Technical Centre on Industrial Safety (STC-IS), www.oaontc.ru
• Singapore: Singapore Accreditation Council (SAC), www.sac-accreditation.gov.sg
• Slovenia: Slovenska Akreditacija (SA), www.gov.si/sa
• South Africa: South African National Accreditation System (SANAS), www.sanas.co.za
• Sweden: Swedish Board for Accreditation and Conformity Assessment (SWEDAC), www.swedac.se/sdd/SwInternet.nsf
• Switzerland: State Secretariat for Economic Affairs, Swiss Accreditation Service (SAS), www.sas.ch
• Taiwan: Taiwan Accreditation Foundation (TAF), www.taftw.org.tw
• Thailand: National Standardization Council of Thailand (NSC), www.tisi.go.th
• Tunisia: Tunisian Accreditation Council (Conseil National d'Accréditation, CNA) (TUNAC), www.tunac.tn
• Turkey: Turkish Accreditation Agency (TURKAK), www.turkak.org.tr
• United Arab Emirates: Dubai Accreditation Center (DAC), www.dac.gov.ae
• United Kingdom: United Kingdom Accreditation Service (UKAS), www.ukas.com
• United States: ANSI-ASQ National Accreditation Board (ANAB), www.anab.org
• United States: American National Standards Institute (ANSI), www.ansi.org
• United States: International Accreditation Services (IAS), www.iasonline.org
• Uruguay: Organismo Uruguayo de Acreditacion (OUA), www.organismouruguayodeacreditacion.org
• Vietnam: Bureau of Accreditation (BoA), www.boa.gov.vn



Section 3 : Certification process

ISO 17021-1, clause 1: Scope


This part of ISO/IEC 17021 contains principles and requirements for the competence, consistency and
impartiality of bodies providing audit and certification of all types of management systems.

Certification bodies operating to this part of ISO/IEC 17021 do not need to offer all types of management
system certification.

Certification of management systems is a third-party conformity assessment activity (see ISO/IEC 17000:2004, 5.5) and bodies performing this activity are therefore third-party conformity assessment bodies.

NOTE 1 Examples of management systems include environmental management systems, quality management systems and information security management systems.
NOTE 2 In this part of ISO/IEC 17021, certification of management systems is referred to as “certification” and third-party conformity assessment bodies are referred to as “certification bodies”.
NOTE 3 A certification body can be non-governmental or governmental, with or without regulatory authority.
NOTE 4 This part of ISO/IEC 17021 can be used as a criteria document for accreditation, peer assessment or other audit processes.

ISO 17021-1: Introduction


Certification of a management system provides independent demonstration that the management system of
the organization:
a) conforms to specified requirements,
b) is capable of consistently achieving its stated policy and objectives, and
c) is effectively implemented.

Certification activities involve the audit of an organization's management system. The form of attestation of
conformity of an organization's management system to a specific management system standard or other
normative requirements is normally a certification document or a certificate.



Section 3 : Certification process

Here is a non-exhaustive list of certification bodies that have a certification programme for ISO 27001:

1. ACS Registrars Limited (UKAS), www.ACSRegistrars.com
2. AJA Registrars Limited (UKAS), www.ajaregistrars.co.uk
3. AQA International (ANAB), www.aqausa.com
4. BM TRADA Certification Limited Incorporating CQA (UKAS), www.bmtrada.com
5. Brightline (ANAB), www.brightline.com
6. BSI (ANAB, UKAS), www.bsi-global.com
7. Bureau Veritas Certification Holding SAS (UKAS), www.bvqi.com
8. Center Teknologisk institutt Sertifisering AS (NA), www.teknologisk.no
9. Certification International Limited (UKAS), www.cert-int.com
10. China Certification Center Inc (UKAS), www.ccci.com.cn
11. CEPREI (ANAB), www.ceprei.org
12. CQS (CAI), www.cqs.cz
13. D.A.S Certification Limited (UKAS), www.dascertification.co.uk
14. DNV Certification B.V. (UKAS), www.dnv.com
15. EQAICC (ANAB), www.eqaicc.com
16. HKQAA (Hong Kong Quality Assurance Agency) (China), www.hkqaa.org
17. ISOQAR Limited (UKAS), www.isoqar.com
18. JACO-IS (Japan), www.jaco-is.co.jp
19. Japan Quality Assurance Organization (Japan), www.jqa.jp
20. KPMG Audit Plc (UKAS), www.kpmg.co.uk
21. Lloyd’s Register Quality Assurance Limited (UKAS), www.lrqa.com
22. Moody International Certification Limited (UKAS), www.moody-group.com
23. National Quality Assurance (ANAB), www.nqa-usa.com
24. Nemko (Norway), www.nemko.com
25. NICEIC Group Limited Trading as NQA (UKAS), www.nqa.com
26. Professional Evaluation and Certification Board (PECB), www.pecb.com
27. PSB Certification (Singapore), www.psbcert.com
28. Perry Johnson Registrars, Inc (UKAS), www.pjr.com
29. Registrar of Standards (Holdings) Ltd, Incorporating (UKAS), www.ros-group.com
30. RINA S.p.A. (ANAB), www.rina.org
31. SFS-Inspecta Certification (Finland), www.inspecta.com
32. SIRIM QAS International Sdn. Bhd. (Malaysia), www.sirim-qas.com.my
33. SRI Quality System Registrar (ANAB), www.sriregistrar.com
34. SGS United Kingdom Limited (ANAB, UKAS), www.sgs.co.uk
35. United Registrar of Systems Limited (UKAS), www.urs.co.uk



Section 3 : Certification process

The ISO 17024 standard provides a comprehensive framework for certification bodies of persons, such as PECB, to operate in a coherent, comparable and trusted manner worldwide. The primary function of a certification body of persons is the independent assessment of the demonstrated experience, knowledge and attitudes of a candidate that are applicable to the field for which certification is granted.

The ISO 17024 standard provides a uniform set of guidelines for organizations that manage the qualification and certification of persons, including procedures relating to the preparation and updating of a certification scheme. The standard is designed to help organizations that carry out certification of persons to conduct well-planned and structured assessments, using objective criteria of competence and grading, to ensure impartiality of operations and reduce the risk of conflicts of interest.

ISO 17024 addresses the structure and governance of the certification body, the characteristics of the certification programme, the information that must be made available to candidates and the renewal of certification by the certification body.

IAS is one of the largest and most recognized organizations offering an accreditation program for ISO 17024.



Section 3 : Certification process

Section summary:
1. The certification process of an organization is as follows:
a) Implementation of the management system;
b) Internal audit and review by top management;
c) Selection of the certification body (registrar);
d) Pre-assessment audit (optional);
e) Stage 1 audit;
f) Stage 2 audit (On-site visit);
g) Follow-up audit; and
h) Confirmation of registration;
i) Continual improvement and surveillance audits;
2. The accreditation authority is the organization at the national level that supervises the certification programs (organizations and auditors) and that ensures compliance with national and international criteria.
3. A certification body is a third party that evaluates the conformity of management systems.
4. The role of a certification body of persons is to certify professionals (auditors and consultants), training organizations, training courses and trainers.



Section 4 : Fundamental principles of information security



Section 4: Fundamental principles of information security

Information system: Collection of hardware, software and organizational means that allow information to be received, stored and processed.

Clause A.8 of Annex A defines the control objectives related to the management of assets.

ISO 27001, A.8.1 - Responsibility for assets


Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets


Control: Assets associated with information and information processing facilities shall be identified and an
inventory of these assets shall be drawn up and maintained.

A.8.1.2 Ownership of assets


Control: Assets maintained in the inventory shall be owned.

A.8.1.3 Acceptable use of assets


Control: Rules for the acceptable use of information and of assets associated with information and
information processing facilities shall be identified, documented and implemented.

A.8.1.4 Return of assets


Control: All employees and external party users shall return all of the organizational assets in their
possession upon termination of their employment, contract or agreement.



Section 4 : Fundamental principles of information security

Note:
• The medium of a document can be paper, magnetic, electronic or optical computer disc, photograph or a combination of these.
• A set of documents (for example specifications and records) is frequently called documentation.

It is important to distinguish between documents and records. In dictionaries, a record is a type of document, but in the ISO world, these are distinct concepts. A record is the output of a process or control. As an example:
1. An audit procedure is a document. This procedure generates audit reports, and these audit reports are records.
2. A documented process for management reviews is a document. This process generates records such as management review minutes.
3. A documented procedure for continual improvement is a document. A completed corrective action form is a record.



Section 4 : Fundamental principles of information security

ISO 27002, clause 0.2: How to establish security requirements


It is essential that an organization identifies its security requirements. There are three main
sources of security requirements:
a) assessing risks to the organization, taking into account the organization’s overall business
strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability
to and likelihood of occurrence is evaluated and potential impact is estimated;
b) legal, statutory, regulatory and contractual requirements that an organization, its trading
partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) set of principles, objectives and business requirements for information handling, processing,
storing, communicating and archiving that an organization has developed to support its
operations.

Resources employed in implementing controls need to be balanced against the business harm
likely to result from security issues in the absence of those controls. The results of a risk
assessment will help guide and determine the appropriate management action and priorities for
managing information security risks and for implementing controls selected to protect against
these risks.

ISO/IEC 27005 provides information security risk management guidance, including advice on risk
assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.



Section 4: Fundamental principles of information security

Other definitions of ISO 27000


2.8. Authenticity: Property that an entity is what it claims to be.

2.54. Non-repudiation: Ability to prove the occurrence of a claimed event or action and its originating entities.

2.62. Reliability: Property of consistent intended behaviour and results.



Section 4: Fundamental principles of information security

ISO 27001 is an information security standard. This means it applies to the protection of information whatever its type, whether it is digital, on paper or held by people.
Annex A includes control objectives related to the classification of information:

ISO 27001, A8.2 – Information classification


Objective: To ensure that information receives an appropriate level of protection in accordance with its
importance to the organization.

A8.2.1 Classification of information


Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorised disclosure or modification.

A8.2.2 Labelling of information


Control: An appropriate set of procedures for information labelling shall be developed and implemented in
accordance with the information classification scheme adopted by the organization.

A8.2.3 Handling of assets


Control: Procedures for handling assets shall be developed and implemented in accordance with the
information classification scheme adopted by the organization.
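As an added example (not part of the PECB course material), here is a check an auditor or ISMS owner could run over an asset inventory export against controls A.8.1.1, A.8.1.2, A.8.2.1 and A.8.2.2 quoted above. The CSV layout, the classification scheme and the labelling rule are assumptions, and the inventory rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Assumption: classification scheme adopted by the organization (A.8.2.1).
CLASSIFICATION_LEVELS = ("Public", "Internal", "Confidential", "Restricted")
# Assumption: the organization's labelling procedure (A.8.2.2) requires a label
# on these levels.
LABEL_REQUIRED = ("Confidential", "Restricted")

# Constructed sample export of the asset inventory (A.8.1.1); not real data.
SAMPLE_INVENTORY = """\
asset_id,name,type,owner,classification,label_applied
A-001,HR payroll database,information,hr-director,Confidential,yes
A-002,Corporate website,system,,Public,yes
A-003,Source code backup disk,media,dev-lead,Secret,no
A-004,Customer CRM,system,sales-director,Confidential,no
A-005,Core switch,hardware,it-ops,Internal,yes
A-005,Core switch (duplicate row),hardware,it-ops,Internal,yes
"""


def parse_inventory(text):
    """Parse a CSV inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_inventory(rows):
    """Map each Annex A control to the list of (asset_id, finding) it raised."""
    findings = defaultdict(list)
    seen_ids = set()
    for row in rows:
        aid = row["asset_id"].strip()
        classification = row["classification"].strip()

        # A.8.1.1: the inventory must identify each asset exactly once.
        if not aid or aid in seen_ids:
            findings["A.8.1.1"].append((aid or "<missing>", "duplicate or missing asset_id"))
        seen_ids.add(aid)

        # A.8.1.2: assets maintained in the inventory shall be owned.
        if not row["owner"].strip():
            findings["A.8.1.2"].append((aid, "no owner assigned"))

        # A.8.2.1: the classification must come from the adopted scheme.
        if classification not in CLASSIFICATION_LEVELS:
            findings["A.8.2.1"].append((aid, f"classification '{classification}' not in scheme"))
        # A.8.2.2: labelling applied in accordance with the scheme.
        elif classification in LABEL_REQUIRED and row["label_applied"].strip().lower() != "yes":
            findings["A.8.2.2"].append((aid, "sensitive asset not labelled"))
    return dict(findings)


def conformity_summary(findings, controls=("A.8.1.1", "A.8.1.2", "A.8.2.1", "A.8.2.2")):
    """One status per control: 'conforming' or the number of findings raised."""
    return {c: "conforming" if not findings.get(c) else f"{len(findings[c])} finding(s)"
            for c in controls}


if __name__ == "__main__":
    result = check_inventory(parse_inventory(SAMPLE_INVENTORY))
    for control, status in conformity_summary(result).items():
        print(f"{control}: {status}")
        for asset_id, finding in result.get(control, []):
            print(f"    {asset_id}: {finding}")
```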



Section 4: Fundamental principles of information security

Confidentiality: Ensure that the information is only accessible to authorized individuals (individuals with a real need).

For example, the personal data of salaried employees must only be accessible to authorized Human Resources Department personnel.

Several types of access control can ensure the confidentiality of information. Encryption is an example of
such an access control. It can be used to protect the confidentiality of information. Access controls can be
applied at different levels of an information security management system:
• At the physical level (example: locks on doors, filing cabinets that lock, safes etc.)
• At the logical level (example: access controls to information)



Section 4: Fundamental principles of information security

Integrity: Data must be complete and intact.


tat
at 2017-03-01.
2017-07-01Please
2017-09-01Please
3/1/2017Please
Pleasecontact
contact
contactPECB
PECB
PECBCustomer
Customer
CustomerServic
Servi
Serv
For example: Accounting data must reflect reality (complete and exact). Exactness means that the information has not been altered.

Many devices that handle data, including disk drives and other storage media as well as telecommunications systems, contain mechanisms for automatic data integrity verification. Data integrity controls are essential in operating systems, software and applications. They help prevent intentional or accidental corruption of programs and data.

Integrity controls must also be included in procedures. These contribute to reducing the risk of error, theft or fraud. Data validation controls, user training and certain controls at the operational level are good examples of this.



Section 4: Fundamental principles of information security

Availability: Information must be easily accessible by individuals who need it.


tat
at 2017-03-01.
2017-07-01Please
2017-09-01Please
3/1/2017Please
Pleasecontact
contact
contactPECB
PECB
PECBCustomer
Customer
CustomerServic
Servi
Serv
For example, data related to customers must be accessible to the marketing department.

In practice, the availability of information requires controls such as, for example, data backup, capacity planning, procedures and criteria for the approval of systems, incident management procedures, the management of removable media, information processing procedures, the maintenance and testing of equipment, business continuity procedures, as well as procedures to control the use of systems.



Section 4: Fundamental principles of information security

The vulnerability assessment can be complicated by a common misperception that weaknesses or shortcomings are always associated with negative characteristics. Many vulnerabilities are indeed negative characteristics, as in an information system where the patches are not kept up to date.

But, in the case of other vulnerabilities, the weakness may be associated with positive characteristics that have undesirable side effects. For example, the mobility of laptops is a desirable benefit for which you pay a higher price, but it is also the characteristic that makes them more likely to be stolen.

Vulnerabilities can be intrinsic or extrinsic. Intrinsic vulnerabilities are related to the inherent characteristics of the asset. Extrinsic vulnerabilities are related to the specific circumstances in which the asset is placed. For example, a server that lacks the capacity to process its data has an intrinsic vulnerability, and if this server is located in a basement in a flood zone, it is exposed to an extrinsic vulnerability.



Section 4 : Fundamental principles of information security

Annex D of ISO 27005 provides a typology for the classification of vulnerabilities which could be used in principle. However, this list of vulnerabilities should be used with caution. The list is not complete, as new vulnerabilities appear regularly due to, among other things, the evolution of and changes in technology.

One must use Annex D as a guide or reminder to help organize and structure the collection and collation of
relevant data on vulnerabilities rather than as a checklist to follow blindly.



Section 4: Fundamental principles of information security

By definition, a threat has the potential to harm assets such as information, processes and systems, and therefore to harm the organization. It is associated with the negative aspect of risk: by its nature, what a threat induces is always undesirable.

In interviews, simple language should be used to facilitate the discussion on threats. For example, one can ask stakeholders against which events they wish to protect the resources of the organization, and provide a list of examples for this purpose.



Section 4 : Fundamental principles of information security

Annex C of ISO 27005 provides a typology for the classification of threats. The list of threats should be used with caution. This list is not complete and cannot claim to be exhaustive, since new threats appear regularly due to, among other things, the evolving technologies and capabilities of threat agents.

Annex C must be used as a guide or reminder to help organize and structure the collection and collation of relevant data on threats rather than as a checklist to follow blindly.



Section 4 : Fundamental principles of information security

In itself, the presence of a vulnerability does not produce damage; a threat must exist to exploit it. A vulnerability that does not correspond to any threat may not require the set-up of a control, but it must be identified and monitored in case circumstances change.

Note that the incorrect implementation, use or malfunction of a control could, in itself, represent a threat. A control can be effective or ineffective depending on the environment in which it operates. On the other hand, a threat for which no corresponding vulnerability exists cannot represent a risk.



Section 4 : Fundamental principles of information security

Here is a list of several potential impacts (see ISO 27005, Annex B.2) that can affect availability, integrity, confidentiality or any combination of these:
01. Financial losses;
02. Loss of assets or of their value;
03. Loss of customers, loss of suppliers;
04. Lawsuits and penalties;
05. Loss of competitive advantage;
06. Loss of technological advantage;
07. Loss of efficiency or effectiveness;
08. Violation of the privacy of users or customers;
09. Service interruption;
10. Inability to provide service;
11. Loss of branding or reputation;
12. Disruption of operations;
13. Disruption of third-party operations (suppliers, customers…);
14. Inability to fulfill legal obligations;
15. Inability to fulfill contractual obligations;
16. Endangering the safety of staff and users.



Section 4: Fundamental principles of information security

ISO 27000 - Definitions


2.64. Residual risk: The risk remaining after risk treatment.

2.69. Risk acceptance: Decision to accept a risk.

2.70. Risk analysis: Process to comprehend the nature of risk and to determine the level of risk.

2.71. Risk assessment: Overall process of risk identification, risk analysis and risk evaluation.

2.74. Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

2.76. Risk management: Coordinated activities to direct and control an organization with regard to risk.

2.79. Risk treatment: Process of selection and implementation of measures to modify risk.



Section 4 : Fundamental principles of information security

A risk scenario (or event) includes the various components that constitute a risk: asset, security aspect, vulnerability, threat and impact. The example illustrates the interrelationship between these concepts.



Section 4 : Fundamental principles of information security

Determine the threats and vulnerabilities associated with the following situations and indicate the possible impacts. Also indicate whether the impacts would affect confidentiality, integrity and/or availability. Complete the risk matrix and get ready to discuss your answers after the exercise:

1. The former vice-president of Accounting is hired by a competitor.
2. A removable disk containing backups of the source code of the applications developed by Thalia cannot be found at the head office.
3. The webmaster who designed the corporate website for Thalia takes care of the updates and the uploading of the site.
4. All the telecommunications equipment has the same password. Only the programmers and technicians know the password.

Duration of the exercise: 20 minutes


Comments: 20 minutes
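As an added example (not part of the PECB course material), here is a small risk register that takes a scenario built from exercise item 2 through the ISO 27000 definitions quoted earlier: risk analysis (2.70), risk evaluation (2.74), risk treatment (2.79) and residual risk (2.64). The 1-5 scales, the likelihood x impact matrix, the acceptance threshold and the reduction attributed to each control are assumptions, and both scenarios are constructed.

```python
from dataclasses import dataclass, field

# Assumed risk criteria: 1-5 likelihood and 1-5 impact scales, level of risk =
# likelihood x impact, and any level above 8 is not acceptable (must be treated).
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale points the control removes (assumed)
    impact_reduction: int = 0


@dataclass
class RiskScenario:
    asset: str
    security_aspect: str            # confidentiality, integrity or availability
    vulnerability: str
    threat: str
    impact_description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def risk_analysis(likelihood, impact):
    """Clause 2.70: determine the level of risk from likelihood and impact."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def risk_evaluation(level, threshold=ACCEPTANCE_THRESHOLD):
    """Clause 2.74: compare the level of risk with the risk criteria."""
    return "acceptable" if level <= threshold else "treat"


def residual_risk(scenario):
    """Clause 2.64: the risk remaining once the selected controls (2.79) apply."""
    likelihood, impact = scenario.likelihood, scenario.impact
    for control in scenario.controls:
        likelihood = max(1, likelihood - control.likelihood_reduction)
        impact = max(1, impact - control.impact_reduction)
    return risk_analysis(likelihood, impact)


def assess(scenario):
    """Run one scenario through analysis, evaluation and treatment."""
    inherent = risk_analysis(scenario.likelihood, scenario.impact)
    residual = residual_risk(scenario)
    return {
        "asset": scenario.asset,
        "aspect": scenario.security_aspect,
        "inherent_level": inherent,
        "inherent_decision": risk_evaluation(inherent),
        "residual_level": residual,
        "residual_decision": risk_evaluation(residual),
    }


# Constructed scenario modelled on exercise item 2 (the missing backup disk).
BACKUP_DISK = RiskScenario(
    asset="Removable disk holding source code backups",
    security_aspect="confidentiality",
    vulnerability="Unencrypted removable media not tracked in the asset inventory",
    threat="Loss or theft of the media",
    impact_description="Loss of technological advantage; disclosure of proprietary code",
    likelihood=4,
    impact=4,
    controls=[
        Control("Encrypt backup media", impact_reduction=3),
        Control("Removable media handling procedure and inventory", likelihood_reduction=2),
    ],
)

# Constructed scenario with no matching threat: the vulnerability is recorded and
# monitored, as the slide above recommends, but the level stays acceptable.
ISOLATED_HOST = RiskScenario(
    asset="Test server isolated from all networks",
    security_aspect="availability",
    vulnerability="Unpatched network service",
    threat="None identified (no network path to the service)",
    impact_description="Service disruption on a non-production host",
    likelihood=1,
    impact=2,
)


if __name__ == "__main__":
    for scenario in (BACKUP_DISK, ISOLATED_HOST):
        print(assess(scenario))
```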



Section 4: Fundamental principles of information security

1. Technical control: Controls related to the use of technical measures or technologies such as firewalls, alarm systems, surveillance cameras, intrusion detection systems (IDS), etc.

2. Administrative control: Controls related to the organizational structure, such as segregation of duties, job rotation, job descriptions, approval processes, etc.

3. Managerial control: Controls related to the management of personnel, including training and coaching of employees, management reviews and audits.

4. Legal control: Controls related to the application of legislation, regulatory requirements or contractual obligations.

Note:
• An administrative control is more related to the structure of the organization as a whole without being
applied by a particular person, while a managerial control is to be applied by managers.
• The differences between the types of security controls are explained only for understanding. An
organization does not need to qualify the nature of the security controls it implements.



Section 4: Fundamental principles of information security

ISO 27000, clause 2.17.
Control objective: Statement describing what is to be achieved as a result of implementing controls.

ISO 27000, clause 2.16.
Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature.
Note: Control is also used as a synonym for safeguard or countermeasure.



Section 4 : Fundamental principles of information security

The ISO 27001 standard classifies security controls in three categories: preventive, detective and corrective. Several information security reference frameworks define a classification with more categories.

Important note: Please note that these different types of controls are inter-linked. For example, the establishment of an antivirus solution is a preventive control, as it protects against malware. At the same time, the antivirus is a detective measure when it detects a potential virus. Also, it provides a corrective measure when a “suspicious” file is quarantined or deleted.

Principle of operation:

1. Preventive control
Goal: discourage or prevent the occurrence of problems
• Detect problems before they occur;
• Control operations;
• Prevent an error, an omission or malicious acts.
Examples
• Publication of the information security policy;
• Have partners and employees sign a confidentiality agreement;
• Establish and maintain appropriate contacts with groups of information security specialists;
• Hire only qualified personnel;
• Identification of risks from third parties;
• Segregation of duties;
• Separation of equipment development, testing and operating;
• Restrict access to systems during office hours;
• Securing offices, rooms and equipment;
• Use clearly defined procedures (to prevent errors);
• Use of Cryptography;
• Use an access control software that only allows authorized personnel to access sensitive files.



Section 4 : Fundamental principles of information security

2. Detective control
Goal: Search for and identify problems and incidents
• Use controls that detect and report the occurrence of an error, omission or malicious act.

Examples
• Perform a periodic independent review of information security;
• Monitor and review third-party services;
• Monitor the resources used by systems;
• Analysis of audit logs;
• Integration of checkpoints in the applications in production;
• Echo control in telecommunications;
• Alarm triggering when sensing heat, smoke, fire or risk to water;
• Verification of duplicate calculations in the data processing;
• Detect break-ins with video cameras;
• Detection of potential intrusions on networks with an intrusion detection system (IDS);
• Review of user access rights;
• Technical review of applications after a modification of the operating system.



Section 4 : Fundamental principles of information security

3. Corrective control

Goal: Overcome the problems discovered and prevent the recurrence of problems
• Minimize the impact of a threat;
• Overcome problems discovered by detection controls;
• Identify the causes of the problem;
• Correct errors arising from a problem;
• Modify the processing system to reduce the presence of future problems to a minimum.

Examples
• Technical and legal investigation (forensics) following a security incident;
• Enabling the business continuity plan after the occurrence of a disaster;
• Review of the security policy after the integration of a new division to the organization;
• Appeal to authorities to report a computer crime;
• Change all passwords of all systems when a successful computer network intrusion has been
detected;
• Recover the transactions with the backup procedure after the discovery that some data has
been corrupted;
• Automatic disconnection of idle sessions;
• Implementation of patches following the identification of technical vulnerabilities.



Section 4 : Fundamental principles of information security

Manual control: Control that mainly requires human intervention to be effective. For example: conducting interviews, providing an authorization, observing an inventory, completing forms, auditing…

Automated control: Control operated by a logical system (example: validating data input in payroll software, consolidating accounts automatically in accounting software) or a physical system (example: fire detectors, alarm system, door with automatic locking system). An automated control can also combine a logical and a physical component, such as a building access card.

Mixed control: Control requiring both human activity and at least one automated control to be in use. For example: automated backup of files and verification of the data integrity of the backup by a technician.

Note: It is important for an auditor to understand the distinction between the various operating modes of a
security control.
• In the case of an automated control, it is generally not necessary to sample during the audit to validate its
effectiveness: an automated control behaves the same way every time, so the auditor verifies the design
and configuration of the control.
• In the case of a manual or mixed control, the auditor should test a sample of occurrences to verify its
effectiveness, since human execution can vary from one instance to the next.
• For example, if antivirus protection is managed centrally from a console, the auditor will check the
configuration of the console and validate that the antivirus components are actually deployed on the
desktops. However, if each user manages the updates of his own antivirus software, the auditor will
sample workstations to check that the antivirus is present and up to date across the organization.


Strategic controls are under the responsibility of management, i.e. they are the essential processes and
functional components of the ISMS. They include the development and monitoring of strategies, risk
management, the development of organizational structures, monitoring and review of the ISMS, the
management review, continual improvement, etc. These controls have the primary function of aligning the
information security strategy and management system with the overall strategy of the organization, to
ensure an effective contribution towards achieving the objectives of the organization. In essence, they are
the controls related to Clauses 4 to 10 of ISO 27001. Several organizations use COBIT to implement and
manage their governance controls.

General controls define the generic security mechanisms (not linked with a specific system or
technology) with which an organization guarantees the delivery of services that it needs. These
are the ISO 27001, Annex A controls. General controls can be selected from other guides or
standards or may be defined by the organization to satisfy its specific requirements.

Specific controls related to applications are automated controls included in a specific information system
(for example: accounting, logistics or sales software). These controls are specific to each system or process
and constitute sub-controls of the general controls. For example, an authentication control of users at the
opening of a session on an SAP software package is part of the access controls.

Examples:
1. Defining an access control policy is a strategic control.
2. Performing an annual review of the privileges of user access rights is a general security
control.
3. Implementing an authentication mechanism on the Internet portal of the organization is a
specific control.


The management and maintenance of a governance framework is ensured by several successive layers of
controls:

1. Conformity management: The first actors who can ensure the effectiveness of the processes and
controls related to the management system are the users performing the daily operations.

2. Internal controls: Internal controls represent the set of processes, mechanisms, frameworks and
guidelines established by management to ensure the attainment of objectives and the realization of the
strategic, tactical and operational plans of the organization. Internal controls fall under the responsibility
of management and are an integral part of good company management.

3. Internal audit: Internal audits examine the internal control system and contribute to its continued
effectiveness through the assessments and recommendations that derive from them, and thus play an
important role in the effectiveness of internal control. However, they do not assume the basic
responsibility (which belongs to management) for the design, implementation, maintenance and
documentation of internal controls.

4. External audits: External audits assess the implementation and the effectiveness of the management
system, the internal controls in place and the internal audits by means of independent audits.

5. Professional context: The various associations and professional bodies of auditors, of which PECB
is one, evaluate the competence of auditors and ensure, through ethics committees, respect for
professional practice.

6. Legal framework: Each jurisdiction has laws that define the requirements in matters of legal
compliance.


1. Assets and controls can present vulnerabilities that can be exploited by threats.
2. It is the combination of threats and vulnerabilities that can increase the potential effect of the risk.
3. Controls enable vulnerabilities to be reduced. An organization has few alternatives to act against
threats. For example, controls can be implemented to protect against system intrusions, but it is
difficult for an organization to take action to reduce the number of hackers on the Internet.


For each risk identified in the preceding exercise, identify the appropriate controls (by providing the clause
number of the control) which can reduce, transfer or avoid the risk. Complete the matrix and be ready to
debate the controls you selected.

Duration of exercise: 30 minutes


Comments: 15 minutes


Section summary:
1. An (information) asset is anything that has value for the organization.
2. Information security aims to protect information from a wide range of threats, to ensure business
continuity, to minimize risk, and to maximize the return on investment and the business opportunities
of the organization.
3. A vulnerability is a weakness of an asset or a control that is subject to being exploited by a threat.
4. A threat is a potential cause of an unwanted incident that can affect an organization.
5. Threats and vulnerabilities need one another to be considered a security risk for the organization’s
assets.
6. A risk is the potential that a particular threat exploits the vulnerabilities of an asset or group of assets
and thereby causes harm to the organization.
7. The confidentiality property means the information is only accessible to authorized individuals, entities
or processes.
8. The integrity property corresponds to ensuring that the asset retains its intended accuracy and
completeness.
9. The availability property implies that information is accessible and usable by an authorized entity at the
time it is required.
10. A control is a way to manage a risk. A control can be of a technical, organizational, managerial or of a
legal nature.
11. A preventive control is designed to prevent problems, a detective control is designed to search for and
identify them, and a corrective control is designed to correct them and prevent their recurrence.

Section 5 : Information Security Management System (ISMS)

In this section, we will discuss the main steps to implement an Information Security Management System
and the mandatory clauses tied to these steps. An ISMS is used to ensure the selection of adequate and
balanced security controls that protect assets and to give assurance to stakeholders (interested parties).

An auditor must have general knowledge of the functioning of a management system as well as the
process approach to be able to perform an ISO 27001 audit effectively.


A management system is a system that allows organizations to establish policies and objectives and to
subsequently implement them. The management system of an organization may include different
management systems, such as a quality management system, an information security management system,
an environmental management system, etc.

Organizations use management systems to develop their policies and put them into effect through
objectives using:
• An organizational structure;
• Systematic processes and associated resources;
• An effective assessment methodology;
• A review process to ensure that the problems are adequately corrected and that opportunities for
improvement are recognized and implemented when justified.

Note: What is implemented must be controlled and measured, what is controlled and measured
must be managed. The standard indicates that the organization must evaluate the information security
performance and the effectiveness of the information security management system (clause 9.1). This
clause is an essential component of a management system because without the evaluation of the
effectiveness of processes and controls in place, it is impossible to validate if the organization has achieved
its objectives.


This international standard adopts the process model "Plan-Do-Check-Act" (PDCA), or Deming wheel,
which is applied to the structure of all the processes in a management system. The figure illustrates how a
management system takes as input the requirements and expectations of the stakeholders, and how it
produces, through the necessary actions and processes, the information security results that meet those
requirements and expectations.

Plan (establish the management system): Establish the policy, the objectives, processes and procedures
related to risk management and the improvement of information security to provide results in line with the
global policies and objectives of the organization.

Do (implement and operate the management system): Implement and operate the policy, controls,
processes and procedures of the management system.

Check (monitor and review the management system): Assess and, if applicable, measure process
performances against the policy, objectives and practical experience and report the results to management
for review.

Act (maintain and improve the management system): Undertake corrective and preventive actions, on
the basis of the results of the internal audit and management review, or other relevant information to
continually improve the said system.


Processes can be defined as a logical group of interrelated tasks performed to reach a defined objective. A
process is a sequence of structured and measured activities designed to create a product or a service for a
specific market or a particular client.

For an organization to function effectively, it must implement and manage numerous interrelated and
interacting processes. Often, the output of one process directly forms the input of the next process. The
identification and orderly management of the processes within an organization, and especially of the
interactions between these processes, is called the "process approach".

Controls are used to ensure that business processes are conducted in a secure manner in terms of
information exchange. These security processes and controls are dependent on the business processes
because they are part of them.

For example, security measures relating to human resources should be integrated into the organization's
existing human resources management processes, making those processes more secure by ensuring that:
• Everyone's responsibilities in terms of information security are defined (clause 5.3);
• Background checks of applicants are performed according to the criticality of the information they will
have to process (control A.7.1.1);
• The organization has a formal disciplinary process in case of an information security breach (control
A.7.2.3);
• The organization has a formalized process to remove the access rights of employees leaving the
organization (control A.9.2.6).


A PECB member committee has developed the methodology for implementing an ISMS,
"Integrated Implementation Methodology for Management Systems and Standards (IMS2)",
based on project management best practices in line with the Project Management Institute (PMI)
and the International Project Management Association (IPMA) as well as the ISO 10006
standard, "Quality management systems – Guidelines for quality management in projects".

This method is introduced in a detailed manner in the Certified ISO 27001 Lead
Implementer training.

By adopting the “Plan-Do-Check-Act” (PDCA) process model, the IMS2 method allows an
effective and operational implementation of the different stages of the ISMS life cycle: creation,
implementation, operation, monitoring and review, update and improvement. IMS2 is fully
compatible with ISO 27003 standard which defines guidelines for the implementation of
an ISMS.


ISO 27001, Clause 4.1: Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect
its ability to achieve the intended outcome(s) of its information security management system.

Note: Determining these issues refers to establishing the external and internal context of the organization
considered in Clause 5.3 of ISO 31000:2009.

ISO 27001, Clause 4.2: Understanding the needs and expectations of interested parties

The organization shall determine:


a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

Note: The requirements of interested parties may include legal and regulatory requirements and contractual
obligations.


An organization seeking certification to ISO 27001 must comply with all requirements defined in Clauses 4 to
10 of the standard and, in the Statement of Applicability, define the applicable controls and justify the
exclusion of any Annex A controls that are not applicable.


ISO 27001, Clause 4.3: Determining the scope of the information security management
system

The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.

When determining this scope, the organization shall consider:


a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that
are performed by other organizations.

The scope shall be available as documented information.

ISO 27001, Clause 4.4: Information security management system

The organization shall establish, implement, maintain and continually improve an information
security management system, in accordance with the requirements of this International Standard.



Also define the scope in terms of:
• Business processes;
• Organizational units;
• Location;
• Assets;
• Technologies.

Consider interfaces with:


• Other systems;
• Organizations;
• Suppliers;
• Dependencies.

ISO 27001, clause 1: Application

The requirements set out in this International Standard are generic and are intended to be applicable to
all organizations, regardless of type, size and nature. Excluding any of the requirements specified in
Clauses 4, 5, 6, 7, 8, 9 and 10 is not acceptable when an organization claims conformity to this
International Standard.

Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be
justified and evidence needs to be provided that the associated risks have been accepted by
accountable persons. Where any controls are excluded, claims of conformity to this International
Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or
responsibility, to provide information security that meets the security requirements determined by risk
assessment and applicable legal or regulatory requirements.


ISO 27001, clause 5.1 Leadership and commitment


Top management shall demonstrate leadership and commitment with respect to the information security
management system by:
a) ensuring the information security policy and the information security objectives are established and are
compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the
organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the
information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security
management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas
of responsibility.


Through its leadership and actions, management can create an environment in which the different actors are
fully involved and in which the management system can operate effectively in synergy with the objectives of
the organization. Management can use the ISO management principles to define its role, which involves:
a) establishing the guidelines and objectives of the organization;
b) promoting the policies and objectives at all levels of the organization to increase awareness, motivation
and involvement;
c) ensuring that the requirements of stakeholders (customers, partners, shareholders, legislators, etc.) are
a priority at all levels of the organization;
d) ensuring that appropriate processes and controls are implemented to help meet the requirements of
customers and other stakeholders;
e) ensuring that an efficient and effective management system is established, implemented and
maintained;
f) ensuring the availability of the necessary resources;
g) ensuring that internal audits are conducted;
h) conducting the management review at least once a year;
i) deciding on actions concerning the policy and objectives;
j) deciding on actions to improve the management system.



ISO 27001, Clause 6.1.2: Information security risk assessment


The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable
results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss
of confidentiality, integrity and availability for information within the scope of the information
security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were
to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment
process.


Any risk assessment methodology that complies with the minimum ISO 27001 criteria is acceptable, even a
methodology developed internally. The following is a list of several recognized risk assessment
methodologies:

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): allows the organization to
evaluate the assets at risk, the most significant risks, and the vulnerability of its defences, based on a
standardized knowledge base (a standard catalogue of information) included in the method. From these
results, the method allows a risk reduction strategy to be developed and implemented. OCTAVE is structured
in three phases: profiling of security needs in terms of the assets of the company, vulnerability study, and
development of the strategy and security plan.

CRAMM (CCTA Risk Analysis and Management Method): was created in 1987 by the Central Computer
and Telecommunications Agency (CCTA) of the United Kingdom government. CRAMM has a three-phase
structure: definition of the assets at risk, risk and vulnerability analysis, and definition and selection of
security measures.

MICROSOFT also released a guide for managing security risks, based on several industry-recognized
standards, which is accompanied by tools to perform a comprehensive risk assessment. The overall risk
management process has four main phases: risk assessment, decision support, implementation of security
controls and measurement of programme effectiveness.


TRA (Harmonized Threat and Risk Assessment Methodology) is a publication issued under the
authority of the Chief, Communications Security Establishment Canada (CSEC) and the
Commissioner, Royal Canadian Mounted Police (RCMP). This methodology has four steps:
establish the scope of the assessment and identify the employees and assets to be safeguarded;
determine the threats to employees and assets, and assess the likelihood and impact of their
occurrence; assess vulnerabilities based on the adequacy of safeguards and compute the risk;
implement additional safeguards, if necessary, to reduce the risk to an acceptable level.

EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité): allows the organization to
evaluate and act on risks relating to information systems security, and proposes a security policy adapted
to its needs. This method was created by ANSSI (Agence nationale de la sécurité des systèmes
d'information), formerly DCSSI. This agency is placed under the authority of the Prime Minister and is
attached to the Secretary General for National Defence. The five steps of the EBIOS method are: context
study, security requirements, risk study, identification of security objectives, and determination of security
requirements.

MEHARI (MÉthode Harmonisée d'Analyse de Risques, "Harmonized method of risk analysis"): has been
developed by CLUSIF since 1995 and derives from the Melisa and Marion methods. The MEHARI global
approach consists of analysing the security issues and performing a preliminary classification of IS entities
based on three basic security criteria (confidentiality, integrity, availability). These issues express the
dysfunctions having a direct impact on the activity of the organization. Audits then identify the IS
vulnerabilities, after which the risk analysis itself is conducted.

Note: ENISA (European Network and Information Security Agency) has established an inventory
of several risk management/risk assessment methods available on the market including a
comparison by 22 attributes. See http://rm-inv.enisa.europa.eu/rm_ra_tools.html


From ISO 27005:2011, clauses 8.2.2-8.2.6


Identify the assets: The organization shall identify the assets that fall within the scope of the ISMS as
well as their owners. The identification must be performed with a level of detail that provides enough
information to evaluate the risks and the level of risk with which the organization is comfortable. The
level of detail used in the identification of assets will influence the overall volume of information
collected during the risk assessment.

Identify the threats: The organization shall identify threats facing assets. Sources of the threats
being accidental or deliberate must be identified. A threat can arise from inside or outside of the
organization. Threats must be identified in a general way and by type (for example: unauthorized
actions, physical damage, technical failures). Individual threats can then be identified among the
general threats.

Identify the existing controls: The organization shall identify existing controls to avoid
unnecessary work or cost, e.g. the duplication of controls. In addition, while identifying the
existing controls, a check should be made to ensure that the controls are working correctly.

Identify vulnerabilities: The organization shall identify vulnerabilities that could be exploited by
the threats. Vulnerabilities related to assets or controls that could be exploited by threats must be
identified, as well as their characteristics. Vulnerabilities arising from different sources must be
considered, for example those intrinsic or extrinsic to the asset.

Identify the consequences: The organization identifies the impacts that losses of confidentiality,
integrity and availability have on assets. This action identifies the damages or consequences for
the organization that could be caused by an incident scenario (ISO 27001: security failures). An
incident scenario is the description of a threat exploiting a vulnerability or set of vulnerabilities in
terms of information security. A consequence could be the loss of effectiveness, unfavorable
operation conditions, damage to the reputation, damages or even the loss of the organization,
etc.


From ISO 27005:2011, clauses 8.3.2-8.3.4 & 8.4


Assess the potential consequences: The organization shall assess the business impacts on the
organization that might result from security failures, taking into account the consequences of a loss of
confidentiality, integrity or availability of the assets. After having identified all the asset elements to
examine, values attributed to these assets must be taken into account when consequences are evaluated.
The impact value for the organization can be expressed in qualitative and quantitative forms.

Assess the likelihood of occurrence: The organization shall assess the realistic likelihood of security
failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these
assets, and the controls currently implemented. Once incident scenarios have been identified, the likelihood
of each scenario and the impact it produces must be evaluated using qualitative or quantitative estimation
techniques. The frequency at which threats occur and the ease with which vulnerabilities can be exploited
need to be considered.

Determine levels of risk: The organization shall estimate the levels of risks. Among others, cost concepts,
third party concerns and other variables as needed can be taken into account to evaluate the risks.

Evaluate risks: The organization shall determine whether the risks are acceptable or require treatment
using the criteria for accepting risks defined by the organization.


The risk assessment method must allow the risk to be managed according to the following four
options:
1. Reduction: Appropriate and justified controls should be selected to meet the requirements
identified by the risk assessment and risk treatment. This selection should take account of
the risk acceptance criteria as well as legal, regulatory and contractual requirements. This
selection should also take account of cost and timeframe for implementation of controls, or
technical, environmental and cultural aspects.

2. Retention: It is possible that there are certain risks for which the organization will not be
able to identify controls, or for which the cost of the controls is higher than the potential loss
should the risk materialize. In this case, the organization may decide that it is better to live with
the consequences of the risk if it materializes. The organization will need to document this
decision so that risk owners are informed of the risks and accept the consequences.

3. Transfer: Risk transfer involves a decision to share certain risks with external parties. Risk
transfer can create new risks or modify existing, identified risks; therefore, additional risk
treatment may be necessary. Risk transfer does not eliminate the risk absolutely (for example,
using third parties for the transportation and handling of certain tasks).

4. Avoidance: When the identified risks are considered too high, or the costs of implementing
other risk treatment options exceed the benefits, a decision may be made to avoid the risk
completely, by withdrawing from a planned or existing activity or set of activities, or changing
the conditions under which the activity is operated.


The organization should apply the appropriate controls to:


• Be compliant with legal, regulatory and contractual obligations;
• Reduce the likelihood of threats and vulnerabilities responsible for the risk;
• Reduce impacts if the risk occurs;
• Prevent or detect, react and correct undesired events.

Security objectives and security controls themselves must be selected and set in place to meet the
requirements identified by risk assessment and risk treatment process. This selection must take into
account risk acceptance criteria defined by the organization as well as legal, regulatory and
contractual requirements.

Security objectives and controls defined in Annex A can be selected as an integral part of the process insofar
as they can meet the requirements. The list of security objectives and controls in Annex A is not
comprehensive, and additional security objectives and controls can also be selected from other sources,
including the organization's own.


Note: Declared control objectives and controls must be appropriate to the results and conclusions of the
risk assessment and treatment processes, legal and regulatory requirements, contract obligations and
business requirements of the organization, relating to the ISMS.


Residual risk is the risk that remains after the risk has been treated. The notion of
residual risk can be defined as being the risk that remains after the implementation of
controls aiming to reduce the inherent risk, and can be summarized as follows:

Residual risk = Inherent risk – Risk treated by controls

After the implementation of a risk treatment plan, there are always residual risks. The
value of the risk reduction following risk treatment should be evaluated, calculated
and documented. Residual risk can be difficult to evaluate, but an estimate should at
least be made to ensure that the value of each residual risk respects the risk acceptance
criteria of the organization. The organization must also make sure to set in place mechanisms
to monitor residual risks.

If the residual risk remains unacceptable after the implementation of controls, a decision
must be made on how to treat the risk further. One option is to identify other risk
treatment options, such as risk transfer (insurance or outsourcing), to reduce the risk to
an acceptable level. The other option is to accept the risk knowingly and objectively.
Even if it is good practice to tolerate no risk whose level is above the risk criteria
defined by the organization, it may not always be possible to reduce all risks to an
acceptable level.

In all circumstances, residual risks must be understood, accepted and approved by risk owners.
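The steps described above (assess consequences and likelihood, determine the level of risk, evaluate it against the acceptance criteria, then re-evaluate the residual risk once the treatment controls are applied), worked through in code. This is an added example written for this page; it is not PECB course material or ISO 27005 text. The 1 to 5 ordinal scales, the acceptance threshold of 8, the incident scenarios and the reduction attributed to each control are constructed assumptions chosen to make the arithmetic visible.

```python
"""Qualitative risk estimation and residual-risk evaluation.

Illustrative code added for this section, not part of the PECB course or of
ISO 27005. Scales, threshold, scenarios and control effects are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed ordinal scales; ISO 27005 leaves the scales to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk acceptance criterion: level = likelihood x impact, and a level
# of 8 or less is acceptable without (further) treatment.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Control:
    """A treatment control and the reduction it is assumed to bring, in scale steps."""
    name: str
    likelihood_reduction: int = 0   # makes the vulnerability harder to exploit
    impact_reduction: int = 0       # limits the consequence if it still happens


@dataclass
class Scenario:
    """Incident scenario: a threat exploiting a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_level(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_level(self) -> int:
        """Residual risk = inherent risk minus the part treated by controls.
        Each scale is floored at 1: controls never make a risk vanish."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def evaluate(scenarios, threshold=ACCEPTANCE_THRESHOLD):
    """Map each scenario to its inherent and residual level and the resulting decision."""
    report = {}
    for s in scenarios:
        inherent, residual = s.inherent_level(), s.residual_level()
        if inherent <= threshold:
            decision = "acceptable as is"
        elif residual <= threshold:
            decision = "treated; residual risk within acceptance criteria"
        else:
            decision = "residual risk unacceptable; further treatment or explicit risk-owner acceptance"
        report[(s.asset, s.threat)] = {"inherent": inherent, "residual": residual, "decision": decision}
    return report


def sample_register():
    """Constructed scenarios (not real data) covering the three possible outcomes."""
    return [
        Scenario("customer database", "SQL injection", "unvalidated web input",
                 "likely", "major", [Control("parameterised queries and input validation", 2, 0)]),
        Scenario("staff laptop", "theft", "unencrypted disk",
                 "possible", "moderate", [Control("full-disk encryption", 0, 2)]),
        Scenario("backup tapes", "fire", "single storage site", "rare", "severe"),
        Scenario("public web portal", "volumetric DDoS", "no upstream filtering",
                 "likely", "major", [Control("rate limiting", 1, 0)]),
    ]


if __name__ == "__main__":
    for (asset, threat), row in evaluate(sample_register()).items():
        print(f"{asset} / {threat}: inherent={row['inherent']} "
              f"residual={row['residual']} -> {row['decision']}")
```

The DDoS scenario is the case the text warns about: after the planned control the residual level (12) is still above the criterion, so the register must record either a further treatment option or the risk owner's documented acceptance, not silently close the item.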


To obtain management authorization to implement the ISMS, some documents should be prepared in
advance:
1. Risk analysis report;
2. Risk treatment plan (including the identification of the residual risks and their acceptance by risk
owners);
3. Statement of Applicability.

Usually, these documents are presented at a management review with a progress report. After the
management review, the following should be obtained from the management:
1. Approval of the Statement of Applicability;
2. Acceptance of the risk treatment plan (including the acceptance of the residual risks by the risk
owners) and authorization to implement the ISMS;
3. Written permission of the management to implement the ISMS.

Following the initial authorization to implement the ISMS, it is good practice to make an official
announcement. This can be done by the sending of an official letter from the management to the
employees or by a kickoff meeting.

It is important to ensure, however, that the risk assessment is regularly reviewed and that the residual risk
continues to be under-written (i.e. accepted) by risk owners.


ISO 27001, clause 6.2: Information security objectives and plans to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk
treatment results;
d) be communicated; and
e) be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.


ISO 27001, clause 7: Support


7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance and continual improvement of the ISMS.

7.2 Competence
The organization shall
a) determine the necessary competence of person(s) doing work under its control that affects its
information security performance,
b) ensure that these persons are competent on the basis of appropriate education, training, and
experience,
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness
of the actions taken, and
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the
reassignment of current employed persons; or the hiring or contracting of competent persons.

7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
a) the information security policy,
b) their contribution to the effectiveness of the ISMS, including the benefits of improved information
security performance,
c) the implications of not conforming with the ISMS requirements.


7.4 Communication
The organization shall determine the need for internal and external communications relevant to the ISMS
including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate,
d) who shall communicate; and
e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General
The organization’s ISMS shall include:
− documented information required by this International Standard; and
− documented information determined by the organization as being required for the effectiveness of the
ISMS.

NOTE The extent of documented information for a ISMS can differ from one organization to another due to
− the size of organization and its type of activities, processes, products and services,
− the complexity of processes and their interactions, and
− the competence of persons.


ISO 27001, clause 7.5: Documented information


7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate
a) identification and description (e.g. a title, date, author or reference number),
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic),
c) and review and approval for suitability and adequacy.

7.5.3 Control of documented information


Documented information required by the ISMS and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed,
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use,
— storage and preservation, including preservation of legibility,
— control of changes (e.g. version control),
— retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and
operation of the ISMS shall be identified, as appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information, or the
permission and authority to view and change the documented information, etc.


ISO 27001, clause 8.2: Information security risk assessment


The organization shall perform information security risk assessments at planned intervals or when
significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk
assessments.

ISO 27001, clause 8.3: Information security risk treatment


The organization shall implement the information security risk treatment plan. The organization shall retain
documented information of the results of the information security risk treatment.


ISO 27001, clause 9: Performance evaluation


9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid
results;

NOTE The methods selected should produce comparable and reproducible results to be considered
valid.

c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results.


Internal audits are used to assess the level of fulfillment of the requirements of the standard relating to the
management system. Regular internal audit activities allow the effectiveness of the management system to be
assessed continuously and opportunities for improvement to be identified.

The organization must implement an internal audit programme to determine whether the management system
reaches the defined objectives of the organization, remains in conformity with the standard as well as with other
internal, legal, regulatory and contractual requirements, and is kept up to date in an efficient manner.

The audit program shall, as a minimum, contain:

1. Definition of the criteria, the scope, the frequency, the methods and the audit procedures;
2. Definition of the roles and responsibilities of the internal auditors;
3. Documentation ensuring the objectivity and impartiality of the audit process (examples: audit chart,
work contract, code of ethics of internal auditors, etc.);
4. Planning of audit activities;
5. Follow-up activities to audit the business actions following the detection of non conformities;
6. Procedure to keep the records of audit activities and safekeeping of records.

Note: The implementation and management of an internal audit program will be explained during Day 4 of
the training.


Management reviews allow the management of the organization to periodically review the level of
performance (relevance, appropriateness, effectiveness and efficiency) of the management system in
place. These reviews allow the organization to adapt or refocus the management system quickly and
efficiently in response to internal or external changes. A management review shall be organized at least once
a year.

Management reviews must be documented. They should then be distributed to all review participants.


ISO 27001, clause 10: Improvement


10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or
occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.

ISO 27000 - Definitions

2.24. Effectiveness: Extent to which planned activities are realized and planned results achieved.


A corrective action is an action taken to eliminate the root causes of a non-conformity or of any other
undesirable existing event and to prevent its recurrence. A corrective action is thus a term that includes
the reaction to a system process problem, to security incidents, to gaps in reaching objectives, to
non-conformities, etc.

The corrective action process should include:


1. Identification and documentation of the non-conformity: The initial step in the process is to clearly
define and document the non-conformity and to analyze its impacts on the organization.
2. Analysis of the causes: Determine the source of the non-conformity and analyze the root causes.
3. Evaluation of options: A list of possible corrective actions is developed and different action plans are
evaluated. At this stage, if the problem is significant or if the likelihood of re-occurrences is high,
temporary corrective actions can be set in place.
4. Selection of solutions: One or more corrective actions are selected to correct the situation and the
contemplated improvement objectives are determined. The selected solution must correct the problem
and should also be able to avoid a re-occurrence.
5. Implementation of corrective actions: The corrective action plan that was approved is implemented
and all the actions described in the plan are documented.
6. Follow-up of corrective actions: One must check that the new corrective controls are in place and
effective. The follow-up is usually performed by the person responsible for the project and the audit
department.
7. Review of corrective actions: To perform a review of the effectiveness of the corrective actions we
periodically evaluate whether the organization is accomplishing its security objectives, based upon the
defined corrective actions and whether those actions remain effective over time.


A preventive action is any action taken to eliminate the causes of a potential non-conformity or any other
potentially undesirable event and to prevent its occurrence in future. A preventive action is taken to
prevent a potential problem from occurring. Monitoring and adequate controls must be implemented within
the ISMS to ensure that potential problems are identified and eliminated before they occur.

It is to be noted that an action aiming at preventing non-conformities is often more cost-effective than a
corrective action. An organization should aim for cost/effectiveness balance between the
implementation of corrective and preventive actions.

The preventive actions process is similar to the corrective actions process: identifying a potential problem,
evaluating solutions, choosing solutions, implementing preventive actions, follow-up and review of
preventive actions.


The objectives and the security controls listed in Annex A (A.5 to A.18) are aligned with the security
objectives and security controls listed in the clauses of ISO 27002, Clauses 5 to 18.
The lists of objectives and security controls contained in Annex A of ISO 27001 are not exhaustive. An
organization may consider including additional security objectives and security controls when necessary.


The organization should first conduct a risk assessment to identify the need for security controls.
These should then be identified and a record made of them (as has been previously discussed). The
organization must then review the 114 security controls in Annex A to identify those that are
applicable and those that will not be considered in the specific context of the ISMS. The choice
whether to implement a security control should be justified primarily by the risk assessment. That is
why the final version of the Statement of Applicability should not be drafted before the risk
assessment and risk treatment report has been filed.

The security controls proposed in Annex A may not be sufficient to address all risk scenarios that the
organization has identified. Other frameworks providing additional security controls (e.g. COBIT,
PCI DSS, etc.) can be used and integrated in the ISMS. It should be noted that such additional security
controls must also be described in the statement of applicability.

Most organizations select most security controls. One should avoid exaggerating in either direction. An ISMS
that contains only a few security controls may not protect the organization effectively. Conversely, the
decision to declare all relevant controls without taking the time to assess the needs of the organization may
be equally ineffective: security controls may then be implemented without addressing a real need,
thereby considerably increasing the burden of system maintenance.

Moreover, the selection of security controls should take the cost/benefit into account. Given that
ISMS supports the organization in achieving its business objectives, it is subject to economic
imperatives. Implemented security controls need to be "profitable" for the organization.

To conclude, in the logic of the standard, the security controls declared in the ISMS should be
aligned with the organization's activities and not vice versa.


It is appropriate for the organization to justify the reasons for selecting each security control included in the
ISMS. This activity may seem trivial at first sight, or even useless. Why justify the selected security
controls and not only those that are excluded? The purpose of this requirement of ISO 27001 is to force the
organization to document the objectives associated with each control. This is the answer to the "Why" for
each control.

Here are some examples of justifications related to selected controls:

1. Addressing security within supplier agreements (A.15.1.2)
All relevant information security requirements shall be established and agreed with each supplier that may
access, process, store, communicate, or provide IT infrastructure components for, the organization's
information.
• Justification of the selection: Ensuring the security of the organization's information, and of the means of
accessing, processing, storing, communicating or providing IT infrastructure components for it, when these
are used by suppliers.

2. Change management (A.12.1.2)
Changes to the organization, business processes, information processing facilities and systems that affect
information security shall be controlled.
• Justification of the selection: Ensuring the confidentiality, integrity and availability of information and
means of processing information belonging to the organization when there are changes to systems and
methods of information processing.

3. Implementing information security continuity (A.17.1.2)
The organization shall establish, document, implement and maintain processes, procedures and controls to
ensure the required level of continuity for information security during an adverse situation.
• Justification of the selection: Ensuring the availability of information, on time, when an interruption or
outage affects critical business processes.


The organization should justify the reasons for exclusion for each security control of Annex A not
selected. There are many valid reasons an organization may invoke for the exclusion of security
controls. Here are some examples of reasons for excluding security controls:

1. Screening (A.7.1.1): Background verification checks on all candidates for employment shall be carried
out in accordance with relevant laws, regulations and ethics and shall be proportional to the business
requirements, the classification of the information to be accessed and the perceived risks.
Justification of the exclusion: In compliance with the collective agreement with the employees, no
security checks will be made.

2. Teleworking (A.6.2.2): A policy and supporting security measures shall be implemented to protect
information accessed, processed or stored at teleworking sites.
Justification of the exclusion: Teleworking is prohibited in the organization.


Important notes:

• In most cases, an organization may declare a security control applicable and explain what it
covers and its limitations. If we take the example of screening (A.7.1.1), the control does not
force the organization to use all available means to conduct a thorough investigation of
every person, with credit checks, criminal record validation, verification of qualifications,
etc. An organization could simply state that it will ask to inspect original
certificates and that it will validate two references for each candidate. The organization
should, however, be able to justify the steps it takes, particularly when these are minimal.
• In most cases, an organization may declare a security control applicable even if it does not
practise the activity. Here is an example: one organization declared the control on teleworking
(A.6.2.2) not applicable because teleworking is prohibited. The control could also be declared
applicable, and the organization could then document in the information security policy that
teleworking is prohibited.
• An organization may not declare a control non-applicable if no justification for exclusion
exists. It is not possible to exclude a control for business or convenience reasons. If an
organization chooses not to implement a control that would normally be applicable, it must
declare the control as applicable but can decide to accept the risk of not implementing any
control. The control is thus documented as applicable, and risk acceptance is the control.


ISO 27001 does not specify the form of the statement of applicability. It simply requires a list of the
security controls, selected or not, the reasons for these choices, and the actions implemented to meet the
selected security controls. The additional controls put in place must also appear in
the statement of applicability.
It is good practice to include in the statement of applicability the title or function of the person responsible for each control and the list of documents or records relating to it. The model proposed by PECB includes the following sections:
1. Security control: Indicates the Annex A reference of the security control.
2. Applicable: Indicates whether the security control is applicable or not.
3. Brief description: Describes briefly, in a few sentences, the control and how it is implemented in the organization. A simple way to do this is to use the method of the “6 Ws” (Who, What, When, Where, Why, How). It should be noted that the "why" is addressed in the column "justification".
• For example: An information security policy (What), approved by management (Who), has been in force since December 21, 2008 (When). A copy was sent (How) to all employees and stakeholders (Who). The official version is available on the Intranet (Where).
4. Justification: Describes the reasons for selecting or excluding the security control.
5. Documentation: Indicates the documents (policies and procedures) or records related to this security control.
6. Responsible: The owner of the control is the person who is responsible. This must be a person whose name and position in the organization are included in the document. If the security control is not applicable, indicate the person able to prove its non-applicability, to facilitate the work of auditors (internal and external) and to know who to address for information during subsequent revisions of the statement of applicability.
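The six sections above define what a complete statement of applicability entry must contain, and an auditor reviewing an SoA checks those same points: every control in scope is addressed exactly once, every entry carries a justification and a named responsible person, and every applicable control has an implementation description and supporting documents or records. The following script is an added illustration of that review, not a PECB template or tool; the field names, the sample entries and the expected control list (the five Annex A references used in the homework below) are constructed assumptions.

```python
"""Consistency check for Statement of Applicability (SoA) entries.

Added illustration, not PECB's own template or tooling. Field names and
the sample data are constructed to mirror the six SoA sections described
in the course text.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SoaEntry:
    control: str               # 1. Annex A reference, e.g. "A.5.1.1"
    applicable: bool           # 2. applicable or not
    description: str           # 3. what / who / when / where / how
    justification: str         # 4. reason for selection or exclusion ("why")
    documentation: List[str]   # 5. related policies, procedures, records
    responsible: str           # 6. named person and position (also for N/A controls)


def check_entry(e: SoaEntry) -> List[str]:
    """Return findings for a single entry; an empty list means it is consistent."""
    findings = []
    if not e.justification.strip():
        findings.append(f"{e.control}: missing justification")
    if not e.responsible.strip():
        # A non-applicable control still needs someone able to prove non-applicability.
        findings.append(f"{e.control}: no responsible person named")
    if e.applicable:
        if not e.description.strip():
            findings.append(f"{e.control}: applicable control has no implementation description")
        if not e.documentation:
            findings.append(f"{e.control}: applicable control has no supporting documents or records")
    return findings


def check_soa(entries: List[SoaEntry], expected_controls: List[str]) -> List[str]:
    """Check coverage of the expected control list, duplicates, and each entry."""
    findings = []
    listed = [e.control for e in entries]
    for c in expected_controls:
        if c not in listed:
            findings.append(f"{c}: not addressed in the SoA")
    for c in sorted({c for c in listed if listed.count(c) > 1}):
        findings.append(f"{c}: listed more than once")
    for e in entries:
        findings.extend(check_entry(e))
    return findings


# Constructed sample: the five Annex A references from the homework exercise.
EXPECTED_CONTROLS = ["A.5.1.1", "A.9.2.6", "A.12.2.1", "A.13.2.4", "A.9.2.5"]

# Constructed SoA entries; names and dates are placeholders.
SAMPLE_ENTRIES = [
    SoaEntry("A.5.1.1", True,
             "Information security policy approved by management, in force since "
             "2008-12-21, sent to all employees, official version on the Intranet.",
             "Required to set management direction for information security.",
             ["POL-01 Information Security Policy", "Approval minutes 2008-12-21"],
             "J. Doe, CISO"),
    SoaEntry("A.9.2.6", True,
             "HR notifies IT on departure; accounts disabled within one working day.",
             "Leavers retain access otherwise.",
             [],                       # no documents or records: finding
             "A. Smith, IT Operations Manager"),
    SoaEntry("A.12.2.1", False, "",
             "No end-user workstations in scope; managed by the parent company.",
             [], ""),                  # non-applicable but nobody named: finding
    SoaEntry("A.9.2.5", True, "Quarterly access review by application owners.",
             "Detects accumulated privileges.", ["PRC-09 Access review procedure"],
             "M. Lee, Application Owner"),
    SoaEntry("A.9.2.5", True, "Annual review of privileged accounts.",
             "Duplicate entry to illustrate the check.", ["REC-12 Review records"],
             "M. Lee, Application Owner"),  # duplicate reference: finding
]


if __name__ == "__main__":
    for f in check_soa(SAMPLE_ENTRIES, EXPECTED_CONTROLS):
        print(f)
```

Running the script on the constructed sample reports four findings: A.13.2.4 is not addressed, A.9.2.5 appears twice, A.9.2.6 has no supporting documentation, and A.12.2.1 names nobody able to prove its non-applicability. The completeness check against the expected list is the part auditors most often find missing in spreadsheet-based SoAs.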


Section summary:
1. An Information Security Management System (ISMS) is the part of the overall management system, based on a risk-based approach, used to establish, implement, operate, monitor, review, maintain and improve information security.
2. The ISMS is used to ensure the selection of adequate and proportionate security controls that protect the assets and give assurance to the stakeholders.
3. Controls are used to ensure that business processes are conducted in a secure manner with respect to information exchange. These security processes and controls depend on the business processes because they are integrated into them.
4. An organization that requests certification must conform to all the clauses defined in Clauses 4 to 8 of ISO 27001, declaring the applicable controls together with the reasons for their selection and justifying the excluded controls of Annex A in the statement of applicability.
5. Security objectives and security controls must be selected and implemented to meet the requirements identified by the risk assessment and risk management processes. This selection must take into account the risk acceptance criteria as well as the legal, regulatory and contractual requirements.
6. The organization must continually improve the effectiveness of its ISMS through its policy and objectives, its internal audits, and the preventive and corrective controls initiated by management reviews.


Homework 1: Annex A general controls

Determine how you would verify each of the following controls. You must provide examples of the evidence you would look for to obtain reasonable assurance that the control has been effectively implemented. State at least two elements of proof for each.

1. Information security policy document (A.5.1.1)
2. Removal or adjustment of access rights (A.9.2.6)
3. Controls against malware (A.12.2.1)
4. Confidentiality or nondisclosure agreements (A.13.2.4)
5. Review of user access rights (A.9.2.5)

Duration of homework: 30 minutes
