
MODULE

INFORMATION SECURITY
MANAGEMENT SYSTEM

This material is copyrighted by ATL © Printed in 2016

0 |ATL Education Foundation


PROLOGUE
DESCRIPTION

This module will enable a learner to understand information security and to implement the various
measures used to manage it, as it is rightly said:

“If your information is not safe,


The future of your business is not secure”
RATIONALE

Security is the degree of protection against danger, loss and crime.


Computer security is the branch of computer technology known as information security as applied to
computers and networks. The objective of computer security is to protect information and property
from theft, corruption or natural disaster, while allowing the information and property to remain
accessible and productive to their intended users. The term computer system security means the
collective processes and mechanisms by which sensitive and valuable information and services are
protected from publication, tampering or collapse, whether caused by unauthorized activities,
untrustworthy individuals or unplanned events. An information security management system
(ISMS) is a set of policies concerned with information security and its management. Managing
security begins with assessing the risks of every kind that the organization faces; the practices of
security management then follow from that assessment.

OBJECTIVES

This module helps to develop knowledge, skills and techniques in the design of security systems,
using the theory and practice of protection from hacking. It is intended to contribute towards the
CSTA (Certified Security Testing Associate) accreditation and also towards the CISSP (Certified
Information Systems Security Professional) accreditation. Students who want to learn the
fundamentals of computing and specialize as security specialists or in forensic computing will
benefit greatly. This module focuses on the objectives of information security.

TABLE OF CONTENTS
UNIT 1. SECURITY AUDITING
1.1 INTRODUCTION
1.1.1 PURPOSE OF AUDITS
1.1.2 SECURITY AUDITING OBJECTIVES
1.1.3 RISKS INVOLVED
1.1.4 AUDITING STEPS
1.1.5 AUDIT PLANNING & PREPARATION
1.1.6 ESTABLISHING AUDIT OBJECTIVES
1.1.7 PERFORMING THE REVIEW
1.1.8 NETWORK VULNERABILITIES
1.1.9 CONTROLS
1.1.10 ENCRYPTION AND IT AUDIT
1.1.11 LOGICAL SECURITY AUDIT
1.1.12 SPECIFIC TOOLS USED IN NETWORK SECURITY
1.1.13 APPLICATION SECURITY
1.1.14 SEGREGATION OF DUTIES
UNIT 2. LEAD AUDITOR
2.1 LEAD AUDITOR
2.2 INTRODUCTION
2.3 HISTORY OF ISO 27001
2.4 PURPOSE OF STANDARDS
2.5 CONTROL OBJECTIVES AND CONTROLS IN ISO 27001
2.6 MANDATORY REQUIREMENTS
UNIT 3. SECURITY RELATED THREATS AND VULNERABILITIES EVALUATION
3.1 THE DARK SIDE OF THE WEB WORLD
3.2 UNDERSTANDING SECURITY CONTROLS

UNIT 1
SECURITY AUDITING

1.1 INTRODUCTION
1.1.1 PURPOSE OF AUDITS
Rapid and dramatic advances in information technology (IT), while offering tremendous benefits,
have also created significant and unprecedented risks to government operations. Federal, state and
local governments depend heavily on information systems (IS) security measures to avoid data
tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in
critical operations. These risks are expected to keep escalating as wireless and other technologies
emerge. Government auditors, to be effective instruments of accountability, need to be able to
evaluate IS security and offer recommendations for reducing the security risk to an acceptably low
level. Further, the growing importance of IT in performing daily operational activities, along with
the elimination of paper-based evidence and audit trails, demands that auditors consider the
effectiveness of IT controls during the course of financial and performance audits.
To do so, auditors must acquire and maintain the appropriate resources and skill sets, a daunting
challenge in an era of rapid evolution and deployment of new information technology. Likewise,
government audit organizations need to take stock of their IS security audit capabilities and ensure
that strategies exist for their continued development and enhancement. Building such a capability
involves four activities: planning, developing a strategy, implementing the capability, and
assessing results.

1.1.2 SECURITY AUDITING OBJECTIVES

1. To ensure confidentiality, integrity and availability of data.
2. To protect hardware, software and data from environmental threats.
3. To ensure proper management, design, performance and reliability of components.
"Unless you assess security standards and policies, it is impossible to maintain security
standards."

1.1.3 RISKS INVOLVED

You have now learnt the objectives of security auditing. A security audit also carries risks of its
own which are essential to understand: the audit touches sensitive systems and information, and if
it is carried out badly it becomes a threat to security itself. The risks to guard against are:
1. Disclosure of confidential corporate data and information.
2. Unauthorized access to information systems and facilities.
3. Fraud.
4. Theft of data or other information assets.
5. Modification or deletion of data and information.
6. Non-compliance with policies, standards, quality requirements and procedures.

1.1.4 AUDITING STEPS


There are four different audit steps followed: Planning and risk assessment, testing of internal
controls, substantive procedures, and finalization.
The purpose of these audit steps is to provide a standard process that is used in every audit. In most
organizations, an audit is conducted by the internal audit department or an external auditing or
accounting firm. Planning and risk assessment audit steps are typically conducted before the fiscal
year end and are used to gather information. The auditor takes the time to learn about the industry,
regulations, accounting policies, and information systems. During this stage, many auditors work
from a remote location, as most of this information is available from independent sources.
In order to effectively plan the audit, the overall scope must be evaluated and documented. A
standard financial audit is limited in scope to transactions that occurred in the current period and is
often completed at a summary level. The number of transactions and dollar values are used to
determine the upper and lower bounds that will be used to set the audit values. The industry,
strength of internal controls, and any issues raised by management determine the risk assessment
for the audit.
One of the most important of all the audit steps is the process of testing the internal controls. These
processes and procedures are used to ensure that proper approvals are in place before payment is
made or transactions entered in the system. The primary method of internal control testing is to
randomly select transactions and check the source documentation. If a random selection from a
representative sample finds controls were weak or missing, then the sample size must be increased.
A substantive procedure is the actual process of collecting physical evidence of transactions and
verifying the value posted to a specific account is supported by actual documents. This aspect of
the audit is the most time consuming and is very detailed work. The account selected for this type
of review varies, but is typically one that tracks a range of high and low dollar value activity.
The last stage of the audit is finalization: the creation of a report to management that summarizes
all the procedures used to conduct the audit, the results of the various processes, and the
supporting documentation. Audit reports use a variety of formats or layouts depending on the
audience. For example, most banks require audited financial statements when a business applies for
a loan, and they often have a preferred format that makes comparison and review simpler. Having
studied the four basic audit steps, we now look at a sequence of network-audit checks that builds
on them.
I. PREVIOUS CHECK
• Determine the previous audit and the action taken by the team.
• Review the previous reports.
• Review the existing network.
II. PLANNING & ORGANISING
• Review the objectives and functions of the network.
• Consider the locations of facilities, cost effectiveness, feasibility and configuration of hardware.
III. NETWORK CONTROL (POLICIES/STANDARDS)
• Review control standards, policies and procedures.
• Verify the procedures for dataset compatibility, size and complexity.
• Review audit trails, backup and recovery for the network.
IV. NETWORK CONTROL (HARDWARE & SOFTWARE)
• Determine the policies and control features installed on the network.
• Assess the integrity of hardware and software over the network.
• Determine the system configuration.
V. NETWORK DATA STANDARDS & DATA ACCESS
• Determine the documentation, data standards and data access.
• Verify the effectiveness of security procedures.
• Determine the effectiveness of policies and procedures for the sensitive data maintained.
• Determine where traffic is heaviest and the level of hardware review.
VI. HARDWARE & SOFTWARE BACKUP & RECOVERY
• Determine whether hardware, software and data are backed up at another site.
• Verify that a network failure at one site has minimal effect on another site.
• Determine that adequate disaster recovery procedures are in place.
VII. SOFTWARE COMMUNICATION
• Review procedures for managing and monitoring the use of communication software.
• Determine whether each transmitted message is delivered to the valid destination address.
• Determine whether a message is retransmitted automatically if the original transmission fails.
• Review the transmission priorities.
• Verify that the software used provides error detection and correction.
VIII. ACCESS TO NETWORK O.S. SOFTWARE & FACILITIES
• Review security procedures for the main network facilities.
• Verify and test hardware and software.
• Check physical access.
IX. DATA ENCRYPTION & FILTERING
• Review procedures to determine the classification of data on the network.
• Evaluate their effectiveness.
• Verify that policies exist for firewall operation.
X. INTERNET APPLICATIONS
• Determine the type of application software, tools and service providers.
• Determine the type of web browser.
• Determine the type of ISP.
XI. PASSWORD PROTECTION
• Is access control software used?
• Are passwords case sensitive?
• Is there a minimum length, and are rules on numbers, characters and patterns enforced?
• Are accounts automatically disabled after repeated unsuccessful sign-on attempts?
• Are users aware of password protection?
1.1.5 AUDIT PLANNING & PREPARATION

The auditor should be adequately educated about the company and its critical business activities
before conducting a data center review. The objective of the data center is to align data center
activities with the goals of the business while maintaining the security and integrity of critical
information and processes. To determine whether the client's goal is being achieved, the auditor
should perform the following before conducting the review:

• Meet with IT management to determine possible areas of concern.
• Review the current IT organization chart.
• Review job descriptions of data center employees.
• Research all operating systems, software applications and data center equipment operating
within the data center.
• Review the company's IT policies and procedures.
• Evaluate the company's IT budget and systems planning documentation.
• Review the data center's disaster recovery plan.

1.1.6 ESTABLISHING AUDIT OBJECTIVES

The next step in conducting a review of a corporate data center takes place when the auditor
outlines the data center audit objectives. Auditors consider multiple factors that relate to data center
procedures and activities that potentially identify audit risks in the operating environment and
assess the controls in place that mitigate those risks. After thorough testing and analysis, the auditor
is able to adequately determine if the data center maintains proper controls and is operating
efficiently and effectively.
Following is a list of objectives the auditor should review:
• Personnel procedures and responsibilities, including systems and cross-functional training.
• Change management processes are in place and followed by IT and management personnel.
• Appropriate backup procedures are in place to minimize downtime and prevent loss of
important data.
• The data center has adequate physical security controls to prevent unauthorized access to
the data center.
• Adequate environmental controls are in place to ensure equipment is protected from fire
and flooding.

1.1.7 PERFORMING THE REVIEW

The next step is collecting evidence to satisfy the data center audit objectives. This involves
traveling to the data center location and observing the processes and procedures performed within
the data center. The following review procedures should be conducted to satisfy the pre-determined
audit objectives:
• Data center personnel – All data center personnel should be authorized to access the data
center (key cards, login IDs, secure passwords, etc.). Data center employees should be
adequately educated about data center equipment and properly perform their jobs. Vendor
service personnel should be supervised when doing work on data center equipment. The
auditor should observe and interview data center employees to satisfy these objectives.
• Equipment – The auditor should verify that all data center equipment is working properly
and effectively. Equipment utilization reports, equipment inspection for damage and
functionality, system downtime records and equipment performance measurements all help
the auditor determine the state of data center equipment. Additionally, the auditor should
interview employees to determine if preventive maintenance policies are in place and
performed.
• Policies and Procedures – All data center policies and procedures should be documented
and located at the data center. Important documented procedures include: data center
personnel job responsibilities, backup policies, security policies, employee termination
policies, system operating procedures and an overview of operating systems.
• Physical security / environmental controls – The auditor should assess the security of the
client's data center. Physical security includes security guards, locked cages, man traps,
single entrances, bolted-down equipment, and computer monitoring systems. Additionally,
environmental controls should be in place to protect data center equipment. These include
air conditioning units, raised floors, humidity control and uninterruptible power supplies.
• Backup procedures – The auditor should verify that the client has backup procedures in
place in case of system failure. Clients may maintain a backup data center at a separate
location that allows them to continue operations without interruption in the event of a
system failure.

Issuing the review report

The data center review report should summarize the auditor‘s findings and be similar in format to a
standard review report. The review report should be dated as of the completion of the auditor's
inquiry and procedures. It should state what the review entailed and explain that a review provides
only "limited assurance" to third parties.
1.1.8 NETWORK VULNERABILITIES

• Interception: Data that is being transmitted over the network is vulnerable to being
intercepted by an unintended third party who could put the data to harmful use.
• Availability: Networks have become wide-spanning, crossing hundreds or thousands of
miles, and many rely on them to access company information; lost connectivity could
cause business interruption.
• Access/entry point: Networks are vulnerable to unwanted access. A weak point in the
network can make its information available to intruders. It can also provide an entry point
for viruses and Trojan horses.

1.1.9 CONTROLS

• Interception controls: Interception can be partially deterred by physical access controls at
data centers and offices, including where communication links terminate and where the
network wiring and distribution are located. Encryption also helps to secure wireless
networks.
• Availability controls: The best control for this is to have excellent network architecture and
monitoring. The network should have redundant paths between every resource and an
access point, and automatic routing to switch the traffic to the available path without loss of
data or time.
• Access/entry point controls: Most network controls are put at the point where the network
connects with external networks. These controls limit the traffic that passes through the
network and can include firewalls, intrusion detection systems, and antivirus software.

The auditor should ask certain questions to better understand the network and its vulnerabilities.
The auditor should first assess what the extent of the network is and how it is structured. A network
diagram can assist the auditor in this process. The next question an auditor should ask is what
critical information this network must protect. Things such as enterprise systems, mail servers, web
servers, and host applications accessed by customers are typically areas of focus. It is also
important to know who has access and to what parts. Do customers and vendors have access to
systems on the network? Can employees access information from home? Lastly the auditor should
assess how the network is connected to external networks and how it is protected. Most networks
are at least connected to the internet, which could be a point of vulnerability. These are critical
questions in protecting networks.

1.1.10 ENCRYPTION AND IT AUDIT

In assessing whether a client needs to implement encryption policies, the auditor should analyse
the client's risk and the value of its data. Companies with multiple external users, e-commerce
applications, and sensitive customer or employee information should maintain rigorous encryption
policies aimed at encrypting the correct data at the appropriate stage in the data collection process.
Auditors should continually evaluate their client's encryption policies and procedures. Companies
that are heavily reliant on e-commerce systems and wireless networks are particularly vulnerable
to the theft and loss of critical information in transmission. Policies and procedures should be
documented and carried out to ensure that all transmitted data is protected. Companies can base
their policies on the Control Objectives for Information and related Technology (COBIT)
guidelines established by the IT Governance Institute (ITGI) and the Information Systems Audit
and Control Association (ISACA). The IT auditor should be adequately informed about the
COBIT guidelines.
The auditor should verify that management has controls in place over the key management
process. Access to keys should require dual control: a key should be split into two separate
components held by different custodians, so that no single person can reconstruct it, and key
material should be kept on a system that is not accessible to programmers or outside users.
Furthermore, management should attest that the encryption policies protect data at the desired level
and verify that the cost of encrypting the data does not exceed the value of the information itself.
All data that is required to be retained for an extended period should be encrypted and transported
to a remote location, and procedures should be in place to confirm that all encrypted sensitive
information arrives at that location and is stored properly. Finally, the auditor should obtain
verification from management that the encryption system uses strong, current algorithms and key
lengths with no known practical attacks (no system can honestly be attested as unattackable) and
that it complies with all local and international laws and regulations.
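As an added example (not part of the original module), the following Python script shows the dual-control key custody practice described above: a 256-bit key is split into two XOR components held by different custodians, neither component alone reveals anything about the key, and a short key check value lets an auditor confirm that the reassembled key is the right one without exposing it. The key check value computation (HMAC-SHA256 over a constant, truncated) is an assumption made so that the script runs with the standard library only; production systems usually derive it by encrypting a zero block with the key.

```python
"""Dual-control key custody: split a symmetric key into two XOR components.

Added example, not code from the original module. Assumes a 256-bit
symmetric key. The key check value (KCV) is computed as an HMAC-SHA256 over
a constant, an assumption chosen so this runs with the standard library only.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes, a 256-bit symmetric key


def split_key(key: bytes) -> tuple:
    """Split key into two components for two custodians.

    Component A is fresh random bytes and component B = key XOR A, so each
    component on its own is uniformly random and reveals nothing about key.
    """
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    comp_a = secrets.token_bytes(KEY_LEN)
    comp_b = bytes(k ^ a for k, a in zip(key, comp_a))
    return comp_a, comp_b


def combine_components(comp_a: bytes, comp_b: bytes) -> bytes:
    """Reassemble the key; requires both custodians to present their parts."""
    if len(comp_a) != KEY_LEN or len(comp_b) != KEY_LEN:
        raise ValueError("component length mismatch")
    return bytes(a ^ b for a, b in zip(comp_a, comp_b))


def key_check_value(key: bytes) -> str:
    """Short fingerprint recorded at key creation and checked at every load.

    Assumption: HMAC-SHA256 of a constant, truncated to 6 hex digits, in place
    of the usual encrypt-a-zero-block KCV.
    """
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


def loading_ceremony(key: bytes) -> dict:
    """Simulate creation, custody and later reload of a key under dual control."""
    recorded_kcv = key_check_value(key)          # written in the key log
    comp_a, comp_b = split_key(key)              # handed to custodian A and B

    # Later: both custodians present their components and the KCV is compared.
    rebuilt = combine_components(comp_a, comp_b)

    # A corrupted or substituted component must be caught by the KCV check.
    tampered_b = comp_b[:-1] + bytes([comp_b[-1] ^ 0x01])
    tampered = combine_components(comp_a, tampered_b)

    return {
        "rebuilt_equals_key": rebuilt == key,
        "kcv_matches": hmac.compare_digest(key_check_value(rebuilt), recorded_kcv),
        "tampered_kcv_matches": hmac.compare_digest(key_check_value(tampered), recorded_kcv),
        "component_a_reveals_key": comp_a == key,
        "component_b_reveals_key": comp_b == key,
    }


if __name__ == "__main__":
    master_key = secrets.token_bytes(KEY_LEN)
    for check, result in loading_ceremony(master_key).items():
        print(f"{check}: {result}")
```

The auditor's evidence here is the key log entry (KCV, date, names of both custodians) and the observation that neither custodian's component is ever stored next to the other's.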

1.1.11 LOGICAL SECURITY AUDIT

The first step in an audit of any system is to understand its components and its structure.
When auditing logical security the auditor should investigate what security controls are in place
and how they work. In particular, the following areas are key points in auditing logical security:
• Passwords: Every company should have written policies regarding passwords and employees'
use of them. Passwords should not be shared, and changes should be mandatory on a schedule.
Employees should have user rights in line with their job functions, and should be aware of
proper log-on and log-off procedures. Security tokens also help: these are small devices that
authorized users of computer programs or networks carry to assist in identity confirmation,
and they can also store cryptographic keys and biometric data. The most popular type of
security token (RSA's SecurID) displays a number which changes every minute; users are
authenticated by entering a personal identification number together with the number on the
token.
• Termination Procedures: Proper termination procedures ensure that former employees can no
longer access the network. Their accounts should be disabled and any passwords or codes they
knew should be changed. All ID cards and badges in circulation should be documented and
accounted for.
• Special User Accounts: Special user accounts and other privileged accounts should be
monitored and have proper controls in place.
• Remote Access: Remote access is often the point where intruders enter a system. The logical
security controls applied to remote access should be very strict, and all remote access should
be logged.
1.1.12 SPECIFIC TOOLS USED IN NETWORK SECURITY


Network security is achieved by various tools including firewalls and proxy servers, encryption,
logical security and access controls, anti-virus software, and auditing systems such as log
management.
Firewalls are a very basic part of network security. They are often placed between the private local
network and the internet. Firewalls provide a flow through for traffic in which it can be
authenticated, monitored, logged, and reported. Some different types of firewalls include: network
layer firewalls, screened subnet firewalls, packet filter firewalls, dynamic packet filtering firewalls,
hybrid firewalls, transparent firewalls, and application-level firewalls.

The process of encryption converts plain text into a series of unreadable characters known as the
ciphertext. If the encrypted text is stolen or captured while in transit, the content is unreadable to
the viewer. This protects the confidentiality of the data in transmission (integrity and authenticity
need separate controls such as message authentication codes or digital signatures) and is extremely
useful to companies sending or receiving critical information. Once encrypted information arrives
at its intended recipient, the decryption process restores the ciphertext to plaintext.
Proxy servers hide the true address of the client workstation and can also act as a firewall. Proxy
server firewalls have special software to enforce authentication. Proxy server firewalls act as a
middle man for user requests.

Antivirus software programs such as McAfee and Symantec software locate and dispose of
malicious content. These virus protection programs run live updates to ensure they have the latest
information about known computer viruses.

Logical security includes software safeguards for an organization‘s systems, including user ID and
password access, authentication, access rights and authority levels. These measures are to ensure
that only authorized users are able to perform actions or access information in a network or a
workstation.

Auditing systems track and record what happens over an organization's network. Log management
solutions are often used to centrally collect audit trails from heterogeneous systems for analysis
and forensics. Log management is excellent for tracking and identifying unauthorized users who
might be trying to access the network, what authorized users have been accessing in the network,
and changes to user authorities. Software that records and indexes user activities within Windows
sessions, such as ObserveIT, provides a comprehensive audit trail of user activity when users
connect remotely through terminal services, Citrix and other remote access software.
According to a 2006 survey of 3243 Nmap users by Insecure.Org, Nessus, Wireshark and Snort
were among the top-rated network security tools. According to the same survey, the BackTrack
Live CD was the top-rated information security auditing and penetration testing distribution.
Nessus is a remote security scanner that at the time performed over 1200 security checks for
Linux, BSD and Solaris; Wireshark analyzes network protocols on Unix and Windows; and Snort
is an intrusion detection system that also supports Microsoft Windows. Wireshark and Snort are
free and open source; Nessus became a commercial product in 2005, although a limited free
edition remains available. Some other popular products for network security include OmniGuard,
Guardian and LANGuard. OmniGuard is a firewall, as is Guardian, which also provides virus
protection. LANGuard provides network auditing, intrusion detection and network management.
For log management, solutions from vendors such as SenSage and others are the choice for
government agencies and highly regulated industries.
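As an added example (not part of the original module or of any vendor's product), the following Python script shows the kind of analysis a log management tool performs over collected audit trails, and at the same time the check behind item XI of the audit sequence in 1.1.4 (accounts disabled after repeated unsuccessful sign-on attempts). It runs over a handful of constructed OpenSSH-style syslog lines: several failures from one source within a sliding window flag a password-guessing attempt, consecutive failures against one account reach the lockout threshold, and a later successful login from a flagged source or for a locked account is reported, because it means the lockout was not actually enforced. The year (syslog timestamps omit it), the 60-second window and the threshold of five failures are assumptions an auditor would take from the client's password policy.

```python
"""Password-guessing detection over constructed auth-log lines.

Added example, not code from the original module. The log lines are
constructed in OpenSSH/syslog style. ASSUMED_YEAR, WINDOW_SECONDS and
LOCKOUT_THRESHOLD are assumptions standing in for the client's policy.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:01:02 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 gw sshd[2212]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:07 gw sshd[2213]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:09 gw sshd[2214]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:12 gw sshd[2215]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:01:15 gw sshd[2216]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:40 gw sshd[2217]: Accepted password for root from 203.0.113.7 port 51246 ssh2
Mar  3 10:15:00 gw sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:15:30 gw sshd[2301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:16:00 gw sshd[2302]: Received disconnect from 198.51.100.4 port 40002:11: disconnected by user
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2016        # syslog lines carry no year
WINDOW_SECONDS = 60        # sliding window for counting failures per source
LOCKOUT_THRESHOLD = 5      # failures that should disable the account


def parse_line(line: str):
    """Return a dict for password-auth events, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def analyze(log_text: str) -> dict:
    """Apply the window and lockout rules to every auth event in log_text."""
    recent_failures = defaultdict(deque)   # source -> failure timestamps in window
    consecutive = defaultdict(int)         # account -> consecutive failures
    flagged_sources = set()
    locked_accounts = set()
    suspicious_success = []                # logins a working lockout would have blocked

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["src"] in flagged_sources or ev["user"] in locked_accounts:
                suspicious_success.append((ev["user"], ev["src"]))
            consecutive[ev["user"]] = 0
            continue

        window = recent_failures[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= LOCKOUT_THRESHOLD:
            flagged_sources.add(ev["src"])

        consecutive[ev["user"]] += 1
        if consecutive[ev["user"]] >= LOCKOUT_THRESHOLD:
            locked_accounts.add(ev["user"])

    return {
        "flagged_sources": flagged_sources,
        "locked_accounts": locked_accounts,
        "suspicious_success": suspicious_success,
    }


if __name__ == "__main__":
    for finding, value in analyze(SAMPLE_LOG).items():
        print(f"{finding}: {value}")
```

On the constructed sample the source 203.0.113.7 is flagged, the root account reaches the lockout threshold, and the subsequent accepted root login from that source is the finding an auditor would take to management: the policy says the account should have been disabled, and the log shows it was not.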

1.1.13 APPLICATION SECURITY

Application Security centers around three main functions:

• Programming
• Processing
• Access

When it comes to programming it is important to ensure proper physical and password protection
exists around servers and mainframes for the development and update of key systems. Having
physical access security at your data center or office such as electronic badges and badge readers,
security guards, choke points, and security cameras is vitally important to ensuring the security of
your applications and data. Then you need to have security around changes to the system. Those
usually have to do with proper security access to make the changes and having proper authorization
procedures in place for pulling through programming changes from development through test and
finally into production.
With processing, it is important that procedures and monitoring are in place for a few different
aspects: the input of falsified or erroneous data, incomplete processing, duplicate transactions and
untimely processing. Making sure that input is randomly reviewed, or that all processing has
proper approval, is one way to ensure this. It is important to be able to identify incomplete
processing and to have proper procedures for either completing it or deleting it from the system if
it was entered in error. There should also be procedures to identify and correct duplicate entries.
Finally, when processing is not being done on a timely basis, you should back-track the associated
data to see where the delay is coming from and identify whether or not the delay creates any
control concerns.
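As an added example (not part of the original module), the following Python script applies the processing controls just described to a small constructed batch of payment transactions: it flags duplicate entries (same payee, amount and reference), incomplete items that never reached a posted state, items processed outside a timeliness limit, posted items with no recorded approval, and erroneous values. The field names, the 24-hour timeliness limit, the duplicate rule and the treatment of non-positive amounts are assumptions an auditor would replace with the client's own procedures.

```python
"""Processing controls over a transaction batch.

Added example, not code from the original module. BATCH is constructed;
the field names, TIMELINESS_LIMIT and the duplicate rule (same payee,
amount and reference) are assumptions standing in for the client's rules.
"""
from datetime import datetime, timedelta

TIMELINESS_LIMIT = timedelta(hours=24)

BATCH = [
    {"id": "T1001", "payee": "ACME Ltd", "amount": 1250.00, "ref": "INV-88", "status": "posted",
     "entered": "2016-03-01 09:00", "processed": "2016-03-01 11:30", "approved_by": "jsmith"},
    {"id": "T1002", "payee": "ACME Ltd", "amount": 1250.00, "ref": "INV-88", "status": "posted",
     "entered": "2016-03-01 09:05", "processed": "2016-03-01 11:31", "approved_by": "jsmith"},
    {"id": "T1003", "payee": "Globex", "amount": 980.50, "ref": "INV-12", "status": "pending",
     "entered": "2016-03-01 10:00", "processed": None, "approved_by": None},
    {"id": "T1004", "payee": "Initech", "amount": 40.00, "ref": "EXP-7", "status": "posted",
     "entered": "2016-03-01 10:10", "processed": "2016-03-03 16:00", "approved_by": "mlee"},
    {"id": "T1005", "payee": "Globex", "amount": -5.00, "ref": "CN-3", "status": "posted",
     "entered": "2016-03-02 08:00", "processed": "2016-03-02 09:00", "approved_by": None},
]


def _when(value):
    """Parse the batch's timestamp strings; None stays None (not yet processed)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M") if value else None


def review_batch(batch) -> dict:
    """Return transaction ids grouped by the control they breach."""
    findings = {"duplicates": [], "incomplete": [], "untimely": [], "unapproved": [], "erroneous": []}
    first_seen = {}   # (payee, amount, ref) -> id of the first transaction with that key

    for tx in batch:
        # Duplicate detection: a second item with the same payee, amount and reference.
        key = (tx["payee"], tx["amount"], tx["ref"])
        if key in first_seen:
            findings["duplicates"].append((first_seen[key], tx["id"]))
        else:
            first_seen[key] = tx["id"]

        # Completeness and timeliness: unposted or unprocessed items are incomplete;
        # posted items are untimely if processing took longer than the limit.
        entered, processed = _when(tx["entered"]), _when(tx["processed"])
        if tx["status"] != "posted" or processed is None:
            findings["incomplete"].append(tx["id"])
        elif processed - entered > TIMELINESS_LIMIT:
            findings["untimely"].append(tx["id"])

        # Approval control: nothing should post without a recorded approver.
        if tx["status"] == "posted" and not tx["approved_by"]:
            findings["unapproved"].append(tx["id"])

        # Erroneous input (assumption: a payment batch holds positive amounts only;
        # credit notes would be processed in their own batch).
        if tx["amount"] <= 0:
            findings["erroneous"].append(tx["id"])

    return findings


if __name__ == "__main__":
    for control, ids in review_batch(BATCH).items():
        print(f"{control}: {ids}")
```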
Finally, access: maintaining security against unauthorized access is one of the major focuses for
companies, because threats come from several sources. First there is internal unauthorized access.
It is very important to have system access passwords that must be changed regularly and to have a
way to track access and changes so that you can identify who made what change; all activity
should be logged. The second area of concern is remote access, that is, people reaching your
system from outside through the internet. Firewalls and password protection on online data
changes are key to protecting against unauthorized remote access. One way to identify weaknesses
in access controls is to engage a penetration tester to try to break into your system, either by
gaining entry to the building and using an internal terminal or by attacking from outside through
remote access.

1.1.14 SEGREGATION OF DUTIES


When you have a function that deals with money, either incoming or outgoing, it is very important
to make sure that duties are segregated to minimize and hopefully prevent fraud. One of the key
ways to ensure proper segregation of duties (SoD) from a systems perspective is to review
individuals' access authorizations. Certain systems such as SAP claim to come with the capability
to perform SoD tests, but the functionality provided is elementary: it requires very time-consuming
queries to be built, is limited to the transaction level, and makes little or no use of the object or
field values assigned to the user through the transaction, which often produces misleading results.
For complex systems such as SAP it is therefore often preferable to use tools developed
specifically to assess and analyze SoD conflicts and other types of system activity. For other
systems, or across multiple system formats, you should monitor which users have super user
access, since that gives them unlimited access to all aspects of the system. Developing a matrix of
all functions, highlighting the points where proper segregation of duties has been breached, will
help identify potential material weaknesses by cross-checking each employee's available accesses.
This is as important, if not more so, in the development function as it is in production. Ensuring
that the people who develop programs are not the ones authorized to move them into production is
key to preventing unauthorized programs from reaching the production environment, where they
could be used to perpetrate fraud.
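As an added example (not part of the original module or of any SoD product), the following Python script builds the kind of conflict matrix the paragraph describes and cross-checks each user's effective access against it. The function names, the conflict pairs, the roles and the user assignments are all constructed; a real review would take the matrix from the client's control documentation and the assignments from an export of the access-control system. Super users are reported separately because a wildcard grant holds every conflicting pair at once, and the developer-to-production conflict is an ordinary entry in the matrix.

```python
"""Segregation-of-duties review against a conflict matrix.

Added example, not code from the original module. Function names, conflict
pairs, roles and user assignments are constructed; "*" marks super-user
access that implies every function.
"""
from itertools import combinations

# Pairs of functions that one person must not hold together.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "reconcile_bank"}),
    frozenset({"develop_code", "promote_to_production"}),
}
ALL_FUNCTIONS = set().union(*CONFLICTS)

# Roles bundle functions; users hold roles plus occasional direct grants.
ROLES = {
    "ap_clerk": {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "treasury": {"reconcile_bank"},
    "developer": {"develop_code"},
    "release_manager": {"promote_to_production"},
    "superuser": {"*"},
}

USERS = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob": {"roles": {"ap_clerk", "ap_manager"}, "direct": set()},
    "carol": {"roles": {"developer"}, "direct": {"promote_to_production"}},
    "dave": {"roles": {"superuser"}, "direct": set()},
    "erin": {"roles": {"treasury"}, "direct": set()},
}


def granted_functions(user: dict) -> set:
    """Union of everything the user's roles and direct grants confer, "*" included."""
    funcs = set(user["direct"])
    for role in user["roles"]:
        funcs |= ROLES.get(role, set())
    return funcs


def effective_functions(user: dict) -> set:
    """Expand a "*" grant into every function in the matrix."""
    funcs = granted_functions(user)
    if "*" in funcs:
        return ALL_FUNCTIONS | (funcs - {"*"})
    return funcs


def sod_conflicts(users: dict = USERS) -> dict:
    """Map each breaching user to the sorted list of conflicting pairs they hold."""
    report = {}
    for name, user in users.items():
        funcs = sorted(effective_functions(user))
        hits = [pair for pair in combinations(funcs, 2) if frozenset(pair) in CONFLICTS]
        if hits:
            report[name] = hits
    return report


def super_users(users: dict = USERS) -> list:
    """Users whose access must be reviewed regardless of the matrix."""
    return sorted(name for name, user in users.items() if "*" in granted_functions(user))


if __name__ == "__main__":
    for name, pairs in sod_conflicts().items():
        print(f"{name}: {pairs}")
    print("super users:", super_users())
```

On the constructed data, bob (clerk and approver) and carol (developer with a direct grant to promote code) are the breaches the matrix surfaces, and dave's super-user role is reported on its own even though he holds no explicit role conflict.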

CASE STUDY
A Security Audit program was conducted by ATL Security Group for a client of ATL (the name of
the client is kept confidential). Let us study the areas this program concentrated on to understand
Security Auditing more clearly.
This Security Audit program contains over 400 unique tasks divided into 11 areas of audit focus,
which are then divided into 38 separate task groupings. The audit program is one that either an
external or an internal auditor can use to validate the compliance of the Information Technology
function and the enterprise with the ISO 27000 series (ISO 27001 and ISO 27002), Sarbanes-Oxley,
HIPAA and PCI-DSS.



The 11 areas of audit focus and objectives are:
 Corporate Security Management
 Systems Development and Maintenance
 Information Access Control Management
 Compliance Management
 Human Resource Security Management
 Information Security Incident Management
 Communications and Operations Management
 Organizational Asset Management
 Physical and Environmental Security Management
 Security Policy Management
 Disaster Recovery Plan and Business Continuity

Included with this program were Microsoft (2003 and 2007 format) Excel workbooks and an
indexed PDF document that contain the following:
 Sample Audit Program Graphic - This is a copy of the Audit Program Graphic with links
changed to point to the Sample Audit Program, plus a chart that has been added to show the
positive and negative points of the audit (see chart below).

Figure: Security audit summary results

 Read me - General instructions on the use of the Excel worksheets


 Audit Program Summary - Lists the 11 areas of audit focus and the 38 task groupings
that are included within the audit. The point summary on this work sheet is calculated
automatically by Excel.
 Audit Program Detail - Lists over 400 detail tasks that need to be completed in the audit
and the relative point value of each task. The only thing that the user needs to do is check
yes or no on each item and re-assign a relative point value for each task.
 Audit Program Graphic - Lists the 11 areas of audit focus and a bar graph which shows
the weights that are assigned to each area. The point summary on this work sheet is
calculated automatically by Excel and the graph is automatically updated.



 Sample Audit Program - This is a copy of the Audit Program Detail with data entered into
the individual tasks.
 Sample Audit Program Summary - This is a copy of the Audit Program Summary with
the links changed to point to the Sample Audit Program.

SUMMARY
Auditing is a privileged function and should be controlled by management. It is also important that
management support this function and that it be aware of the results on an ongoing basis. The
auditing process includes the creation of audit files by the system. When the network administrator
enables auditing, AUDITCON automatically creates files to record the audited events and the
auditor's actions.
AUDITCON creates separate files for each container and volume in which auditing is enabled. At
the NDS level, the data is stored in the Audit Data files. At the volume level, the data is stored in
the Audit Data records of the Audit History file. The auditor maintains the audit files and uses the
data collected in the files to create reports.
The audit spotlight now shines on IT. After years of regulation and embarrassing data breaches, the
highest levels of management now comfortably discuss IT controls and audit results. However,
their quality expectations are rising. Where IT once performed audits annually, many now support
quarterly, monthly, and ad hoc exercises. Each audit expands the scope of the technologies
assessed, measured, and proven compliant. Broader scope means more complexity and more work.
With the Security Audit Program you can increase timeliness and accuracy of audit data while
reducing IT audit effort, disruption, and cost.

EXERCISE

Q 1. We have recent off-site backups and current anti-virus on all desktops and servers. Off-site
tape backups and anti-virus updates protect you from accidentally deleted files or virus infected
systems. Network assessments ensure protection of information assets.
a) Yes
b) No

Q 2. We have had an external firewall penetration assessment within the past 12 months. Networks
are attacked on a daily basis. External penetration assessments review your firewalls, your first
line of defense against hackers and other external threats.
a) Yes
b) No
Q 3. Our security policies have been audited by an independent organization. Experts recommend
you have your policies and procedures audited by an outside organization. Don't have all your
policies documented? Altius IT offers Policy templates.
a) Yes
b) No

Q 4. Our web site interfaces with customers and has been audited to ensure security. Web
applications are the most vulnerable element of an organization's IT infrastructure. Web
application and database assessments identify your web site vulnerabilities.
a) Yes
b) No

Q 5. We encrypt our confidential documents and E-mail messages. Encryption prevents third parties
from opening confidential documents or incorrectly addressed E-mail. Security consulting helps
identify your user-related risks.
a) Yes
b) No

Answers: 1) a, 2) a, 3) a, 4) a, 5) a



UNIT 2
LEAD AUDITOR


2.1 INTRODUCTION
What is information security?
We all store valuable information, either in our memories, in paper documents or, in the world of
IT, on computers and other digital storage devices. Every information user is a node where the
information can leak out. Thus Information Security is essentially a process for securing the
information of any user. For example, if your house has a number lock, you would always store
the password of the lock either in your mind, on a piece of paper or perhaps on your cell phone.
All of these are possible points where this password could leak out. Someone pretending to be a
friend may extract this information (the password) from your head using certain tactics, which is
commonly termed social engineering in the world of hacking. Or someone may steal the piece of
paper where you have written the password, or someone may send an SMS or a stored password as
a business card. Securing this information is nothing but an example of information security. For
example, you may take precautions by trying not to tell your password to friends, or may write the
password in a coded form on paper (an age-old technique for storing valuable information).

Figure: CIA of Information Security



Information Security is about avoiding unauthorized access to data and information. Suitable
protection can be defined in terms of preservation of critical information, for which the
characteristics are:
Confidentiality: Ensuring that information is accessible only to those authorized to have access.
Integrity: Safeguarding the accuracy and completeness of information and processing methods.
Availability: Ensuring that authorized users have access to information and associated assets when
required.
Together these are known as the CIA triad. The critical features can be extended to include:

 Utility
 Authenticity
 Possession

It includes the following in the world of IT:


 Data Security
 Computer Security
 LAN or Network Security
 Internet Security
All the above mentioned terms are subsets of Information Security and are covered under it. Also,
any definition of Information Security is irrelevant before understanding hacking, because it is
hackers you are protecting your information from. Hacking is defined as unauthorized use of, or
attempts to circumvent or bypass, the security mechanisms of an Information System such as a
computer, server or network. In this book we will discuss various hacking attempts and solutions
to prevent them. Always remember that Information Security is useless to understand if you don't
know whom you are protecting your information from.
The last few years have seen board corporate governance requirements increasingly more defined
and specific. As information technology has become pervasive, underpinning and supporting
almost every aspect of the organization, manipulating and storing the information on which the
organization depends for its survival, so the role of IT in corporate governance has become more
clearly defined and IT governance is increasingly recognized as a specific area for board and
corporate attention. A fundamental aspect of IT governance is the protection of the information –
its availability, confidentiality and integrity – on which everything else depends. In parallel,
international standards related to information security have emerged and have become one of the
cornerstones of an effective IT governance framework. Now we will go into some details about the
International Standards.
“Security doesn't mean locking everything, since availability of data at the right time is as
important as securing the data.”

2.2 HISTORY OF ISO 27001


ISO 27001 is the first of a planned series of standards covering information security. It was
published by the International Organization for Standardization (ISO) on 15 October 2005,
essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information
Security Management System. BS7799 itself was a long-standing standard, first published in the
nineties as a code of practice. As this matured, a second part emerged to cover management
systems; it is this part against which certification is granted. Today in excess of a thousand
certificates are in place across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme
has been introduced by various certification bodies for conversion from BS7799 certification to
ISO 27001 certification. Essentially, ISO/IEC 27001 defines an Information Security Management
System (ISMS) and complements the ISO/IEC 17799 'code of practice' standard, itself first
published as BS 7799-1.
A UNIFIED SET OF CONTROLS

ISO 27001 and ISO 27002 naturally map and align with other standards and compliance
frameworks. For organizations dealing with Sarbanes-Oxley, IT general controls, and SAS 70s,
ISO 27001 naturally maps into the security- and risk-related portions of the Control Objectives for
Information and related Technology (COBIT) framework. For other compliance requirements such
as GLBA, HIPAA, and PCI, ISO 27001 provides a superset of controls that covers and
encompasses all of the security and risk-related controls.
When implementing a single ISMS with the intent of covering multiple compliance requirements, an
organization first identifies the scope of the compliance requirements as they pertain to its assets,
business operations, facilities, and IT processes. This drives the development of the necessary
process flows. The process flows can then be aggregated into a single set, or union, of processes
that fall under all of the compliance requirements. The organization also must identify the mappings
between the various compliance requirements and the ISO 27001 controls. These mappings should
include the specific control requirements for each compliance initiative, which helps ensure that all
requirements are addressed.

2.3 INFORMATION SECURITY MANAGEMENT SYSTEM


I. ISMS
Information is a fundamental asset to the business. Security (that is confidentiality, integrity and
availability) of information is therefore critically important to us. We have invested in information
security technologies such as antivirus software and firewalls to protect our information assets.
However, we are left with significant information security risks as a result of the accidental or
deliberate actions and inactions of our people.

An Information Security Management System (ISMS) is a controlled approach to managing
sensitive company information so that it remains secure. It encompasses people, processes, and
Information Management Security Systems. It includes all of the policies, procedures, plans,
processes, practices, roles, responsibilities, resources, and structures that are used to
protect and preserve information. It includes all of the elements that organizations use to manage
and control their information security risks. An ISMS is part of a larger management system.

 a systematic approach to the organization's information security
 establishes a framework to manage and harmonize information security practices
 designed to ensure adequate and appropriate security controls that protect
information assets
 ensures continual improvement of the organization's information security by exploiting a
process approach
 protects the confidentiality, integrity and availability of information while it is being
processed, transmitted and stored; to do so we shall consider policy, education and technology

Figure: We ignore the human aspects of information security at our peril


II. ISMS IMPLEMENTATION
The process approach for information security management presented in this International Standard
encourages its users to emphasize the importance of:
 Understanding an organization's information security requirements and the need to
establish policy and objectives for information security
 Implementing and operating controls to manage an organization's information security
risks in the context of the organization's overall business risks
 Monitoring and reviewing the performance and effectiveness of the ISMS; and
 Continual improvement based on objective measurement.

PDCA MODEL

This International Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to
structure all ISMS processes. Figure 1 illustrates how an ISMS takes as input the information
security requirements and expectations of the interested parties and, through the necessary actions
and processes, produces information security outcomes that meet those requirements and
expectations. The adoption of the PDCA model will also reflect the principles set out in the
OECD Guidelines (2002) governing the security of information systems and networks. This
International Standard provides a robust model for implementing the principles in those guidelines
governing risk assessment, security design and implementation, security management and
reassessment. The main point of ISO/IEC 27001 is the continual improvement of the processes
that produce these effects by applying the PDCA model.

Figure: PDCA cycle


STEP 1 - PLAN: ESTABLISH THE ISMS
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and
improving information security to deliver results in accordance with an organization's overall
policies and objectives.
 STUDY GENERAL ISMS REQUIREMENTS
 Define your organization's ISMS.
 Implement your organization's ISMS.
 Operate your organization's ISMS.
 Monitor your organization's ISMS.
 Review your organization's ISMS.
 Maintain your organization's ISMS.
 Improve your organization's ISMS.
 Document your organization's ISMS.

 DEFINE AND PLAN YOUR ISMS
 Define the scope and boundaries of your ISMS.
 Define your organization's ISMS policy.
 Define your approach to risk assessment.
 Identify your organization's security risks.
 Analyze and evaluate your organization's security risks.
 Identify and evaluate risk treatment options and actions.
 Select control objectives and controls to treat risks.
 Make sure that management formally approves all residual risks (those that are left over
after you've implemented your risk treatment decisions).
 Get authorization from management before you implement and operate your
organization's ISMS.
 Prepare a Statement of Applicability that lists your organization's specific control
objectives and controls.
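The Plan-step outputs listed above (risk assessment, risk treatment, residual-risk approval and the Statement of Applicability) together with the compliance mapping described in section 2.2, as an added Python example that is not part of the original module: a constructed risk register and constructed compliance-to-control mappings are turned into a Statement of Applicability, and residual risks accepted above the acceptable level without management sign-off are flagged. The control numbers are Annex A identifiers used later on this page; the compliance requirement labels, risk entries and threshold are constructed placeholders.

```python
"""Risk treatment, compliance mapping and Statement of Applicability (SoA).

Added example; the control subset, compliance requirement labels, risk register
and acceptable-risk threshold below are constructed for illustration.
"""

# Subset of the ISO 27001 Annex A controls listed later in this module.
CONTROLS = {
    "A.5.1.1": "Information security policy document",
    "A.5.1.2": "Review of the information security policy",
    "A.6.1.5": "Confidentiality agreements",
    "A.6.2.3": "Addressing security in third party agreements",
    "A.7.1.1": "Inventory of assets",
    "A.7.2.1": "Classification guidelines",
}

# Constructed mappings: framework -> requirement label -> ISO 27001 controls.
# The labels are illustrative placeholders, not clause numbers of those regulations.
COMPLIANCE = {
    "SOX":   {"vendor-contract-controls": ["A.6.2.3"], "policy-approval": ["A.5.1.1"]},
    "HIPAA": {"business-associate-agreements": ["A.6.2.3", "A.6.1.5"],
              "phi-classification": ["A.7.2.1"]},
    "PCI":   {"cardholder-asset-inventory": ["A.7.1.1"], "quarterly-scanning": []},
}

ACCEPTABLE_RISK = 6  # constructed acceptable level on likelihood x impact (1..5 each)

# Constructed risk register. treatment is one of mitigate / accept / transfer / avoid.
RISKS = {
    "R1": dict(desc="Unmanaged third-party access", likelihood=4, impact=4,
               treatment="mitigate", controls=["A.6.2.3", "A.6.1.5"]),
    "R2": dict(desc="Assets missing from inventory and patch scope", likelihood=3,
               impact=3, treatment="mitigate", controls=["A.7.1.1"]),
    "R3": dict(desc="Policy out of date after reorganisation", likelihood=2, impact=2,
               treatment="accept", controls=[]),
    "R4": dict(desc="Sensitive data not classified", likelihood=3, impact=4,
               treatment="accept", controls=[]),
}
MANAGEMENT_APPROVED = {"R3"}  # residual risks formally signed off by management


def risk_score(risk):
    return risk["likelihood"] * risk["impact"]


def required_controls_union(compliance):
    """Union of the controls every compliance requirement maps to."""
    return sorted({c for reqs in compliance.values() for cs in reqs.values() for c in cs})


def unmapped_requirements(compliance):
    """Requirements no ISO control is mapped to: a coverage gap to resolve."""
    return sorted(f"{fw}:{req}" for fw, reqs in compliance.items()
                  for req, cs in reqs.items() if not cs)


def unapproved_residual_risks(risks, approved, threshold):
    """Risks left above the acceptable level without formal management approval."""
    return sorted(rid for rid, r in risks.items()
                  if r["treatment"] == "accept" and risk_score(r) > threshold
                  and rid not in approved)


def build_soa(controls, risks, compliance):
    """Statement of Applicability: each control, whether it applies, and why."""
    soa = {}
    for cid, name in controls.items():
        by_risk = sorted(rid for rid, r in risks.items() if cid in r["controls"])
        by_req = sorted(f"{fw}:{req}" for fw, reqs in compliance.items()
                        for req, cs in reqs.items() if cid in cs)
        soa[cid] = {"name": name, "applicable": bool(by_risk or by_req),
                    "risks": by_risk, "requirements": by_req}
    return soa


def controls_without_risk_basis(soa):
    """Controls selected for compliance only, with no risk in the register behind
    them; an auditor re-validating the risk assessment will ask about these."""
    return sorted(cid for cid, entry in soa.items()
                  if entry["applicable"] and not entry["risks"])


if __name__ == "__main__":
    soa = build_soa(CONTROLS, RISKS, COMPLIANCE)
    for cid, entry in soa.items():
        status = "applicable" if entry["applicable"] else "NOT applicable (justify)"
        print(f"{cid} {entry['name']}: {status}; "
              f"risks={entry['risks']} reqs={entry['requirements']}")
    print("controls required by compliance:", required_controls_union(COMPLIANCE))
    print("requirements with no control mapped:", unmapped_requirements(COMPLIANCE))
    print("accepted above threshold, unapproved:",
          unapproved_residual_risks(RISKS, MANAGEMENT_APPROVED, ACCEPTABLE_RISK))
    print("controls with no risk basis:", controls_without_risk_basis(soa))
```

In the sample, R4 is accepted above the threshold without sign-off while A.7.2.1 is selected only because of a compliance mapping, which is exactly the drift between risk assessment and control selection an auditor re-validates. A.5.1.2 comes out as not applicable because nothing in the sample justifies it; in a real SoA such a line needs an explicit exclusion justification.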
STEP 2 - DO: IMPLEMENT AND OPERATE THE ISMS
Implement and operate the ISMS policy, controls, processes and procedures.
 IMPLEMENT AND OPERATE YOUR ISMS
 Develop a risk treatment plan to manage your organization's information security risks.
 Implement your organization's risk treatment plan.
 Implement your organization's security controls.
 Implement your organization's educational programs.
 Manage and operate your organization's ISMS.
 Manage your organization's ISMS resources.
 Implement your organization's security procedures.

STEP 3 - CHECK: MONITOR AND REVIEW THE ISMS


Assess and, where applicable, measure process performance against ISMS policy, objectives and
practical experience and report the results to management for review.

 MONITOR AND REVIEW YOUR ISMS


 Use procedures and controls to monitor your ISMS.
 Use procedures and controls to review your ISMS.
 Perform regular reviews of your ISMS.
 Verify that your security requirements are being met.
 Review your risk assessments on a regular basis.
 Review your residual risks on a regular basis.
 Review acceptable levels of risk on a regular basis.
 Perform regular internal audits of your ISMS.
 Perform regular management reviews of your ISMS.
 Update your information security plans.
 Maintain a record of ISMS events and actions.

STEP 4 - ACT: MAINTAIN AND IMPROVE THE ISMS


Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the ISMS.



 MAINTAIN AND IMPROVE YOUR ISMS
 Implement your ISMS improvements.
 Take appropriate corrective actions.
 Take appropriate preventive actions.
 Apply the security lessons that you have learned.
 Communicate ISMS changes to all interested parties.
 Make sure that your organization's ISMS changes achieve the intended objectives.

 DEVELOP ISMS DOCUMENTS AND RECORDS


 Establish records that document decisions.
 Document your organization's ISMS.

 CONTROL YOUR ISMS DOCUMENTS


 Protect and control your ISMS documents.
 Establish a procedure to control ISMS documents.
 Establish records for your organization's ISMS.
 Maintain records for your organization's ISMS.

2.4 PURPOSE OF STANDARDS


Evolution of ISO 27001

Figure: Evolution of ISO 27001


“An Information Security Management System is a Management process that integrates people,
process and technology.”



STANDARDS AND INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
Standards make an enormous and positive contribution to most aspects of our lives. Standards
ensure desirable characteristics of products and services such as quality, environmental
friendliness, safety, reliability, efficiency and interchangeability - and at an economical cost.
ISO (International Organization for Standardization) is the world's largest developer and publisher
of International Standards. It is a network of the national standards institutes of 157 countries, one
member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the
system. It is a non-governmental organization that forms a bridge between the public and private
sectors. On the one hand, many of its member institutes are part of the governmental structure of
their countries, or are mandated by their government. On the other hand, other members have their
roots uniquely in the private sector, having been set up by national partnerships of industry
associations.

 ISO 27001, ISO17799 & BS7799 STANDARDS


ISO/IEC 17799 = BS 7799-PART 1
Code of Practice for Information Security Management
 Provides a comprehensive set of security controls
 Based on best information security practices
 It cannot be used for assessment and registration
ISO 27001 = BS 7799-PART 2
Specification for Information Security Management Systems
 Specifies requirements for establishing, implementing, and documenting Information
Security Management Systems (ISMS)
 Specifies requirements for security controls to be implemented
 Can be used for assessment and registration
BS7799
 BS 7799-1:1999 Code of practice for information security management
 BS 7799-2:1999 Specification for information security management systems

ISO17799
 BS ISO/IEC 17799:2000 (BS 7799-1:2000) Information technology - Code of practice for
information security management

WHY DID WE MOVE TO ISO 27001 FROM BS7799?


 Elevation to international standard status
 More organizations are expected to adopt it
 Clarifications and Improvements made by the International Organization for
Standardization
 Definition alignment with other ISO standards (such as ISO/IEC 13335-1:2004 and
ISO/IEC TR 18044:2004)
ISO 27001: OVERVIEW
ISO 27001 is the management system around ISO/IEC 27002:2005 (ISO 27002), which until
recently was commonly known as ISO/IEC 17799:2005. While ISO 27001 is already fairly well
known and accepted outside of the United States, it is slowly gaining awareness and acceptance
within the U.S. Implementing ISO 27001 requires an organization to create an Information Security
Management System (ISMS). Establishing ISMS around its information security program enables
an organization to use a risk-based approach to identifying and satisfying all compliance
requirements, justify the selection and implementation of controls, and provide measurable
evidence that the controls are operating effectively.
The adoption of ISO 27001 as a security control framework offers several benefits for executive
management and the groups and individuals responsible for risk, security, compliance, and audit.
The inherent benefits include:
 A unified set of controls: Organizations can centralize, manage, and satisfy multiple
regulatory and compliance requirements through a single, unified set of controls.
 Simplified production of audit evidence: Evidence and metrics supporting the
operational effectiveness of the controls can be reused, simplifying and reducing the efforts
required by external auditors and assessors for regulatory and compliance requirements
such as Sarbanes-Oxley, SAS 70s, Health Insurance Portability and Accountability Act
(HIPAA), Payment Card Industry (PCI) mandates and Gramm-Leach-Bliley Act (GLBA).
 Performance improvements: Processes supporting the control objectives are assessed,
refined, and improved, resulting in continued performance improvement of the security
program.

“The adoption of ISO27001 as a security control framework offers several benefits for executive
management and the groups and individuals responsible for risk, security, compliance, and
audit.”

ISO 27001 DESCRIBES A 6 STAGE PROCESS

1. Define an information security policy


2. Define scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risk
5. Select controls to be implemented and applied
6. Prepare an SOA (a "statement of applicability").
The objective of the standard itself is to "provide a model for establishing, implementing,
operating, monitoring, reviewing, maintaining, and improving an Information Security
Management System". Regarding its adoption, this should be a strategic decision. Further, "The
design and implementation of an organization's ISMS is influenced by their needs and objectives,
security requirements, the process employed and the size and structure of the organization".



The standard defines its 'process approach' as "The application of a system of processes within an
organization, together with the identification and interactions of these processes, and their
management". It employs the PDCA (Plan-Do-Check-Act) model to structure the processes, and
reflects the principles set out in the OECD guidelines.

Figure: Security and risks


THE ISO 27000 SERIES

 ISO 27000 – principles and vocabulary (in development)


 ISO 27001 – ISMS requirements (BS7799 – Part 2)
 ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
 ISO 27003 – ISMS Implementation guidelines (due 2007)
 ISO 27004 – ISMS Metrics and measurement (due 2007)
 ISO 27005 – ISMS Risk Management
 ISO 27006 – 27010 – allocation for future use

ISO/IEC 27001 AUDITORS


AUDITOR’S ROLES AND RESPONSIBILITIES
In most countries the auditor has a statutory duty to make a report to the entity's members on the
truth and fairness of the entity's annual accounts. As we have seen in the foregoing section, this
report must state the auditor's opinion on whether the statements have been prepared in accordance
with the relevant legislation and whether they give a true and fair view of the profit or loss for the
year and state of affairs at the year end.
The duty to report on the truth and fairness of the financial statements is the primary duty
associated with the external audit. The auditor has a duty to form an opinion on certain other
matters and to report any reservations. The auditor must consider whether:
 The entity has kept proper accounting records.
 The entity's balance sheet and income statement agree with the underlying accounting
records.
 All the information and explanations that the auditor considers necessary for the purposes
of the audit have been obtained and whether adequate returns for their audit have been
received from branches not visited during the audit.
 The entity has complied with the relevant legislation's requirements in respect of the
necessary disclosures. If the entity has not made all the disclosures required the audit report
should, if possible, contain a statement of the required particulars.
We do not need to elaborate on the above, although it is worth noting that the above effectively
gives the auditor the right of access to any information or material that seems relevant to checking
the financial statements. The entity cannot refuse this request. The auditor has a limited duty to
review the other information issued alongside the audited financial statements. For example, the
auditor must consider whether the information in any reports published with the financial
statements is consistent with the information in the income statement and balance sheet. Any
inconsistency should be disclosed in the audit report. The auditor must gather information and
evidence in order to support an opinion on the truth and fairness of the financial statements. There
is, however, no need to guarantee that the statements give a true and fair view.

ISO 27001:2005 STRUCTURE


FIVE MANDATORY REQUIREMENTS OF THE STANDARD:

1. Information Security Management System


 General requirements
 Establishing and managing the ISMS (e.g. Risk Assessment)
 Documentation Requirements

Figure: Auditor’s Role


2. Management Responsibility
 Management Commitment
 Resource Management (e.g. Training, Awareness)
3. Internal ISMS Audits
4. Management Review of the ISMS
 Review Input (e.g. Audits, Measurement, Recommendations)
 Review Output (e.g. Update Risk Treatment Plan, New Resources)
5. ISMS Improvement
 Continual Improvement
 Corrective Action
 Preventive Action
ISO 27001 IMPLEMENTATION

Figure: Implementation process

Review of the ISO 27001:2005


The “management review of the ISMS” in the context of ISO 27001 refers to the annual activity
where management reviews the organization's information security management system (ISMS),
ensuring its continuing “suitability, adequacy and effectiveness” (ISO 27001).

 DOMAIN OF BS 7799-1
BS 7799 contains 10 security domains



1. Security Policy
2. Security Organization
3. Computer & Network Management
4. Personnel Security
5. Compliance
6. Classification & Control of Assets
7. Environmental & Physical Security
8. System Development & Maintenance
9. Business Continuity Planning
10. System Access Controls

UNDERSTANDING OF THE RELATION BETWEEN ISO 27001:2005 AND ISO/IEC 17799:2005
 IMPROVEMENT IN ISO 27001 OVER BS 7799

Figure: BS7799 vs ISO 27001


“A properly implemented ISMS gives external auditors everything they need with respect to the
validation of security controls. They will be able to re-validate that there is a formal risk
assessment process in place and that the risk assessment process determined the appropriate
control that mitigated the perceived risk.”

2.5 CONTROL OBJECTIVE AND CONTROLS IN ISO 27001


CONTROL OBJECTIVE:
Control Objectives provide the critical insight needed to delineate a clear policy and good practice
for IT controls. They are statements of the desired results or purposes to be achieved by
implementing the specific, detailed controls. There are 39 control objectives.
CONTROLS:
A control is any administrative, management, technical or legal method that is used to manage
risk. Controls are safeguards or countermeasures. Controls include things like practices, policies,
procedures, programs, techniques, technologies, guidelines, and organizational structures. There
are 133 controls in the ISO 27001.

Figure: Control objectives


Here are the ISO 27001 security policies and domains as mentioned in the Standard, with the
proper extension:
A.5 SECURITY POLICY
A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance
with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document


Control
An information security policy document shall be approved by management, and published and
communicated to all employees and relevant external parties.

A.5.1.2 Review of the information security policy


Control
The information security policy shall be reviewed at planned intervals or if significant changes
occur to ensure its continuing suitability, adequacy, and effectiveness.



A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 Internal organization
Objective: To manage information security within the organization.

A.6.1.1 Management commitment to information security


Control
Management shall actively support security within the organization through clear direction,
demonstrated commitment, explicit assignment, and acknowledgment of information security
responsibilities.

A.6.1.2 Information security coordination


Control
Information security activities shall be coordinated by representatives from different parts of the
organization with relevant roles and job functions.

A.6.1.3 Allocation of information security responsibilities


Control
All information security responsibilities shall be clearly defined.

A.6.1.4 Authorization process for information processing facilities


Control
A management authorization process for new information processing facilities shall be defined and
implemented.

A.6.1.5 Confidentiality agreements


Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs
for the protection of information shall be identified and regularly reviewed.

A.6.1.6 Contact with authorities


Control
Appropriate contacts with relevant authorities shall be maintained.

A.6.1.7 Contact with special interest groups


Control
Appropriate contacts with special interest groups or other specialist security forums and
professional associations shall be maintained.

A.6.1.8 Independent review of information security


Control
The organization's approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes, and procedures for information security) shall be reviewed
independently at planned intervals, or when significant changes to the security implementation
occur.
A.6.2 External parties
Objective: To maintain the security of the organization's information and information processing
facilities that are accessed, processed, communicated to, or managed by external parties.

A.6.2.1 Identification of risks related to external parties


Control
The risks to the organization's information and information processing facilities from business
processes involving external parties shall be identified and appropriate controls implemented
before granting access.

A.6.2.2 Addressing security when dealing with customers


Control
All identified security requirements shall be addressed before giving customers access to the
organization’s information or assets.

A.6.2.3 Addressing security in third party agreements


Control
Agreements with third parties involving accessing, processing, communicating or managing the
organization’s information or information processing facilities, or adding products or services to
information processing facilities shall cover all relevant security requirements.

A.7 ASSET MANAGEMENT

A.7.1 Responsibility for assets


Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets


Control
All assets shall be clearly identified and an inventory of all important assets drawn up and
maintained.

A.7.1.2 Ownership of assets


Control
All information and assets associated with information processing facilities shall be ‘owned’ by a
designated part of the organization.

A.7.1.3 Acceptable use of assets


Control
Rules for the acceptable use of information and assets associated with information processing
facilities shall be identified, documented, and implemented.



A.7.2 Information classification
Objective: To ensure that information receives an appropriate level of protection.

A.7.2.1 Classification guidelines


Control
Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to
the organization.

A.7.2.2 Information labeling and handling


Control
An appropriate set of procedures for information labeling and handling shall be developed and
implemented in accordance with the classification scheme adopted by the organization.
A.8 HUMAN RESOURCES SECURITY
A.8.1 Prior to employment
Objective: To ensure that employees, contractors and third party users understand their
responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft,
fraud or misuse of facilities.
A.8.1.1 Roles and responsibilities
Control
Security roles and responsibilities of employees, contractors and third party users shall be defined
and documented in accordance with the organization’s information security policy.
A.8.1.2 Screening
Control
Background verification checks on all candidates for employment, contractors, and third party
users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional
to the business requirements, the classification of the information to be accessed, and the perceived
risks.
A.8.1.3 Terms and conditions of employment
Control
As part of their contractual obligation, employees, contractors and third party users shall agree and
sign the terms and conditions of their employment contract, which shall state their and the
organization’s responsibilities for information security.
A.8.2 During employment
Objective: To ensure that all employees, contractors and third party users are aware of information
security threats and concerns, their responsibilities and liabilities, and are equipped to support
organizational security policy in the course of their normal work, and to reduce the risk of human
error.



A.8.2.1 Management responsibilities
Control
Management shall require employees, contractors and third party users to apply security in
accordance with established policies and procedures of the organization.

A.8.2.2 Information security awareness, education and training


Control
All employees of the organization and, where relevant, contractors and third party users
shall receive appropriate awareness training and regular updates in organizational policies and
procedures, as relevant for their job function.


A.8.2.3 Disciplinary process


Control
There shall be a formal disciplinary process for employees who have committed a security breach.
A.8.3 Termination or change of employment
Objective: To ensure that employees, contractors and third party users exit an organization or
change employment in an orderly manner.
A.8.3.1 Termination responsibilities
Control
Responsibilities for performing employment termination or change of employment shall be clearly
defined and assigned.
A.8.3.2 Return of assets
Control
All employees, contractors and third party users shall return all of the organization’s assets in their
possession upon termination of their employment, contract or agreement.
A.8.3.3 Removal of access rights
Control
The access rights of all employees, contractors and third party users to information and information
processing facilities shall be removed upon termination of their employment, contract or
agreement, or adjusted upon change.

A.9 PHYSICAL AND ENVIRONMENTAL SECURITY


A.9.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s
premises and information.

A.9.1.1 Physical security perimeter
Control
Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks)
shall be used to protect areas that contain information and information processing facilities.

A.9.1.2 Physical entry controls


Control
Secure areas shall be protected by appropriate entry controls to ensure that only authorized
personnel are allowed access.

A.9.1.3 Securing offices, rooms and facilities


Control
Physical security for offices, rooms, and facilities shall be designed and applied.

A.9.1.4 Protecting against external and environmental threats


Control
Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other
forms of natural or man-made disaster shall be designed and applied.

A.9.1.5 Working in secure areas


Control
Physical protection and guidelines for working in secure areas shall be designed and applied.

A.9.1.6 Public access, delivery and loading areas


Control
Access points such as delivery and loading areas and other points where unauthorized persons may
enter the premises shall be controlled and, if possible, isolated from information processing
facilities to avoid unauthorized access.

A.9.2 Equipment security


Objective: To prevent loss, damage, theft or compromise of assets and interruption to the
organization’s activities.

A.9.2.1 Equipment siting and protection


Control
Equipment shall be sited or protected to reduce the risks from environmental threats and hazards,
and opportunities for unauthorized access.

A.9.2.2 Supporting utilities


Control
Equipment shall be protected from power failures and other disruptions caused by failures in
supporting utilities.



A.9.2.3 Cabling security
Control
Power and telecommunications cabling carrying data or supporting information services shall be
protected from interception or damage.

A.9.2.4 Equipment maintenance


Control
Equipment shall be correctly maintained to ensure its continued availability and integrity.

A.9.2.5 Security of equipment off premises


Control
Security shall be applied to off-site equipment taking into account the different risks of working
outside the organization’s premises.

A.9.2.6 Secure disposal or re-use of equipment


Control
All items of equipment containing storage media shall be checked to ensure that any sensitive data
and licensed software has been removed or securely overwritten prior to disposal.

A.9.2.7 Removal of property


Control
Equipment, information or software shall not be taken off-site without prior authorization.

A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT

A.10.1 Operational procedures and responsibilities


Objective: To ensure the correct and secure operation of information processing facilities.

A.10.1.1 Documented operating procedures


Control
Operating procedures shall be documented, maintained, and made available to all users who need
them.

A.10.1.2 Change management


Control
Changes to information processing facilities and systems shall be controlled.

A.10.1.3 Segregation of duties


Control
Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or
unintentional modification or misuse of the organization’s assets.



A.10.1.4 Separation of development, test and operational facilities
Control
Development, test and operational facilities shall be separated to reduce the risks of unauthorized
access or changes to the operational system.

A.10.2 Third party service delivery management


Objective: To implement and maintain the appropriate level of information security and service
delivery in line with third party service delivery agreements.

A.10.2.1 Service delivery


Control
It shall be ensured that the security controls, service definitions and delivery levels included in the
third party service delivery agreement are implemented, operated, and maintained by the third
party.

A.10.2.2 Monitoring and review of third party services


Control
The services, reports and records provided by the third party shall be regularly monitored and
reviewed, and audits shall be carried out regularly.
A.10.2.3 Managing changes to third party services
Control
Changes to the provision of services, including maintaining and improving existing information
security policies, procedures and controls, shall be managed, taking account of the criticality of
business systems and processes involved and re-assessment of risks.
A.10.3 System planning and acceptance
Objective: To minimize the risk of systems failures.
A.10.3.1 Capacity management
Control
The use of resources shall be monitored, tuned, and projections made of future capacity
requirements to ensure the required system performance.
A.10.3.2 System acceptance
Control
Acceptance criteria for new information systems, upgrades, and new versions shall be established
and suitable tests of the system(s) carried out during development and prior to acceptance.
A.10.4 Protection against malicious and mobile code
Objective: To protect the integrity of software and information.
A.10.4.1 Controls against malicious code
Control
Detection, prevention, and recovery controls to protect against malicious code and appropriate user
awareness procedures shall be implemented.
A.10.4.2 Controls against mobile code
Control
Where the use of mobile code is authorized, the configuration shall ensure that the authorized
mobile code operates according to a clearly defined security policy, and unauthorized mobile code
shall be prevented from executing.
A.10.5 Back-up
Objective: To maintain the integrity and availability of information and information processing
facilities.

A.10.5.1 Information back-up


Control
Back-up copies of information and software shall be taken and tested regularly in accordance with
the agreed backup policy.

A.10.6 Network security management


Objective: To ensure the protection of information in networks and the protection of the
supporting infrastructure.

A.10.6.1 Network controls


Control
Networks shall be adequately managed and controlled, in order to be protected from threats, and to
maintain security for the systems and applications using the network, including information in
transit.

A.10.6.2 Security of network services


Control
Security features, service levels, and management requirements of all network services shall be
identified and included in any network services agreement, whether these services are provided in-
house or outsourced.

A.10.7 Media handling


Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and
interruption to business activities.

A.10.7.1 Management of removable media


Control
There shall be procedures in place for the management of removable media.

A.10.7.2 Disposal of media


Control
Media shall be disposed of securely and safely when no longer required, using formal procedures.



A.10.7.3 Information handling procedures
Control
Procedures for the handling and storage of information shall be established to protect this
information from unauthorized disclosure or misuse.

A.10.7.4 Security of system documentation


Control
System documentation shall be protected against unauthorized access.

A.10.8 Exchange of information


Objective: To maintain the security of information and software exchanged within an organization
and with any external entity.
A.10.8.1 Information exchange policies and procedures
Control
Formal exchange policies, procedures, and controls shall be in place to protect the exchange of
information through the use of all types of communication facilities.

A.10.8.2 Exchange agreements


Control
Agreements shall be established for the exchange of information and software between the
organization and external parties.

A.10.8.3 Physical media in transit


Control
Media containing information shall be protected against unauthorized access, misuse or corruption
during transportation beyond an organization’s physical boundaries.

A.10.8.4 Electronic messaging


Control
Information involved in electronic messaging shall be appropriately protected.

A.10.8.5 Business information systems


Control
Policies and procedures shall be developed and implemented to protect information associated with
the interconnection of business information systems.

A.10.9 Electronic commerce services


Objective: To ensure the security of electronic commerce services, and their secure use.

A.10.9.1 Electronic commerce


Control
Information involved in electronic commerce passing over public networks shall be protected from
fraudulent activity, contract dispute, and unauthorized disclosure and modification.



A.10.9.2 On-line transactions
Control
Information involved in on-line transactions shall be protected to prevent incomplete transmission,
mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message
duplication or replay.

A.10.9.3 Publicly available information


Control
The integrity of information being made available on a publicly available system shall be protected
to prevent unauthorized modification.

A.10.10 Monitoring
Objective: To detect unauthorized information processing activities.

A.10.10.1 Audit logging


Control
Audit logs recording user activities, exceptions, and information security events shall be produced
and kept for an agreed period to assist in future investigations and access control monitoring.

A.10.10.2 Monitoring system use


Control
Procedures for monitoring use of information processing facilities shall be established and the
results of the monitoring activities reviewed regularly.

A.10.10.3 Protection of log information


Control
Logging facilities and log information shall be protected against tampering and unauthorized
access.

A.10.10.4 Administrator and operator logs


Control
System administrator and system operator activities shall be logged.

A.10.10.5 Fault logging


Control
Faults shall be logged, analyzed, and appropriate action taken.

A.10.10.6 Clock synchronization


Control
The clocks of all relevant information processing systems within an organization or security
domain shall be synchronized with an agreed accurate time source.



A.11 ACCESS CONTROL

A.11.1 Business requirement for access control


Objective: To control access to information.

A.11.1.1 Access control policy


Control
An access control policy shall be established, documented, and reviewed based on business and
security requirements for access.

A.11.2 User access management


Objective: To ensure authorized user access and to prevent unauthorized access to information
systems.
A.11.2.1 User registration
Control
There shall be a formal user registration and de-registration procedure in place for granting and
revoking access to all information systems and services.

A.11.2.2 Privilege management


Control
The allocation and use of privileges shall be restricted and controlled.

A.11.2.3 User password management


Control
The allocation of passwords shall be controlled through a formal management process.

A.11.2.4 Review of user access rights

A.11.3 User responsibilities


Objective: To prevent unauthorized user access, and compromise or theft of information and
information processing facilities.

A.11.3.1 Password use


Control
Users shall be required to follow good security practices in the selection and use of passwords.

A.11.3.2 Unattended user equipment


Control
Users shall ensure that unattended equipment has appropriate protection.

A.11.3.3 Clear desk and clear screen policy


Control
A clear desk policy for papers and removable storage media and a clear screen policy for
information processing facilities shall be adopted.



A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.

A.11.4.1 Policy on use of network services


Control
Users shall only be provided with access to the services that they have been specifically authorized
to use.

A.11.4.2 User authentication for external connections


Control
Appropriate authentication methods shall be used to control access by remote users.

A.11.4.3 Equipment identification in networks


Control
Automatic equipment identification shall be considered as a means to authenticate connections
from specific locations and equipment.

A.11.4.4 Remote diagnostic and configuration port protection


Control
Physical and logical access to diagnostic and configuration ports shall be controlled.

A.11.4.5 Segregation in networks


Control
Groups of information services, users, and information systems shall be segregated on networks.

A.11.4.6 Network connection control


Control
For shared networks, especially those extending across the organization’s boundaries, the
capability of users to connect to the network shall be restricted, in line with the access control
policy and requirements of the business applications (see 11.1).

A.11.4.7 Network routing control


Control
Routing controls shall be implemented for networks to ensure that computer connections and
information flows do not breach the access control policy of the business applications.

A.11.5 Operating system access control


Objective: To prevent unauthorized access to operating systems.

A.11.5.1 Secure log-on procedures


Control
Access to operating systems shall be controlled by a secure log-on procedure.



A.11.5.2 User identification and authentication
Control
All users shall have a unique identifier (user ID) for their personal use only, and a suitable
authentication technique shall be chosen to substantiate the claimed identity of a user.

A.11.5.3 Password management system


Control
Systems for managing passwords shall be interactive and shall ensure quality passwords.

A.11.5.4 Use of system utilities


Control
The use of utility programs that might be capable of overriding system and application controls
shall be restricted and tightly controlled.

A.11.5.5 Session time-out


Control
Inactive sessions shall shut down after a defined period of inactivity.

A.11.5.6 Limitation of connection time


Control
Restrictions on connection times shall be used to provide additional security for high-risk
applications.

A.11.6 Application and information access control


Objective: To prevent unauthorized access to information held in application systems.

A.11.6.1 Information access restriction


Control
Access to information and application system functions by users and support personnel shall be
restricted in accordance with the defined access control policy.

A.11.6.2 Sensitive system isolation


Control
Sensitive systems shall have a dedicated (isolated) computing environment.

A.11.7 Mobile computing and teleworking


Objective: To ensure information security when using mobile computing and teleworking
facilities.

A.11.7.1 Mobile computing and communications


Control
A formal policy shall be in place, and appropriate security measures shall be adopted to protect
against the risks of using mobile computing and communication facilities.



A.11.7.2 Teleworking
Control
A policy, operational plans and procedures shall be developed and implemented for teleworking
activities.

A.12 INFORMATION SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.12.1 Security requirements of information systems


Objective: To ensure that security is an integral part of information systems.

A.12.1.1 Security requirements analysis and specification


Control
Statements of business requirements for new information systems, or enhancements to existing
information systems shall specify the requirements for security controls.

A.12.2 Correct processing in applications


Objective: To prevent errors, loss, unauthorized modification or misuse of information in
applications.

A.12.2.1 Input data validation


Control
Data input to applications shall be validated to ensure that this data is correct and appropriate.

A.12.2.2 Control of internal processing


Control
Validation checks shall be incorporated into applications to detect any corruption of information
through processing errors or deliberate acts.

A.12.2.3 Message integrity


Control
Requirements for ensuring authenticity and protecting message integrity in applications shall be
identified, and appropriate controls identified and implemented.

A.12.2.4 Output data validation


Control
Data output from an application shall be validated to ensure that the processing of stored
information is correct and appropriate to the circumstances.

A.12.3 Cryptographic controls


Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic
means.



A.12.3.1 Policy on the use of cryptographic controls
Control
A policy on the use of cryptographic controls for protection of information shall be developed and
implemented.

A.12.3.2 Key management


Control
Key management shall be in place to support the organization’s use of cryptographic techniques.

A.12.4 Security of system files


Objective: To ensure the security of system files.

A.12.4.1 Control of operational software


Control
There shall be procedures in place to control the installation of software on operational systems.

A.12.4.2 Protection of system test data


Control
Test data shall be selected carefully, and protected and controlled.

A.12.4.3 Access control to program source code


Control
Access to program source code shall be restricted.

A.12.5 Security in development and support processes


Objective: To maintain the security of application system software and information.

A.12.5.1 Change control procedures


Control
The implementation of changes shall be controlled by the use of formal change control procedures.

A.12.5.2 Technical review of applications after operating system changes


Control
When operating systems are changed, business critical applications shall be reviewed and tested to
ensure there is no adverse impact on organizational operations or security.

A.12.5.3 Restrictions on changes to software packages


Control
Modifications to software packages shall be discouraged, limited to necessary changes, and all
changes shall be strictly controlled.

A.12.5.4 Information leakage


Control
Opportunities for information leakage shall be prevented.
A.12.5.5 Outsourced software development
Control
Outsourced software development shall be supervised and monitored by the organization.

A.12.6 Technical Vulnerability Management


Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

A.12.6.1 Control of technical vulnerabilities


Control
Timely information about technical vulnerabilities of information systems being used shall be
obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures
taken to address the associated risk.

A.13 Information security incident management

A.13.1 Reporting information security events and weaknesses


Objective: To ensure information security events and weaknesses associated with information
systems are communicated in a manner allowing timely corrective action to be taken.

A.13.1.1 Reporting information security events


Control
Information security events shall be reported through appropriate management channels as quickly
as possible.

A.13.1.2 Reporting security weaknesses


Control
All employees, contractors and third party users of information systems and services shall be
required to note and report any observed or suspected security weaknesses in systems or services.

A.13.2 Management of information security incidents and improvements


Objective: To ensure a consistent and effective approach is applied to the management of
information security incidents.

A.13.2.1 Responsibilities and procedures


Control
Management responsibilities and procedures shall be established to ensure a quick, effective, and
orderly response to information security incidents.

A.13.2.2 Learning from information security incidents


Control
There shall be mechanisms in place to enable the types, volumes, and costs of information security
incidents to be quantified and monitored.



A.13.2.3 Collection of evidence
Control
Where a follow-up action against a person or organization after an information security incident
involves legal action (either civil or criminal), evidence shall be collected, retained, and presented
to conform to the rules for evidence laid down in the relevant jurisdiction(s).

A.14 BUSINESS CONTINUITY MANAGEMENT

A.14.1 Information security aspects of business continuity management


Objective: To counteract interruptions to business activities and to protect critical business
processes from the effects of major failures of information systems or disasters and to ensure their
timely resumption.

A.14.1.1 Including information security in the business continuity management process


Control
A managed process shall be developed and maintained for business continuity throughout the
organization that addresses the information security requirements needed for the organization’s
business continuity.

A.14.1.2 Business continuity and risk assessment


Control
Events that can cause interruptions to business processes shall be identified, along with the
probability and impact of such interruptions and their consequences for information security.
A.14.1.3 Developing and implementing continuity plans including information security
Control
Plans shall be developed and implemented to maintain or restore operations and ensure availability
of information at the required level and in the required time scales following interruption to, or
failure of, critical business processes.

A.14.1.4 Business continuity planning framework


Control
A single framework of business continuity plans shall be maintained to ensure all plans are
consistent, to consistently address information security requirements, and to identify priorities for
testing and maintenance.

A.14.1.5 Testing, maintaining and reassessing business continuity plans


Control
Business continuity plans shall be tested and updated regularly to ensure that they are up to date
and effective.



A.15 COMPLIANCE

A.15.1 Compliance with legal requirements


Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of
any security requirements.

A.15.1.1 Identification of applicable legislation


Control
All relevant statutory, regulatory and contractual requirements and the organization’s approach to
meet these requirements shall be explicitly defined, documented, and kept up to date for each
information system and the organization.

A.15.1.2 Intellectual property rights (IPR)


Control
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory,
and contractual requirements on the use of material in respect of which there may be intellectual
property rights and on the use of proprietary software products.

A.15.1.3 Protection of organizational records


Control
Important records shall be protected from loss, destruction and falsification, in accordance with
statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data protection and privacy of personal information


Control
Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if
applicable, contractual clauses.

A.15.1.5 Prevention of misuse of information processing facilities


Control
Users shall be deterred from using information processing facilities for unauthorized purposes.

A.15.1.6 Regulation of cryptographic controls


Control
Cryptographic controls shall be used in compliance with all relevant agreements, laws, and
regulations.

A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.

A.15.2.1 Compliance with security policies and standards


Control
Managers shall ensure that all security procedures within their area of responsibility are carried out
correctly to achieve compliance with security policies and standards.
A.15.2.2 Technical compliance checking
Control
Information systems shall be regularly checked for compliance with security implementation
standards.

A.15.3 Information systems audit considerations


Objective: To maximize the effectiveness of and to minimize interference to/from the information
systems audit process.

A.15.3.1 Information systems audit controls


Control
Audit requirements and activities involving checks on operational systems shall be carefully
planned and agreed to minimize the risk of disruptions to business processes.

A.15.3.2 Protection of information systems audit tools


Control
Access to information systems audit tools shall be protected to prevent any possible misuse or
compromise.



PRACTICE SESSION OF ISO 27001
Here is an ISO 27001 controls and objectives sheet, provided as an example for practice purposes.

2.6 MANDATORY REQUIREMENTS
As per the standard, there are some mandatory requirements:
I. INFORMATION SECURITY MANAGEMENT SYSTEM
• General requirements
• Establishing and managing the ISMS (e.g. risk assessment)
• Documentation requirements
An Information Security Management System is a management system that integrates people,
process and technology. An ISMS includes technical controls, administrative controls, and physical
controls. A company’s ISMS can be certified against BS 7799.
II. MANAGEMENT RESPONSIBILITY
• Management commitment
• Resource management (e.g. training, awareness)
• Internal ISMS audits



III. MANAGEMENT REVIEW OF THE ISMS
The purpose of a management review is to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.
• PERFORM MANAGEMENT REVIEWS: carry out management reviews of your ISMS.
  o Make sure that your organization's management reviews your ISMS at planned intervals.
  o Examine the performance of your ISMS.
  o Examine the ongoing suitability of your ISMS.
  o Examine the ongoing adequacy of your ISMS.
  o Examine the ongoing effectiveness of your ISMS.
  o Assess whether or not your organization's ISMS should be changed or improved.
  o Assess whether or not your information security policy should be changed or improved.
  o Assess whether or not your information security objectives should be changed or improved.
  o Keep a record of your ISMS management reviews.
  o Record the results of ISMS management reviews.
• EXAMINE MANAGEMENT REVIEW INPUTS: examine information about your ISMS (inputs).
  o Examine the results of prior management reviews.
  o Examine the results of previous ISMS audits.
  o Examine previous ISMS measurement results.
  o Examine the status of previous remedial actions.
  o Examine security issues that were inadequately addressed during the previous risk assessment.
  o Examine opportunities to improve your ISMS.
  o Examine changes that might affect your ISMS.
• GENERATE MANAGEMENT REVIEW OUTPUTS: generate decisions and actions (outputs).
  o Generate management review decisions and actions to improve your organization's ISMS.
  o Generate management review decisions and actions to update your organization's ISMS.
  o Generate management review decisions and actions to respond to events that affect the ISMS.
  o Generate management review decisions and actions to address your ISMS resource needs.
IV. ISMS IMPROVEMENT

• CONTINUALLY IMPROVE YOUR ISMS: improve the effectiveness of your ISMS.
  o Use your security policy to continually improve the effectiveness of your ISMS.
  o Use your security objectives to continually improve the effectiveness of your ISMS.
  o Use your security audit results to continually improve the effectiveness of your ISMS.
  o Use your management reviews to continually improve the effectiveness of your ISMS.
  o Use your corrective actions to continually improve the effectiveness of your ISMS.
  o Use your preventive actions to continually improve the effectiveness of your ISMS.
  o Use your monitoring process to continually improve the effectiveness of your ISMS.
• CORRECT ACTUAL ISMS NONCONFORMITIES: establish a corrective action procedure to prevent the recurrence of actual nonconformities. Corrective actions are steps that are taken to address existing nonconformities and make improvements. They deal with actual nonconformities (problems), ones that have already occurred, and solve existing problems by removing their causes. In general, the corrective action process can be thought of as a problem-solving process.
  o Make sure that your corrective action procedure expects you to identify actual nonconformities.
  o Make sure that your corrective action procedure expects you to identify the causes of your nonconformities.
  o Make sure that your procedure expects you to evaluate whether you need to take action.
  o Make sure that your procedure expects you to develop corrective actions when they are needed.
  o Make sure that your procedure expects you to prevent the recurrence of actual nonconformities.
  o Make sure that your corrective action procedure expects you to eliminate the causes of your organization's nonconformities.
  o Make sure that your procedure expects you to record the results of any corrective actions taken.
  o Make sure that your procedure expects you to review the results of any corrective actions taken.
  o Document your corrective action procedure.
  o Implement your corrective action procedure.
  o Use your organization's corrective action procedure to identify nonconformities.
  o Use your organization's corrective action procedure to identify causes.
  o Use your procedure to evaluate whether or not you need to take corrective action.
  o Use your procedure to develop corrective actions whenever corrective actions are actually needed.
  o Use your procedure to take corrective actions.
  o Use your procedure to prevent the recurrence of actual nonconformities.
  o Use your procedure to eliminate the causes of actual nonconformities.
  o Use your procedure to record the results of any corrective actions taken.
  o Use your procedure to review the corrective actions that have been taken.
  o Maintain your corrective action procedure.
Most organizations address their compliance requirements individually, in a 'stovepipe' fashion. By identifying the mappings between ISO 27001 and the other compliance requirements, an organization can instead implement a single security control framework in a manner that satisfies all of them. Once in place, this single framework can simplify auditing and reporting requirements, reduce the amount of documentation to manage and records to retain, and facilitate demonstrable process and performance improvements.

Now let us see an implementation project for ISO 27001 done by ATL Security Group for a client of ATL (name confidential), which gives an inside view of how the ISO standard is implemented in practice.

UNIT 3
SECURITY RELATED THREAT AND VULNERABILITIES
EVALUATION

3.1 SECURITY FRAMEWORKS

WHAT IS SECURITY?
Security is defined as the condition of being protected against danger or loss. It is a condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
It is important that security be balanced with usability (and accessibility):
• The most secure system is useless.
• The most useful system is insecure.
Figure: Security framework
"Security is a continuous process of protecting valuable things from someone (hacker/cracker)."
WHAT ABOUT ADEQUATE SECURITY?
CERT usefully suggests:
"A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances."
Risk Appetite
• It is defined through executive decision, and sets the amount of risk worth taking to achieve enterprise goals and missions.
• It relates to risks that must be mitigated and managed.
Risk Tolerance
• It is the residual risk that is accepted.
• It relates to risk for which no mitigation would be in place.

WHAT IS REQUIRED FOR ADEQUATE SECURITY?

• An asset list.
• Threat analysis to identify risks.
• A risk impact estimate for each asset.
• An ongoing process for reviewing assets, threats and risks.
• Someone responsible for this process.
• Operational procedures for responding to changing conditions (emergencies, high risk etc.).
ASPECTS OF SECURITY
Static Aspects:
• Confidentiality: The data/service provides no useful information to unauthorized people.
• Integrity: If anyone tampers with an asset it will be immediately evident.
• Authenticity: It can be verified that an asset is attributable to its authors or caretakers.
• Identity: It can be verified which specific individual entity is associated with an asset.
• Non-repudiation: The author, owner or caretaker of an asset cannot deny that they are associated with it.



Dynamic Aspects:
• Authorization: It is clear what actions are permitted with respect to an asset.
• Loss: The asset is irrecoverably lost (or the cost of recovery is too high).
• Denial of access (or denial of service): Access to the asset is temporarily impossible.
FRAMEWORK 1: DEFENSE IN DEPTH (DID)

• Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
• It is originally a military strategy which seeks to delay rather than prevent the advance of an attacker, buying time by yielding space.
• In terms of computer network defense, defense in depth measures should not only prevent security breaches, but buy an organization time to detect and respond to an attack, therefore reducing and mitigating the breach's impact.
• For example, to protect against an unskilled hacker or against somebody who does not have much knowledge about the organization's networks, the first layer of defense would be a firewall. Firewalls can be extremely effective, but at the same time they cannot be relied on as the only means of securing a network perimeter. Network-based intrusion detection systems (IDS) can provide the other layer of perimeter defense. A network-based IDS can identify attacks that could otherwise go undetected, will sometimes take defensive measures such as interacting with the firewall to stop certain traffic, alert an administrator of a problem, and can help identify the vulnerability that was exploited in the event of a successful attack.
Figure: Framework 1
• Systems need to be further hardened by ensuring that the system has all current vendor patches installed, that anti-virus software is current and that all unused services are disabled.
• Using such a layered approach:
  – Increases an attacker's risk of detection.
  – Reduces an attacker's chance of success.
• For further reference, read: Implementation of DiD at a university; DiD security for a laptop; DiD for a small ISP.
Secure Environment
A secure environment is a combination of:
• Hardened hosts (nodes).
• Intrusion Detection System (IDS).
• Operating processes, standard and emergency, such as those of ISO 27001 and ISO 17799 (the code of practice, renumbered ISO/IEC 27002 in 2007).
• Threat modeling and analysis.
• Dedicated responsible staff: a Chief Security Officer (CSO) responsible for all of this.
• Continuous training for users and security staff against "social engineering".

"Environmental security is as important as the other important assets"



FRAMEWORK 2: OCTAVE
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is an information security risk evaluation that is comprehensive, systematic, and context driven.
• Developed and launched in 2001.
• Currently used by the US military and a growing number of larger organizations.
• Concept of OCTAVE: OCTAVE is a risk-based strategic assessment and planning technique for security. OCTAVE is self-directed, meaning that people from the organization assume responsibility for setting the organization's security strategy.
• OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues.
• When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects of operational risk, security practices, and technology.
• While OCTAVE is meant for large organizations, a second process, OCTAVE-S, was developed and tested for small organizations, ranging from 20 to 80 people. It is designed for organizations that can empower a team of three to five people to conduct all evaluation activities, without the need for formal data-gathering activities.
Figure: Cycle of the process

The OCTAVE Process

Using a three-phase approach, OCTAVE examines organizational and technology issues to assemble a comprehensive picture of the information security needs of an organization. The phases of OCTAVE are:

• Phase 1: Build Asset-Based Threat Profiles – This is an organizational evaluation. Staff members within the organization identify important information assets, the threats to those assets, and the security requirements of the assets. They determine what the organization is currently doing to protect its information assets (protection strategy practices) and identify weaknesses in organizational policies and practice (organizational vulnerabilities).
• Phase 2: Identify Infrastructure Vulnerabilities – This is an evaluation of the information infrastructure. The key operational components of the information technology infrastructure are identified based on the information gathered during Phase 1 and then examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action.
• Phase 3: Develop Security Strategy and Plans – Risks are analyzed in this phase. The information generated by the organizational and information infrastructure evaluations (Phases 1 and 2) is analyzed to identify risks to the organization and to evaluate the risks based on their impact on the organization's mission. In addition, a protection strategy for the organization and mitigation plans addressing the highest-priority risks are developed.
"The OCTAVE Method is self-directed. A small team of the organization's personnel (called the analysis team) manages the process and analyzes all information. The analysis team is an interdisciplinary team comprising representatives from both the business lines and the IT department of the organization."


FRAMEWORK 3: SECURITY RISK ANALYSIS

The steps involved in this process are:
• Creation of an asset list.
• Risk impact assessment.
• Risk probability assessment.
• Risk exposure and risk list.
• Mitigation and contingency.
Creating an Asset List
• All named assets (such as documents, software, hardware etc.) are listed, starting with the most sensitive.
• The list is never complete; it has to be periodically updated.
• Default "all other assets" entries are also created.

These are divided into logical groups based on their probability of attack or the risk of their "location" between perimeters.
Risk Impact Assessment
• For each asset and risk, a measure of impact is attached.
• A monetary scale is used if possible (difficult); otherwise relative numbers with an agreed meaning are used, e.g. 1 for a trivial impact, 2 for a low impact, 3 for medium, 4 for high and 5 for catastrophic.
• Example:
  – Asset: Internal MD mailbox.
  – Risk: Access to content by press.
  – Impact: Catastrophic (5).
Risk Probability Assessment
• For each entry, the probability of the occurrence of the loss is measured.
• Real probabilities are difficult to measure. Therefore a relative scale is used, such as Low (0.3), Medium (0.6) and High (0.9).
• Example:
  – Asset: Internal MD mailbox.
  – Risk: Access to content by press.
  – Probability: Low (0.3).

Risk Exposure and Risk List
• The probability for each entry is multiplied by its impact:
  Exposure = Probability x Impact
• The entries are then sorted by exposure.
  – High-exposure risks need very strong security measures.
  – The lowest-exposure risks can be covered by default mechanisms or ignored.
• For example, press may access the MD mailbox:
  Exposure = P(Low = 0.3) x I(Catastrophic = 5) = 1.5
  (on these scales the largest possible exposure is 0.9 x 5 = 4.5).
Mitigation and Contingency

For high-exposure risks, the following need to be planned:
• Mitigation: reduce its probability or impact (and so its exposure).
• Transfer: make someone else responsible for the risk (e.g. through insurance or a contract).
• Avoidance: avoid the risk by not having the asset.
• Contingency: what to do if the risk becomes reality.

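The five steps above carried through in code, as an added example that is not part of the original course material: a small risk register that uses the text's impact scale (1 to 5) and probability scale (Low 0.3, Medium 0.6, High 0.9), computes Exposure = Probability x Impact for every entry including the default "all other assets" entries, sorts the list by exposure and decides which of mitigation, transfer/avoidance and contingency planning an entry needs. The asset list is constructed for illustration (the MD mailbox entry is the text's own example), and the two exposure thresholds separating the high, medium and low bands (2.4 and 1.0) are assumptions, since the text only says that high-exposure risks need strong measures and the lowest can be covered by default mechanisms.

```python
"""Risk exposure calculation for Framework 3 (security risk analysis).

Added example; not part of the original course material. The impact and
probability scales are the ones the text uses; the two exposure thresholds
for the treatment bands are assumptions.
"""
from dataclasses import dataclass

IMPACT = {"trivial": 1, "low": 2, "medium": 3, "high": 4, "catastrophic": 5}
PROBABILITY = {"low": 0.3, "medium": 0.6, "high": 0.9}

# Assumed treatment bands on the exposure score (maximum possible is 0.9 * 5 = 4.5).
HIGH_EXPOSURE = 2.4   # needs mitigation, a transfer/avoidance decision and a contingency plan
LOW_EXPOSURE = 1.0    # at or below this: default mechanisms, or consciously ignored


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str         # key of IMPACT
    probability: str    # key of PROBABILITY

    @property
    def exposure(self) -> float:
        """Exposure = Probability x Impact, as defined in the text."""
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)

    @property
    def band(self) -> str:
        e = self.exposure
        if e >= HIGH_EXPOSURE:
            return "high"
        if e > LOW_EXPOSURE:
            return "medium"
        return "low"


def risk_list(risks):
    """The risk list sorted by exposure, highest first (ties broken by raw impact)."""
    return sorted(risks, key=lambda r: (r.exposure, IMPACT[r.impact]), reverse=True)


def treatment_plan(risk: Risk) -> dict:
    """Which of the text's planning steps a risk in each band requires."""
    if risk.band == "high":
        return {"mitigation": True, "transfer_or_avoid": True, "contingency": True}
    if risk.band == "medium":
        return {"mitigation": True, "transfer_or_avoid": False, "contingency": False}
    return {"mitigation": False, "transfer_or_avoid": False, "contingency": False}


# Constructed asset/risk list; only the MD mailbox entry comes from the text.
REGISTER = [
    Risk("Internal MD mailbox", "Access to content by press", "catastrophic", "low"),
    Risk("Customer database", "Bulk export by an insider", "catastrophic", "medium"),
    Risk("Public web server", "Defacement", "medium", "high"),
    Risk("All other assets (DMZ)", "Compromise of an unlisted host", "low", "medium"),
    Risk("All other assets (internal)", "Compromise of an unlisted host", "low", "low"),
]


def print_register(risks):
    """One line per entry, in exposure order, with its band and required planning."""
    for r in risk_list(risks):
        plan = ", ".join(k for k, v in treatment_plan(r).items() if v) or "default mechanisms"
        print(f"{r.exposure:4.2f}  {r.band:6}  {r.asset}: {r.risk}  [{plan}]")


if __name__ == "__main__":
    print_register(REGISTER)
```

Run as a script to print the sorted register; the MD mailbox case comes out at 1.5, in the middle of the list, because a catastrophic impact with a low probability scores below a catastrophic impact with a medium one.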
FRAMEWORK 4: THREAT MODELING

Threat modeling is a strategic way of building security into applications by enumerating the threats relevant to the solution. Also known as application risk assessment, it helps application designers to think in both an offensive and a defensive manner, thereby allowing timely identification of potential threats, vulnerabilities, attacks and corresponding countermeasures. In other words, threat modeling is aimed at:
• Finding infrastructure vulnerabilities.
• Evaluating security threats.
• Identifying countermeasures.
Threat Modeling Steps
The steps involved in threat modeling are:
1. Identification of assets
  • What needs to be protected, e.g. confidential data, websites etc.
2. Creating an architecture overview
  • Identifying what the application does.
  • Creating an architecture diagram describing the composition and structure of the application and its subsystems as well as its physical deployment characteristics.
  • Identifying the distinct technologies that are used to implement the solution.
3. Decomposing the application
  • Identifying entry points, exit points, trust boundaries, data flow descriptions, the privilege for various categories of code etc.
4. Identifying the threats
  • Thinking about how the application can be attacked (using STRIDE, vulnerability databases, experience).
5. Documenting the threats
  • Specify the threat target, the risk to the target, attack techniques and countermeasures.
6. Rating the threats (using DREAD)
Further reading: Threat modeling for security tokens on a web server. Tool: Threat Analysis and Modeling tool.
COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management, first published in 1996 by the Information Systems Audit and Control Association (ISACA) and later developed together with the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

COBIT structure
COBIT covers four domains:
• Plan and Organize
  o Define a Strategic IT Plan and direction
  o Define the Information Architecture
  o Determine Technological Direction
  o Define the IT Processes, Organization and Relationships
  o Manage the IT Investment
  o Communicate Management Aims and Direction
  o Manage IT Human Resources
  o Manage Quality
  o Assess and Manage IT Risks
  o Manage Projects

• Acquire and Implement: The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the IT processes contained in the Acquire and Implement domain.
• Deliver and Support: The Deliver and Support domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the IT processes contained in the Deliver and Support domain.
• Monitor and Evaluate: The Monitor and Evaluate domain deals with a company's strategy for assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company's control processes. The following table lists the IT processes contained in the Monitor and Evaluate domain.
The complete COBIT package consists of:

• Executive Summary
• Governance and Control Framework
• Control Objectives
• Management Guidelines
• Implementation Guide
• IT Assurance Guide

STRIDE
It is a technique for threat identification which categorizes potential security threats by matching them to six categories:
1. Spoofing identity: illegally obtaining access to and using another person's authentication information, such as a user name or password, i.e. impersonating another user.
2. Tampering with data: malicious modification of data. An attacker who maliciously changes data is often much harder to detect, and does much more damage, than a smash-and-grab web site defacer or disk reformatter. Why? You might not find the modified data until some time has passed, and once you find one tampered item you have to thoroughly check all the other data on your systems to ensure that nothing else was tampered with.
3. Repudiation: the risk that a legitimate transaction will be disowned by one of the participants. Non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively.
4. Information disclosure: an attacker can gain access, without permission, to data that the owner does not want him or her to have.
5. Denial of service (DoS): an explicit attempt to prevent legitimate users from using a service or system, usually by overusing a legitimate resource. Such an attack can be stopped by removing the resource the attacker is consuming, but then real users cannot use the resource either, so a countermeasure has to separate attack traffic from legitimate use.
6. Elevation of privilege: an unprivileged user gains privileged access. An example would be an unprivileged user who comes up with a way to be added to the Administrators group.



THREAT TREE
It is a structure used to represent threats and vulnerabilities. Threat trees have threats as the parent nodes, with the child nodes being the vulnerabilities required for those threats to actually manifest. A comprehensive set of threat trees also makes it easy to derive security test cases corresponding to each vulnerability (i.e. each child node). This can be made clearer by the example of an application which implements multiple roles/access privileges and allows users to upload and delete files. It has an admin role which has the privilege to delete any user's file and also to schedule system-level commands.
DREAD
It is a technique developed by Microsoft to rate the threats found (step 6 of the threat modeling process above). It is important because the implementation of countermeasures and the development of test cases require the identified issues to be prioritized, so that the most critical findings can be resolved first. DREAD stands for:

• Damage potential: How great is the damage if the vulnerability is exploited?
• Reproducibility: How easy is it to reproduce the attack?
• Exploitability: How easy is it to launch an attack?
• Affected users: As a rough percentage, how many users are affected?
• Discoverability: How easy is it to find the vulnerability?

Each category is rated as High (3), Medium (2) or Low (1). After each of the above questions has been asked, the values (1–3) for a given threat are added up, so the result falls in the range 5–15. Threats with overall ratings of 12–15 are then treated as High risk, 8–11 as Medium risk, and 5–7 as Low risk.

3.2 UNDERSTANDING OF THE SECURITY CONTROLS AND COUNTERMEASURES
Objectives of Security Controls
The prime objective of security controls is to reduce the effects of security threats and vulnerabilities to a level that an organization can tolerate. This goal entails determining the impact that a threat might have on an organization and the likelihood that the threat could occur. The process that analyzes the threat scenario and produces a representative value of the estimated potential loss is called Risk Analysis (RA).

RISK ASSESSMENT
Risk
Risk is the possibility of loss resulting from a threat, security incident, or event.
Assets
Any real or personal property, tangible or intangible, that a company or individual owns that can be given or assigned a monetary value. Intangible property includes things such as goodwill, proprietary information, and related property. For purposes of this guideline, people are included as assets.

Consequential
A secondary result ensuing from an action or decision is consequential. From an insurance or security standpoint: costs, loss, or damage beyond the market value of the asset lost or damaged, including other indirect costs.
Cost/benefit analysis
A process in planning, related to the decision to commit funds or assets. It is a systematic attempt to measure or analyze the value of all the benefits that accrue from a particular expenditure. Usually, this process involves three steps:
• Identification of all direct and indirect consequences of the expenditure.
• Assignment of a monetary value to all costs and benefits resulting from the expenditure.
• Discounting expected future costs and revenues accruing from the expenditure to express those costs and revenues in current monetary values.



Criticality
The impact of a loss event, typically calculated as the net cost of that event. Impact can range from
fatal, resulting in a total recapitalization, abandonment, or long-term discontinuance of the
enterprise, to relatively unimportant.

Events
Something that happens; a noteworthy happening is event. In the security context, this usually
represents an occurrence such as a security incident, alarm, medical emergency, or related episode
or experience.
Goodwill
The value of a business that has been built up through the reputation of the business concern and its
owners is goodwill.
Loss Event
It is an occurrence that actually produces a financial loss or negative impact on assets. Examples
include security incidents, crimes, war, natural hazards, or disasters.
Natural Disaster
It is a naturally occurring calamitous event bringing great damage, loss, or destruction, e.g. tornadoes, hurricanes, earthquakes and related occurrences.
Probability
It is the chance, or in some cases, the mathematical certainty that a given event will occur; the ratio
of the number of outcomes in an exhaustive set of equally likely outcomes that produce a given
event to the total number of possible outcomes.

Risk Analysis
A detailed examination including risk assessment, risk evaluation, and risk management
alternatives, performed to understand the nature of unwanted, negative consequences to human life,
health, property, or the environment; an analytical process to provide information regarding
undesirable events; the process of quantification of the probabilities and expected consequences for
identified risks.
Risk Assessment
It is the process of assessing security-related risks from internal and external threats to an entity, its
assets, or personnel.

Security Incident
It is a security-related occurrence or action likely to lead to death, injury, or monetary loss. An
assault against an employee, customer, or supplier on company property would be one example of
a security incident.
Security Vulnerability
It is an exploitable capability; an exploitable security weakness or deficiency at a facility, entity,
venue, or of a person.


Site
It is a spatial location that can be designated by longitude and latitude.
State-of-the-Art
The most advanced level of knowledge and technology currently achieved in any field at any given time.
Statistics
A branch of mathematics dealing with the collection, analysis, interpretation, and presentation of masses of numerical data. In security, this could represent a collection of quantitative data such as security incidents, crime reports, and related information that, together with other like information, serves as security-related statistics used for a number of applications including risk and vulnerability evaluations.

Threat
An intent to cause damage or injury; an indication of something impending.


I. WHAT IS RISK?
Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).
Risk management is increasingly recognized as being concerned with both the positive and the negative aspects of risk, and risk is therefore considered here from both perspectives. In the safety field, it is generally recognized that consequences are only negative, and therefore the management of safety risk is focused on the prevention and mitigation of harm.

II. WHAT IS RISK ASSESSMENT?

Risk assessment is a step in a risk management process. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat.
An ISMS must be developed and designed to meet the individual requirements of each organization. Not only does every organization have its own specific business model, objectives, unique selling features and culture, it also has its own appetite for risk. In other words, something that one organization sees as a threat against which it must guard, another might see as an opportunity that it should grasp. Similarly, one organization might be less prepared than another to invest in defenses against an identified risk. For this and other reasons, every organization that implements an ISMS must do so against the findings of a risk assessment whose methodology, findings and recommendations have been approved by the board of directors. While there are only a few standard methods of assessing and measuring risk, there are a number of tools for simplifying and automating the process.
III. RISK ANALYSIS
Risk mitigation is achieved through the deployment of new or additional security measures. Security measures can be placed into three broad categories:
• People (behavior)
• Process (actions)
• Technology (architecture)
IV. KINDS OF RISK
Assessing risk is one element of a broader set of risk management activities. Other elements include establishing a central management focal point, implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.
Although all elements of the risk management cycle are important, risk assessments provide the foundation for the other elements of the cycle. In particular, risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected. This continuing cycle of activity, including risk assessment, is illustrated in the following depiction of the risk management cycle.
Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with the information needed to understand the factors that can negatively influence operations and outcomes, and to make informed judgments concerning the extent of action needed to reduce risk. For example, bank officials have conducted risk assessments to manage the risk of default associated with their loan portfolios, and nuclear power plant engineers have conducted such assessments to manage risks to public health and safety. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage.
Regardless of the type of risk being considered, all risk assessments generally include the same elements. Identifying the threats that could harm, and thus adversely affect, critical operations and assets is essential. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters. The following are RA terms that the candidate will need to know:
Asset: An asset is a resource, process, product, computing infrastructure, and so forth that an
organization has determined must be protected. The loss of the asset could affect C.I.A.
(confidentiality, integrity, or availability) or have an overall effect, or it could have a discrete dollar
value, tangible or intangible. It could also affect the ability of the organization to continue in
business at all. The value of an asset is composed of all of the elements that are related to that
asset: its creation, development, support, replacement, public credibility, considered costs, and
ownership values.
Threat: Simply put, the presence of any potential event that causes an undesirable impact on the
organization is called a threat. As we will discuss in the Operations Domain, a threat could be
man-made or natural and have a small or large effect on a company's security or viability.
Vulnerability: The absence or weakness of a safeguard constitutes a vulnerability. A minor threat
has the potential to become a greater threat, or a more frequent threat, because of a vulnerability.
Think of a vulnerability as the path by which a threat gets through a safeguard into the system.
Combined with the terms asset and threat, vulnerability is the third part of an element that is called
a triple in risk management.

Safeguard: A safeguard is the control or countermeasure employed to reduce the risk associated
with a specific threat or group of threats.
Exposure Factor (EF): The EF represents the percentage of loss that a realized threat event would
have on a specific asset. This value is necessary to compute the Single Loss Expectancy (SLE),
which in turn is necessary to compute the Annualized Loss Expectancy (ALE). The EF can be a
small percentage, such as the effect of a loss of some hardware, or a very large percentage, such as
the catastrophic loss of all computing resources.
Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single event. It
represents an organization's loss from a single occurrence of a threat and is derived from the
following formula:
SLE = Asset Value ($) x Exposure Factor (EF)
For example, an asset valued at $100,000 that is subjected to an exposure factor of 30 percent
would yield an SLE of $30,000. While this figure is primarily defined in order to create the
Annualized Loss Expectancy (ALE), it is occasionally used by itself to describe a disastrous event
for a Business Impact Assessment (BIA).
Annualized Rate of Occurrence (ARO): The ARO is a number that represents the estimated
frequency with which a threat is expected to occur in a year. The range for this value can be from
0.0 (never) to a large number (for minor threats, such as misspellings of names in data entry). How
this number is derived can be very complicated. It is usually based upon the likelihood of the event
and the number of employees who could cause it to occur. The loss incurred by the event is not a
concern here, only how often it occurs.
For example, a meteorite damaging the data center could be estimated to occur only once every
100,000 years and would have an ARO of 0.00001. In contrast, 100 data entry operators each
estimated to make an unauthorized access attempt six times a year would give an ARO of 600.
Annualized Loss Expectancy (ALE): The ALE, a dollar value, is derived from the following
formula:
ALE = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
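The SLE and ALE formulas above, worked in code as an added example (this is not code from the module). It also goes one step beyond the text by applying the same arithmetic to the safeguard defined earlier: a control is cost-effective when the ALE it removes exceeds its own annual cost. The $100,000 / 30 percent asset and the two ARO illustrations are the module's figures; the safeguard name, cost and residual figures are constructed.

```python
"""SLE, ARO and ALE, plus a cost/benefit test for a safeguard.

Added example, not the module's code. The asset and ARO numbers are the
module's worked figures; every safeguard figure is constructed.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value ($) x Exposure Factor (EF).

    EF is a fraction of the asset value (0.30 for 30 percent).
    """
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annualized Rate of Occurrence (ARO).

    ARO is a frequency, not a probability: 0.0 means never, and values
    above 1 mean several occurrences per year.
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years (once in 100,000 years -> 0.00001)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def aro_from_population(events_per_person_per_year: float, people: int) -> float:
    """ARO for an event any of `people` can cause (6 per operator x 100 operators -> 600)."""
    return events_per_person_per_year * people


@dataclass(frozen=True)
class Safeguard:
    """A control and the risk that remains once it is in place (constructed figures)."""
    name: str
    annual_cost: float    # yearly cost of buying, running and maintaining the control
    residual_ef: float    # exposure factor that remains with the control in place
    residual_aro: float   # rate of occurrence that remains with the control in place


def safeguard_value(asset_value: float, ef: float, aro: float, control: Safeguard) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.

    Positive: the control costs less than the loss it prevents and is cost-effective.
    Negative: it costs more than the risk it removes.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_ef), control.residual_aro
    )
    return ale_before - ale_after - control.annual_cost


if __name__ == "__main__":
    # The module's worked SLE: $100,000 asset, EF 30 percent -> $30,000.
    sle = single_loss_expectancy(100_000, 0.30)
    print(f"SLE: ${sle:,.2f}")

    # The module's two ARO illustrations.
    print(f"Meteorite ARO: {aro_from_interval(100_000):.5f}")
    print(f"Data-entry ARO: {aro_from_population(6, 100):.0f}")

    # Constructed scenario: the $30,000 event expected once every two years.
    aro = aro_from_interval(2)
    print(f"ALE without controls: ${annualized_loss_expectancy(sle, aro):,.2f}")

    # Constructed safeguard: $4,000 a year, cuts the ARO to once in ten years.
    control = Safeguard("offsite backup and restore drills", 4_000, 0.30, 0.10)
    print(f"Value of '{control.name}': ${safeguard_value(100_000, 0.30, aro, control):,.2f}")
```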

V. STAGES OF RISK ASSESSMENT


STEP 1: HAZARD IDENTIFICATION

Pretend you are new to the workplace and look at everything with a fresh eye: is what you have
recorded reasonable, or should changes be made? Everyone in the workplace will have an opinion;
seek them out and evaluate their comments. Manufacturer data sheets are an excellent resource for
hazard information on machinery and chemicals, so use them as a reference for your risk
assessments.
Information that is already in your business's possession may also be useful, such as accident and
ill-health records; these can often identify hazards which are less obvious. Not all hazards are
immediately obvious: noise and exposure to dust, for instance, may not manifest themselves for
some years.
Look for hazards by walking around the workplace. List the hazards that could reasonably be
expected to cause harm. Ask for the opinion of employees, as they may have noticed things that are
not immediately obvious. Examples of hazards include:
 Cables trailing over floors
 Fire
 Chemicals
 Work benches which are too high or too low
 Electricity
 Loads which have to be moved manually
 Work equipment
 Working environment e.g. ventilation, lighting, heating.
STEP 2: WHO IS AT RISK AND HOW?

Compile a list of all the persons who may be at risk; once you know who they are you will be able
to manage the risk to them. You may need to consider them as groups rather than as individuals.
Describe the harm each could suffer, including the type of injury (for example, the strain injuries
caused by repetitive tasks on a production line).
There are special requirements for some groups of workers, such as young people, pregnant
women, and disabled persons. Extra thought will be needed for some hazards because workers in
particular disciplines (cleaners, visitors, contractors, maintenance workers, etc.) may not be in the
workplace all the time. Also consider members of the public if they could be hurt by your
activities. If you share your workplace, you will need to think about how your work affects others
present, as well as how their work affects your staff: talk to them, and ask your staff if they can
think of anyone you may have missed.
List groups of people and individuals who may be affected by the hazards:
 Staff
 Members of the public
 Contractors on the premises.
Pay particular attention to vulnerable persons, e.g. those with disabilities, visitors, female
employees who are pregnant or who have recently returned to work after having a baby,
inexperienced employees or young persons.
STEP 3: EVALUATE THE RISKS AND DECIDE ON PRECAUTIONS

Approved Codes of Practice (ACOPs) are available from the HSE and are taken to represent
industry best practice. What are you going to do about the hazards? Everything reasonably
practicable is the answer.
Is what you are doing sufficient? Use the ACOPs to measure your performance.
Use the ERICPD acronym as a checklist: Eliminate, Reduce, Isolate, Control, PPE (personal
protective equipment), and Discipline of the workforce to work correctly. Evaluate the risks arising
from the hazards and decide whether existing precautions are adequate or whether more should be
done.
When evaluating the extent of the risk, account should be taken of the chance of some harm
occurring, its likely severity, and the number of people who could be affected. The simplest way of
describing the evaluation is by designating 'extreme', 'high', 'medium', 'low' or 'insignificant'
ratings (see the table below).

Risk Ratings

Likelihood         Slightly harmful     Harmful          Extremely harmful

Highly unlikely    Insignificant risk   Low risk         Medium risk

Unlikely           Low risk             Medium risk      High risk

Likely             Medium risk          High risk        Extreme risk

Even after all precautions have been taken some risk may remain. Ensure the precautions in place
meet standards set by legal requirements; comply with a recognized standard, represent good
practice and reduce the risk as far as is reasonably practicable. Where additional controls or further
action are necessary to reduce the risk, decide what more could reasonably be done by adopting the
following principles:

 Avoid the risk completely
 Evaluate risks which cannot be avoided
 Combat risks at source
 Adapt work to the individual
 Make use of technical progress
 Replace the dangerous with non or less dangerous
 Develop an overall prevention policy
 Give priority to measures which protect the greatest number of people
 Give appropriate instructions to employees.
IMPLEMENTING AN ACTION PLAN

Once the level of risk has been determined and the control measures needed to reduce or eliminate
the risk established, an action plan should be drawn up with timescales for implementation of the
control measures. The table below may be used as a guide for devising such an action plan.

RISK LEVEL      ACTION AND TIMESCALE

Insignificant   No action is required and no documentary records need to be kept.

Low             No additional controls are required. Consideration may be given to a more
                cost-effective solution or improvement that imposes little or no additional
                cost burden. Monitoring is required to ensure that controls are maintained.

Medium          Efforts should be made to reduce the risk, but the costs of prevention should
                be carefully measured. Risk reduction measures should be implemented within
                a defined time period.
                Where the moderate risk is associated with extremely harmful consequences,
                further assessment may be necessary to establish more precisely the
                likelihood of harm as a basis for determining the need for improved control
                measures.

High            Work should not be started until the risk has been reduced. Considerable
                resources may have to be allocated to reduce the risk. Where the risk
                involves work in progress, urgent action should be taken.

Extreme         Work should not be started or continued until the risk has been reduced. If
                it is not possible to reduce the risk even with unlimited resources, work has
                to remain prohibited.

Examples of suitable control measures are given in the table below:

Hazards                          Example Controls

Manual handling                  Mechanical aids, hoists, getting assistance, breaking loads into
                                 smaller units
Hazardous substances             Substitution of less hazardous alternatives, extract ventilation,
                                 personal protective equipment
Work equipment (ladders,         Guarding, demarcation of danger zones, restricted operation and
machinery, tools, etc.)          use, planned preventative maintenance
Electricity                      Insulated tools, residual current circuit breakers, fuses, earthing,
                                 inspection and testing of systems and appliances
Stairs, etc.                     Good lighting, handrails, non-slip surfaces, slightly
                                 raised/highlighted front edges
Fire                             Detection/warning systems, suitable storage facilities for
                                 substances and goods, fire retardant furniture and fittings
Noise                            Reduction at source, isolation, ear protection, demarcation of
                                 danger zones
Stress                           Reduce/increase workload, more control over work, work suitable
                                 for the individual, avoidance of monotonous repetitive work
Work environment                 Good lighting, ventilation, redesign of the layout of the area,
                                 heaters/coolers

STEP 4: RECORD YOUR FINDINGS AND IMPLEMENT THEM

All findings should be written down, kept simple and not too elaborate. For example: 'Tripping over
rubbish: bins provided, staff instructed, housekeeping checks now in place weekly'; 'Welding fume:
local exhaust ventilation used and inspected regularly'.

Risk assessments need to be suitable and sufficient; they are rarely perfect, but they do need to
evaluate the hazards properly. You need to be able to show that:
 a proper check was made
 you identified who might be affected
 the significant hazards are controlled
 all people potentially involved were considered
 the precautions are reasonable
 staff were involved
 the remaining risk is low
Don't try to do everything at once. Make a plan of action to deal with the most important things
first, separating:
 Quick fixes
 Medium and long term goals
 Training
Health and safety inspectors acknowledge the efforts of businesses that are clearly trying to make
improvements.
If you have fewer than five employees, risk assessments do not have to be written down. If you
employ five or more people, the significant findings of the assessment must be recorded. However,
you are advised to keep records even where there are fewer than five employees, since these
provide evidence that something has been done. Keep any written assessments for future reference
and ensure that employees are informed of the findings and of the control measures, existing or
additional, that have to be observed and used. In some circumstances the findings of the risk
assessment should also be given to others who could be affected, for example agency workers,
contractors, etc.

STEP 5: REVIEW YOUR RISK ASSESSMENT AND UPDATE IF NECESSARY

Review at least annually; nothing stays the same. Look for:
 Changes
 Improvements
 Any near misses or accidents
 Ask the workers if everything is OK
 If you know there has been a change, review immediately.
EXERCISE
Q 1. We have an electronic document archival and destruction procedure. Old versions of
electronic documents can be used against you in a court of law. A network assessment of your
archival and destruction procedures can help you manage these risks.
a) Yes
b) No

Q 2. We've audited our site for compliance with California's On-line Privacy Protection Act. Not
only is a web site the first contact with a prospect, it reflects on your organization's image. In
addition to interfacing with customers, web sites must comply with legislation.
a) Yes
b) No

Q 3. We've had an outside independent IT security audit within the past 12 months. Every system
has limitations. In addition, new and emerging threats develop on a regular basis. An
independent security audit helps you identify and eliminate your vulnerabilities.
a) Yes
b) No

Q 4. We have an incident response plan if someone has broken into our network. Ad hoc
investigations may do more harm than good. Organizations need a formal incident
response policy and plan to provide appropriate notification and analysis of a crime scene.
a) Yes
b) No

Q 5. Our users and IT staff regularly attend training on IT security threats. User education and
training are important to stay ahead of new and emerging threats. Security workshops at your
location are a cost-effective and easy way to keep up to date.
a) Yes
b) No

Answers: 1) a, 2) a, 3) a, 4) a, 5) a

_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
92 |©ATL Education Foundation
NOTES
Session #
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
93 |©ATL Education Foundation
NOTES
Session #
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
94 |©ATL Education Foundation
NOTES
Session #
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
95 |©ATL Education Foundation
NOTES
Session #
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
96 |©ATL Education Foundation

You might also like