CYBER SECURITY STANDARDS AND POLICIES

CSA 581

1
 TODAY WE WILL TALK ABOUT:
 COMPLIANCE
 THE ISO27001 AUDIT

2
 A.15 COMPLIANCE

 A.15.1 Compliance with legal requirements

 A.15.2 Compliance with security policies and
standards, and technical
compliance
 A.15.3 Information systems audit
considerations

3
 A.15.1 Compliance with legal
requirements

Objective:
To avoid breaches of any law, statutory,
regulatory or contractual obligations, and of any
security requirements.

4
 A.15.1 Compliance with legal
requirements
 A.15.1.1 Identification of applicable legislation
 A.15.1.2 Intellectual property rights
 A.15.1.3 Safeguarding of organizational records
 A.15.1.4 Data protection and privacy of personal
information
 A.15.1.5 Prevention of misuse of information
processing facilities
 A.15.1.6 Regulation of cryptographic controls

5
 A.15.1.1 Identification of applicable
legislation

Control:
All relevant statutory, regulatory and
contractual requirements and the organization’s
approach to meet these requirements shall be
explicitly defined, documented, and kept up to
date for each information system and the
organization.

6
 A.15.1.2 Intellectual property rights

Control:
Appropriate procedures shall be implemented
to ensure compliance with legislative,
regulatory, and contractual requirements on the
use of material in respect of which there may
be intellectual property rights and on the use of
proprietary software products.

7
 A.15.1.3 Safeguarding of
organizational records

Control:
Important records shall be protected from loss,
destruction and falsification, in accordance with
statutory, regulatory, contractual, and business
requirements.

8
 A.15.1.4 Data protection and
privacy of personal information

Control:
Data protection and privacy shall be ensured
as required in relevant legislation, regulations,
and, if applicable, contractual clauses.

9
 A.15.1.5 Prevention of misuse of
information processing facilities

Control:
Users shall be deterred from using information
processing facilities for unauthorized purposes.

10
 A.15.1.6 Regulation of cryptographic
controls

Control:
Cryptographic controls shall be used in
compliance with all relevant agreements, laws,
and regulations.

11
 A.15.2 Compliance with security policies
and standards, and technical compliance

Objective:
To ensure compliance of systems with
organizational security policies and standards.

12
 A.15.2 Compliance with security policies
and standards, and technical compliance

 A.15.2.1 Compliance with security policies

and standards
 A.15.2.2 Technical compliance checking

13
 A.15.2.1 Compliance with security
policies and standards

Control:
Managers shall ensure that all security
procedures within their area of responsibility
are carried out correctly to achieve compliance
with security policies and standards.

14
 A.15.2.2 Technical compliance
checking

Control:
Information systems shall be regularly checked
for compliance with security implementation
standards.

15
 A.15.3 Information systems audit
considerations

Objective:
To maximize the effectiveness of and to
minimize interference to/from the information
systems audit process.

16
 A.15.3 Information systems audit
considerations

 A.15.3.1 Information systems audit controls

 A.15.3.2 Protection of information systems
audit tools

17
 A.15.3.1 Information systems audit
controls

Control:
Audit requirements and activities involving
checks on operational systems shall be
carefully planned and agreed to minimize the
risk of disruptions to business processes.

18
 A.15.3.2 Protection of information
systems audit tools

Control:
Access to information systems audit tools shall
be protected to prevent any possible misuse or
compromise.

19
 THE ISO27001 AUDIT

 Larger, organizations will debate the value of

actual ISO27001 certification (arguing that
what matters is the implementation of an
effective ISMS rather than a badge).
 A major objective of this course is to help
those organizations that see the value in
certification to be successful in achieving it.

20
 THE ISO27001 AUDIT
 A certification audit will use negative reporting (that
is, it will identify inadequacies rather than
adequacies) to assess an ISMS to ensure that its
documented procedures and processes, the actual
activities of the organization and the records of
implementation meet the requirements of ISO27001
and the declared scope of the system.

 The outcome of the audit will be a written audit report (usually

available at completion of the audit) and a number of non-
conformances and observations together with necessary
21 corrective actions and agreed time-frames.
 Selection of auditors

Any organization seeking certification will want to

be sure that there is a cultural fit between itself and
its supplier of certification services, and there will
certainly be all the normal issues of ensuring that
there is alignment between the desires of the buyer
and the offering, including pricing and service, of
the vendor.
It is completely appropriate to treat the selection of
a certification body with the same professionalism
as the selection of any other supplier.
22
 Selection of auditors

Two key issues (the first is relevant to organizations

that already have one or more externally certified
management systems in place and the second applies
specifically to organizations tackling ISO27001):
1. It is essential that your ISMS is fully integrated into
your organization; it will not work effectively if it is a
separate management system and exists outside of
and parallel to any other management systems
2. You should take into account when selecting your
supplier of certification services is their approach to
23 certification itself.
 Initial audit

The first formal audit, known as the

initial audit, will take place over two
stages.
• Stage 1, a documentation audit
• Stage 2, the compliance audit

24
 Initial audit

 The audit process involves testing the

organization’s documented processes (the
ISMS) against the requirements of the
standard (Stage 1, a documentation audit),
 to confirm that the organization has set out to
comply with the standard, and then testing
actual compliance by the organization with its
ISMS (Stage 2, the compliance audit).

25
 Initial audit

There are two components to carrying out

successful certification audits.
 The first is the level of preparedness of the
organization’s ISMS and
 the second is the way in which the
employees of the organization are
themselves prepared for the audit.

26
 Preparation for audit

 No audit can take place until sufficient time

has passed for the organization to
demonstrate compliance with both the full
PDCA cycle and with clause 7, the
requirement for continual improvement. In
other words, auditors will be looking for
evidence that the ISMS is continuing to
improve, not merely that it has been
implemented.
27
 Preparation for audit

 This means that a period of time will have to

elapse between completion of the
implementation and commencement of audit.

28