ISO 27001 audit evidence acquisition
Post on 13-Sep-2014
ISO 27001 audit evidence acquisition
www.informationsecurityauditors.com powered by www.riesgoriskmanagement.com [email protected]
ISO 27001 Audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL
Contents
Introduction
IS Audit overview
  Contact details
The IS Auditor
  Audit calendar
  Audit scheduling
  Audit schedule alert
The IS Audit operation
  ISO policies and our solutions
Organization of information security
  Policy dashboard
  IS Policy with review dates
  Organisation chart
  Procedure document supporting policy
Asset Management
  Asset management policies
  Information asset register
Human resources security
  HR Security policies and procedures
Physical and Environmental Security
  Physical & environment security policies and procedures
Communications and Operations Management
  Communications and operations management policies and procedures
Access Control
  Access control policies and procedure
Information systems acquisition, development and maintenance
Information security incident management
  Incident register
Business Continuity Management
Compliance
Reporting noncompliance
  Non compliance – findings and recommendations
Introduction
www.InformationsecurityAuditors.com provides a web based tool (www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO 27001 compliance.
The difference the tool makes is the manner in which it acquires compliance evidence and how the Auditor is able to determine the level of compliance and the potential gaps.
The evidence reflects an organisation's behaviour not just in the period immediately before the auditors arrive, but possibly going back over the last two quarters.
The solution is a web based tool that sits on the client's site; access for third parties can be restricted or allowed as required. Internal auditors will be able to verify compliance across all business units as long as they have access to the intranet.
IS Audit overview
Contact details
For more information about acquiring the solution please contact
Ben Oguntala
Telephone - +44 7812 039 867
The IS Auditor
The IS Audit Department can set up accounts for internal and external auditors. For the external auditor in particular, access to evidence is granted only for the period in which the audit is to be carried out.
Access for Auditors limited to the Audit period only
An Auditor can schedule audits with business units using the Audit calendar; once an audit is scheduled, an audit alert is sent to the business unit informing them of the audit that is to take place.
Audit calendar
Audit scheduling
Audit schedule alert
The IS Audit operation
ISO policies and our solutions
The evidence the tool gathers for ISO 27001 includes:
Security Policy
o Information security policy
o Our solution:
  Where is the policy: Included
  When was it published: Included
  How was it disseminated: Included
  When was it last updated: Included
  Who is responsible for the policy: Included
Organization of information security
o Internal Organization
o External Parties
Policy dashboard
IS Policy with review dates
Organisation chart
Procedure document supporting policy
Asset Management
o Responsibility for assets
o Information classification
Asset management policies
Information asset register
Human resources security
o Prior to employment
o During employment
o Termination or change of employment
HR Security policies and procedures
Physical and Environmental Security
o Secure Areas
o Equipment Security
Physical & environment security policies and procedures
Communications and Operations Management
o Operational Procedures and responsibilities
o Third party service delivery management
o System planning and acceptance
o Protection against malicious and mobile code
o Backup
Communications and operations management policies and procedures
Access Control
o Business Requirement for Access Control
o User Access Management
o User Responsibilities
o Network Access Control
o Operating system access control
o Application and Information Access Control
o Mobile Computing and teleworking
Access control policies and procedure
Information systems acquisition, development and maintenance
Same as above
Information security incident management
o Reporting information security events and weaknesses
o Management of information security incidents and improvements
Incident register
Business Continuity Management
o Information security aspects of business continuity management
Same as above
Compliance
o Compliance with legal requirements
o Compliance with security policies and standards, and technical compliance
o Information Systems audit considerations
Reporting noncompliance
Once the audit is completed, the Auditor will be able to report on each non-compliance discovered against a business unit, information asset, policy or area.
The idea behind the process is to ensure that each non-compliance is reported to the most appropriate person to take action on it. All the non-compliances together make up the report.
Non compliance – findings and recommendations
Further non-compliances, findings and recommendations can be recorded against the Audit, providing a single source for the full history of each non-compliance.
The activity log provides a running commentary of the actions taken by the Auditor or the business unit to resolve the non-compliance.