ISO 27001 audit evidence acquisition


Posted on 13-Sep-2014


DESCRIPTION

www.InformationsecurityAuditors.com provides a web based tool (www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO27001 compliance. The difference the tool makes is the manner in which it acquires compliance evidence and how the Auditor is able to determine the level of compliance and potential gaps. Evidence reflects an organisation’s behaviour not just prior to the arrival of the auditors but possibly going back for the last two quarters. The solution is a web based tool that sits on the client’s site and access can be restricted or allowed for 3rd parties. Internal auditors will be able to ensure compliance across all business units as long as they have access to the intranet.

TRANSCRIPT

Page 1: Iso 27001 Audit Evidence Acquisition

ISO 27001 audit evidence acquisition

www.informationsecurityauditors.com powered by www.riesgoriskmanagement.com [email protected]

ISO 27001 Audit evidence acquisition

THE NEXT GENERATION SECURITY AUDIT TOOL

Contents

Introduction ............................................................................................................................................ 3

IS Audit overview .................................................................................................................................... 4

Contact details ........................................................................................................................................ 4

The IS Auditor.......................................................................................................................................... 5

Audit calendar ..................................................................................................................................... 5

Audit scheduling ................................................................................................................................. 6

Audit schedule alert ............................................................................................................................ 6

The IS Audit operation ............................................................................................................................ 7

ISO policies and our solutions ............................................................................................................. 7

Organization of information security ...................................................................................................... 8

Policy dashboard ................................................................................................................................. 8

IS Policy with review dates.................................................................................................................. 8

Organisation chart .............................................................................................................................. 9

Procedure document supporting policy ............................................................................................. 9

Asset Management ................................................................................................................................. 9

Asset management policies .............................................................................................................. 10

Information asset register................................................................................................................. 10

Human resources security .................................................................................................................... 10

HR Security policies and procedures................................................................................................. 11

Physical and Environmental Security .................................................................................................... 11

Physical & environment security policies and procedures ............................................................... 11

Communications and Operations Management................................................................................... 11

Communications and operations management policies and procedures ........................................ 12

Access Control ....................................................................................................................................... 12

Access control policies and procedure ............................................................................................. 13

Information systems acquisition, development and maintenance ...................................................... 13

Information security incident management ......................................................................................... 14

Page 2: Iso 27001 Audit Evidence Acquisition


Incident register ................................................................................................................................ 14

Business Continuity Management ........................................................................................................ 14

Compliance ........................................................................................................................................... 14

Reporting noncompliance ..................................................................................................................... 15

Non compliance – findings and recommendations .......................................................................... 15

Page 3: Iso 27001 Audit Evidence Acquisition


Introduction

www.InformationsecurityAuditors.com provides a web based tool (www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO27001 compliance.

The difference the tool makes is the manner in which it acquires compliance evidence and how the Auditor is able to determine the level of compliance and potential gaps.

Evidence reflects an organisation’s behaviour not just prior to the arrival of the auditors but possibly going back for the last two quarters.

The solution is a web based tool that sits on the client’s site and access can be restricted or allowed for 3rd parties. Internal auditors will be able to ensure compliance across all business units as long as they have access to the intranet.

Page 4: Iso 27001 Audit Evidence Acquisition


IS Audit overview

Contact details

For more information about acquiring the solution please contact

Ben Oguntala

[email protected]

Telephone - +44 7812 039 867

Page 5: Iso 27001 Audit Evidence Acquisition


The IS Auditor

The IS Audit Department can set up accounts for internal and external auditors. For the external auditor in particular, access to evidence is granted only for the period in which the audit is to be carried out.

Access for Auditors limited to the Audit period only

An Auditor can schedule audits with business units using the Audit calendar. Once scheduled, an Audit alert is sent to the business unit informing it of the audit to take place.

Audit calendar
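The two access rules stated above, evidence access for an external auditor limited to the scheduled audit period and evidence reaching back two calendar quarters before the audit, can be expressed as a small, testable check. The code below is an added illustration, not code from the brochure or from the riesgoriskmanagement.com tool; the account record, the function names and the assumption that internal auditors are not time-bounded are mine.

```python
"""Time-bounded auditor access and evidence lookback window (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuditorAccount:
    """Hypothetical account record: for an external auditor the audit period
    is the only window in which evidence may be read."""
    name: str
    external: bool
    audit_start: date  # first day of the scheduled audit (inclusive)
    audit_end: date    # last day of the scheduled audit (inclusive)


def make_account(name: str, external: bool, start_iso: str, end_iso: str) -> AuditorAccount:
    """Build an account from ISO dates, rejecting an inverted audit period."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    if end < start:
        raise ValueError("audit period ends before it starts")
    return AuditorAccount(name, external, start, end)


def can_access_evidence(account: AuditorAccount, on_iso: str) -> bool:
    """External auditors are limited to the audit period (both ends inclusive).
    Internal auditors are assumed not to be time-bounded, since the brochure
    says they work across all business units over the intranet."""
    if not account.external:
        return True
    on = date.fromisoformat(on_iso)
    return account.audit_start <= on <= account.audit_end


def evidence_lookback_start(audit_start_iso: str, quarters: int = 2) -> str:
    """Earliest evidence date the audit should cover: the first day of the
    calendar quarter `quarters` before the quarter containing the audit start."""
    audit_start = date.fromisoformat(audit_start_iso)
    year = audit_start.year
    month = ((audit_start.month - 1) // 3) * 3 + 1  # first month of the quarter
    for _ in range(quarters):
        month -= 3
        if month < 1:  # crossed a year boundary
            month += 12
            year -= 1
    return date(year, month, 1).isoformat()


def evidence_visible(account: AuditorAccount, on_iso: str, evidence_date_iso: str) -> bool:
    """Combined check: the auditor is inside their access window and the
    evidence item lies within the lookback window up to the end of the audit."""
    if not can_access_evidence(account, on_iso):
        return False
    evidence_date = date.fromisoformat(evidence_date_iso)
    earliest = date.fromisoformat(evidence_lookback_start(account.audit_start.isoformat()))
    return earliest <= evidence_date <= account.audit_end


if __name__ == "__main__":
    # Constructed sample: a one-week external audit in September 2014.
    ext = make_account("external-auditor", True, "2014-09-15", "2014-09-19")
    print(can_access_evidence(ext, "2014-09-14"), can_access_evidence(ext, "2014-09-16"))
    print(evidence_lookback_start("2014-09-15"))
```

The day before the audit starts and the day after it ends both return False for the external account, which is the boundary a reviewer should test when a tool claims "access limited to the audit period only".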

Page 6: Iso 27001 Audit Evidence Acquisition


Audit scheduling

Audit schedule alert

Page 7: Iso 27001 Audit Evidence Acquisition


The IS Audit operation

ISO policies and our solutions

The evidence the tool gathers for ISO 27001 includes:

Security Policy

o Information security policy

o Our solution

Where is the policy ........................... Included

When was it published ......................... Included

How was it disseminated ....................... Included

When was it last updated ...................... Included

Who is responsible for the policy ............. Included

Page 8: Iso 27001 Audit Evidence Acquisition


Organization of information security

o Internal Organization

o External Parties

Policy dashboard

IS Policy with review dates

Page 9: Iso 27001 Audit Evidence Acquisition


Organisation chart

Procedure document supporting policy

Asset Management

o Responsibility for assets

o Information classification

Page 10: Iso 27001 Audit Evidence Acquisition


Asset management policies

Information asset register

Human resources security

o Prior to employment

o During employment

o Termination or change of employment

Page 11: Iso 27001 Audit Evidence Acquisition


HR Security policies and procedures

Physical and Environmental Security

o Secure Areas

o Equipment Security

Physical & environment security policies and procedures

Communications and Operations Management

o Operational Procedures and responsibilities

o Third party service delivery management

o System planning and acceptance

o Protection against malicious and mobile code

o Backup

Page 12: Iso 27001 Audit Evidence Acquisition


Communications and operations management policies and procedures

Access Control

o Business Requirement for Access Control

o User Access Management

o User Responsibilities

o Network Access Control

o Operating system access control

o Application and Information Access Control

o Mobile Computing and teleworking

Page 13: Iso 27001 Audit Evidence Acquisition


Access control policies and procedure

Information systems acquisition, development and maintenance

Same as above

Page 14: Iso 27001 Audit Evidence Acquisition


Information security incident management

o Reporting information security events and weaknesses

o Management of information security incidents and improvements

Incident register

Business Continuity Management

o Information security aspects of business continuity management

Same as above

Compliance

o Compliance with legal requirements

o Compliance with security policies and standards, and technical compliance

o Information Systems audit considerations

Page 15: Iso 27001 Audit Evidence Acquisition


Reporting noncompliance

Once the audit is completed the Auditor will be able to report on each non-compliance that was discovered against a business unit, information asset, policy or area.

The idea behind the process is to ensure that each non-compliance is reported to the most appropriate person to take action on it. All the non-compliances together make up the report.

Non compliance – findings and recommendations

Multiple non-compliances, findings and recommendations can be recorded against the audit, providing a single source for the whole history of each non-compliance.

The activity log provides a running commentary of the actions that have been taken by the Auditor or the business unit to resolve the non-compliance.