ISO 27k Notes
A ---PWC---> A
Conflict of interest
least formal
Maximum time
A --> Vendor
BSI --> A
RBI --> A
CA --> A
Sign a declaration - not audited, not provided consultancy, not been a teacher /
advisor in that company over the last 24 months.
Minimum time
---------------------------------------------------------
1. The cost of recovering from incidents is much higher than the investment towards
ISMS implementation - cost of breach
2. Builds confidence and provides assurance to clients that their information is safe
3. Adds market credentials - more and more customers will avail the services -
benefit to the company, being competitive, attracting customers
4. Implements the industry best practices into the organisation, frames policies /
SOP / process guidelines; globally accepted
5. Identified the risks, assessed the implications and respective control measures
in place... in such a way you can create your sales pitch for new clients
8. You will not be able to take part in a TENDER if not ISO 27001 certified.
Risk Identification:
Serial No.
Risk type - internal / external
risk category - technology, legal, Business Continuity (ISO 31000)
Threat - attack vector - criminals
Vulnerability - weakness - not having a strong lock
risk description - result - robbery, theft, money stolen
Risk Source
Key risk indicator (alerts, symptoms)
Risk applicable to which process/asset
Risk owner
Risk Assessment:
Financial Loss / RTO ---> BIA
Impact (1-5)
Past incidents / govt reports / Industry Trends
probability (1-5)
risk rating = impact x probability (1 - 25)
Risk Treatment:
Is above / equal / below the risk acceptance criteria (Risk Appetite)
Recommendation / remedy --> risk can be reduced, avoided, accepted, transferred,
increased (merger, outsourcing, fixed deposit --> equity / Mutual Fund)
Cost of control (Resource, money, effort ...)
Risk Mitigation Description
Link to policy, SOP
Residual Risk:
revised probability
revised Impact
revised risk rating = impact x probability (residual risk)
Risk Last reviewed
Current status
RTP#1
----- receives the certificate for first time----- valid for 3 years ------
Surveillance Audit / continuous assessment visit (CAV) - 2nd & 3rd years --- 5, 6,
8, 9, 11, 12, 14, 15 ....
Upgrade Audit - ISO / IEC 27001 : 2013 ---> ISO / IEC 27001 : 2021 (1 man day) -
Documentation
Transfer audit - 1 man day audit to transfer the certificate from previous CB to
our CB. (The certificate is under IAF, previous NC are closed, NOC from the last
CB, compliance is okay or not)
Ans: We contact the SPOC at the initiation phase of the audit to have an
understanding of the business and to know the scope of the audit.
2. What will you discuss with the SPOC while you have called during the initiation
phase of the audit?
Ans:
audit schedule
mode of communication
authority to conduct audit
Scope
objective
criteria
arrangements for safety, health, security
confidentiality, NDA
applicable statutory and regulatory requirements
attendees - observers, guides / interpreters
logistics (transport, location, time needed)
Audit plan / schedule
conflict of interest
Gate pass (govt id, laptop asset tags, etc)
Access to Wifi or Internet connection availability
what devices are allowed within premises / room
law & order in locality
time taken for issuing gate pass
Time from main gate to opening meeting room
Safety briefing at the main gate
Resources:
Auditors: ONE Lead Auditor (team leader), Co-auditors (team members), Technical
experts, Trainee auditors / Junior observers, Senior Observers, Interpreters
P code - professional code: qualify the LA exam from IRCA, 8 internal exams need to be
qualified --> trainee auditor / Junior observer ---> 40 man days audit observations
[1 stage-I, 1 stage-II, 1 CAV, 1 reCert] --> 1st QR (Qualifying Review) --->
Auditor --> 40 man days audit observations [1 stage-I, 1 stage-II, 1 CAV, 1 reCert]
--> 2nd QR (Qualifying Review) ---> Lead Auditor
Opening Meeting
1. thank you note
2. Introduction
3. Scope
4. Objective
5. Criteria
6. Methodology, Language
7. Sampling
8. Confidentiality
9. Audit plan
11. Appeal
Objective Evidence?
Objective evidence means that the evidence is based on FACTS and can be verified.
During the walkthrough on 12 Dec 2021 at 1 PM it was observed that the finance
report was lying on the desk of cubicle 14 at Finance Dept, unattended, while the
file is classified as confidential.
The record shows that this laptop PC has been bought from the company by an
employee for their private use. When asked about this, the manager explains that
usable equipment is sold internally with proceeds going to a nominated charity. You
ask to see the equipment in use to see if information has been erased as stated in
the record. The manager starts the PC which boots up to show a Microsoft Windows
XP® operating system. Further inspection of File Explorer indicates that the file
system is apparently empty.
Marks = 10 (2 + 3 + 3 + 1 + 1)
NC Evidence (3) : Examining the disposal record for asset number 1234, a laptop, it
has been found that the PC boots to Windows XP, even though on the final inspection records
the word ‘OK’ is written next to the statement, signifying that all information has
been securely erased from the device.
Clause / Control requirement (1): ISO 27001:2013 CL A.11.2.7 requires that all
items of equipment containing storage media shall be verified to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior
to disposal or re-use.
During an audit of an insurance company, you ask the Training Manager to show you
the training records for three people who work in the Claims Department. You see
from the training records that each has attended a course on ‘care of customer
information’. The Training Manager explains that the course aims to maintain
awareness of operational information security practices. You ask the Training
Manager how they evaluated the training and are told “We ask every person who
attends a training course to complete a questionnaire on whether they enjoyed the
course, how useful they found the training and how good the tutor was. This
information helps us decide whether to send other staff on the course”. You examine
the questionnaires completed by the three people who attended the care of customer
information course. All three awarded high marks on how enjoyable they found the
course and the usefulness of the course. All three also awarded a satisfactory
score for the tutor.
Evidence: marks/score awarding criteria. Qualifying score. Training policy & SOP.
You are auditing the management of patient records in a large European private
medical business. You note that a recent change has been made to the document
management workflow and that paper patient records are now being scanned and
electronically stored.
You ask for further information and the Records Manager describes how patient
records are batched, scanned and stored in a proprietary document management
system. You ask how the information is backed up to ensure availability and note
that a back-up copy is periodically transmitted to a new office in Singapore.
Later, you follow-up this information with the IT Manager and he confirms that the
new Singapore office has a state-of-the-art data centre which stores the data back-
ups from all of the European sites. On examining the ISMS documented scope
statement, it is clear that the Singapore office is not included. When you query
this, the IT Manager states that it doesn't matter as the data is encrypted before
being transmitted to Singapore.
There is no nonconformity as data was encrypted and it is not clear if there has
been a data breach. Further investigation is needed to determine how the
organisation has maintained the data at the remote location. It is not mandatory to
have all locations within scope (2)
1. What type of encryption has been used to encrypt data?
Evidence : Data protection & privacy policy, any incident, any penalty
How we are removing the confidential data not required after a period of time
5. Did you take consent from the patients before transferring data to Singapore?
Section 1 - 10mins
Section 2 - 15 mins
Section 3 - 45mins
Section 4 - 30 mins
2 hours 2 mins
We have to cover every dept within scope and mentioned in audit plan. Leaving out a
dept will keep the audit incomplete.
- We need to look into those NC from internal audit and check the effectiveness of
the corrective actions implemented so far.
- We may find additional gaps in the dept
- We may have findings which have dependencies on other depts.
- We can understand the competency of the internal auditor
4.1 - did you determine the internal & external issues? Evidence: Context of the
organisation
4.2 - did you determine the needs and expectations of interested parties? Evidence:
Context of the organisation
6.1.3 - What controls have been identified? Evidence - Risk Treatment plan
9.2 - Did you conduct internal audit in this dept? Evidence - Internal audit report
9.3 - did you discuss the risk in this dept to top management? Evidence - MOM of
MRM
2. Bank statement
4. Agreements / NDA
6. Employee CVs
3. helps to concentrate on most relevant information which can help to cover in the
scheduled time.
Closing Meetings -
1. Welcome
5. Scope
8. Sampling risks
9. Confidentiality
13. Verdict
14. Appeal
1. Top Management -
b) What expansion plans do you have? What's there in the future - 1 year? What's the
future growth strategy?
d) On-going employment -
1. awareness training?
2. content of training
3. choice of faculty
4. training calendar
9. How do you keep the documents? Physical security? Access control to the records?
Fire detection and suppression control systems? Whether you have a shredder?
e) Exit / transfer -
4. How do you recover the assets after they leave job? Did they return all assets
on or before last date of job?
6. Do you conduct exit interviews? Do you ask him about ISMS gaps in the interview?
9. If you are giving the same machine / PC / laptop to another person, how do IT
sanitise it?
10. How do you measure the competency of the employee? Have you mapped competency
requirements?
11. Show me the ORG CHART. Are job descriptions well defined? Is ISMS responsibility
mentioned in each role?
12. Who is the internal auditor? Is there any conflict of interest? What is his
competency? Is he Lead Auditor certified? Does he audit his own dept?
13. Any employee code of conduct? Employee handbook where ISMS is also mentioned
15. How do you take care of mental health and depression among the employees who are
locked down during lockdown?
3. Do you have any vendor (HRMS) for HR? What is their BCP for critical vendors?
6. How do you ensure that your HR data is safe on cloud / vendor portal?
3. How frequently do you update the Secure coding policy / SOP? When was the last
time that you have updated?
How many team members in coding, testing?
Did they sign NDA? Are those agencies ISO27001 compliant? Do they conduct
background verification for their developers?
Who has the IP rights to the code? Agency or you? Is it clearly mentioned in the
contract?
How do you ensure there is no IP violation in the source code? How do you stop copy
paste of code from copyrighted sources to your software? Is this awareness provided
to designers / developers?
TFS? Github?
How to review access? Deactivate access when a developer / designer has left the
organisation or moved to different project?
Are these testers certified on any global ethical hacking certificate? Do they have
enough expertise to run the tools or manual testing or penetration testing?
Show some test cases and test data related to security testing.
If developers are working from home, do they log in to VDI to code? Or is the code
downloaded to their laptop's local drive (localhost)?
If a copy of the code is on the laptop, how did you encrypt the local disk drive?
Did you use DLP in the endpoints used for coding? Is USB open or blocked?
Can the developers access public mail or public FTP from the laptops?
If they use VDI, did you check whether hardening has been done in VDI so that code
is not downloaded from VDI to local machines? Does the VDI have the latest patches, DLP?
Is the tool open source? How do you patch the tool or upgrade to latest version?
How do you check licensing issues? Do you have redundant licenses for all
developers, if you are using proprietary tools like MS Visual Studio, etc. Do you
conduct SAM audit?
How do you manage Zero Day vulnerabilities for the software / programming languages
/ database you use for your development?
When was the last time you have provided information security training to the
developers / testers?
How many of these gaps are closed? What is the policy on gap closure?
Did you manage to close the gaps within the deadline, or was there a delay?
Is the delay justified? Mentioned in MRM?
Business Continuity: RTO / RPO measurement has been done for the process?
Plan - clause 4, 5, 6, 7
Do - 8 (operations)
Act - 10 (improvement)