ISO 27k Notes


First Party Audit --> internal audit

A ---PWC---> A

Conflict of interest

least formal

Maximum time

Sample size is high

Second party --> Vendor Audit

A --> Vendor

World bank wants to outsource their digitisation project to TCS

World Bank --> KPMG --> TCS (data privacy)

Third party - Regulatory body, statutory body, ISO audit (neutral)

BSI --> A

RBI --> A

CA --> A

Sign a declaration - not audited, not provided consultancy, not been a teacher /
advisor in that company over the last 24 months.

most formal audit --> ISO 19011 : 2018

Minimum time

Sample quality is the best

---------------------------------------------------------

Material Movement register

Why do we need ISO 27001?

1. The cost of recovering from incidents is much higher than the investment in
ISMS implementation - cost of breach
2. Builds confidence and provides assurance to clients that their information is safe

3. Adds market credentials - more and more customers will avail of the services -
benefit to the company, being competitive, attracting customers

4. Implement the industry best practices into the organisation, frame policies /
SOP / process guidelines; Globally accepted

5. Identify the risks, assess the implications and put the respective control measures
in place...in this way you can create your sales pitch for new clients

6. 2nd party audit may not be required

7. ISO 27001 certificate may be a requirement to obtain a business license for some
businesses - ISP, Telecom, Data center

8. You will not be able to take part in a TENDER if not ISO 27001 certified.

andeep Sengupta: Risk Register


-----------------

Risk Identification:

Serial No.
Risk type - internal / external
risk category - technology, legal, Business Continuity (ISO 31000)
Threat - attack vector - criminals
Vulnerability - weakness - not having a strong lock
risk description - result - robbery, theft, money stolen
Risk Source
Key risk indicator (alerts, symptoms)
Risk applicable to which process/asset
Risk owner

Risk Assessment:
Financial Loss / RTO ---> BIA
Impact (1-5)
Past incidents / govt reports / Industry Trends
probability (1-5)
risk rating = impact x probability (1 - 25)

Risk Treatment:
Is it above / equal to / below the risk acceptance criteria (Risk Appetite)?
Recommendation / remedy --> risk can be reduced, avoided, accepted, transferred,
increased (merger, outsourcing, fixed deposit --> equity / Mutual Fund)
Cost of control (Resource, money, effort ...)
Risk Mitigation Description
Link to policy, SOP

Mapping to Annex A (114) ---> STATEMENT OF APPLICATION (cl 6.1.3 d)

Residual Risk:
revised probability
revised Impact
revised risk rating = impact x probability (residual risk)
Risk Last reviewed
Current status
RTP#1

Risk Treatment plan:


Residual Risk - RTP#1
Description of Treatment plan
Responsible
Deadline
Review frequency
Last reviewed date
RCA for failure
Actual date of completion
Current status
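As an added worked example (not part of these notes), the register fields above can be modelled as a small Python structure that computes the risk rating (impact x probability, 1 - 25), compares it with the risk acceptance criteria, and derives the residual rating and RTP status once a treatment is recorded. The risk appetite value of 6, the rule that a rating equal to the appetite is acceptable, the Annex A references used and the sample entries are all constructed assumptions for illustration.

```python
"""Minimal ISO 27001-style risk register (constructed example, not from the notes)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)  # impact and probability are each scored 1-5
# treatment options listed in the notes: reduce, avoid, accept, transfer, increase
TREATMENTS = {"reduce", "avoid", "accept", "transfer", "increase"}


def rating(impact: int, probability: int) -> int:
    """Risk rating = impact x probability, giving a value from 1 to 25."""
    if impact not in SCALE or probability not in SCALE:
        raise ValueError("impact and probability must be scored 1-5")
    return impact * probability


@dataclass
class Risk:
    """One row of the register: identification, assessment and treatment fields."""
    serial_no: int
    description: str                      # result, e.g. "confidential data leaked"
    threat: str                           # attack vector
    vulnerability: str                    # weakness being exploited
    owner: str
    impact: int                           # 1-5, informed by BIA / financial loss / RTO
    probability: int                      # 1-5, informed by past incidents / trends
    annex_a_controls: list[str] = field(default_factory=list)  # mapping that feeds the SoA
    treatment: Optional[str] = None       # one of TREATMENTS once decided
    revised_impact: Optional[int] = None  # residual-risk assessment after treatment
    revised_probability: Optional[int] = None

    def inherent_rating(self) -> int:
        return rating(self.impact, self.probability)

    def residual_rating(self) -> Optional[int]:
        if self.revised_impact is None or self.revised_probability is None:
            return None
        return rating(self.revised_impact, self.revised_probability)


def status(risk: Risk, appetite: int) -> str:
    """Classify a row against the risk acceptance criteria.

    Assumption (not stated in the notes): a rating at or below the appetite is
    acceptable as-is; anything above it must carry a treatment and a residual
    rating that falls back within the appetite before it can be closed.
    """
    inherent = risk.inherent_rating()
    if inherent <= appetite:
        return "ACCEPTED"
    if risk.treatment is None:
        return "OPEN - NO TREATMENT"
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {risk.treatment!r}")
    residual = risk.residual_rating()
    if residual is None:
        return "OPEN - RESIDUAL NOT ASSESSED"
    if residual > appetite:
        return "OPEN - RESIDUAL ABOVE APPETITE"
    return "TREATED"


def summarise(register: list[Risk], appetite: int) -> dict[int, tuple[int, Optional[int], str]]:
    """Serial number -> (inherent rating, residual rating, status)."""
    return {r.serial_no: (r.inherent_rating(), r.residual_rating(), status(r, appetite))
            for r in register}


def open_items(register: list[Risk], appetite: int) -> list[int]:
    """Serial numbers that still need an entry on the risk treatment plan (RTP)."""
    return [r.serial_no for r in register if status(r, appetite).startswith("OPEN")]


RISK_APPETITE = 6  # constructed acceptance criterion: anything rated above 6 must be treated

# Constructed sample register; the first three rows echo the case studies in the notes.
SAMPLE_REGISTER = [
    Risk(1, "confidential data leaked from a disposed laptop", "buyer of second-hand equipment",
         "disposal record says 'OK' but the disk was never wiped", "IT Manager", impact=4,
         probability=3, annex_a_controls=["A.11.2.7"], treatment="reduce",
         revised_impact=4, revised_probability=1),
    Risk(2, "patient record backups read in transit to remote DC", "interception of backup traffic",
         "remote site outside ISMS scope, encryption unverified", "IT Manager", impact=5,
         probability=2, annex_a_controls=["A.10.1"]),  # no treatment decided yet
    Risk(3, "confidential finance report read by a visitor", "opportunistic visitor",
         "report left unattended on a desk", "Finance Head", impact=3, probability=4,
         treatment="transfer", revised_impact=3, revised_probability=3),  # insurance alone
    Risk(4, "stationery pilfered from the store", "opportunistic staff", "unlocked cupboard",
         "Admin", impact=1, probability=3),
]


if __name__ == "__main__":
    for serial, (inherent, residual, state) in summarise(SAMPLE_REGISTER, RISK_APPETITE).items():
        print(f"#{serial}: inherent={inherent:2d} residual={residual} status={state}")
    print("RTP needed for:", open_items(SAMPLE_REGISTER, RISK_APPETITE))
```

Running it shows why the residual-risk columns matter: risk #3 has a treatment recorded but its residual rating (9) is still above the appetite, so it stays open on the RTP, while risk #1 drops to 4 after the wipe-and-verify control and can be closed.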

Stage-1 Audit - Intent / Documentation (Mandatory documents) / strategy / Planning


- Policy, SOP, templates

--- one to three months-----

Stage-2 Audit - Implementation + Effectiveness

----- receives the certificate for first time----- valid for 3 years ------

Surveillance Audit / continuous assessment visit (CAV) - 2nd & 3rd years --- 5, 6,
8, 9, 11, 12, 14, 15 ....

ReCertification Audit - 4th year (Stage1&2), 7, 10, 13, 16 ....

Upgrade Audit - ISO / IEC 27001 : 2013 ---> ISO / IEC 27001 : 2021 (1 man day) -
Documentation

Extension to scope audit - addition in scope

Transfer audit - 1 man day audit to transfer the certificate from previous CB to
our CB. (The certificate is under IAF, previous NC are closed, NOC from the last
CB, compliance is okay or not)

Follow up Audit - close major NC

1. Why do you need to contact the SPOC before the audit?

Ans: We contact the SPOC at the initiation phase of the audit to gain an
understanding of the business and to know the scope of the audit.

2. What will you discuss with the SPOC when you call during the initiation
phase of the audit?

Ans:

audit schedule
mode of communication
authority to conduct audit
Scope
objective
criteria
arrangements for safety, health, security
confidentiality, NDA
applicable statutory and regulatory requirements
attendees - observers, guides / interpreters
logistics (transport, location, time needed)
Audit plan / schedule
conflict of interest
Gate pass (govt id, laptop asset tags, etc)
Access to Wifi or Internet connection availability
what devices are allowed within premises / room
law & order in locality
time taken for issuing gate pass
Time from main gate to opening meeting room
Safety briefing at the main gate

Resources:

Auditors: ONE Lead Auditor (team leader), Co-auditors (team members), Technical
experts, Trainee auditors / Junior observers, Senior Observers, Interpreters

P code - professional code: qualify in the LA exam from IRCA and the 8 internal exams
--> trainee auditor / Junior observer ---> 40 man days of audit observations
[1 stage-I, 1 stage-II, 1 CAV, 1 reCert] --> 1st QR (Qualifying Review) --->
Auditor --> 40 man days of audit observations [1 stage-I, 1 stage-II, 1 CAV, 1 reCert]
--> 2nd QR (Qualifying Review) ---> Lead Auditor

T code - technical code:

Auditee: Top Management, SPOC / client representative, dept representatives / risk
owners, Observers, Interpreters, consultants, guides, witnesses, coordinators,
logistics.

Opening Meeting
1. thank you note

2. Introduction

3. Scope

4. Objective

5. Criteria

6. Methodology, Language

7. Sampling

8. Confidentiality

9. Audit plan

10. Possible Outcome

11. Appeal

Objective Evidence?

Objective evidence means that Evidence is based on FACTS & can be verified.

Finding - Clear desk

During the walkthrough on 12 Dec 2021 at 1 PM it was observed that the finance
report was lying on the desk of cubicle 14 at Finance Dept, unattended, while the
file is classified as confidential.

In an area dedicated to disposal of failed and redundant IT equipment you are
examining the disposal record for asset number 1234, a laptop PC. You note that in
the final inspection records the word ‘OK’ is written next to the statement that
all information has been securely erased from the device.

The record shows that this laptop PC has been bought from the company by an
employee for their private use. When asked about this, the manager explains that
usable equipment is sold internally with proceeds going to a nominated charity. You
ask to see the equipment in use to see if information has been erased as stated in
the record. The manager starts the PC which boots up to show a Microsoft Windows
XP® operating system. Further inspection of File Explorer indicates that the file
system is apparently empty.

Marks = 10 (2 + 3 + 3 + 1 + 1)

This is a NC. (2)


NC Statement (3) : Data has not been properly erased from the laptop hard disk which
is supposed to be given away for charity; this may cause confidential data leakage.

NC Evidence (3) : Examining the disposal record for asset number 1234, a laptop, it
has been found that the PC boots to Windows XP, even though on the final inspection
records the word ‘OK’ is written next to the statement signifying that all
information has been securely erased from the device.

Clause / Control requirement (1): ISO 27001:2013 CL A.11.2.7 requires that all
items of equipment containing storage media shall be verified to ensure that any
sensitive data and licensed software has been removed or securely overwritten prior
to disposal or re-use.

1 mark for overall clarity

During an audit of an insurance company, you ask the Training Manager to show you
the training records for three people who work in the Claims Department. You see
from the training records that each has attended a course on ‘care of customer
information’. The Training Manager explains that the course aims to maintain
awareness of operational information security practices. You ask the Training
Manager how they evaluated the training and are told “We ask every person who
attends a training course to complete a questionnaire on whether they enjoyed the
course, how useful they found the training and how good the tutor was. This
information helps us decide whether to send other staff on the course”. You examine
the questionnaires completed by the three people who attended the care of customer
information course. All three awarded high marks on how enjoyable they found the
course and the usefulness of the course. All three also awarded a satisfactory
score for the tutor.

2 + 2 marks x 4 trailing questions (question = 1 mark, evidence = 1 mark)

There is no nonconformity and further investigation is needed to determine how the
organisation evaluates the effectiveness of training. (2)

1. Do you conduct any post training quiz or evaluation?

Evidence: Score sheet for post training evaluation

2. Do you have any criteria set for passing?

Evidence: marks/score awarding criteria. Qualifying score. Training policy & SOP.

3. If the candidate fails, how is the re-evaluation done?

Evidence: Score sheets of candidates, training calendar, retest scores


4. Do you allow the quiz to be retaken to achieve the required %?

Is there a specific timeline or no. of attempts for re-evaluation?

Evidence: Training policy & SOP, training calendar

5. What was the mode of training?

Evidence: Training materials, SOP

6. How do you draft & evaluate the training content?

Evidence: Training content, PPT, PDF, Videos of training session

7. How do you select the participants?

Ans: Pre training evaluation

8. Do you match any incident with the training effectiveness?

Evidence: Training calendar, incident register, RCA & training mapping

9. How often is the training taken?

Evidence: Training calendar

You are auditing the management of patient records in a large European private
medical business. You note that a recent change has been made to the document
management workflow and that paper patient records are now being scanned and
electronically stored.

You ask for further information and the Records Manager describes how patient
records are batched, scanned and stored in a proprietary document management
system. You ask how the information is backed up to ensure availability and note
that a back-up copy is periodically transmitted to a new office in Singapore.
Later, you follow-up this information with the IT Manager and he confirms that the
new Singapore office has a state-of-the-art data centre which stores the data back-
ups from all of the European sites. On examining the ISMS documented scope
statement, it is clear that the Singapore office is not included. When you query
this, the IT Manager states that it doesn't matter as the data is encrypted before
being transmitted to Singapore.

2 + 2 marks x 4 trailing questions (question = 1 mark, evidence = 1 mark)

There is no nonconformity as the data was encrypted and it is not clear whether there
has been a data breach. Further investigation is needed to determine how the
organisation has maintained the data at the remote location. It is not mandatory to
have all locations within scope. (2)
1. What type of encryption has been used to encrypt data?

What is the encryption algorithm used?

Evidence: cryptography policy

2. Need to investigate more on PII data travelling to the Singapore DC as per the
requirements of GDPR.

Evidence : Data protection & privacy policy, any incident, any penalty

3. How long will you retain the data in the DC?

How are we removing the confidential data that is not required after a period of time?

Evidence: data archival or destruction policy

4. How is competency provided to the resources working in Singapore?

Evidence: Skill matrix, training, evaluation score

5. Did you take consent from the patients before transferring data to Singapore?

Evidence: Consent form with signatures

Section 1 - 10mins

Section 2 - 15 mins

Section 3 - 45mins

Section 4 - 30 mins

2 hours 2 mins

Internal audit already done, so not required.

We have to cover every dept within scope and mentioned in the audit plan. Leaving out a
dept will leave the audit incomplete.
- We need to look into those NCs from the internal audit and check the effectiveness of
the corrective actions implemented so far.
- We may find additional gaps in the dept
- We may have findings which have dependencies on other depts
- We can understand the competency of the internal auditor

A.10.1 - What is the level of encryption? Evidence - Cryptographic Policy

4.1 - did you determine the internal & external issues? Evidence: Context of the
organisation
4.2 - did you determine the needs and expectations of interested parties? Evidence:
Context of the organisation

5.2 - did you formulate a policy? Evidence - approved policy

6.1.2 - Did you assess the risk? Evidence - risk register

6.1.3 - What controls have been identified? Evidence - Risk Treatment plan

6.1.3 d - Is there any exclusion in the controls? Evidence - SoA

9.2 - Did you conduct internal audit in this dept? Evidence - Internal audit report

9.3 - did you discuss the risk in this dept to top management? Evidence - MOM of
MRM

10.1 - what corrective actions are taken? Evidence - CAP

what is an example of documented information of external origin?

1. third party audit reports

2. Bank statement

3. Invoices, purchase orders

4. Agreements / NDA

5. Govt certificates, compliance certificates (Trade License)

6. Employee CVs

7. Legal notices, court orders

Advantage of having good documentation?

1. Process oriented company - gives clarity to employees and the process is clearly
followed

2. handover to another person easy

3. Helps to concentrate on the most relevant information, which helps to cover it in the
scheduled time.

4. Helps in training employees and giving proper awareness

Disadvantage of having too much documentation?

1. Time consuming / focus away from real work

2. Updating the document is difficult

3. Retrieving the right information from the document is difficult

On what factors does this documentation depend?

1. knowledge of the document creator

2. Size of the company

3. Number of resources allocated for the documentation

Closing Meetings -

1. Welcome

2. Thanks for the cooperation & hospitality

3. Thanks for allowing BSI to be a partner in assessing the ISMS

4. Auditors who participated

5. Scope

6. Objective & criteria of the audit

7. Methods used in audit

8. Sampling risks

9. Confidentiality

10. Positive findings

11. Gaps - NC, OFI

12. Summary of the findings - calculations

13. Verdict

14. Appeal

15. Next follow up steps

16. Next date of audit

1. Top Management -

a) How is business going?

b) What expansion plans do you have? What's there in the future - 1 year? What is the
future growth strategy?

c) Why are you going for ISO 27001?

d) How is ISO 27001 helping you out? Any value addition?

e) Any specific dept that you want me to focus on in depth?

f) Any challenges that you are facing in ISO 27k implementation?

g) Any incident over the last 1 year?

h) What do you think is the major risk to your organisation?

d) On-going employment -

1. awareness training?

2. content of training

3. choice of faculty

4. training calendar

5. method - elearning, F2F classroom, mock drills, screensavers, newsletters,
posters, quiz, circulars, meetings, anti-phishing simulations, etc.

6. post training evaluation

7. How do you ensure segregation of duties?

8. policy - grievance / POSH / REPORTING INCIDENTS / whistleblower

9. How do you keep the documents? Physical security? Access control to the records?
Fire detection and suppression control systems? Whether you have a shredder?

e) Exit / transfer -

1. How do you handle absconding cases?

2. What is the procedure of termination?

3. Are there any responsibilities of the employees/contractors even after leaving
your organization?

4. How do you recover the assets after they leave the job? Did they return all assets
on or before the last date of the job?

5. Are all IDs deactivated on or before the last date of the job?

6. Do you conduct exit interviews? Do you ask them about ISMS gaps in the interview?

7. Retention policy of the employee related information / data / personal data
files (if any), and can a person rejoin?

9. If you are giving the same machine / PC / laptop to another person, how does IT
sanitise it?

10. How do you measure the competency of the employee? Have you mapped competency
requirements?

11. Show me the ORG CHART. Are job descriptions well defined? Is ISMS responsibility
mentioned in each role?

12. Who is the internal auditor? Is there any conflict of interest? What is his
competency? Is he Lead Auditor certified? Does he audit his own dept?

13. Any employee code of conduct? Employee handbook where ISMS is also mentioned

14. Do you have teleworking policy?

15. How do you take care of mental health, depression among the employees who are
locked down during lockdown?

f) HR Incidents / Disciplinary actions -

1. How many incidents over last 1 year?

2. Where to report the incident?

3. Are POSH / data protection / privacy incidents reported to the highest authority directly?

4. What are the RCA, correction, CAP? Closure status?

5. Has disciplinary action been taken?

g) Business Continuity (related to staff availability)

1. How do you manage succession plans?

2. What are your plans for business continuity during unavailability of people
during a pandemic?

3. Do you have any vendor (HRMS) for HR? What is their BCP for critical vendors?

4. Do you have multiple vendors for critical services?

5. Did you do VAPT for any SaaS based HRMS solution?

6. How do you ensure that your HR data is safe on cloud / vendor portal?

Software - Control number: A.14

1. What is your secure coding framework? - OWASP / NIST?

2. Show your secure code policy, SOP.

3. How frequently do you update the Secure coding policy / SOP? When was the last
time that you updated it?
How many team members are in coding, testing?

Is the entire process in-house? or any part outsourced?

If outsourced, do the outsourced developers develop the code in your VDI?

Or do they develop in their system and transfer the code to you?

Did they sign an NDA? Are those agencies ISO 27001 compliant? Do they conduct
background verification for their developers?

Who has the IP rights to the code? Agency or you? Is it clearly mentioned in the
contract?

How do you ensure there is no IP violation in the source code? How do you stop copy-
pasting of code from copyrighted sources into your software? Is this awareness provided
to designers / developers?

How do you do the version control of the code?

TFS? GitHub?

How do you control registration of new developers / designers to the code repository?

How do you review access? Deactivate access when a developer / designer has left the
organisation or moved to a different project?

How have you assessed the vulnerabilities in the application?

Did you conduct VAPT? Source code review?

Has VAPT been done by an external agency or internal team members?

If external agency, are they CERT empaneled?

If internal, what tools have been used?

How do you define the competency of the developers and testers?

Are these testers certified on any global ethical hacking certificate? Do they have
enough expertise to run the tools or manual testing or penetration testing?

Have you done unit testing? VAPT? UAT?

Show the customer UAT sign off document.

Do you include security testing scenarios in your test cases?

Show some test cases and test data related to security testing.

How do you protect test data?

Are the Development, QC & Live / production environments segregated?

Who has access to the Production environment?

Do you use FTP / sFTP / RDP?

If developers are working from home, do they log in to VDI to code? Or is the code
downloaded to their laptop local drive (localhost)?

If a copy of the code is on the laptop, how did you encrypt the local disk drive?

Did you use DLP in the endpoints used for coding? Is USB open or blocked?

Can the developers access public mail or public FTP from the laptops?

If they use VDI, did you check whether hardening has been done in VDI so that code
is not downloaded from VDI to local machines? Does the VDI have the latest patches, DLP?

Do you use any project management or bug tracking tool?

Is the tool accessible through public network?

Is the tool open source? How do you patch the tool or upgrade to latest version?

Show the asset register for the dept.

Are the assets tagged?

Do you have any approved software list for the dept?

How do you check licensing issues? Do you have redundant licenses for all
developers, if you are using proprietary tools like MS Visual Studio, etc. Do you
conduct SAM audit?

If there is any change to the code, how do you manage the change?

Is a risk assessment done while you make changes to the code library?

How do you manage Zero Day vulnerabilities for the software / programming languages
/ database you use for your development?

When was the last time you have provided information security training to the
developers / testers?

Was the training generic or related to their work?

Did you train them on latest OWASP top 10 risks?

When did you have internal audit in the dept?

What are the gaps identified?

How many of these gaps are closed? What is the policy for gap closure?

Did you manage to close the gaps within the deadline, or was there a delay?
Is the delay justified? Mentioned in MRM?

Business Continuity: Has RTO / RPO measurement been done for the process?

Plan - clause 4, 5, 6, 7

Do - 8 (operations)

Check - 9 (performance evaluation)

Act - 10 (improvement)
