
ISO 27001:2022 Lead Auditor

With Templates and Use Case


The Instructor?
● Instructor : Dr. Amar Massood

● Over 33 years of industry experience

● PhD in Computer Science, 60+ IT certifications

● ISO 27001 Auditor, Security Plus, CEH, GSEC, ECSA, CISSP, and CISM
Why this Course?
● Comprehensive coverage
● Time effective
● Learn by example, a use case
● Your feedback is important


The Need for a Standard
Why do we need a standard for information security?

● Sensitive information security is critical


● Many orgs struggle with info security management
● ISMS framework protects sensitive information
● Clear and structured approach to managing risks
● Controls may not be integrated without ISMS
● Standard-based ISMS provides effective framework
● Benefits include improved compliance and customer trust
● Standard helps address challenges in protecting sensitive information
Example
● No clear and documented password policy
● Exchange of passwords
● Weak password
● No regular password changes

ISO 27001 :

● A systematic approach to manage risks to information


● A comprehensive approach to protect information
What is ISO 27001
● ISO 27001:2022 is an ISO standard that provides requirements for an information security management system (ISMS)

● Written by the best security experts

● Allows organisations to be certified by a certification body

● The most popular information security standard


How Does ISO 27001 Work?
● ISO 27001 manages information security
● Based on risk management process
● Identify and evaluate risks
● Implement security controls
● Includes policies, access controls, encryption, etc.
● Reduces likelihood of security breach
● Protects sensitive information
ISO 27001 Family of Standards
ISO 27000 : Overview and vocabulary

ISO 27001 : Information security management System requirements

ISO 27002 : Code of practice for information security controls

ISO 27003 : Information security management System implementation guidance

ISO 27004 : Information security management System measurement

ISO 27005 : information security risk management

ISO 27007 : Guidelines for Information security management Systems auditing


How is ISO 27001 organized?
● Main part
○ 11 clauses
○ 0-3 Definition of the standard
○ 4-10 Information Security Requirements
● Annex A
○ 4 Categories
○ 93 security controls
What is an ISMS?
Information Security Management System

● Establish, Implement, Operate, Monitor, Review, Maintain and Improve


Information Security
● Policies, procedures, practices
● Uses risk Management processes
● Systematic Approach
● Protect and secure information assets
● Minimize risk and ensure business continuity
Use Case : HealthBridge
HealthBridge Clinic is a growing small-to-medium sized healthcare provider

ISO 27001 Implementation will help in :

● Regulatory Compliance
● Enhancing Reputation
● Improving Security Posture
● Streamlining Processes
● Building Trust with Patients
● Facilitating Business Growth
CIA Triad
● Confidentiality : Restricted access, to authorised persons only
● Integrity : Restricted changes, by authorised persons only
● Availability : Available when needed
Example of CIA
● You are the only one who can access your
bank account : Confidentiality
● No alteration to your account without valid
transactions : Integrity
● You can access your account anytime :
Availability
CIA for HealthBridge
● Confidentiality:
○ Authorized access to patient data
○ Measures to prevent access to wrong people

● Integrity:
○ Accurate and trustworthy patient data
○ Access control to prevent unauthorized alteration

● Availability:
○ Accessible patient data for authorized personnel
○ Redundant systems and backups
Basic Definitions
● Information Security Event : a change that may violate a security policy, or an indication that a security control has failed.
● Information Security Incident : a security event that has a significant probability of compromising information security.
Example
● Information Security event : a spam email, because it may contain malware
● Information Security incident : an employee clicking on a link in a spam email that made it through the spam filters.
Security Incident for HealthBridge
● Data breach: unauthorized access to patient data
● Phishing attack: staff disclosed login credentials
● Malware attack: loss of important patient data

Proper security controls are crucial for healthcare providers

An ISMS framework like ISO 27001 can mitigate potential risks.


Risk
Risk : Effect of uncertainty on objectives

Example : Adam has an exam at 8 AM.

● Objective : Arrive on time


● Uncertainty : Not waking up
● Effect of uncertainty : Missing the exam
Threat, Vulnerability and Risk
● Threat : Potential cause which may harm a system or an organisation
● Vulnerability : weakness of an asset or a resource that can be exploited by one or more threats
● Risk : The potential of a loss or damage when a threat exploits a vulnerability

Figure: a threat exploiting a vulnerability gives rise to the risk (here, the risk of taking control).
HealthBridge Example
Vulnerability: outdated software on employee's computer.

Threat: a hacker exploiting the vulnerability to access patient data.

Risk: compromise of sensitive patient data.


Risk
Risk Owner : Accountable and has authority to manage the risk
Residual Risk
The remaining risk after treatment

● Example : Risk of car accident with the use of seat belt

Risk Acceptance

Informed decision to take a given risk

● Example : Accept the risk of not having full car insurance


Example of HealthBridge

● CISO is risk owner


● Residual risk may remain

Example: patch management system

● Risk acceptance when not feasible

Example: physical security measures


PDCA Cycle : Plan-Do-Check-Act
Iterative method of continual improvement

PLAN : How to improve the current situation

DO: Execute the plan

CHECK : Evaluate results from the DO phase

ACT: Act upon the output of the CHECK phase


ISO 27001 as a PDCA Cycle
● Plan : 4-Context, 5-Leadership, 6-Planning, 7-Support
● Do : 8-Operation
● Check : 9-Performance evaluation
● Act : 10-Improvement
4. Context of the Organisation
4.1 Understanding the organisation and its context

● Identify the internal issues.


● Identify the external issues.
● Review and monitor.
Internal Issues
● Objectives, Organisation Structure, Policies

● Resources, Capabilities

● Risk appetite

● Processes, Internal practices

● Documentation not required


HealthBridge Internal Issues
● Lack of clear policies and procedures for sensitive data handling
● Inconsistent security control implementation across the organization
● Insufficient staff training or awareness about security risks
● Limited resources for information security management
● Difficulty in managing access across IT systems and platforms
● Inadequate disaster recovery or business continuity plans
● Legacy IT systems vulnerable to security threats or incompatible with
current controls.
External Issues
● Social, technological, environmental, ethical, political, legal and
economic environment.
○ Government regulations
○ Market shifts
○ Competition
○ Events that affect your company
○ Technology changes
HealthBridge External Issues
● Healthcare regulations changes (HIPAA/GDPR)
● Emerging cyber threats targeting healthcare providers
● Advancements in telemedicine or electronic health records
● Supply chain risks with third-party healthcare vendors
● Public health crises increasing risk of cyber-attacks or data breaches
● Patient expectations or concerns related to privacy and security.
4.2 Understanding the needs and expectations of interested parties
The organisation must determine

● Interested parties relevant to the ISMS and their requirements


○ Stakeholders that can influence ISMS operations
■ Suppliers
■ Government agencies/Regulators
○ The ones that are affected by the ISMS activities
■ Employees
■ Owners
Examples of requirements of interested parties
● A customer who requires 99.99 % availability of a service
● The central bank requires banks to comply with a credit card security standard such as PCI DSS.
● The owner of a company requires that all information is classified top secret
● The fire department may have requirements of its own
HealthBridge Interested Parties
● Patients rely on confidentiality, integrity, and availability of data
● Business partners share sensitive information with HealthBridge Clinic
● Employees must follow security policies and procedures
● Shareholders have financial interest in security posture
● Regulatory bodies mandate specific security controls and requirements
● Auditors evaluate compliance with ISO 27001 and other standards
● Media and the public can be impacted by security breaches.
4.3 Determining the Scope of the ISMS
● Locations
● Organizational units
● Processes and Services
● Assets, Technologies, Networks and Infrastructure
● Out of scope
● Validity
● Ownership
What Can Affect the Scope?
● Can be affected by :
○ Internal and external issues
○ Interested parties requirements
○ Organisation activities
○ Interaction with others
○ Size of the organisation
○ Attitude towards change
● Documentation is required by ISO 27001
Example of Scope Definition
● Locations : Second floor of company headquarters
● Organizational Units : Finance Department
● Processes and Services : Contract Management, Accounting Service
● Networks, IT Assets and infrastructure : IT Systems and network used
for backend finance business
● Out of scope : cafeteria
● Validity : 1 year
● Owner : CISO
Scope of HealthBridge
● Locations: All physical locations where HealthBridge conducts business
● Organizational Units: All departments, including administrative, medical and IT
● Processes and Services: All processes and services related to the healthcare industry, including patient care, medical record management and insurance billing.
● Networks, IT Assets, and Infrastructure: All IT systems, networks, and assets used to support the organization's business processes and services
● Out of Scope: Any non-healthcare related processes or services, such as the cafeteria and non-medical areas.
● Validity: One year from the date of approval.
● Owner: Chief Information Security Officer (CISO) of HealthBridge.
5.1 Leadership and commitment
● Ensure information security policy and objectives are established
● Communicate importance of information security management and
conformance to ISMS requirements
● Ensure information security is integrated in the organisation processes
● Ensure that the ISMS achieves desired outcomes
● Ensure availability of the necessary human and financial resources
● Promote continual improvement of the ISMS
5.2 Policy
● Tailored to the organization
● Includes the information security objectives
● Shows the management commitment
● Must be a high-level policy
● Must be communicated
● Must be reviewed regularly
● Must have an owner
Example of Policy of a Bank
● Objectives
○ Protect the organization’s information asset, customer data and transactions
○ Ensure Confidentiality, Integrity, Availability of Information
○ Meet Regulatory and legislative requirements

● CEO commitment and support


● Ownership : Board of directors
● Responsibilities : IT Security department, CISO, employees
● Policy is communicated by the CISO
● Should be reviewed every year
HealthBridge Policy
● Purpose: establish and maintain effective ISMS
● Scope: applies to all employees, contractors, and third-party providers
● Objectives: protect sensitive info, ensure compliance, improve ISMS
● Roles: CISO oversees ISMS, all responsible for compliance
● Risk management: regular risk assessments, prioritize security controls
● Information security controls: access controls, encryption, training,
incident response, testing
● Compliance: comply with all applicable laws, regulations, and standards
● Monitoring and review: monitor and review ISMS effectiveness and
compliance
● Review Frequency: Policy reviewed and updated annually or as needed
5.3 Organisational roles, responsibilities and authorities
● Assign and communicate responsibilities and roles for Information
security
● Assign the responsibility for
○ Ensuring the ISMS conforms to ISO 27001 requirements
○ Reporting the performance of the ISMS

● Documentation is not required


Example of Roles in the ISMS
● Information Security Officer
○ Definitions, Supervision, coordination of ISMS activities
○ Communication of information related to the ISMS
○ Should have managerial, communication and technical skills
● IT Administrator
○ Responsible for security devices and technologies
○ Supervision of access rights
● Internal Auditor
○ Performs audits
○ Assesses compliance with ISO 27001 requirements
Roles and Responsibilities at HealthBridge
● CISO responsible for overall information security management.
● IT Security Manager responsible for day to day ISMS operations.
● IT Department responsible for implementing technical controls
● HR Manager manages employee security training.
● Legal department ensures compliance
● Employees must follow security policies and report incidents.
6. Planning
● Consider issues and requirements
● Determine risks and opportunities
● Ensure intended outcome and improvement
● Plan actions to address risks and opportunities
● Integrate actions into ISMS processes
● Evaluate effectiveness of actions
6.1.2 Information Security risk assessment
● Define and maintain risk criteria
● Ensure consistent, valid and comparable results
● Identify information security risks and owners
● Analyze potential consequences and likelihood
● Determine risk levels
● Evaluate against established criteria
● Prioritize risks for treatment
● Retain documented information
6.1.3 Information Security Risk Treatment Process
● Select appropriate risk treatment options
● Determine necessary controls
● Compare controls with Annex A
● Produce Statement of Applicability
● Formulate risk treatment plan
● Obtain risk owner approval
● Retain documented information
Example of Risk Assessment of HealthBridge
Risk                          | Likelihood | Impact | Level
Unauthorized access to data   | High       | High   | High
Phishing attacks on employees | Medium     | Medium | Medium
Insider threat                | Low        | High   | Medium
Power outage                  | Low        | Medium | Low
Cyber attack                  | High       | High   | High
Failure of backup systems     | Medium     | High   | Medium
Natural disaster              | Low        | High   | Medium
Equipment failure             | Medium     | Medium | Medium


Statement of Applicability

● Summary of controls in use


● Justification for controls' inclusion/exclusion
● Applicability of controls
● State of controls' implementation
HealthBridge Statement of Applicability
Control         | Description                                                   | Applicable | Justification
Access controls | Limit access to authorized individuals                        | Yes        | Protects patient data from unauthorized access
Authentication  | Verify user identity before granting access                   | Yes        | Ensures only authorized individuals can access patient data
Encryption      | Protect sensitive information during transmission and storage | Yes        | Protects patient data from unauthorized access
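Clauses 6.1.2 and 6.1.3 above, together with the HealthBridge risk table and the Statement of Applicability, describe one procedure: score each risk, decide which need treatment, choose controls against Annex A and record why each control is or is not applicable. The Python below is an added example written for this page, not course material or a HealthBridge artefact. The scoring rule (product of ordinal likelihood and impact scores, banded so that every row of the table is reproduced), the rule that Low risks may be accepted, the owner column and the mapping of risks to controls are all assumptions; the control numbers and titles are the Annex A:2022 controls listed later in the slides. It goes one step beyond the slide's SoA by also producing the justification for excluded controls.

```python
"""Clauses 6.1.2 and 6.1.3 on the HealthBridge risk table. Added example, not course
material; the level formula, acceptance criterion and risk-to-control mapping are assumptions."""
from dataclasses import dataclass, field

# Risk criteria (6.1.2 a): ordinal scales so results are consistent and comparable.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Assumption: the slides give no formula for Level; banding the product of the two
    scores reproduces every row of the table (Low x Medium = Low, Low x High = Medium)."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 9:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    owner: str                      # 6.1.2 c: every risk has an owner
    level: str = field(init=False)

    def __post_init__(self) -> None:
        self.level = risk_level(self.likelihood, self.impact)   # 6.1.2 d


# Register taken from the slide's table; the owner column is constructed.
HEALTHBRIDGE_RISKS = [
    Risk("Unauthorized access to data", "High", "High", "CISO"),
    Risk("Phishing attacks on employees", "Medium", "Medium", "HR Manager"),
    Risk("Insider threat", "Low", "High", "CISO"),
    Risk("Power outage", "Low", "Medium", "Facility manager"),
    Risk("Cyber attack", "High", "High", "IT Security Manager"),
    Risk("Failure of backup systems", "Medium", "High", "IT Department"),
    Risk("Natural disaster", "Low", "High", "Facility manager"),
    Risk("Equipment failure", "Medium", "Medium", "IT Department"),
]
# Acceptance criterion (assumption): Low risks may be accepted by their owner;
# Medium and High must be treated (6.1.2 e: evaluate against the criteria).
TREAT_AT_OR_ABOVE = "Medium"


def prioritised_for_treatment(risks):
    """6.1.2 e: the risks that need treatment, highest level first (stable sort)."""
    needing = [r for r in risks if SCALE[r.level] >= SCALE[TREAT_AT_OR_ABOVE]]
    return sorted(needing, key=lambda r: -SCALE[r.level])


# 6.1.3 b/c: controls chosen per risk, compared with Annex A. Numbers and titles are
# Annex A:2022 controls from the slides; which control treats which risk is constructed.
ANNEX_A = {
    "5.15": "Access control",
    "5.30": "ICT readiness for business continuity",
    "6.3": "Information security awareness, education and training",
    "7.5": "Protecting against physical and environmental threats",
    "7.11": "Supporting utilities",
    "7.13": "Equipment maintenance",
    "8.2": "Privileged access rights",
    "8.5": "Secure authentication",
    "8.7": "Protection against malware",
    "8.8": "Management of technical vulnerabilities",
}
TREATMENT = {
    "Unauthorized access to data": ["5.15", "8.5"],
    "Phishing attacks on employees": ["6.3", "8.7"],
    "Insider threat": ["8.2", "5.15"],
    "Cyber attack": ["8.8", "8.7"],
    "Failure of backup systems": ["5.30"],
    "Natural disaster": ["7.5", "5.30"],
    "Equipment failure": ["7.13"],
}


def statement_of_applicability(risks):
    """6.1.3 d: one row per catalogued control with applicability and justification."""
    treated = {r.name for r in prioritised_for_treatment(risks)}
    uses = {}
    for risk_name, controls in TREATMENT.items():
        if risk_name in treated:
            for cid in controls:
                uses.setdefault(cid, []).append(risk_name)
    rows = []
    for cid, description in ANNEX_A.items():
        applicable = cid in uses
        why = ("Treats: " + "; ".join(uses[cid]) if applicable
               else f"No risk at or above {TREAT_AT_OR_ABOVE} requires this control")
        rows.append({"control": cid, "description": description,
                     "applicable": "Yes" if applicable else "No", "justification": why})
    return rows


if __name__ == "__main__":
    for r in prioritised_for_treatment(HEALTHBRIDGE_RISKS):
        print(f"{r.level:<7}{r.name:<32}owner: {r.owner}")
    for row in statement_of_applicability(HEALTHBRIDGE_RISKS):
        print(row["control"], row["applicable"], row["justification"])
```

Running it lists the seven risks that need treatment, with the two High risks first, and an SoA in which 7.11 Supporting utilities comes out "No" because the only risk it would treat (power outage) is Low and accepted. Changing TREAT_AT_OR_ABOVE to "Low" pulls that risk into treatment and the exclusion disappears, which is the kind of traceability an auditor looks for between the risk assessment and the SoA.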
6.2 Information Security Objectives and Planning to Achieve Them

● Set information security objectives consistent with policy


● Objectives should be measurable
● Consider applicable security requirements and risk assessment results
● Monitor objectives regularly
● Communicate objectives throughout the organization
● Update objectives when necessary
● Retain documented information on objectives
● Determine what will be done, with which resources, by whom, by when and how, when planning
● Evaluate results of objectives achieved
HealthBridge Information Security Objectives
● Protect patient data from unauthorized access and disclosure.
● Ensure compliance with regulations and standards (HIPAA, ISO 27001,
GDPR, NIST).
● Continually improve ISMS to adapt to changing threats and needs.
● Regularly assess and improve effectiveness of ISMS.
● Train employees on information security awareness.
6.3 Planning of Change
● Clause 6.3 Planning of changes is new in the ISO 27001:2022 version.
● Changes to ISMS must be planned and approved before implementation.
● Scope and potential impact of changes must be determined.
● Changes must be communicated to stakeholders, and training/resources provided.
● Effectiveness of changes must be monitored and evaluated.
● Adjustments or corrective actions must be taken promptly.
● Systematic and controlled planning ensures effective information security.
● Ensures information security aligned with business objectives.
7. Support
7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented Information


7.1 Resources
● Organisation must ensure resources are available for
○ Day to day Operation of the ISMS
○ The continual improvement of the ISMS

● Resources are
○ Financial
○ Human

● Documentation is not required


Example of Resources
● Budget is a resource that requires investment to achieve information security

● People are key resources for taking care of information security and the ISMS

● Equipment support provides better defenses, detection, and reaction capabilities

● Tools such as software and hardware appliances are needed to maintain security

● Facilities must offer security levels proportional to the risk an organization faces
7.2 Competence
● Ensure people managing the ISMS have adequate competence
● Measure and record competence level
● Use internal or external resources for competence
● Assess competence and identify gaps
● Provide training, education or mentoring for maintaining IS
● Identify and agree on the organization's requirements
7.3 Awareness
● Persons aware of infosec policy, contributions and implications.

● Policy explained to employees.

● Employees aware of how their actions impact infosec.

● Non-compliance implications communicated.


7.4 Communication
The organisation shall determine the need for internal and external communication relevant to the ISMS
● What needs to be communicated
● Who communicates
● With whom to communicate
● How to communicate
● Processes affected by the communication
● When to communicate
7.5 Documented information
● ISMS must include the documented information required by the standard
● Also the documented information the organisation determines necessary
● Extent may vary based on organization
● Factors include size, type of activities, products/services
● Also complexity of processes and interactions
● Competence of persons involved is a factor
7.5.2 Creating and Updating
● Identify and describe documented information.

● Determine appropriate format and media.

● Review and approve for suitability and adequacy.


7.5.3 Control of documented information
● Documented information must be controlled to ensure availability and protection.

● The organization should address distribution, access, retrieval, storage, and changes.

● Retention and disposition of documented information should be controlled.

● Documented information from external sources must be identified and controlled.

● Access permissions should be determined based on the level of authority needed.


8. Operations
● Establish criteria for processes

● Implement control of processes according to criteria

● Ensure documented information available to verify processes carried out as

planned

● Control planned changes and review consequences of unintended changes

● Mitigate adverse effects of unintended changes

● Ensure externally provided processes, products, or services are controlled.


8.2 Information Security Risk Assessment
● Regularly assess information security risks
● Identify potential threats and vulnerabilities
● Evaluate likelihood and impact of each risk
● Take into account legal, regulatory and contractual requirements
● Consider objectives and assets needing protection
● Document and retain results of risk assessments
● Include identified risks, likelihood and impact, and controls implemented
● Track effectiveness of risk management activities
● Inform decisions about future investments in security controls
8.3 Information Security Risk Treatment Plan
Risk Treatment Plan has to be implemented and documented

● Which controls to implement


● Who is responsible for them
● What are the deadlines
● Which resources are required
Example of Risk Treatment Plan
Control to be implemented | Risk reference | Responsible person | Deadline | Resources | Results
Install disk encryption on all laptops to protect data | Risk 46: data on lost or stolen laptops can be compromised | System administrator | 16 April 2023 | 2 man/days, BitLocker | Implemented
Install smart card physical control for data center | Risk 54: data center can be accessed by anyone | Facility manager | 03 May 2023 | Finances for control | In progress
9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal Audit

9.3 Management Review


9.1 Monitoring, Measurement, Analysis and Evaluation
Organisation should provide
● Metrics for the ISMS performance regarding
○ Compliance with the standard
○ Alignment with policies
○ Achievement of objectives
● Take into consideration
○ What needs to be monitored and measured
○ Methods of monitoring and measurement
○ Frequency of monitoring and evaluation
○ Who is responsible
● Performance results should be retained
Examples of measurements
● Number of information security incidents
● Number of security breaches
● Duration of service interruption
● MTTRS : Mean time to restore service
● Number of security related downtimes
● Accomplishment of information security objectives
Measurements of HealthBridge ISMS
● Number of information security incidents
● Percentage of employees trained in information security
● Time to detect and respond to security incidents
● Compliance with regulatory requirements
● Availability of critical systems and data
● Customer satisfaction with information security
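The measurements listed for HealthBridge (number of incidents, time to detect and respond, MTTRS, percentage of staff trained, availability of critical systems) are all derivable from records the ISMS already keeps. The Python below is an added example, not course material: the incident log, the training register, the March 2023 measurement period and the targets are constructed values, and the record layout is an assumption. It also shows the one edge case that usually trips up such reports, an incident that is still open, which is counted but excluded from restore-time averages rather than given a fictitious restore time.

```python
"""Clause 9.1 measurements for the HealthBridge metrics listed above, computed from
constructed ISMS records. Added example, not course material; layout, data and targets
are assumptions."""
from datetime import datetime
from statistics import mean

# Constructed incident log (ISO 8601 timestamps); restored=None means still open.
INCIDENTS = [
    {"id": "INC-1", "type": "Phishing", "breach": False, "service_impact": False,
     "occurred": "2023-03-01T09:00", "detected": "2023-03-01T09:30",
     "responded": "2023-03-01T10:00", "restored": "2023-03-01T13:00"},
    {"id": "INC-2", "type": "Malware", "breach": True, "service_impact": True,
     "occurred": "2023-03-10T22:00", "detected": "2023-03-11T08:00",
     "responded": "2023-03-11T08:45", "restored": "2023-03-11T20:00"},
    {"id": "INC-3", "type": "Equipment failure", "breach": False, "service_impact": True,
     "occurred": "2023-03-20T14:00", "detected": "2023-03-20T14:05",
     "responded": "2023-03-20T14:20", "restored": "2023-03-20T16:00"},
    {"id": "INC-4", "type": "Lost laptop", "breach": False, "service_impact": False,
     "occurred": "2023-03-25T18:00", "detected": "2023-03-26T09:00",
     "responded": "2023-03-26T09:30", "restored": None},
]
# Constructed training register: 6 of 8 staff have completed awareness training.
STAFF = [{"name": f"staff-{n}", "trained": n <= 6} for n in range(1, 9)]
PERIOD_HOURS = 31 * 24          # measurement period: March 2023
# Targets the objectives are evaluated against (assumed values).
TARGETS = {"mttrs_hours_max": 8.0, "respond_hours_max": 1.0,
           "trained_pct_min": 90.0, "availability_pct_min": 99.5}


def hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def incident_count(incidents=INCIDENTS) -> int:
    return len(incidents)


def breach_count(incidents=INCIDENTS) -> int:
    return sum(1 for i in incidents if i["breach"])


def open_incidents(incidents=INCIDENTS) -> list:
    return [i["id"] for i in incidents if i["restored"] is None]


def mean_time_to_detect_hours(incidents=INCIDENTS) -> float:
    return mean(hours_between(i["occurred"], i["detected"]) for i in incidents)


def mean_time_to_respond_hours(incidents=INCIDENTS) -> float:
    return mean(hours_between(i["detected"], i["responded"]) for i in incidents)


def mttrs_hours(incidents=INCIDENTS) -> float:
    """Mean time to restore service over closed service-affecting incidents.
    Open incidents are excluded rather than given a made-up restore time."""
    closed = [i for i in incidents if i["service_impact"] and i["restored"]]
    if not closed:
        return 0.0
    return mean(hours_between(i["occurred"], i["restored"]) for i in closed)


def service_downtime_hours(incidents=INCIDENTS) -> float:
    return sum(hours_between(i["occurred"], i["restored"])
               for i in incidents if i["service_impact"] and i["restored"])


def availability_pct(incidents=INCIDENTS, period_hours=PERIOD_HOURS) -> float:
    return (period_hours - service_downtime_hours(incidents)) / period_hours * 100


def pct_trained(staff=STAFF) -> float:
    return 100 * sum(1 for s in staff if s["trained"]) / len(staff)


def evaluate_objectives(incidents=INCIDENTS, staff=STAFF) -> dict:
    """Which measured results meet their target (9.1: achievement of objectives)."""
    return {
        "mttrs": mttrs_hours(incidents) <= TARGETS["mttrs_hours_max"],
        "response": mean_time_to_respond_hours(incidents) <= TARGETS["respond_hours_max"],
        "training": pct_trained(staff) >= TARGETS["trained_pct_min"],
        "availability": availability_pct(incidents) >= TARGETS["availability_pct_min"],
    }


if __name__ == "__main__":
    print(f"incidents={incident_count()} breaches={breach_count()} open={open_incidents()}")
    print(f"MTTD={mean_time_to_detect_hours():.1f}h respond={mean_time_to_respond_hours():.1f}h "
          f"MTTRS={mttrs_hours():.1f}h availability={availability_pct():.2f}% "
          f"trained={pct_trained():.0f}%")
    print(evaluate_objectives())
```

With the constructed data only the response-time objective is met; the output of evaluate_objectives is exactly what feeds the management review under 9.3 (fulfilment of information security objectives) and, where a target is missed, the nonconformity and corrective action process under 10.1.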
9.2 Internal Audit
● Performed at planned intervals
● Auditors should be independent
● Audit program should be documented
● Criteria and scope must be defined
● Non conformities should be reported
● Audit program and records should be retained
9.3 Management Review
● Must be done at planned interval
● Status of actions from previous reviews
● ISMS performance
○ Nonconformities and corrective actions
○ Monitoring and measurement results
○ Fulfillment of information security objectives

● Improvement opportunities
● Must be documented
10. Improvement
10.1 Nonconformity and corrective action

● Identify nonconformities in the ISMS


● Take corrective actions
● Keep records

10.2 Continual Improvement

● Improve the effectiveness of the ISMS


● Review the ISMS periodically
10.1 Nonconformity and corrective action
Figure: nonconformities identified through internal audit, management review and performance evaluation lead to corrective action.
Examples of Nonconformities
● Failure to comply with clause 4.1 : the scope is not defined
● No ISMS policy
● No risk assessment
● Absence of a statement of applicability
● Failure to comply with Clause 7 : no management review of the ISMS
● Failure to comply with the internal ISMS audit requirement (Clause 6)
10.1 Nonconformity and corrective action
In the event of nonconformity

● Take action to correct it
● Deal with the consequences
● Review the effectiveness of the corrective action
● Documentation

Evaluate the need for action to eliminate the causes by

● Reviewing the nonconformity
● Determining the cause
● Determining whether similar nonconformities exist or could occur.
Example of corrective action
Nonconformity : 2 of 10 PCs have no antivirus installed

Corrective action : install antivirus on the 2 PCs

Cause : the finance department buys its own PCs directly

Similar nonconformities : check whether any other departments are buying their PCs directly.

Root cause corrective action : set up a procurement process for PCs and enforce it.
10.2 Continual Improvement
Continual improvement is key to achieve and maintain

● Suitability
● Effectiveness

of the ISMS
Annex A:2022
● Annex A is a list of 93 security controls
● Control : Measure that modifies risk
● Control Objective : Statement describing what is to be achieved as a result of implementing a control
● 4 control categories
What is ISO 27001:2022 Annex A?
● Reorganized and refined
● Better represent current risks
● Focus on
○ 1. Organizational: Governance, risk, policy, structure.
○ 2. People: Training, awareness, reporting, culture.
○ 3. Physical: Access, environment, surveillance, protection.
○ 4. Technological: Encryption, authentication, detection, defense.
5. Organizational Controls
● 37 controls
● Structured approach to managing risks
● Align policies with business objectives
● Address legal, regulatory requirements
● Emphasize human factors in security
● Manage physical and digital assets
● Monitor and review supplier services
Organizational Controls (5.1-5.5)
5.1 Policies for Information Security : Define, approve, publish, communicate policies to all.
5.2 Information Security Roles and Responsibilities : Define and allocate the responsibilities for information security.
5.3 Segregation of Duties : Duties and areas of responsibility should be segregated to avoid conflicts.
5.4 Management Responsibilities : Ensure management knows their role in infosec and promotes awareness.
5.5 Contact with Authorities : Encourage proactive security and facilitate timely sharing of critical information.
Organizational Controls (5.6-5.10)
5.6 Contact with Special Interest Groups : Maintain contacts with special interest groups to stay updated regarding information security
5.7 Threat Intelligence : Gathering and analysing information about current and future cyber attacks
5.8 Information Security in Project Management : Addresses information security in project management
5.9 Inventory of Information and Other Associated Assets : Identify information assets and owners to preserve their security
5.10 Acceptable Use of Information and Other Associated Assets : Define and document the rules of acceptable use of assets
Organizational Controls (5.11-5.15)
5.11 Return of Assets : Protect assets when changing or terminating employment
5.12 Classification of Information : Identification of protection needs of information in accordance with its importance
5.13 Labeling of Information : To facilitate the communication of information classification
5.14 Information Transfer : Protect information in transfer from interception, copying, modification, mis-routing and destruction
5.15 Access Control : To secure authorized access and prevent unauthorized access to information and assets.
Organizational Controls (5.16-5.20)
5.16 Identity Management : Uniquely identify individuals and systems accessing an organization's information assets and assign appropriate access rights.
5.17 Authentication Information : To ensure proper entity authentication and prevent failures of authentication processes.
5.18 Access Rights : Define and authorise access according to business requirements
5.19 Information Security in Supplier Relationships : Mitigate the risks on information assets accessible by suppliers.
5.20 Addressing Security Within Supplier Agreements : Establish and agree all relevant information security requirements.
Organizational Controls (5.21-5.25)
5.21 Managing Information Security in the ICT Supply Chain : Address risks of the provided information and communication technology services
5.22 Monitoring, Review & Change Management of Supplier Services : Regularly monitor, review and audit supplier service delivery.
5.23 Information Security for Use of Cloud Services : To specify and manage information security for the use of cloud services.
5.24 Information Security Incident Management Planning and Preparation : Ensure effective response to security incidents.
5.25 Assessment and Decision on Information Security Events : Assess events, categorize as security incidents.
Organizational Controls (5.26-5.30)
5.26 Response to Information Security Incidents : To ensure efficient and effective response to information security incidents
5.27 Learning from Information Security Incidents : Reduce the likelihood or consequences of future incidents
5.28 Collection of Evidence : Ensure effective evidence management for legal purposes
5.29 Information Security During Disruption : Protect information and other associated assets during disruption
5.30 ICT Readiness for Business Continuity : Ensure availability of information during disruption
Organizational Controls (5.31-5.35)
5.31 Statutory, Regulatory and Contractual Requirements : Comply with legal, regulatory, and contract requirements.
5.32 Intellectual Property Rights : Comply with legal requirements for intellectual property rights and proprietary products
5.33 Protection of Records : Ensure compliance with legal, regulatory, and contractual requirements
5.34 Privacy and Protection of PII : Compliance with legal requirements for PII protection
5.35 Independent Review of Information Security : Ensure ongoing effective information security management
Organizational Controls (5.36-5.37)
5.36 Compliance with Policies, Rules and Standards for Information Security : To ensure information security compliance with policy.
5.37 Documented Operating Procedures : Ensure secure and correct operation of information facilities.
6. People Controls
8 controls

● Remote work
● Ensure confidentiality
● Non-disclosure agreements
● Screen employees
People Controls (6.1-6.4)
6.1 Screening : Ensure personnel eligibility and suitability during employment
6.2 Terms and Conditions of Employment : Ensure personnel understand their security responsibilities
6.3 Information Security Awareness, Education and Training : Ensure awareness of information security responsibilities.
6.4 Disciplinary Process : Ensure consequences are understood, deter and deal with violators
People Controls (6.5-6.8)
6.5 Responsibilities After Termination or Change of Employment : Protect the organisation during employment or contract changes/terminations
6.6 Confidentiality or Non-disclosure Agreements : To maintain information confidentiality by all stakeholders
6.7 Remote Working : To secure remote work information
6.8 Information Security Event Reporting : To support reporting of security events by personnel.
7. Physical Controls
14 Controls

● Physical control category aims to prevent unauthorized access


● Covers a range of controls related to physical security
● Includes prevention of unauthorized access to facilities
● Protects equipment and assets from damage or theft
● Includes management of physical security breaches
● Measures can include security guards, access control systems, locks and security cameras
● Also includes secure storage and transportation of information
● Annex A recognizes importance of physical security in information security
● Helps ensure security and integrity of information and assets
Physical Controls (7.1-7.5)
7.1 Physical Security Perimeters : Prevent unauthorized physical access and damage to assets.
7.2 Physical Entry : Authorize physical access to protect the organization's information
7.3 Securing Offices, Rooms and Facilities : Prevent unauthorized access and damage to assets.
7.4 Physical Security Monitoring : Prevent and identify unauthorized physical access
7.5 Protecting Against Physical and Environmental Threats : Prevent damage from physical and environmental threats
Physical Controls (7.6-7.10)
7.6 Working in Secure Areas : Protect secure areas and assets from internal damage and unauthorized access.
7.7 Clear Desk and Clear Screen : Minimize unauthorized access to information on desks/screens during and outside working hours.
7.8 Equipment Siting and Protection : Minimize impact of physical and environmental threats and unauthorized access.
7.9 Security of Assets Off-premises : Protect the organization from disruptions and unauthorized access to off-site devices.
7.10 Storage Media : Protect stored information from unauthorized access, modification, or destruction
Physical Controls (7.11-7.14)
7.11 Supporting Utilities : Prevent information loss or disruption due to utility failures
7.12 Cabling Security : Protect information, assets, and operations from cable-related issues
7.13 Equipment Maintenance : Prevent damage, theft, compromise of assets and operational interruptions from maintenance neglect.
7.14 Secure Disposal or Reuse of Equipment : To avoid leakage of information when disposing of or reusing equipment.
8 Technological Controls
34 Controls

● Technological controls are security measures for IT systems.
● These controls are used to prevent unauthorized access.
● Examples include access controls and encryption.
● Monitoring and logging are also important controls.
● These controls help detect and prevent security incidents.
● Backup and recovery procedures are part of technological controls.
● Physical security measures also fall under technological controls.
● These controls are implemented to protect data confidentiality.
● They are also used to ensure data integrity and availability.
● Technological controls should be regularly reviewed and updated.
Technological Controls (8.1-8.5)
8.1 User Endpoint Devices: Protect information from user endpoint device threats.

8.2 Privileged Access Rights: Ensure privileged access rights are granted only to authorized users.

8.3 Information Access Restriction: Restrict access to authorized users only.

8.4 Access to Source Code: Prevent unauthorized changes and maintain intellectual property confidentiality.

8.5 Secure Authentication: Ensure secure access via authentication for systems, applications, and services.
Technological Controls (8.6-8.10)
8.6 Capacity Management: Ensure sufficient resources for information processing and facilities.

8.7 Protection Against Malware: Protect information and assets against malware.

8.8 Management of Technical Vulnerabilities: Prevent exploitation of technical vulnerabilities.

8.9 Configuration Management: Avoid sensitive data exposure and meet legal, regulatory, and contractual obligations.

8.10 Information Deletion: Ensure compliant information deletion and avoid exposure of sensitive data.
Technological Controls (8.11-8.15)
8.11 Data Masking: Ensure compliance with regulations and protect sensitive data.

8.12 Data Leakage Prevention: Prevent unauthorized information disclosure or extraction by individuals or systems.

8.13 Information Backup: Enable recovery from loss of data or systems.

8.14 Redundancy of Information Processing Facilities: Ensure the continuous operation of information processing facilities.

8.15 Logging: Capture events, maintain log integrity, detect security events, prevent unauthorized access, and support investigations.
Technological Controls (8.16-8.20)
8.16 Monitoring Activities: Detect anomalous behaviour and information security incidents.

8.17 Clock Synchronization: Support analysis of security events and investigations.

8.18 Use of Privileged Utility Programs: Ensure safe use of utility programs for security.

8.19 Installation of Software on Operational Systems: Ensure system integrity and prevent vulnerabilities.

8.20 Networks Security: Protect network information from compromise.
Technological Controls (8.21-8.25)
8.21 Security of Network Services: Ensure security in the use of network services.

8.22 Segregation of Networks: Segment the network for controlled traffic based on business needs.

8.23 Web Filtering: Protect systems from malware and unauthorized web access.

8.24 Use of Cryptography: Protect information using cryptography that meets legal requirements.

8.25 Secure Development Life Cycle: Ensure a secure development life cycle for software and systems.
Technological Controls (8.26-8.30)
8.26 Application Security Requirements: Address all security requirements when developing or acquiring applications.

8.27 Secure System Architecture and Engineering Principles: Securely design, implement, and operate information systems throughout the development life cycle.

8.28 Secure Coding: Ensure secure software to reduce vulnerabilities.

8.29 Security Testing in Development and Acceptance: Validate security requirements during code deployment.

8.30 Outsourced Development: Ensure information security measures in outsourced development.
Technological Controls (8.31-8.34)
8.31 Separation of Development, Test and Production Environments: Protect production systems and data from compromise originating in development or test environments.

8.32 Change Management: Preserve information security when executing changes.

8.33 Test Information: Ensure relevant testing and protect operational information used for testing.

8.34 Protection of Information Systems During Audit Testing: Prevent unauthorized access and damage to assets.
Audit Introduction
● Explore audit process to become ISO 27001 Lead Auditor
● Understand effective steps: planning, objectives, scope, team assembly
● Learn evidence gathering, data analysis, and compliance evaluation
● Emphasize communication, interviews, conflict management, and
professional relationships
● Practical examples and scenarios for enhanced understanding
● Gain expertise to confidently lead ISO 27001 audits and ensure
compliance
Audit Fundamentals
● Internal Audit vs. External Audit
● Nonconformities
● Observations
● Document Review
● Interviews
● Testing and Sampling
● Data Analysis
Audit Findings
● Nonconformities: Deviations from ISO 27001 requirements, indicating necessary corrective actions.
● Observations: Opportunities for improvement in information security practices, providing suggestions.
Nonconformities
Definition: a situation where the ISMS does not meet ISO 27001 requirements

Examples:

● Missing Controls
● Inadequate Risk Assessment
● Insufficient Documentation
● Ineffective Incident Response
● Noncompliance with Legal and Regulatory Requirements
Nonconformities Examples in HealthBridge
● Missing Access Controls: Unauthorized access to sensitive patient information.
● Inadequate Risk Assessment: Insufficient identification and evaluation of data
breach risks.
● Insufficient Documentation: Lack of incident response policies and procedures.
● Ineffective Staff Training: Inadequate information security training for
employees.
● Noncompliance with HIPAA: Failure to meet HIPAA's data protection
requirements.
Observations
Definition: Notable findings or insights that auditors make during the audit process

Examples:

● Opportunities for Improvement
● Best Practices
● Emerging Risks or Trends
● Suggestions for Efficiency
Observation Examples in HealthBridge
● Opportunities for Improvement: Implement two-factor authentication
for sensitive systems.
● Best Practices: Robust incident response plan with regular testing and
training.
● Emerging Risks or Trends: Increasing phishing attacks, recommend
additional awareness training.
● Suggestions for Efficiency: Streamline documentation through a
centralized system.
How to Find Evidences
● Document Review
● Interviews
● Observation
● Testing and Sampling
● Data Analysis
● Evidence Gathering Tools
Document Review
● Document Identification: Identify relevant documents (policies, procedures,
records) for review.
● Document Examination: Assess document content, clarity, completeness, and
organization.
● Alignment with ISO 27001 Requirements: Evaluate policy and procedure
compliance with ISO 27001.
● Evidence of Implementation: Seek evidence of policy/procedure implementation
through records and reports.
● Compliance Assessment: Determine organization's level of compliance with ISO
27001.
● Recommendations: Provide suggestions for enhancing documentation and
addressing gaps or inconsistencies.
Interviews
● Relevant interviewees: Interview individuals with pertinent roles within
the scope of the audit.
● Ideal timing and location: Schedule interviews during working hours at the
interviewee's workplace.
● Establish rapport: Create a comfortable environment and explain the
purpose and note-taking process.
● Start with work description: Initiate the interview by asking interviewees
to describe their tasks.
Interviews (2)
● Careful question selection: Use different question types effectively
(open-ended, closed-ended, leading).
● Summarize and review: Summarize results and review with the
interviewee for clarification and accuracy.
● Express gratitude: Thank interviewees for their participation and
cooperation.
Example of Interview in HealthBridge
● What is your role in information security at HealthBridge Clinic?

● How is sensitive patient data protected at HealthBridge Clinic?

● How does HealthBridge Clinic ensure compliance with regulations like HIPAA?

● What are the procedures for handling security incidents at HealthBridge Clinic?
Example of Interview in HealthBridge (2)
● Have there been any recent initiatives to enhance information security at
HealthBridge Clinic?
● How are employees educated about information security threats and best
practices?
● How is the network monitored, and how is access to critical systems controlled?
● Are multi-factor authentication measures implemented for any systems?
Testing and Sampling
● Select representative subset for evaluation
● Define objectives and sample criteria
● Choose sample using various methods
● Analyze for control effectiveness and compliance gaps
● Draw conclusions on ISMS performance
● Document findings for assessment and audit report
● Efficient and cost-effective approach
● Provides reasonable assurance on performance and compliance
● Manages time and resource constraints.
Sampling in HealthBridge Audit
● Testing Access Controls
● Sampling Incident Logs
● Testing Data Encryption
● Sampling Security Awareness Training Records
● Testing Vulnerability Assessments
● Sampling Incident Response Plans
● Testing Backup and Recovery Processes
Data Analysis
● Incident analysis: Reviewing logs and records to identify security incident
trends.
● Risk management assessment: Analyzing risk assessment data to
evaluate controls effectiveness.
● System log analysis: Examining logs for anomalies, unauthorized access,
and policy compliance.
● Compliance assessment: Analyzing audit and control review data for ISO
27001 compliance.
● Performance metric analysis: Evaluating security objectives through
performance metrics and data analysis.
Example of HealthBridge
● Incident analysis: Identifying trends and patterns in security incidents.
● Risk management evaluation: Assessing risks specific to healthcare privacy.
● System log analysis: Detecting anomalies and unauthorized access
attempts.
● Compliance assessment: Ensuring adherence to healthcare regulations
and policies.
● Performance metrics analysis: Evaluating healthcare-specific information
security objectives.
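An added example, not from the course, of the system log analysis described above: detection logic run over a constructed application log to surface failed-login bursts and after-hours patient-record views as evidence the auditor can follow up in interviews. The log format, the thresholds and the working hours are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

# Hypothetical EHR application log format: "<ISO timestamp> <user> <event> <detail>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|RECORD_VIEW) (?P<detail>.*)$"
)

# Constructed sample log for the fictional auditee (not real data).
SAMPLE_LOG = """\
2023-06-05T08:12:03 mjohnson LOGIN_OK ip=10.0.1.15
2023-06-05T08:15:47 mjohnson RECORD_VIEW patient=P-1042
2023-06-05T09:01:10 edavis LOGIN_FAIL ip=10.0.2.7
2023-06-05T09:01:14 edavis LOGIN_FAIL ip=10.0.2.7
2023-06-05T09:01:19 edavis LOGIN_FAIL ip=10.0.2.7
2023-06-05T09:01:25 edavis LOGIN_FAIL ip=10.0.2.7
2023-06-05T09:01:31 edavis LOGIN_FAIL ip=10.0.2.7
2023-06-05T09:01:40 edavis LOGIN_OK ip=10.0.2.7
2023-06-05T23:40:02 rclerk LOGIN_OK ip=10.0.3.9
2023-06-05T23:41:15 rclerk RECORD_VIEW patient=P-2210
2023-06-05T23:42:08 rclerk RECORD_VIEW patient=P-2211
this line does not match the expected format
2023-06-06T10:05:00 sadmin LOGIN_OK ip=10.0.1.2
"""

# Assumed audit criteria (not figures from the course).
FAIL_THRESHOLD = 5            # failed logins ...
FAIL_WINDOW_SECONDS = 60      # ... within this many seconds
WORKING_HOURS = (time(7, 0), time(19, 0))


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Parse log lines. Unparseable lines are counted rather than silently dropped:
    a large share of them would itself be a finding about log integrity (A.8.15)."""
    events: List[dict] = []
    skipped = 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "event": m["event"], "detail": m["detail"]})
    return events, skipped


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW_SECONDS):
    """Sliding window per user: report the first window holding >= threshold failures."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    bursts = []
    for user, stamps in sorted(fails.items()):
        stamps.sort()
        j = 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window:
                j += 1
            if j - i >= threshold:
                bursts.append((user, start.isoformat(), j - i))
                break
    return bursts


def after_hours_record_views(events, start=WORKING_HOURS[0], end=WORKING_HOURS[1]):
    """Patient-record views outside working hours: candidates for follow-up
    interviews, not proof of misuse by themselves."""
    return [(e["user"], e["ts"].isoformat(), e["detail"])
            for e in events
            if e["event"] == "RECORD_VIEW" and not (start <= e["ts"].time() < end)]


def analyze(text: str) -> dict:
    """Run both checks and return a summary the auditor can attach as evidence."""
    events, skipped = parse_log(text)
    return {"events": len(events), "unparsed_lines": skipped,
            "failed_login_bursts": failed_login_bursts(events),
            "after_hours_record_views": after_hours_record_views(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```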
Evidence Gathering Tools
● Log Analysis Tools: Analyze system and network logs for security
incidents.
● Vulnerability Scanning Tools: Identify vulnerabilities in networks,
systems, and applications.
● Data Analysis Tools: Analyze data to identify patterns, trends, and
anomalies.
● Configuration Assessment Tools: Evaluate system and network
configuration settings.
● Documentation Management Tools: Organize and manage ISMS-related
documentation.
● Forensic Tools: Collect and analyze digital evidence in security incidents.
Internal Audit vs External Audit
Internal audits:

● Conducted by internal auditors or employees
● Evaluate compliance with internal policies, procedures, and controls
● Assess effectiveness and efficiency of ISMS
● Identify areas for improvement
● Periodic monitoring and review activities
● Findings and recommendations reported internally
Internal Audit vs External Audit (2)
External audits:

● Conducted by independent third-party auditors
● Assess compliance with external requirements (e.g., ISO 27001)
● Verify adherence to ISO 27001 requirements and controls
● Typically conducted less frequently (e.g., once a year)
● Audit report used for certification or compliance purposes
● Provides independent validation of ISMS
Audit Program

Audit Period | Scope | Criteria | Method | Auditors
Q1 2023 | HR Department | HR information system security | Interview, documentation review, vulnerability scanning | John Doe, Jane Smith
Q1 2023 | Finance Department | Financial data protection and privacy | Interview, documentation review, penetration testing | John Doe, Jane Smith
The Audit Plan

Time | Department | Process | Contact | Clause
08:00 | IT | Access Control | Operations Manager | Annex A 5.15
10:00 | HR | Screening, Awareness and Training | HR Manager | Annex A 6.1, 6.3
Audit Checklist

Clause | Requirement of the standard | Compliant (Yes/No) | Evidence
A.8.3 | Backup policy (clause A.8.13) | | Backup logs
A.5.9 | Inventory of Assets | | The asset register exists and contains assets observed
6.3.1 | Is Statement of Applicability created? | |
| Change control procedure | |
6.1.3 | Does Risk treatment plan exist? | |
| Business continuity procedures | |

Audit Report
Nonconformity: Non-fulfillment of a requirement

Observation: Not enough evidence for a nonconformity

Report document is mandatory

Audit Report:

● Header
● Nonconformities
● Observations
ISO 27001 Certification
● ISO 27001 certification demonstrates commitment to information security.
● Voluntary process showcasing effective Information Security Management System.
● Driven by regulatory compliance, client demands, and industry best practices.
● Provides reputation, trust, and credibility to stakeholders.
● Granted by accredited certification bodies.
● Bodies assess organization's ISMS for compliance.
● Thorough audits, evaluations, and assessments conducted.
● Certification validates adherence to recognized standards.
Certification Process
● Preparation: Establish or update ISMS to meet requirements.
● Select certification body with expertise in information security.
● Initial assessment: Review documentation, conduct interviews.
● Stage 1 audit: Verify necessary documentation compliance.
● Stage 2 audit: Evaluate ISMS implementation effectiveness.
● Address nonconformities and implement corrective actions.
● Certification decision: Issue ISO 27001 certificate.
● Periodic surveillance audits to ensure ongoing compliance.
● Re-certification process before expiry date.
ISO 17021
● ISO/IEC 17021 is a standard for certification bodies.
● It ensures competence, consistency, and impartiality.
● Certification bodies must meet its criteria for accreditation.
● ISO/IEC 17021 is used in ISO 27001 audits.
● It establishes requirements for organizational structure and competence.
● It guides the planning, conduct, and reporting of audits.
● Certification bodies adhere to ISO/IEC 17021 to ensure credibility.
● It ensures reliable and trustworthy certification services.
ISO 19011
● ISO 19011 is an international auditing standard.
● It provides guidance for management system audits.
● Emphasizes integrity, confidentiality, and evidence-based decision making.
● Uses a risk-based approach in audits.
● Addresses auditor competence and evaluation.
● Outlines steps in planning, conducting, and reporting audits.
● Requires follow-up activities to verify corrective actions.
Principles of Auditing
● Integrity: Auditors should act with honesty, diligence, and responsibility.
● Fair presentation: Audit findings, conclusions, and reports must be
accurate.
● Due professional care: Auditors should exercise diligence and judgment.
● Confidentiality: Auditors should handle information with discretion and
protect confidentiality.
● Independence: Auditors should be unbiased and independent in their
assessments.
● Evidence-based approach: Audit conclusions should be based on
verifiable evidence.
Audit Roles and Responsibilities
Lead Auditor: Oversees the entire audit process and ensures compliance.

Auditor: Conducts audit activities, gathers evidence, and evaluates compliance.

Subject Matter Expert: Provides specialized knowledge and guidance in specific areas.

Audit Client: Requests the audit and seeks certification or assessment.

Audit Coordinator: Manages logistics and facilitates communication between stakeholders.

Auditee: The organization being audited; provides access to information and implements corrective actions.
Lead Auditor
● The Lead Auditor plans and coordinates the ISO 27001 audit.
● They lead the on-site audit activities and ensure compliance.
● Effective communication with the auditee is essential.
● They review and approve audit documentation and reports.
● The Lead Auditor prepares a comprehensive audit report.
● They verify the implementation of corrective actions.
● Maintaining audit integrity and quality is their responsibility.
● They ensure compliance with ISO 27001 requirements and auditing
principles.
Auditor
● The Auditor conducts the ISO 27001 audit process.
● They gather and analyze relevant information and evidence.
● Auditors assess the organization's compliance with ISO 27001 requirements.
● They evaluate the effectiveness of information security controls and practices.
● Auditors identify any non-conformities or areas of improvement.
● They provide recommendations for addressing identified issues.
● Auditors communicate findings and observations to the auditee.
● They collaborate with the Lead Auditor throughout the audit process.
Subject Matter Expert
● Subject Matter Experts (SMEs) provide specialized knowledge and expertise.
● They support auditors in assessing compliance with ISO 27001 requirements.
● SMEs offer insights, guidance, and technical expertise in their respective
domains.
● They contribute to audit planning, checklists, and evaluation criteria.
● SMEs participate in interviews, observations, and technical assessments.
● They provide insights into industry trends and emerging threats.
● SMEs help auditors interpret and apply ISO 27001 requirements accurately.
● Their presence enhances the depth and accuracy of the audit.
● SMEs assist in identifying risks, vulnerabilities, and recommendations for
improvement.
Audit Client
● Audit client is the organization being audited in ISO 27001.
● They provide access to documentation, records, and evidence.
● Cooperate with auditors and facilitate the audit process.
● Participate in interviews and provide explanations when necessary.
● Responsible for transparency, accuracy, and prompt response to queries.
● Actively involved in addressing findings and implementing recommendations.
● Demonstrates commitment to information security and continuous
improvement.
Audit Coordinator
● Audit Coordinator facilitates and coordinates ISO 27001 audit process.
● Acts as the main point of contact between auditors and auditee.
● Coordinates audit activities, such as interviews and document reviews.
● Provides access to relevant documentation and records for the auditors.
● Facilitates communication and resolves logistical or administrative issues.
● Supports audit team by providing information and clarifications during audit.
● Monitors progress and ensures activities align with planned schedule.
● Encourages active participation and cooperation from the auditee.
● Assists in preparing audit reports and follow-up actions.
● Plays a vital role in ensuring a successful and well-coordinated audit.
Auditee
● Active engagement and cooperation with the audit team
● Providing accurate and complete information and documentation
● Offering insights and explanations during interviews and discussions
● Demonstrating compliance with ISO 27001 requirements and applicable
standards
● Taking prompt action to address identified nonconformities or areas for
improvement
● Maintaining open and transparent communication with the audit team
Managing an Audit Programme
Benefits of Audit Planning
● Effective audit planning is crucial for successful outcomes.
● Allocate sufficient time and effort to the planning phase.
● Clearly define roles and responsibilities of the auditee and audit team.
● Assess and allocate necessary resources for the audit.
● Anticipate and address potential challenges and risks.
Key Stages of Audit Planning
● Define audit objectives and determine the audit scope.
● Identify audit criteria and requirements to be assessed.
● Establish the audit team composition and assign roles.
● Develop a detailed audit plan with timelines and activities.
● Review documentation and assess potential risks.
● Ensure feasibility and alignment of the audit plan.
● Communicate concerns to the certification body if necessary.
Define the Audit Objectives
● Audit program objectives align with management system policy and
objectives.
● Consider management priorities, business intentions, and characteristics
of processes/products/projects.
● Address management system, legal/contractual requirements, and
supplier evaluation.
● Reflect needs/expectations of interested parties and auditee's
performance level.
● Account for risks, results of previous audits, and system maturity.
Examples of Audit Objectives
● Assess effectiveness of information security controls and processes
● Ensure compliance with ISO 27001 requirements and industry standards
● Identify and mitigate risks to information assets
● Validate implementation and maintenance of an ISMS
● Evaluate incident response procedures and capabilities
● Assess access controls and user management processes
● Review security awareness and training programs
● Evaluate backup and recovery processes for business continuity
● Assess security of network infrastructure, systems, and applications
● Identify opportunities for improvement and provide recommendations
Audit Criteria
● Standards for evaluating performance, effectiveness, and compliance in
audits.
● Based on ISO 27001 requirements, industry best practices, and
legal/regulatory requirements.
● Includes organization-specific controls and internal policies/procedures.
● Incorporates performance objectives and targets for measuring
effectiveness.
● Guides auditors in assessing ISMS compliance and identifying
improvement opportunities.
Define Audit Scope
● The audit scope in ISO 27001 defines the boundaries and extent of the audit.
● It identifies the specific areas, processes, and systems to be audited.
● The scope clarifies what will be included and excluded from the audit.
● It may specify the controls, policies, or procedures to be evaluated.
● The audit scope adopts a risk-based approach, focusing on high-risk areas.
● It considers the available time and resources for conducting the audit.
● The scope is reviewed and approved by relevant stakeholders.
● Clear communication of the audit scope is essential for cooperation and
collaboration.
● It ensures the audit focuses on critical areas of information security management.
● The audit scope helps achieve audit objectives effectively.
Selecting Audit Methods
● Document Review: Thorough examination of relevant documents,
policies, and records.
● Interviews: Interactions with personnel to validate understanding and
implementation of controls.
● Observations: Directly observing activities, practices, and processes
related to information security.
● Testing and Sampling: Selecting representative samples for evaluation of
effectiveness and compliance.
● Data Analysis: Analyzing data sources to identify patterns, trends, and
effectiveness of controls.
How to Select Audit Methods
● Define audit objectives and relevant criteria.
● Assess risks, controls, scope, and resources.
● Choose appropriate audit methods for evaluation.
● Consider combining methods for comprehensive assessment.
● Tailor methods to the ISMS and organization.
● Maintain objectivity, independence, and expertise.
● Apply methods to evaluate control effectiveness and compliance.
● Provide valuable recommendations for information security
enhancement.
Audit Team Selection
Financial Resources

Audit Methods

Availability of Auditors and Technical Experts

Extent of the Audit Programme and Risks

Traveling Time, Cost, and Accommodation

Availability of Information and Communication Technologies
HealthBridge Audit Team Selection Example
● HealthBridge ISO 27001 audit: Resource identification.
● Budget allocation: $25,000 for audit programme expenses.
● Audit methods: On-site and remote approaches selected.
● Audit team: 3 auditors, 1 technical expert.
● Budget: $10,000 for recruitment and remuneration.
● Audit programme scope: Covers two main facilities.
● Budget: $2,500 for travel and accommodation.
● Communication technologies: $7,500 investment for efficiency.
● Thorough and rigorous audit ensures compliance and improvement.
● Valuable insights enhance information security practices at HealthBridge.
Audit Risk Management
● Planning: Failure to set relevant audit objectives and determine the
extent of the audit programme.
● Resources: Allowing insufficient time for developing the audit programme
or conducting audits.
● Selection of the audit team: The team lacking the collective competence
to conduct effective audits.
● Implementation: Ineffective communication of the audit programme.
● Records and their controls: Failure to adequately protect audit records
to demonstrate programme effectiveness.
● Monitoring, reviewing, and improving the audit programme: Ineffective
monitoring of programme outcomes.
Performing the Audit
● Initiating the audit:
○ Establishing initial contact with the auditee
○ Determining the feasibility of the audit
● Preparing audit activities:
○ Performing document review in preparation for the audit
○ Preparing the audit plan
○ Assigning work to the audit team
○ Preparing work documents
Performing the Audit
● Conducting the audit activities:
○ Conducting the opening meeting
○ Performing document review while conducting the audit
○ Communicating during the audit
○ Assigning roles and responsibilities of guides and observers
○ Collecting and verifying information
○ Generating audit findings
○ Preparing audit conclusions
○ Conducting the closing meeting
● Preparing and distributing the audit report:
○ Preparing the audit report
○ Distributing the audit report
○ Completing the audit
● Conducting audit follow-up (if specified in the audit plan)
Initiating the Audit
● Establish initial contact with the auditee
● Discuss audit objectives, scope, and feasibility
● Ensure availability of relevant audit resources
Establishing Initial Contact With the Auditee
● Establish communication and rapport with auditee's representatives.
● Confirm authority to conduct the audit.
● Provide information on audit objectives, scope, methods, and team
composition.
● Request access to relevant documents and records for planning.
● Determine legal, contractual, and other requirements applicable to auditee.
● Agree on extent of disclosure and treatment of confidential information.
● Schedule audit dates and address location-specific requirements.
● Discuss auditee's concerns and areas of interest for the audit.
HealthBridge Initial Contact
● HealthBridge: ISO 27001 audit begins with initial contact.
● Audit team leader: Sarah Thompson communicates with auditee.
● Clarify audit objectives, scope, and team composition.
● Request access to relevant documents and records.
● Confirm audit confidentiality and treatment of information.
● Collaborate on audit dates and location-specific requirements.
● Address HealthBridge's areas of interest or concerns.
● Establish open communication for a successful audit.
Determine the Feasibility of the Audit
● Availability of sufficient and appropriate audit information
● Adequate cooperation from the auditee
● Sufficient time allocation for the audit
● Adequate resources for conducting the audit
● Insufficient information from the auditee
● Lack of cooperation or support from the auditee
● Time constraints impacting the thoroughness of the audit
● Insufficient resources hindering the audit process
Preparing Audit Activities
● Perform document review for essential information gathering.
● Develop an audit plan outlining objectives, scope, and timeline.
● Assign tasks to audit team members based on expertise.
● Prepare work documents such as checklists and templates.
Performing Document Review in Preparation for the Audit
● Review auditee's ISMS documentation
● Gather information for audit activities and work documents
● Detect possible gaps in system documentation
● Consider size, nature, and complexity of auditee's management system
● Include management system documents, records, and previous audit
reports
Audit Plan Preparation
● Time: Specifies dates, duration, and start/end times of the audit.
● Activities: Lists tasks to be performed during the audit, such as document
review, interviews, and observations.
● Purpose: Clearly states the objectives and goals of the audit.
● Location: Identifies the physical location(s) where the audit will take place.
● Host: Specifies the organization being audited and their role in supporting
the audit.
● Auditee: Identifies the individual or team being audited and defines the
scope of the audit.
HealthBridge Audit Plan

Time | Activity | Purpose | Location | Host | Auditee
June 1-3 | Document Review | Assess compliance with ISO 27001 requirements | Healthbridge | John Smith (CISO) | Mark Johnson (IT Manager)
June 4-5 | Interviews | Evaluate understanding and implementation | Healthbridge | Sarah Johnson (HR) | Emma Davis (Marketing Manager)
June 6 | On-site observations | Verify effectiveness of information security | Healthbridge | Mary Thompson (IT) | James Anderson (Network Engineer)
June 7 | Closing Meeting | Present audit findings and recommendations | Healthbridge | Alex Davis (CEO) | Laura Roberts (Quality Manager)
Assigning Work to the Audit Team
● Audit team leader assigns specific responsibilities to each team member.
● Assignments consider auditor independence, competence, and efficient resource
utilization.
● Responsibilities may involve auditing processes, activities, functions, or locations.
● Roles and responsibilities of auditors, auditors-in-training, and technical experts are
considered.
● Audit team briefings are conducted to allocate work assignments and discuss changes.
● Work assignments may be adjusted during the audit to achieve audit objectives.
HealthBridge Example
● HealthBridge ISO 27001 Audit - Sarah Thompson leads the team.
● Assigns tasks based on expertise - John, Emily, Michael, Rachel.
● Audit team briefing for clear communication and coordination.
● Regular check-ins and adjustments during the audit.
● Collaborative approach fosters valuable insights and findings.
● Recommendations for enhancing information security practices.
Conducting Audit Activities
● Conduct opening meeting and discuss audit objectives
● Perform document review throughout the audit process
● Maintain effective communication with the auditee
● Assign roles and responsibilities to guides and observers
● Collect and verify information through interviews, observations, and analysis
● Generate audit findings based on the collected evidence
● Prepare audit conclusions and recommendations
● Conduct a closing meeting to discuss results and follow-up actions
Conducting the Opening Meeting
● Initiate audit with opening meeting.
● Confirm agreement and introduce team.
● Outline audit objectives, scope, criteria.
● Explain audit methods and evidence.
● Establish communication channels.
● Keep auditee informed of progress.
● Verify resources and facilities availability.
● Address confidentiality and security matters.
● Discuss reporting and grading methods.
● Provide feedback mechanisms for auditee.
Opening Meeting At HealthBridge
● Introduction and participant roles.
● Clarifying audit objectives and criteria.
● Reviewing the detailed audit plan.
● Confirming arrangements with the auditee.
● Explaining audit methods and evidence.
● Managing risks and confidentiality.
● Establishing communication channels.
● Ensuring resource availability.
● Addressing health and safety procedures.
● Describing audit reporting and grading.
● Informing about possible audit termination.
● Handling findings and feedback process.
● Detailing the closing meeting procedure.
● Q&A session for clarifications.
Performing Document Review
● Document review assesses conformity with audit criteria.
● Gathers information to support audit activities.
● Ensures auditee's system complies with ISO 27001 standards.
● Foundation for various audit activities.
● Continues throughout the audit process if feasible.
● Integrates with other audit tasks effectively.
● Promptly informs if documentation is inadequate.
● Follow guidance in Clause B.2 of ISO 19011 standard.
Document Review Example At HealthBridge
● HealthBridge, a healthcare organization, prepares for an ISO 27001 audit.
● Audit team led by Sarah Johnson, the Lead Auditor.
● Team members: David Lee (Risk Management Expert) and John Smith (Information Security Specialist).
● Purpose: Assess HealthBridge's ISMS compliance with ISO 27001 standards.
● Sarah reviews information security policies, access controls, and incident response plans.
● David evaluates risk assessments and risk treatment plans.
Document Review Example At HealthBridge (2)
● John examines incident reports and corrective action records.
● Collaborative cross-referencing of policies, procedures, and records for verification.
● Ongoing document review throughout the audit process.
● Communication with HealthBridge's management and information security personnel.
● Findings documented for discussion in the closing meeting.
● Emphasis on ISO 27001 alignment and areas for improvement.
● Strengthening information security practices and data protection.
Communicating During the Audit
● Effective communication for audit success and risk mitigation
● Audit team leader establishes formal communication arrangements
● Regular team conferences for information exchange and progress assessment
● Ongoing communication with auditee and audit client
● Prompt reporting of significant risks to auditee and client
● Addressing concerns beyond audit scope with the team leader
● Reporting obstacles to achieving audit objectives
● Changes to the audit plan are reviewed and approved
● Proactive communication ensures a successful audit process.
Example of Communication at HealthBridge
● Regular progress updates to HealthBridge's management
● Communication with HealthBridge's IT team for insights
● Prompt reporting of non-compliances and risks
● Coordination meetings among audit team members
● Engaging with HR and legal departments
● Immediate reporting of critical security risks
● Reviewing and adjusting audit objectives
● Detailed post-audit recommendations to management
Assigning Roles and Responsibilities of Guides and Observers
● Guides and observers accompany the audit team.
● They should not influence the audit process.
● Audit team leader can deny observer participation.
● Health, safety, and confidentiality managed by audit client.
● Guides assist auditors, arrange access, and ensure safety.
● Guides may witness the audit and provide clarification.
Information Collection and Verification
● Collect and verify relevant information for audit objectives.
● Use appropriate sampling methods for data collection.
● Accept only verifiable information as audit evidence.
● Record audit evidence leading to findings.
● Address new or changed circumstances or risks promptly.
● Employ interviews, observations, and document reviews.
● Consider guidance from ISO 19011 standard.
● Ensure evidence supports final audit conclusions and recommendations.
Information Collection and Verification at HealthBridge
● Interviews with CISO, IT managers, and department heads.
● On-site observations of physical security measures.
● Review ISMS documentation for ISO 27001 alignment.
● Examine records of previous security incidents.
● Perform vulnerability assessments and penetration tests.
● Sample data for compliance and data protection.
● Conduct employee surveys on information security awareness.
● Cross-reference evidence for consistency and accuracy.
Generating Audit Findings
● Gather evidence, assess compliance, and identify findings.
● Findings indicate conformity or nonconformity with criteria.
● Record nonconformities and provide supporting evidence.
● Review nonconformities with the auditee for acknowledgement.
● Resolve diverging opinions on audit evidence or findings.
● Regular team meetings to review audit findings.
● Ensure clear and well-documented audit findings.
● Provide valuable insights and recommendations for improvement.
Audit Findings Examples at HealthBridge
● Incident response plan nonconformity (absence of a documented plan).
● Conformity: Effective access controls for sensitive data.
● Opportunity: Improve staff training on data handling.
● Good practice: Robust data backup system.
● Graded nonconformity: Data encryption inconsistencies (Grade 2).
Preparing Audit Conclusions
● Audit team reviews findings and information.
● Agrees on audit conclusions considering uncertainty.
● Prepares recommendations if specified in plan.
● Addresses conformity, management system, and audit objectives.
● Assesses root causes and identifies trends.
● Considers achievement, coverage, and audit criteria.
● May lead to improvement recommendations or future audits.
Preparing Audit Conclusions at HealthBridge
● Conformity: High compliance with ISO 27001, access controls, and incident response.
● Robust Management System: Effective protection of sensitive data, strong security measures.
● Effective Implementation: Maintained information security controls, well-functioning procedures.
● Management Review: Ensures continual suitability, adequacy, and improvement.
● Achieved Objectives: Thorough assessment of critical security aspects.
● Root Causes: Minor non-conformities in data classification, access privileges.
● Trends: Similar findings, highlight data access issues.
● Recommendations: Enhance data classification, reinforce access controls.
● Closing Meeting: Audit conclusions presented, management commits to improvements.
● Valuable Tool: Audit aids continuous improvement of information security.
Conducting the Closing Meeting
● Closing meeting led by audit team leader.
● Participants: auditee's management, relevant stakeholders.
● Transparency regarding encountered audit situations.
● Establish time frame for action plan.
● Tailored detail based on auditee's familiarity.
● Explanation of audit evidence basis.
● Clear communication of findings and conclusions.
● Address handling of audit findings and consequences.
● Ensure auditee's comprehension and acknowledgment.
● Openly discuss and record any diverging opinions.
Closing Meeting at HealthBridge
● Led by Sarah Thompson, the audit team leader.
● Includes HealthBridge's management and relevant stakeholders.
● Presents clear audit findings and conclusions.
● Highlights conformity and good practices.
● Discusses nonconformities, including the absence of an incident response plan.
● Auditee's management acknowledges findings and commits to improvements.
● Explains post-audit activities, such as implementing corrective actions.
● Emphasizes continuous improvement in information security management.
● Meeting concludes collaboratively with a commitment to enhancing practices.
● Audit report finalized and shared for continual improvement efforts.
Preparing and Distributing the Audit Report
● Preparing the audit report
● Distributing the audit report
Preparing the Audit Report
● Audit objectives, scope, and participants listed.
● Dates and locations of audit activities mentioned.
● Audit criteria and findings presented.
● Conclusions on fulfillment of audit criteria.
● Obstacles affecting reliability noted.
● Confirmation of achieved objectives and scope.
● Uncovered areas within scope listed.
Preparing the Audit Report (2)
● Summary of main findings and conclusions.
● Diverging opinions recorded for resolution.
● Opportunities for improvement highlighted.
● Good practices observed mentioned.
● Agreed follow-up action plans included.
● Statement on confidentiality of report.
● Implications for audit program discussed.
● Distribution list for the report provided.
Distributing the Audit Report
● Audit report issued within agreed timeframe.
● Communicate reasons for any delays.
● Report dated, reviewed, and approved.
● Distribution to defined recipients.
● Key stakeholders receive the report.
● Report guides improvement and decision-making.
● Enhances operational efficiency and compliance.
● Promotes accountability and collaboration.
● Fosters a culture of continuous improvement.
Completing the Audit
● Audit completed when planned or as agreed with client.
● Manage documents per program procedures and requirements.
● Maintain confidentiality; seek approval for disclosure.
● Lessons learned enhance continual improvement.
● Implement lessons for improved practices and performance.
Audit Follow up
● Audit conclusions may lead to corrections, improvements, and preventive actions.
● Auditee implements actions within agreed timeframe.
● Keep audit program and team informed of progress.
● Verify completion and effectiveness of actions.
● Subsequent audit may include verification process.
The Certification Review
● ISO 27001 certification review evaluates ISMS compliance periodically.
● Surveillance audits monitor ongoing compliance and performance.
● Recertification audit every three years for full evaluation.
● Non-conformities require corrective actions and follow-up verification.
● Review encourages continual improvement in information security practices.
● Certification status is renewed upon meeting all requirements.
● Demonstrates commitment to safeguarding information assets.
Conclusion
● Congratulations on completing the ISO 27001:2022 Lead Auditor course!
● Equipped with valuable information security auditing skills.
● Profound understanding of ISO 27001:2022 requirements achieved.
● You play a crucial role in safeguarding data.
● Your expertise enhances information security practices.
● Thank you for your commitment to excellence.
● Impactful contribution to organizations' success.
● Building a secure digital future together.
● Best of luck in your future endeavors!