ISO 27001:2022 Lead Auditor - 2
● ISO 27001 Auditor, Security Plus, CEH, GSEC, ECSA, CISSP, and CISM
Why this Course?
Comprehensive coverage
Time effective
ISO 27001:
● Regulatory Compliance
● Enhancing Reputation
● Improving Security Posture
● Streamlining Processes
● Building Trust with Patients
● Facilitating Business Growth
CIA Triad
● Confidentiality: restricted access, to authorised persons only
● Integrity: restricted changes, by authorised persons only
● Availability: available when needed
Example of CIA
● You are the only one who can access your bank account: Confidentiality
● No alteration to your account without valid transactions: Integrity
● You can access your account anytime: Availability
CIA for HealthBridge
● Confidentiality:
○ Authorized access to patient data
○ Measures to prevent access by the wrong people
● Integrity:
○ Accurate and trustworthy patient data
○ Access control to prevent unauthorized alteration
● Availability:
○ Patient data accessible to authorized personnel
○ Redundant systems and backups
Basic Definitions
● Information Security Event: an identified occurrence indicating that a security policy may have been violated or that a security control has failed.
Threat and Vulnerability
HealthBridge Example
Vulnerability: outdated software on employee's computer.
Risk Acceptance
9. Performance evaluation (Check)
4. Context of the Organisation
4.1 Understanding the organisation and its context
● Resources, Capabilities
● Risk appetite
Example control entry: Access controls - Limit access to authorized individuals - Applicable: Yes - Justification: Protects patient data from unauthorized access
7.2 Competence
7.3 Awareness
7.4 Communication
● Resources are
○ Financial
○ Human
● People are key resources for taking care of information security and the ISMS
● Tools such as software and hardware appliances are needed to maintain security
● Facilities must offer security levels proportional to the risk an organization faces
7.2 Competence
● Ensure people managing the ISMS have adequate competence
● Measure and record competence levels
● Use internal or external resources to obtain competence
● Assess competence and identify gaps
● Provide training, education or mentoring to maintain information security competence
● Identify and agree on the organization's competence requirements
7.3 Awareness
● Persons must be aware of the information security policy, their contribution to the ISMS, and the implications of not conforming.
● For documented information, the organization should address distribution, access, retrieval, storage, and changes.
Example treatment actions (Action - Risk - Owner - Planned date - Resources - Status):
● Install disk encryption on all laptops to protect data - Risk 46: data on lost or stolen laptops can be compromised - System administrator - 16 April 2023 - 2 man/days, BitLocker - Implemented
● Install smart card physical control for data center - Risk 54: data center can be accessed by anyone - Facility manager - 03 May 2023 - Finances for control - In progress
9. Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
● Improvement opportunities
● Must be documented
10. Improvement
10.1 Nonconformity and corrective action
(Diagram: Internal audit, Management review and Performance evaluation -> Nonconformity -> Corrective action)
Examples of Nonconformities
● Failure to comply with clause 4.1: lack of defining the scope
● No ISMS policy
● No risk assessment
● Absence of a statement of applicability
● Failure to comply with Clause 7: management review of the ISMS
● Failure to comply with the internal ISMS audit (Clause 6)
10.1 Nonconformity and corrective action
In the event of a nonconformity (example: a department buys its PCs directly, outside any procurement process):
Similar nonconformities: check whether any other departments are buying their PCs directly.
Root cause corrective action: set up a procurement process for PCs and enforce it.
10.2 Continual Improvement
Continual improvement is key to achieving and maintaining
● Suitability
● Effectiveness
of the ISMS
Annex A (ISO 27001:2022)
● Annex A is a list of 93 security controls
● Control: a measure that modifies risk
● Control Objective: a statement describing what is to be achieved as a result of implementing a control
● 4 Control categories
What is ISO 27001:2022 Annex A?
● Reorganized and refined
● Better represent current risks
● Focus on
○ 1. Organizational: Governance, risk, policy, structure.
○ 2. People: Training, awareness, reporting, culture.
○ 3. Physical: Access, environment, surveillance, protection.
○ 4. Technological: Encryption, authentication, detection, defense.
5. Organizational Controls
● 37 controls
● Structured approach to managing risks
● Align policies with business objectives
● Address legal, regulatory requirements
● Emphasize human factors in security
● Manage physical and digital assets
● Monitor and review supplier services
Organizational Controls (5.1-5.5)
5.1 Policies for Information Security: Define, approve, publish, and communicate policies to all.
5.23 Information Security for Use of Cloud Services: Specify and manage information security for the use of cloud services.
5.34 Privacy and Protection of PII: Comply with legal requirements for PII protection.
Remote work
Ensure confidentiality
Non-disclosure agreements
Screen employees
People Controls (6.1-6.4)
6.1 Screening: Ensure personnel eligibility and suitability during employment.
Physical Controls (7.x)
7.3 Securing Offices, Rooms and Facilities: Prevent unauthorized access and damage to assets.
7.7 Clear Desk and Clear Screen: Minimize unauthorized access to information on desks/screens during and outside working hours.
Technological Controls (8.2-8.15)
8.2 Privileged Access Rights: Ensure privileged access rights are granted to authorized users only.
8.15 Logging: Capture events, maintain log integrity, detect security events, prevent unauthorized access, and support investigations.
Technological Controls (8.16-8.20)
8.16 Monitoring Activities: Detect anomalous behaviour and information security incidents.
8.18 Use of Privileged Utility Programs: Ensure safe use of utility programs for security.
8.23 Web Filtering: Protect systems from malware and unauthorized web access.
8.25 Secure Development Life Cycle: Ensure a secure development life cycle for software and systems.
Technological Controls (8.26-8.30)
8.26 Application Security Requirements: Address all security requirements when developing or acquiring applications.
Examples of nonconformities:
● Missing Controls
● Inadequate Risk Assessment
● Insufficient Documentation
● Ineffective Incident Response
● Noncompliance with Legal and Regulatory Requirements
Nonconformities Examples in HealthBridge
● Missing Access Controls: Unauthorized access to sensitive patient information.
● Inadequate Risk Assessment: Insufficient identification and evaluation of data
breach risks.
● Insufficient Documentation: Lack of incident response policies and procedures.
● Ineffective Staff Training: Inadequate information security training for
employees.
● Noncompliance with HIPAA: Failure to meet HIPAA's data protection
requirements.
Observations
Definition: Notable findings or insights that auditors make during the audit
process
Example of Interview in HealthBridge (1)
● How does HealthBridge Clinic ensure compliance with regulations like HIPAA?
● What are the procedures for handling security incidents at HealthBridge Clinic?
Example of Interview in HealthBridge (2)
● Have there been any recent initiatives to enhance information security at
HealthBridge Clinic?
● How are employees educated about information security threats and best
practices?
● How is the network monitored, and how is access to critical systems controlled?
● Are multi-factor authentication measures implemented for any systems?
Testing and Sampling
● Select representative subset for evaluation
● Define objectives and sample criteria
● Choose sample using various methods
● Analyze for control effectiveness and compliance gaps
● Draw conclusions on ISMS performance
● Document findings for assessment and audit report
● Efficient and cost-effective approach
● Provides reasonable assurance on performance and compliance
● Manages time and resource constraints.
Sampling in HealthBridge Audit
● Testing Access Controls
● Sampling Incident Logs
● Testing Data Encryption
● Sampling Security Awareness Training Records
● Testing Vulnerability Assessments
● Sampling Incident Response Plans
● Testing Backup and Recovery Processes
Data Analysis
● Incident analysis: Reviewing logs and records to identify security incident
trends.
● Risk management assessment: Analyzing risk assessment data to
evaluate controls effectiveness.
● System log analysis: Examining logs for anomalies, unauthorized access,
and policy compliance.
● Compliance assessment: Analyzing audit and control review data for ISO
27001 compliance.
● Performance metric analysis: Evaluating security objectives through
performance metrics and data analysis.
Example of HealthBridge
● Incident analysis: Identifying trends and patterns in security incidents.
● Risk management evaluation: Assessing risks specific to healthcare privacy.
● System log analysis: Detecting anomalies and unauthorized access
attempts.
● Compliance assessment: Ensuring adherence to healthcare regulations
and policies.
● Performance metrics analysis: Evaluating healthcare-specific information
security objectives.
Evidence Gathering Tools
● Log Analysis Tools: Analyze system and network logs for security
incidents.
● Vulnerability Scanning Tools: Identify vulnerabilities in networks,
systems, and applications.
● Data Analysis Tools: Analyze data to identify patterns, trends, and
anomalies.
● Configuration Assessment Tools: Evaluate system and network
configuration settings.
● Documentation Management Tools: Organize and manage ISMS-related
documentation.
● Forensic Tools: Collect and analyze digital evidence in security incidents.
Internal Audit vs External Audit
Internal audits:
Audit Report :
● Header
● Nonconformities
● Observations
ISO 27001 Certification
● ISO 27001 certification demonstrates commitment to information security.
● Voluntary process showcasing effective Information Security Management System.
● Driven by regulatory compliance, client demands, and industry best practices.
● Provides reputation, trust, and credibility to stakeholders.
● Granted by accredited certification bodies.
● Bodies assess organization's ISMS for compliance.
● Thorough audits, evaluations, and assessments conducted.
● Certification validates adherence to recognized standards.
Certification Process
● Preparation: Establish or update ISMS to meet requirements.
● Select certification body with expertise in information security.
● Initial assessment: Review documentation, conduct interviews.
● Stage 1 audit: Verify necessary documentation compliance.
● Stage 2 audit: Evaluate ISMS implementation effectiveness.
● Address nonconformities and implement corrective actions.
● Certification decision: Issue ISO 27001 certificate.
● Periodic surveillance audits to ensure ongoing compliance.
● Re-certification process before expiry date.
ISO 17021
● ISO/IEC 17021 is a standard for certification bodies.
● It ensures competence, consistency, and impartiality.
● Certification bodies must meet its criteria for accreditation.
● ISO/IEC 17021 is used in ISO 27001 audits.
● It establishes requirements for organizational structure and competence.
● It guides the planning, conduct, and reporting of audits.
● Certification bodies adhere to ISO/IEC 17021 to ensure credibility.
● It ensures reliable and trustworthy certification services.
ISO 19011
● ISO 19011 is an international auditing standard.
● It provides guidance for management system audits.
● Emphasizes integrity, confidentiality, and evidence-based decision making.
● Uses a risk-based approach in audits.
● Addresses auditor competence and evaluation.
● Outlines steps in planning, conducting, and reporting audits.
● Requires follow-up activities to verify corrective actions.
Principles of Auditing
● Integrity: Auditors should act with honesty, diligence, and responsibility.
● Fair presentation: Audit findings, conclusions, and reports must be
accurate.
● Due professional care: Auditors should exercise diligence and judgment.
● Confidentiality: Auditors should handle information with discretion and
protect confidentiality.
● Independence: Auditors should be unbiased and independent in their
assessments.
● Evidence-based approach: Audit conclusions should be based on
verifiable evidence.
Audit Roles and Responsibilities
Lead Auditor: Oversees the entire audit process and ensures compliance.
Subject Matter Expert: Provides specialized knowledge and guidance in specific areas.
Audit Methods