
Preparation for Security Audit Certification
(Préparation à la Certification à l'Audit de Sécurité)
By
Egbe Besong Divine
CEHv9, ISO 27001 Lead Auditor
Standard and Regulatory Framework
• What is ISO?
• Fundamental ISO principles
• Management system standards
• Integrated management system
• Information security standards
• ISO 27000 family
• ISO 27000 advantages
• Legal and regulatory conformity
• Note: During this training we adopt the following
convention: "ISO XXXXX" refers to the standard ISO/IEC
XXXXX:20XX (the edition year is omitted).
What is ISO?
• ISO is a network of national standardization
bodies from over 160 countries
• The final results of ISO work are published as
international standards
• Over 19 000 standards have been published
since 1947
Basic Principles – ISO Standards
1. Equal representation 1 vote per country
2. Voluntary membership: ISO does not have the
authority to force adoption of its standards
3. Business orientation: ISO only develops standards
for which a market demand exists.
4. Consensus approach: Looking for a large
consensus among the different stakeholders
5. International cooperation: Over 160 member
countries plus liaison bodies.
Eight ISO Management Principles
• Customer Focus
• Leadership
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision making
• Mutually beneficial supplier relationships
Management System Standards
• Primary standards against which an organization can be certified:
 ISO 9001 – Quality
 ISO 14001 – Environment
 OHSAS 18001 – Health and Safety at work
 ISO 20000 – IT Service management
 ISO 22301 – Business Continuity
 ISO 27001 – Information Security
 ISO 22000 – Food Safety
 ISO 28000 – Supply Chain Security
Integrated Management System
• Where the same management-system requirement appears in each standard (clause numbers of the editions cited):

Requirement | ISO 9001:2008 | ISO 14001:2004 | ISO 20000-1:2011 | ISO 22301:2012 | ISO 27001:2013
Objectives of the management system | 5.4.1 | 4.3.3 | 4.5.2 | 6.2 | 6.2
Policy of the management system | 5.3 | 4.2 | 4.1.2 | 5.3 | 5.2
Management commitment | 5.1 | 4.4.1 | 4.1 | 5.2 | 5.1
Documentation requirements | 4.2 | 4.4 | 4.3 | 7.5 | 7.5
Internal audit | 8.2.2 | 4.5.5 | 4.5.4.2 | 9.2 | 9.2
Continual improvement | 8.5.1 | 4.5.3 | 4.5.5 | 10 | 10.2
Management review | 5.6 | 4.6 | 4.5.4.3 | 9.3 | 9.3
Other Information Security Standards
• Examples
• ISO 9798 Entity Authentication
• ISO 11770 Key Management
• ISO 15408 Common Criteria (IT security evaluation)
• ISO 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM)
• ISO 24761 Authentication context for biometrics
• ISO 27033 Network Security
History of the ISO 27001 Series
• Important dates
 1995: BS 7799-1, Code of Best Practice, published by a group of companies
 1998: BS 7799-2, ISMS requirements; certification scheme
 2000: ISO 17799, Code of Best Practice
 2005: New version of ISO 17799; ISO 27001, ISMS requirements; certification of organizations against ISO 27001
 2007: ISO 17799 renumbered as ISO 27002 (best practice code)
 2008-2012: Publication of ISO 27006 and other standards of the 27000 family
 2013: Revision of ISO 27001 and ISO 27002 (new editions)
ISO 27000 family
• Some important members of the family:
• ISO 27000: Overview and vocabulary. This standard defines the concepts and the
vocabulary that apply to Information Security Management Systems. A free copy of
this standard can be downloaded from the ISO website.
• ISO 27001: Defines the requirements of the Information Security Management
System (the standard against which an organization is certified).
• ISO 27002 (previously ISO 17799): Code of practice for information security
controls. This standard gives control objectives and implementation guidance
covering the information security concerns of an organization across its overall
activities.
• ISO 27005: Guide for information security risk management, consistent with the
concepts, models and general processes specified in ISO 27001.
• ISO 27011: Guidelines for the use of ISO 27002 in the telecommunications industry.
• ISO 27031: Guidelines for information and communication technology readiness
for business continuity.
ISO 27001
• Specifies the requirements for the ISMS
(Clauses 4 to 10)
• Requirements (clauses) are written using the
imperative verb "shall"
• Annex A: 14 control domains (A.5 to A.18) containing 35 control
objectives and 114 controls
• An organization can obtain certification against
this standard
ISO 27002
• Code of practice for information security
controls (reference document)
• Clauses are written using the verb "should"
(guidance, not requirements)
• Composed of 14 clauses containing 35 control
objectives and 114 controls, matching Annex A of ISO 27001
• An organization cannot obtain certification against
this standard
• Formerly ISO 17799
ISO 27009+
• Within the 27000 series, ISO 27009 and the
subsequent numbers are reserved for the creation
of domain-specific standards.
 For industries:
 Telecommunication
 Health
 Finance
 For specific sectors related to information security:
 Application security
 Cyber security
 Security incident management
 Privacy protection
ISO 27001 Advantages
• Improvement of security
• Good governance
• Conformity
• Cost reduction
• Marketing
Legal Conformity
• The organization must comply with applicable
laws and regulations
• In most countries, the implementation of an ISO
standard is a voluntary decision of the
organization, not a legal requirement
• In all cases, laws take precedence over standards
• ISO 27001 can be used to help comply with several laws
and regulations
ISO 27001 and Regulatory Frameworks
• Example – US
Sarbanes-Oxley Act (2002)
HIPAA (1996) (Health Insurance Portability and Accountability Act)
NIST SP 800-53 (Rev. 1, 2006) (National Institute of Standards and
Technology): provides security controls for information systems
within the federal government.
• Example – Europe
Directive 95/46/EC – Directive on the protection of
individuals with regard to the processing of personal data and on the free
movement of such data.
Council Decision 92/242/EEC – Decision in the field of security of
information systems.
ISO 27001 and Regulatory Frameworks
• Example: International and industry frameworks:
• OECD Guidelines (2002): the Organisation for Economic Co-operation and Development
developed guidelines for the security of information systems and networks
based on nine principles: awareness, responsibility, response, ethics, democracy, risk
assessment, security design and implementation, security management and
reassessment.
• Payment Card Industry Data Security Standard (2004): PCI DSS consists of a series of
technical and operational requirements whose goal is to protect cardholder data against
fraud and other threats related to payment cards.
• COBIT (1996+): Developed by ISACA and the ITGI, COBIT (Control Objectives for
Information and related Technology) is a reference framework for the governance
and management of enterprise IT.
• ITIL (1980s+): Issued by the UK Office of Government Commerce (OGC, previously the
CCTA), the Information Technology Infrastructure Library is a set of publications listing
best practices for IT service management (ITSM).
Questions?
IS Audit Training
Section 2
Fundamental Principles of Information Security:
a. Asset and Information asset
b. Information security
c. Confidentiality, Integrity and Availability
d. Vulnerability, Threat and Impact
e. Information security risk
f. Security objectives and controls
g. Classification of security Controls
h. Control environment
Information and Asset (1)
• Information: Meaningful data
• Asset: anything that has value to the organization
• Note: There are many types of assets including:
Information
Software such as computer programs
Physical such as computer
Services
People, and their qualifications, skills and experiences
Intangibles, such as reputation and image.
Information and Asset (2)
• Annex A, clause A.8 (Asset management) defines the objectives of the security
controls linked to the management of assets
• ISO 27001, A.8.1 – Responsibility for assets
Objective: To identify organizational assets and define appropriate protection
responsibilities.
• A.8.1.1 Inventory of assets
• A.8.1.2 Ownership of assets
• A.8.1.3 Acceptable use of assets
• A.8.1.4 Return of assets

Document – Specification – Record
• Document: Information and its supporting
medium (paper, magnetic, electronic or
optical computer disc, photograph, or a
combination of these)
• Documentation: A set of documents
• Specification: Document stating requirements
• Record: Document stating results achieved or
providing evidence of activities performed
Information Security (1)
• ISO 27002 clause 0.1
• Effective information security reduces information security
risks by protecting the organization against threats and
vulnerabilities, and thereby reduces the impacts on its
assets.
Information Security (2)
• ISO 27002 clause 0.1
• Preservation of confidentiality, integrity and availability of
information.
• In addition, other properties, such as authenticity,
accountability, non-repudiation, and reliability can also be
involved.
• Note:
 Authenticity: Property that an entity is what it claims to be.
 Non-repudiation: Ability to prove the occurrence of a claimed
event or action and its originating entities.
 Reliability: Property of consistent intended behaviour and results.
Information security (3)
Covers information of all kinds
• Printed or handwritten
• Recorded on technical media
• Transmitted by email or electronically
• Included in a website
• Shown in corporate videos
• Mentioned during conversation
• Etc.
Information security (4)
ISO 27001 is an information security standard. This means it applies to the
protection of information whatever its form: digital, paper or held by people.
Annex A includes control objectives related to the classification of information
• ISO 27001, A.8.2 – Information classification.
Objective: To ensure that information receives an
appropriate level of protection in accordance with its
importance to the organization
• A.8.2.1 Classification of information
• A.8.2.2 Labelling of information
• A.8.2.3 Handling of assets
Information System
• A collection of hardware, software and organizational
arrangements that allow information to be received, stored and
processed.
• Confidentiality: Property that information is not made
available or disclosed to unauthorized individuals,
entities, or processes.
• Integrity: Property of protecting the accuracy and
completeness of Information (assets).
• Availability: Property of being accessible and usable
upon demand by an authorized entity
Vulnerability
• Weakness of an asset or control that can be exploited by one or more
threats.
• Vulnerability assessment can be complicated by a common misperception
that weaknesses are always associated with negative
characteristics, for example an information system where patches are not
applied.
• However, weaknesses can also be associated with positive characteristics. For
example, the mobility of laptops is a desirable benefit for which you pay a
higher price, but that same advantage makes them more likely to be stolen.
• Vulnerabilities can be intrinsic or extrinsic:
 Intrinsic vulnerabilities are related to the inherent characteristics of the asset.
 Extrinsic vulnerabilities are related to the specific circumstances of the asset, e.g.
a server that lacks the capacity to process its data has an intrinsic vulnerability, and if
that server sits in a basement in a flood zone, it has an extrinsic vulnerability.
Types of vulnerabilities
ISO 27005, Annex D
Type of vulnerability Examples
1. Hardware Insufficient maintenance
Portability
2. Software No registration logs
Complicated interfaces
3. Network Lack of encryption transfers
Single point of Access
4. Personnel Insufficient training
Lack of supervision
5. Site Site in an area susceptible to flood
Unstable electrical system
6. Organization’s structure Lack of segregation of duties
No job description
Threats
• Potential cause of unwanted incident which
may result in harm to a system or an
organization
• A threat has the potential to harm assets such
as information, processes, and systems
therefore harm the organization
• Threats are associated with negative aspects
of risk
Types of Threats
ISO 27005, Annex C
Threat type Examples
1. Physical damage Fire
Water damage
2. Natural disaster Earthquake
Flooding
3. Loss of essential service Power outage
Failure of air conditioning
4. Disruption caused by radiation Electromagnetic radiation
Thermal radiation
5. Information Compromised Wiretaps
Theft of documents
6. Technical failure Equipment failure
Network overload
7. Unauthorized action Unauthorized access
Use of pirated software
Relationship: Vulnerability and
Threat
Example

Vulnerability | Threat
Warehouse unprotected and without surveillance | Theft
Complicated data processing procedure | Data input error by personnel
No segregation of duties | Fraud, unauthorized use of the system
Unencrypted data | Information theft
Use of pirated software | Lawsuit, virus
No review of access rights | Unauthorized access by persons who have left the organization
No backup procedure | Loss of information

Note: The presence of a vulnerability does not by itself produce damage; a threat must exist
to exploit it. A vulnerability that does not correspond to any threat may not require a
control, but it must be identified and monitored in case circumstances change.
Impact
ISO 27005, clause 3.1 (for a fuller list of potential impacts see ISO 27005,
Annex B.2)
Adverse change to the level of business
objectives achieved.

Examples of impact on confidentiality | Examples of impact on integrity | Examples of impact on availability
Invasion of privacy of users or customers | Accidental change | Performance degradation
Invasion of privacy of employees | Deliberate change | Service interruption
Confidential image leakage | Incorrect results | Unavailability of service
 | Incomplete results | Disruption of operations
 | Loss of data |
Information Security Risk
• Potential that a given threat will exploit
vulnerabilities of an asset or group of assets
and thereby cause harm to the organization
• Note: It is measured in terms of a combination of the likelihood of an event
and its consequences:
Likelihood (occurrence) × Consequences (impact) = Risk
Information Security Risk (2)
Key Definitions
Residual risk: The risk remaining after risk treatment
Risk acceptance: Decision to accept risk
Risk analysis: process to comprehend the nature of risk and to determine the
level of risk
Risk assessment: Overall process of risk identification, risk analysis and risk
evaluation
Risk evaluation: Process of comparing the result of risk analysis with risk criteria
to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk management: Coordinated activities to direct and control an organization
with regard to risk.
Risk Treatment: Process of selection and implementation of measures to modify
risk.
Risk Scenario
Example
United Kingdom
Defacement of several websites of the Conservative Party
The text of the defacement encourages website visitors to vote for the Labour Party. Messages left by the
attackers include a security evaluation of the site and political slogans.

Information asset: Content of the Conservative Party website
Other asset: Server hosting the Conservative Party website
Security aspect: Integrity
Vulnerability: Security holes in the web server
Threat: Hackers
Impact: Image of the Conservative Party

A risk scenario (or event) includes the various components that constitute a risk:
asset, security aspect, vulnerability, threat and impact
Exercise 1
• Determine the threats and vulnerabilities associated with the following
situations and indicate the possible impacts. Also indicate whether the impact
would affect confidentiality, integrity or availability. Complete the risk
matrix.
1. The former vice president of Accounting is hired by a competitor
2. A removable disk containing backups of the source code of the application
developed by MTN cannot be found at the head office.
3. The webmaster who designed the corporate website for ORANGE also takes
care of updates and uploading of the site.
4. All the telecommunications equipment has the same password. Only
the programmers and the technicians know the password.
Security Requirements
• It is essential for an organization to identify its security
requirements.
• Three main sources of security requirements:
 Assessing risk to the organization, taking into account the organization's
overall business strategy and objectives. Through risk assessment,
threats to assets are identified, vulnerability to them and likelihood of
occurrence are evaluated, and potential impact is estimated
 Legal, statutory, regulatory and contractual requirements that an
organization, its trading partners, contractors and service providers
have to satisfy, and their socio-cultural environment.
 The set of principles, objectives and business requirements for information
handling, processing, storing, communicating and archiving that the
organization has developed to support its operations.
Control Objective and Control
Control objective
 Statement describing what is to be achieved as a result of implementing controls
Control
• Means of managing risk
• Includes policies, procedures, guidelines, practices or organizational structures
• Synonyms: measure, counter-measure, safeguard, security device
• Four categories by nature:
1. Technical control: Controls relying on technical measures or
technologies such as firewalls, alarm systems, surveillance cameras, intrusion
detection systems (IDS), etc.
2. Administrative control: Controls related to organizational structure such as
segregation of duties, job rotation, job descriptions, approval processes, etc.
3. Managerial control: Controls related to the management of personnel, including
training and coaching of employees, management reviews and audits.
4. Legal control: Controls related to the application of legislation, regulatory
requirements and contractual obligations.
Link between Security Objectives and
Controls
Examples

Security objective | Security controls
To ensure that information receives an appropriate level of protection in accordance with its importance to the organization (A.8.2) | Classification of information (A.8.2.1); Labelling of information (A.8.2.2); Handling of assets (A.8.2.3)
To ensure correct and secure operations of information processing facilities (A.12.1) | Documented operating procedures (A.12.1.1); Change management (A.12.1.2); Capacity management (A.12.1.3); Separation of development, testing and operational environments (A.12.1.4)
To limit access to information and information processing facilities (A.9.1) | Access control policy (A.9.1.1); Access to networks and network services (A.9.1.2)
Controls
• Policies, procedures, practices and
organizational structures implemented to
reduce risks are referred to as internal controls.
• Two key aspects that a control should address:
 What should be achieved
 What should be avoided
• Controls should address business/operational
objectives and undesired events through
prevention, detection and correction.
Classification of security controls
Preventive controls: discourage or prevent the appearance of problems
• Publish an information security policy
• Have a confidentiality agreement signed
• Hire only qualified personnel
• Identify risk coming from third parties
• Segregation of duties
Detective controls: search for, detect and identify problems
• Monitor and review third-party services
• Monitor the resources used by the system
• Alarm triggering, e.g. when sensing fire
• Review of user access rights
• Analysis of audit logs
Corrective controls: solve problems found and prevent recurrence
• Technical and legal investigation (forensics) following a security incident
• Enabling the business continuity plan after the occurrence of a disaster
• Implementation of patches following the identification of technical vulnerabilities
Security Controls
• Operational mode: three types
 Manual controls: Controls that mainly require human intervention to be
effective, for example conducting interviews, observation and inventory.
 Less expensive to implement
 More expensive to operate
 Usually generate more errors
 Automated controls: Controls operated by a logical system (e.g. validating data input in
payroll software)
 More expensive to implement
 Less expensive to operate
 Usually generate fewer errors
 Mixed controls: Controls requiring both human activity and at least one automated
control to be in use, for example automated backup of files and verification of the data
integrity of the backup by a technician
Strategic, General, and Application Oriented
Controls
• Strategic controls (ISO 27001, Clauses 4 to 10): risk management, ISMS policy,
monitoring and ISMS review, management review, continual improvement
• General controls (Annex A): asset management, incident management, control of
systems development, physical security, access control
• Application controls (not covered in ISO 27001), applied to the intranet, CRM,
finance-related applications, databases: input data validation, control of internal
processing, output data validation
Control Environment
• Layered approach
1. Conformity Management
2. Internal Controls
3. Internal Audits
4. External Audits
5. Professional Association
6. Legal Framework
Relationship between Information Security
Aspects
• Overview
 Assets have vulnerabilities
 Threats exploit vulnerabilities
 Vulnerabilities and threats increase risks
 Risks can harm assets
 Controls reduce vulnerabilities, and therefore risks
 Controls can themselves have vulnerabilities
Exercise 2
• For each risks that were identified in the
preceding exercise, identify the appropriate
controls (by providing the clause number of
the control ) which can reduce, transfer or
avoid risks.
Information Security Management System
(ISMS)
Section 5

• Definition of ISMS
• Process Approach
• ISMS implementation
• Overview – Clause 4 to 10
• Overview – Annex A
• Statement of applicability
Definition of ISMS
• An Information Security Management System (ISMS)
consists of the policies, procedures, guidelines, and
associated resources and activities, collectively managed
by an organization, in the pursuit of protecting its
information assets.
• An ISMS is a systematic approach for establishing,
implementing, operating, monitoring, reviewing,
maintaining and improving an organization’s information
security to achieve business objectives. It is based upon a
risk assessment and the organization’s risk acceptance
levels designed to effectively treat and manage risks
Process Approach
Overview
• Input: information security requirements and expectations of interested parties
• Plan: planning
• Do: operation
• Check: performance evaluation
• Act: improvement
• Output: managed information security, delivered to interested parties
Audit and Process Approach
• The application of the process approach will
vary from one organization to the next
depending on its size, complexity and
activities.
• Auditees often identify too many processes
• Model of a process: Input → Activities → Output, under a Control
ISMS Implementation
1. PLAN
1.1 Understanding the organization
1.2 Analysis of the existing system
1.3 Formalization of the project
1.4 Scope
1.5 Security policy
1.6 Risk assessment
1.7 Risk treatment and risk acceptance
1.8 Statement of applicability
1.9 Operational management
2. DO
2.1 Organization structure
2.2 Document management process
2.3 Modeling of processes and controls
2.4 Specific policies and procedures
2.5 Training, awareness and communication
2.6 Implementation of processes and controls
2.7 Incident management
3. CHECK
3.1 Monitoring and review
3.2 Measurement and evaluation of effectiveness
3.3 Internal audit
3.4 Management review
4. ACT
4.1 Identification of non-conformities
4.2 Treatment of non-conformities
4.3 Continual improvement
Structure of the ISO 27001 Standard
• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: Improvement
• Annex A: control objectives and controls
• An organization seeking certification to ISO 27001 must
comply with all requirements of Clauses 4 to 10 of the
standard, and in the statement of applicability define the
applicable controls and justify the excluded controls.
Define the Scope and Exclusions
ISO 27001 clause 4.3 & 6.1.3d

• Key process
• A department
• The whole organization
• The organization and stakeholders
• Also define the scope in terms of:
 Business processes
 Organizational units
 Locations
 Assets
 Technologies
• Consider interfaces with:
 Other system
 Organizations
 Suppliers
 Dependencies
Leadership and management commitment
ISO 27001, clause 5.1
Strategic orientation
• Ensure the ISMS is compatible with the
strategic orientation of the organization
• Integrate the ISMS requirements into
the organization's business processes
Make resources available
• Management shall determine and
provide the necessary resources for the
ISMS
Communication
• Management shall communicate the
importance of effective information
security management and of conformance
to the ISMS requirements
Information Security Policy
• Top management shall establish an information security
policy that:
 is appropriate to the purpose of the organization
 provides a framework for setting information security
objectives
 include a commitment to satisfy applicable requirements
 include a commitment to continual improvement of the ISMS
• The ISMS policy shall
 be available as documented information
 be communicated within the organization
 be available to interested parties as appropriate
Define the Risk Assessment Approach
• This consists of:
1. Identifying a methodology
2. Determining the risk acceptance criteria
3. Identifying the acceptable level of risk
Choose a Risk Assessment Methodology
• Any risk assessment methodology that complies with the minimum
ISO 27001 criteria is acceptable, even a methodology developed
internally.
• Some known methodologies are:
 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation):
evaluates the assets at stake, the most serious risks and the
vulnerability of the defences, based on a standardized knowledge base.
 EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité):
evaluates and acts on risks related to information systems security
and proposes a security policy adapted to the needs of an organization
 MEHARI (Méthode Harmonisée d'Analyse des Risques – Harmonized method
of risk analysis): analyses security issues based on the criteria of
confidentiality, integrity and availability
Identify the Risks
• Apply the information security risk assessment
process to identify risks associated with the
loss of confidentiality, integrity, and availability
for information within the scope of the ISMS
• Identify the risk owners
Identify Risks
ISO 27001 clause 6.1.2c
1. Identify the assets: identify the assets that fall within the scope of the ISMS, and their owners
2. Identify the threats: identify the threats that the assets face
3. Identify the existing controls: identify the controls already in place, to avoid unnecessary work and cost
4. Identify the vulnerabilities: identify the vulnerabilities that can be exploited by the threats
5. Identify the consequences: identify the impact that losses of confidentiality, integrity and availability have on the assets
Analyze and Evaluate the Risks
ISO 27001 clause 6.1.2 d-e
1. Assess the potential consequences: assess the business impact on the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity and availability of the assets
2. Assess the likelihood of occurrence: assess the realistic likelihood of the security failures identified
3. Determine the levels of risk: estimate the level of each risk
4. Evaluate the risks: compare the results of the risk analysis with the risk criteria established in the risk assessment; prioritize the analyzed risks for risk treatment
Evaluate the Risk Treatment Options
ISO 27001, Clause 6.1.3a
• Risk reduction: Appropriate and justified controls are
selected to reduce the risk
• Risk retention: Management decides to accept the risk. There may be
risks for which the organization
cannot identify controls, or for which the cost of the
controls is higher than the potential loss from the risk
materializing.
• Risk transfer: Decision to share the risk with external parties, for example
through insurance or outsourcing
• Risk avoidance: Cancellation or modification of an activity or set
of activities associated with the risk
Select Controls
ISO 27001, clause 6.1.3. b-c
• Determine all controls necessary to implement the
information security risk treatment option(s) chosen
• Selected control can be drawn directly from Annex A,
and can also be derived from other sources
• Compare the controls determined in 6.1.3 b with
those in Annex A and verify that no necessary
controls have been omitted
Produce a Statement of Applicability
ISO 27001 Clause 6.1.3d
• Documented declaration that contains the necessary controls
and justification for inclusion, whether they are implemented
or not, and justification for exclusions of controls from Annex
A
Approval of Residual Risks
• Residual risk: Risk remaining after risk treatment
• Treated risk: Risk removed by controls
• Inherent risk: All risk without accounting for
controls
• Residual risk = Inherent risk – Risk treated with
controls
• Risk owners must be aware of the residual risks and
accept responsibility for them
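As an added worked example (not from the original training material), the following Python script applies the steps of the preceding slides to a small constructed risk register: each scenario carries the components of a risk (asset, security aspect, vulnerability, threat, likelihood, impact and risk owner); the script computes the inherent level as likelihood × impact, evaluates it against an assumed acceptance criterion, prioritizes the risks for treatment, applies the chosen treatment option with Annex A controls, and reports residual risks that still exceed the criterion or lack the risk owner's acceptance. The 1 to 5 rating scales, the threshold of 6 and the effect attributed to each control are assumptions for illustration; ISO 27001 and ISO 27005 leave the method and the criteria to the organization.

```python
"""Added example: risk analysis, evaluation, treatment and residual-risk check.

All data is constructed for illustration. The 1..5 likelihood and impact
scales, the acceptance threshold and the reduction attributed to each control
are assumptions (ISO 27001 6.1.2a requires the organization to define its own
risk criteria; the standard prescribes no scale).
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5       # assumed rating scale for likelihood and impact
ACCEPTANCE_THRESHOLD = 6          # assumed criterion: a level of 6 or less is acceptable


@dataclass
class Control:
    clause: str                   # Annex A reference, e.g. "A.9.2.5"
    name: str
    likelihood_reduction: int = 0 # assumed effect on the likelihood rating
    impact_reduction: int = 0     # assumed effect on the impact rating


@dataclass
class Risk:
    asset: str
    aspect: str                   # security aspect: "C", "I" or "A"
    vulnerability: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    treatment: str = "reduce"     # reduce | retain | transfer | avoid
    controls: list = field(default_factory=list)
    accepted_by_owner: bool = False

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.asset}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_level(self) -> int:
        """Risk = Likelihood x Consequences, before any control is taken into account."""
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        """Risk remaining after treatment; avoidance removes the activity and so the risk."""
        if self.treatment == "avoid":
            return 0
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(likelihood, SCALE_MIN) * max(impact, SCALE_MIN)


def evaluate(level: int) -> str:
    """Risk evaluation: compare the analysed level with the acceptance criterion."""
    return "acceptable" if level <= ACCEPTANCE_THRESHOLD else "treat"


def prioritise(risks):
    """Order risks for treatment, highest inherent level first."""
    return sorted(risks, key=lambda r: r.inherent_level(), reverse=True)


def residual_findings(risks):
    """Points a risk owner must clear before the residual risk can be approved."""
    findings = []
    for r in risks:
        level = r.residual_level()
        if evaluate(level) != "acceptable":
            findings.append((r.asset, f"residual level {level} still above the criterion"))
        if not r.accepted_by_owner:
            findings.append((r.asset, f"residual risk not accepted by owner {r.owner}"))
    return findings


# Constructed register reusing vulnerability/threat pairs from the slides.
REGISTER = [
    Risk("Finance application accounts", "C", "No review of access rights",
         "Unauthorized access by persons who have left", 4, 4, "Head of Finance",
         controls=[Control("A.9.2.5", "Review of user access rights", likelihood_reduction=2),
                   Control("A.9.2.6", "Removal or adjustment of access rights", likelihood_reduction=1)],
         accepted_by_owner=True),
    Risk("Application source code", "A", "No backup procedure", "Loss of information",
         3, 5, "Development manager",
         controls=[Control("A.12.3.1", "Information backup", impact_reduction=3)],
         accepted_by_owner=True),
    Risk("Customer data on laptops", "C", "Unencrypted data", "Information theft",
         3, 4, "Sales director",
         controls=[Control("A.10.1.1", "Policy on the use of cryptographic controls", impact_reduction=2)]),
    Risk("Warehouse stock", "A", "Warehouse unprotected and without surveillance", "Theft",
         2, 3, "Logistics manager", treatment="retain", accepted_by_owner=True),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.inherent_level():>2} {evaluate(r.inherent_level()):<10} {r.asset} [{r.aspect}]"
              f" -> residual {r.residual_level()} ({r.treatment})")
    for asset, finding in residual_findings(REGISTER):
        print("FINDING:", asset, "-", finding)
```

Run as a script, it lists the register in treatment priority (inherent levels 16, 15, 12 and 6) and reports one finding: the laptop risk reaches an acceptable residual level of 6 once the cryptographic control is applied, but the risk owner has not yet accepted it, which is exactly the sign-off the slide above requires before the residual risk can be approved.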
Documented Information
• A procedure must be established to manage the document
life cycle:
 Creation
 Identification
 Classification and security
 Modification
 Approval
 Distribution
 Adequate use
 Archiving
 Disposal
ISMS Monitoring and Review
• Monitoring and review of security event detection and
prevention procedures
• Regular review of the effectiveness of the ISMS, taking
into account feedback and suggestions from stakeholders
• Measurement of the effectiveness of processes and
controls
• Review of the risk assessment and risk treatment
• Conducting the internal audit
• Management review and update of the security plan
ISMS Internal Audit
• The organization shall conduct ISMS internal
audits at regular intervals
• An audit program must be planned taking into
account the importance of processes and
scopes to audit, as well as previous audit
result.
ISMS Management Review
ISO 27001 Clause 9.3
Management review input elements:
• The status of actions from previous management reviews
• Changes to external and internal issues that are relevant to the ISMS
• Nonconformities and corrective actions
• Monitoring and measurement results
• Audit results
• Fulfilment of information security objectives
• Feedback from interested parties
• Results of risk assessment and status of the risk treatment plan
• Opportunities for continual improvement
Management review output elements:
• Decisions related to continual improvement opportunities
• Any needs for changes to the ISMS
Management review allows the management of the organization
to periodically review the level of performance (relevance,
appropriateness, effectiveness and efficiency) of the
management system in place.
ISMS Improvement
ISO 27001, clause 10
• The organization shall continually improve the
suitability, adequacy, or effectiveness of the ISMS
• When a nonconformity occurs, the organization shall:
– React to the nonconformity
– Evaluate the need for action to eliminate the causes of
nonconformity, in order that it does not reoccur or occur
elsewhere
– Implement any action needed
– Review the effectiveness of any corrective action taken
– Make changes to the ISMS
Homework 1
• Determine how you would verify each of the following
controls. You must provide examples of the evidence you
would look for to obtain reasonable assurance that the control has
been effectively implemented. State at least two elements
of proof for each.
1. Policies for information security (A.5.1.1)
2. Removal or adjustment of access rights (A.9.2.6)
3. Controls against malware (A.12.2.1)
4. Confidentiality or non-disclosure agreements (A.13.2.4)
5. Review of user access rights (A.9.2.5)
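As an added illustration (not part of the training material) of the kind of evidence-based test an auditor can run for items 2 and 5, the following Python script reconciles a constructed HR leavers list against a constructed export of user accounts: for A.9.2.6 it checks that each leaver's account was disabled within the grace period, and for A.9.2.5 it checks that every enabled account has a recorded access review within the review period. The export fields, the one-day grace period and the six-month review period are assumptions standing in for the organization's own documented procedure; the sample records and the audit date are constructed.

```python
"""Added example: audit tests for A.9.2.6 (removal of access rights) and
A.9.2.5 (review of user access rights) over constructed sample exports.

The record layout, the grace period and the review period are assumptions;
an auditor would take the real values from the auditee's documented procedure
and the real records from HR and the directory service.
"""
from datetime import date

GRACE_DAYS = 1            # assumed procedure: disable within one day of the last working day
REVIEW_PERIOD_DAYS = 180  # assumed procedure: access rights reviewed at least every six months
AUDIT_DATE = date(2014, 8, 1)  # constructed date of the audit test

# Constructed HR leavers list: (user id, last working day)
LEAVERS = [
    ("jdoe", date(2014, 3, 31)),
    ("asmith", date(2014, 5, 15)),
    ("bkamga", date(2014, 6, 2)),
]

# Constructed directory export: one record per account
ACCOUNTS = [
    {"user": "jdoe", "enabled": False, "disabled_on": date(2014, 4, 1), "last_review": date(2014, 1, 10)},
    {"user": "asmith", "enabled": True, "disabled_on": None, "last_review": date(2014, 1, 10)},
    {"user": "bkamga", "enabled": False, "disabled_on": date(2014, 7, 20), "last_review": date(2013, 9, 1)},
    {"user": "cnkwo", "enabled": True, "disabled_on": None, "last_review": date(2013, 9, 1)},
    {"user": "svc_backup", "enabled": True, "disabled_on": None, "last_review": None},
]


def check_removal_of_access(leavers, accounts, grace_days=GRACE_DAYS):
    """A.9.2.6 test: every leaver's account is disabled, and within the grace period.

    Returns a list of (user, finding) pairs; an empty list over a representative
    sample is the evidence of effective operation for the period tested.
    """
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for user, last_day in leavers:
        account = by_user.get(user)
        if account is None:
            findings.append((user, "no account in export; confirm none ever existed"))
            continue
        if account["enabled"]:
            findings.append((user, "account still enabled after leaving"))
            continue
        delay = (account["disabled_on"] - last_day).days
        if delay > grace_days:
            findings.append((user, f"disabled {delay} days after last working day"))
    return findings


def check_review_of_access(accounts, as_of, period_days=REVIEW_PERIOD_DAYS):
    """A.9.2.5 test: every enabled account has a review recorded within the period."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            continue  # disabled accounts are covered by the A.9.2.6 test instead
        last = account["last_review"]
        if last is None:
            findings.append((account["user"], "no access review ever recorded"))
        elif (as_of - last).days > period_days:
            findings.append((account["user"], f"last review {(as_of - last).days} days ago"))
    return findings


if __name__ == "__main__":
    for user, finding in check_removal_of_access(LEAVERS, ACCOUNTS):
        print("A.9.2.6:", user, "-", finding)
    for user, finding in check_review_of_access(ACCOUNTS, AUDIT_DATE):
        print("A.9.2.5:", user, "-", finding)
```

On the constructed data the A.9.2.6 test flags one leaver whose account is still enabled and one disabled 48 days late, and the A.9.2.5 test flags two enabled accounts whose last review is older than the period and a service account that was never reviewed. Each flagged record, together with the two source exports it was derived from, is the kind of evidence pair the homework asks for: the HR list establishes what should have happened, the directory export shows what did.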
