Preparation for Security Audit Certification (Préparation à la certification à l'audit de sécurité)
By
Egbe Besong Divine
CEHv9, ISO 27001 Lead Auditor
Standard and Regulatory Framework
• What is ISO?
• Fundamental ISO principles
• Management system standards
• Integrated management system
• Information security standards
• ISO 27000 family
• ISO 27000 advantages
• Legal and regulatory conformity
• Note: during this training we adopt the following convention: "ISO" followed by a number (e.g. ISO 27001) refers to the standard, instead of the full designation ISO/IEC XXXXX:20XX.
What is ISO?
• ISO is a network of national standardization
bodies from over 160 countries
[Timeline figure: evolution of the standards]
• 1995: BS 7799-1, Code of Best Practice, published by a group of companies
• 1998: BS 7799-2, ISMS requirements, with a certification scheme
• 2000: ISO 17799, Code of Best Practice
• 2005: publication of ISO 27001 and a new version of ISO 17799
• 2007: ISO 17799 renumbered as ISO 27002; certification of organizations against ISO 27001
• 2008-2013: ISO 27000 family; new edition of ISO 27006; revision of ISO 27001 and ISO 27002
ISO 27000 family
• Some important members of the family:
• ISO 27000: This information security standard develops the best concepts as well
as the vocabulary that applies when analyzing Information Security Management
Systems. A free copy of this standard can be downloaded from the ISO website.
• ISO 27001: This information security standard defines the requirements of the
Information Security Management System
• ISO 27002 (previously ISO 17799): Guide of best practices for the management of
information security. This standard defines objectives and recommendations in
terms of information security and addresses the overall concerns of an
organization relating to information security across its activities.
• ISO 27005: Guide for information security risk management, consistent with the
concepts, models, and general processes specified in ISO 27001.
• ISO 27011: Guidelines for the use of ISO 27002 in the telecommunications industry
• ISO 27031: Guidelines for information and communication technology readiness
for business continuity.
ISO 27001
• Specifies requirements for ISMS management
(Clause 4 to 10)
Note: The presence of a vulnerability does not by itself produce damage; a threat must exist
to exploit it. A vulnerability that does not correspond to a threat may not require the
setup of a control, but must be identified and monitored in case of changes.
Impact: see ISO 27005, clause 3.1 (for a full list of potential impacts see ISO 27005, Annex B.2)
[Figure: risk results from the combination of likelihood (occurrence) and consequences (impact)]
Information Security Risk (2)
Key Definitions
Residual risk: The risk remaining after risk treatment
Risk acceptance: Decision to accept risk
Risk analysis: process to comprehend the nature of risk and to determine the
level of risk
Risk assessment: Overall process of risk identification, risk analysis and risk
evaluation
Risk evaluation: Process of comparing the result of risk analysis with risk criteria
to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk management: Coordinated activities to direct and control an organization
with regard to risk.
Risk Treatment: Process of selection and implementation of measures to modify
risk.
Risk Scenario
Example
United Kingdom
Defacement (corruption) of several websites of the Conservative Party.
The defacement text encourages website visitors to vote for the Labour Party. Messages left by the
attackers include a security evaluation of the site and political slogans.
A risk scenario (or event) includes the various components that constitute a risk:
asset, security aspect, vulnerability, threat and impact
Exercise 1
• Determine the threats and vulnerabilities associated with the following
situations and indicate the possible impacts. Also indicate whether the impact
would affect confidentiality, integrity or availability. Complete the risk
matrix.
1. The former vice president of Accounting is hired by a competitor.
2. A removable disk containing backups of the source code of the application
developed by MTN cannot be found at the head office.
3. The webmaster who designed the corporate website for ORANGE also takes
care of updating and uploading the site.
4. All the telecommunications equipment has the same password. Only
the programmers and the technicians know the password.
Security Requirements
• It is essential for an organization to identify its security
requirements.
• Three main sources of security requirements:
– Assessing risk to the organization, taking into account the organization's
overall business strategy and objectives. Through risk assessment,
threats to assets are identified, vulnerabilities and likelihood of
occurrence are evaluated and potential impact is estimated.
– Legal, statutory, regulatory and contractual requirements that an
organization, its trading partners, contractors and service providers
have to satisfy, and their socio-cultural environment.
– The set of principles, objectives and business requirements for information
handling, processing, storing, communicating and archiving that the
organization has developed to support its operations.
Control Objective and Control
Control objective
Statement describing what is to be achieved as a result of implementing controls
Control
• Means of managing the risk
• Includes policies, procedures, guidelines, and practices or organizational structures
• Synonyms: measure, counter-measure, security device
Mixed controls: controls requiring both human activity and at least one automated
control to be in use, for example automated backup of files with verification of the data
integrity of the backup by a technician
Strategic, General, and Application Oriented Controls
[Figure: layers of controls]
• Strategic controls (ISO 27001, clauses 4 to 10): risk management, ISMS policy, control monitoring and ISMS review, management review, continual improvement
• Application controls (not covered in ISO 27001), e.g. finance application, intranet, CRM, database: input data validation, control of internal processing, output data validation
Control Environment
• Layered approach
1. Conformity Management
2. Internal Controls
3. Internal Audits
4. External Audits
5. Professional Association
6. Legal Framework
Relationship between Information Security Aspects
• Overview
[Figure: assets can have vulnerabilities; threats exploit vulnerabilities; vulnerabilities increase risks; risks can harm assets; controls are put in place to reduce risks and can reduce vulnerabilities]
• Definition of ISMS
• Process Approach
• ISMS implementation
• Overview – Clause 4 to 10
• Overview – Annex A
• Statement of applicability
Definition of ISMS
[Figure: the ISMS as a Plan-Do-Check-Act cycle. Input: information security requirements and expectations. Do: operation. Check: performance evaluation. Act: improvement. Output: managed information security]
Audit and Process Approach
• The application of the process approach will
vary from one organization to the next
depending on its size, complexity and
activities.
• Auditees often identify too many processes
Control
• Key process
• A department
• The whole organization
• The organization and stakeholders
• Also define the scope in terms of:
– Business processes
– Organizational units
– Locations
– Assets
– Technologies
• Consider interfaces with:
– Other systems
– Organizations
– Suppliers
– Dependencies
Leadership and management commitment
ISO 27001, clause 5.1
Strategic Orientation
• Ensure the ISMS is compatible with
strategic orientation of the organization
• Integrate the ISMS requirements into
the organizational business process
Communication
• Management shall communicate the
importance of effective Information
Security Management and conformance
to the ISMS processes
Information Security Policy
• Top management shall establish an information security
policy that:
– is appropriate to the purpose of the organization
– provides a framework for setting information security
objectives
– includes a commitment to satisfy applicable requirements
– includes a commitment to continual improvement of the ISMS
• The ISMS policy shall:
– be available as documented information
– be communicated within the organization
– be available to interested parties as appropriate
Define the Risk Assessment Approach
[Figure: the five identification steps]
1. Identify the assets: identify the assets that fall within the scope of the ISMS and their owners
2. Identify the threats: identify the threats that the assets face
3. Identify the existing controls: identify the existing controls, to avoid unnecessary work and cost
4. Identify the vulnerabilities: identify the vulnerabilities that can be exploited by the threats
5. Identify the consequences: identify the impact that losses of confidentiality, integrity and availability have on the assets
Analyze and Evaluate the Risks
ISO 27001 clause 6.1.2c
[Figure: the four analysis and evaluation steps]
1. Assess the potential consequences: assess the business impact on the organization that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity and availability of assets
2. Assess the likelihood of occurrence: estimate the realistic likelihood of security failures, taking into account the elements identified in the previous steps
3. Determine levels of risk: estimate the levels of risk
4. Evaluate risks: compare the results of risk analysis with the risk criteria established in the risk assessment, and prioritize the analyzed risks for risk treatment
Evaluate the Risk Treatment Options
ISO 27001, Clause 6.1.3a
• Risk Reduction: Appropriate and justified controls should be
selected to reduce the risk
• Risk Retention: Management decides to take the risk. It is
possible that there are certain risks for which the organization
will not be able to identify controls, or for which the cost of the
controls is higher than the potential loss if the risk
materializes.
• Risk Transfer: Decisions to share risk with external parties such
as insurance and outsourcing
• Risk Avoidance: Cancellation or modification of an activity or set
of activities related to risk
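The analysis, evaluation and treatment steps above, carried through as an added worked example (this is not code from the training deck or from ISO). It uses the four situations of Exercise 1 as a constructed risk register; the 1-5 likelihood and impact scales, the acceptance criterion (level 6) and the treatments chosen for each risk are assumptions, since ISO 27001 leaves the risk criteria to the organization. It also shows the residual risk that remains for the risk owner to accept once a treatment has been applied.

```python
"""Risk assessment walk-through: analyze, evaluate, treat, check residual risk.

Added example, not material from the training deck. The 1-5 likelihood and
impact scales, the risk acceptance criterion (level 6) and the four sample
scenarios are constructed for illustration; under ISO 27001 clause 6.1.2 an
organization defines its own risk criteria.
"""
from dataclasses import dataclass

ACCEPTABLE_LEVEL = 6        # assumed criterion: a level above 6 must be treated
TREATMENT_OPTIONS = ("reduce", "retain", "transfer", "avoid")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    affects: tuple                  # security aspects hit: subset of ("C", "I", "A")
    likelihood: int                 # 1 rare .. 5 almost certain (assumed scale)
    impact: int                     # 1 negligible .. 5 severe (assumed scale)
    treatment: str = "untreated"
    reduction: int = 0              # level removed by the selected controls

    @property
    def inherent(self) -> int:
        """Level of risk before any treatment: likelihood x consequences."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Residual risk = inherent risk - risk treated with controls."""
        return self.inherent - self.reduction


def evaluate(risks):
    """Risk evaluation: compare each level with the criterion, then prioritize."""
    above = [r for r in risks if r.inherent > ACCEPTABLE_LEVEL]
    return sorted(above, key=lambda r: r.inherent, reverse=True)


def treat(risk, option, reduction=0):
    """Record one of the four treatment options on a risk; returns the residual level."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "reduce":
        # controls must be justified: they remove part of the level, never more than all of it
        if not 0 < reduction <= risk.inherent:
            raise ValueError("reduction must lie between 1 and the inherent level")
    elif option == "avoid":
        reduction = risk.inherent       # the activity is cancelled: nothing is left to run
    else:
        # retain or transfer: sharing with an insurer or outsourcer does not change
        # likelihood or impact on this scale, so the owner must accept what remains
        reduction = 0
    risk.treatment, risk.reduction = option, reduction
    return risk.residual


def residual_needing_acceptance(risks):
    """Risks whose residual level is still above the criterion: the risk owner
    must knowingly accept them, or further treatment is needed."""
    return [r for r in risks if r.residual > ACCEPTABLE_LEVEL]


# Constructed register built from the four situations of Exercise 1.
REGISTER = [
    Risk("telecommunications equipment", "misuse of a shared administrative account",
         "single password known to all programmers and technicians",
         ("C", "I", "A"), likelihood=4, impact=4),
    Risk("source code backups", "loss or theft of removable media",
         "backup disk neither inventoried nor encrypted", ("C",), likelihood=3, impact=4),
    Risk("corporate website", "unauthorized content change",
         "one person designs, updates and uploads the site (no segregation of duties)",
         ("I", "A"), likelihood=2, impact=3),
    Risk("accounting know-how", "disclosure to a competitor by a departing executive",
         "no enforceable confidentiality agreement", ("C",), likelihood=2, impact=2),
]


def run_assessment(register=REGISTER):
    """Full pass: evaluate, treat the prioritized risks, report what remains."""
    prioritized = evaluate(register)
    residual = {}
    for r in prioritized:
        if r.asset == "telecommunications equipment":
            residual[r.asset] = treat(r, "reduce", reduction=12)   # individual accounts, password policy
        elif r.asset == "source code backups":
            residual[r.asset] = treat(r, "transfer")               # insured, level unchanged
        else:
            residual[r.asset] = treat(r, "retain")
    return {
        "prioritized": [r.asset for r in prioritized],
        "residual": residual,
        "still_above_criterion": [r.asset for r in residual_needing_acceptance(register)],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_assessment())
```

The website and accounting scenarios never enter the treatment loop because their inherent level does not exceed the criterion; the transferred backup risk stays above it and is therefore reported as needing the owner's explicit acceptance, which is the point of the "Approval of Residual Risks" step.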
Select Controls
ISO 27001, clause 6.1.3. b-c
• Determine all controls necessary to implement the
information security risk treatment option(s) chosen
• Selected controls can be drawn directly from Annex A,
and can also be derived from other sources
• Compare the controls determined in 6.1.3 b with
those in Annex A and verify that no necessary
controls have been omitted
Produce a Statement of Applicability
ISO 27001 Clause 6.1.3d
• Documented declaration that contains the necessary controls
and justification for inclusion, whether they are implemented
or not, and justification for exclusions of controls from Annex
A
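A consistency check of a Statement of Applicability against the controls determined in 6.1.3 b, as an added example (not code from the training deck or from ISO). ANNEX_A is a constructed five-control subset using the control identifiers that appear in the homework at the end of this deck; the determined controls, the SoA entries and the OTHER-001 identifier for a control drawn from a source other than Annex A are constructed for illustration. A real check runs over the whole of Annex A.

```python
"""Statement of Applicability (SoA) consistency check, ISO 27001 clauses 6.1.3 b to d.

Added example, not code from the training deck or from ISO. ANNEX_A is a
constructed five-control subset of Annex A (2013 numbering); the determined
controls, the SoA entries and the OTHER-001 identifier for a control taken
from a source other than Annex A are constructed for illustration.
"""

ANNEX_A = {
    "A.5.1.1": "Information security policy document",
    "A.9.2.5": "Review of user access rights",
    "A.9.2.6": "Removal or adjustment of access rights",
    "A.12.2.1": "Controls against malware",
    "A.13.2.4": "Confidentiality or non-disclosure agreements",
}

# Controls determined under 6.1.3 b to implement the chosen treatment options (constructed).
DETERMINED = {
    "A.9.2.6": "rights removed when staff leave or change role",
    "A.12.2.1": "anti-malware on all workstations and servers",
    "A.13.2.4": "NDA signed by executives with access to accounting data",
    "OTHER-001": "encryption of removable backup media (control from another source)",
}

# Constructed SoA seeded with the kinds of defects an auditor looks for.
SAMPLE_SOA = {
    "A.5.1.1": {"applicable": True, "justification": "policy required by clause 5.2",
                "implemented": True},
    "A.9.2.6": {"applicable": True, "justification": "", "implemented": False},
    "A.12.2.1": {"applicable": True, "justification": "treats the malware risk"},
    "A.13.2.4": {"applicable": False, "justification": "no third parties"},
    "OTHER-001": {"applicable": True, "justification": "treats the lost-backup risk",
                  "implemented": False},
}


def check_soa(annex_a, determined, soa):
    """Return a list of findings; an empty list means the SoA is consistent."""
    findings = []
    # 6.1.3 d: every Annex A control is declared, with a justification whether it is
    # included or excluded, and included controls state whether they are implemented.
    for cid in sorted(annex_a):
        entry = soa.get(cid)
        if entry is None:
            findings.append(f"{cid}: Annex A control absent from the SoA")
        elif entry["applicable"]:
            if not entry.get("justification"):
                findings.append(f"{cid}: included without justification")
            if "implemented" not in entry:
                findings.append(f"{cid}: implementation status not stated")
        elif not entry.get("justification"):
            findings.append(f"{cid}: excluded without justification")
    # 6.1.3 c: no necessary control has been omitted, whatever its source.
    for cid in sorted(determined):
        entry = soa.get(cid)
        if entry is None or not entry["applicable"]:
            findings.append(f"{cid}: necessary control omitted from the SoA")
    return findings


if __name__ == "__main__":
    for line in check_soa(ANNEX_A, DETERMINED, SAMPLE_SOA):
        print(line)
```

Run against the sample, the check reports the four defects seeded into it: a control included with no implementation status, an Annex A control missing from the declaration, a control included without justification, and a control that was determined as necessary for the risk treatment yet marked not applicable. The last one is exactly the comparison clause 6.1.3 c asks for.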
Approval of Residual Risks
• Residual Risk: Risk remaining after treatment of
risk
• Treated Risk: Risk eliminated with controls
• Inherent Risk: All risk without accounting for
controls
• Residual Risk = Inherent Risk – Risk treated with
controls.
• Risk owners must be aware of the residual risks and
accept responsibility for them
Documented Information
• A procedure must be established to manage the document
life cycle:
– Creation
– Identification
– Classification and security
– Modification
– Approval
– Distribution
– Adequate use
– Archiving
– Disposal
ISMS Monitoring and Review
• Monitoring and review of the security event detection and
prevention procedures
• Regular review of the effectiveness of the ISMS, taking
into account feedback and suggestions from stakeholders
• Measurement of effectiveness of processes and
controls
• Review of risk assessment and risk treatment
• Conducting the internal audit
• Management review and update of security plan.
ISMS Internal Audit
• The organization shall conduct ISMS internal
audits at regular intervals
• An audit program must be planned taking into
account the importance of the processes and
areas to be audited, as well as previous audit
results.
ISMS Management Review
ISO 27001 Clause 9.3
Management review input elements
• The status of actions from previous management reviews
• Changes to external and internal issues that are relevant to the ISMS
• Nonconformities and corrective actions
• Monitoring and measurement results
• Audit results
• Fulfillment of information security objectives
• Feedback from interested parties
• Results of risk assessment and status of the risk treatment plan
• Opportunities for continual improvement
Management review output elements
• Decisions related to continual improvement opportunities
• Any needs for changes to the ISMS
Management review allows the management of the organization to periodically review the level of performance (relevance, appropriateness, effectiveness and efficiency) of the management system in place.
ISMS Improvement
ISO 27001, clause 10
• The organization shall continually improve the
suitability, adequacy, or effectiveness of the ISMS
• When a nonconformity occurs, the organization shall:
– React to the nonconformity
– Evaluate the need for action to eliminate the causes of
nonconformity, in order that it does not reoccur or occur
elsewhere
– Implement any action needed
– Review the effectiveness of any corrective action taken
– Make changes to the ISMS
HMWK 1
• Determine how you would verify each of the following
controls. You must provide examples of the evidence you
would look for to obtain reasonable assurance that the control has
been effectively implemented. State at least two elements
of proof for each.
1. Information security policy document (A.5.1.1)
2. Removal or adjustment of access rights (A.9.2.6)
3. Controls against malware (A.12.2.1)
4. Confidentiality or non-disclosure agreements (A.13.2.4)
5. Review of user access rights (A.9.2.5)