This document describes an online audit tool that helps auditors evaluate an organization's ISO 27001 compliance. The tool allows auditors to schedule and conduct audits, review policies and documentation, monitor reviews and updates, and report any noncompliances. Evidence of compliance is captured directly from normal business operations over time rather than just prior to audits. The tool aims to make the audit process less tedious and adversarial by integrating compliance activities into daily work. Auditors can evaluate different areas of compliance and see compliance dashboards to identify gaps. Noncompliances are reported back to the appropriate teams to take action and resolve issues.
www.riesgoriskmanagement.com www.informationsecurityauditors.com
info@riesgoriskmanagement.com
ISO 27001 Audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL
Contents
Introduction
IS Audit overview
  Contact details
The IS Auditor
  Audit calendar
  Scheduling an audit
  Audit alert
The IS Audit operation
  Security Policy
    The policy dashboard
    Each policy with an automatic review date reminder
  Organization of information security
    Policies
    The internal organisation structure
    The key personnel
  Asset Management
  Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management
    Supporting policies procedures and guidelines
    Documents with automatic review dates
  Information systems acquisition, development and maintenance
    Project risk assessment
    Residual risk
  Information security incident management
    Incident register
  Compliance
    Compliance dashboard
  Reporting noncompliance
The end
Introduction
As an Auditor, in your audit of your information security estate you are often concerned with
assuring yourself that there is enough evidence to support a compliance statement that has been
made. The process can be tedious and often adversarial, causing a significant amount of time to be
invested, much of it unnecessarily.
This tool is designed to assist both the Internal Audit team and the business units in meeting their
obligations by integrating the compliance obligation into operations: the business unit, by going
through its normal operation, exhibits its level of compliance with the standard.
www.informationsecurityauditors.com provides a web based tool
(www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO27001
compliance.
The difference the tool makes is the manner in which it acquires compliance evidence and
how the Auditor is able to determine the level of compliance and potential gaps.
Evidence reflects an organisation’s behaviour not just prior to the arrival of the auditors but possibly
going back for the last two quarters.
The solution is a web based tool that sits on the client’s site and access can be restricted or allowed
for 3rd parties. Internal auditors will be able to ensure compliance across all business units as long as
they have access to the intranet.
IS Audit overview
The diagram above depicts how the Auditor (internal or external) is registered on the tool and
is able to schedule an audit per business unit or for the entire organisation. It also depicts
how evidence is acquired in relation to the ISO27001 standard.
From each of the modules, the Auditor can view the behaviour of the audit target in the findings and
can gather evidence to support the findings. The Auditor can then register non compliances in the
areas where they exist; each non compliance is reported against a policy or asset and the relevant
business unit so that ownership is taken and action implemented.
The Auditor can then recommend the steps to address the non compliances. Once the business units
carry out the fixes, the Auditor is notified and, if satisfied, can close off the non compliance.
Once a non compliance is closed off it is archived. Non compliances that have no fixes will remain on
the dashboard against the business unit and policy or asset until they are fixed. If the non compliance
represents a risk to the organisation, it can also be reported in the risk register until a fix is applied.
Contact details
For more information about acquiring the solution please contact
Ben Oguntala
Ben.oguntala@riesgoriskmanagement.com
Telephone - 02075929747
The IS Auditor
The IS Audit Department can set up accounts for internal and external auditors. For the external
auditor in particular, access to evidence is only granted for the period in which the audit is to be
carried out.
The internal Auditor will always have access; however, if an external auditor wants to carry out an
audit, access will be granted for the specified audit period only.
An Auditor can schedule audits with business units using the Audit calendar.
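The time-bounded access rule described above, written out as an added example (not the tool's own code): internal auditor accounts have standing access, external accounts carry an audit window and are refused outside it, and unknown accounts are denied by default. The account records and field names are constructed assumptions.

```python
from datetime import date

# Constructed auditor accounts (hypothetical data model, not the tool's schema).
# Internal auditors have standing access; external auditors carry an audit window.
AUDITORS = {
    "alice": {"kind": "internal"},
    "ext-firm": {"kind": "external", "window": (date(2024, 3, 1), date(2024, 3, 14))},
}


def access_decision(auditor_id, on_day, accounts=AUDITORS):
    """Return (allowed, reason) for an evidence request made on the given day.

    The reason string is intended for the tool's activity log, so that every
    refused or granted request leaves a traceable record.
    """
    acct = accounts.get(auditor_id)
    if acct is None:
        return False, "unknown account: denied by default"
    if acct["kind"] == "internal":
        return True, "internal auditor: standing access"
    start, end = acct["window"]
    if start <= on_day <= end:
        return True, f"external auditor: inside audit period {start} to {end}"
    return False, f"external auditor: outside audit period {start} to {end}"


def has_evidence_access(auditor_id, on_day, accounts=AUDITORS):
    """Boolean convenience wrapper around access_decision()."""
    return access_decision(auditor_id, on_day, accounts)[0]


if __name__ == "__main__":
    for who, day in [("alice", date(2024, 1, 1)), ("ext-firm", date(2024, 3, 5)),
                     ("ext-firm", date(2024, 3, 15)), ("nobody", date(2024, 3, 5))]:
        allowed, reason = access_decision(who, day)
        print(f"{who} on {day}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The window check is inclusive on both ends, so the last day of the scheduled audit still permits access; the day after it does not.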
Audit calendar
The IS Audit operation
Security Policy
The key questions asked and answered by the tool include:
- Where is the policy?
- When was it published?
- How was it disseminated?
- When was it last updated?
- Who is responsible for the policy?
The policy dashboard
Each policy with an automatic review date reminder
Organization of information security
- Internal Organization
- External Parties
Policies
The internal organisation structure
The key personnel
The following key accounts are enabled:
- Information security manager
- Policy manager
- Freedom of information manager (if public sector)
- Data protection officer
- Administrator
Asset Management
- Responsibility for assets
- Information classification
This view depicts the number of assets per business unit regardless of geographical location.
It also shows the Asset ID, risk index, classification, asset owner, the number of risks
associated with the asset and any audit entries against the asset.
Each business unit will be able to maintain its own asset register, and the information
security team that handles security incidents and the risk register can report security
incidents and risks associated with the asset.
Human resources security, Physical and Environmental Security,
Communications and Operations Management, Network Security
Management, Access Control & Business Continuity Management
We have grouped these modules together because the same audit principle applies to each;
the diagram below breaks each one down and will show if there are group policies or
Supporting policies procedures and guidelines
For each document uploaded, an upload date is recorded automatically together with a review
period. To prevent documents from becoming irrelevant and redundant, the Auditor can check
whether a review has taken place within that period or not.
Documents with automatic review dates
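The review-date mechanism described above, as an added example that is not the tool's own code: the next review falls one review period after the last review (or after the upload date if the document has never been reviewed), and anything past that date is flagged for the Auditor. The document register, its field names and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed document register (hypothetical fields, not the tool's schema).
# "uploaded" is the automatically recorded upload date, "review_days" the review
# period, and "last_review" is None until somebody has reviewed the document.
DOCUMENTS = [
    {"name": "Access control procedure", "uploaded": date(2023, 9, 1),
     "review_days": 365, "last_review": date(2024, 2, 10)},
    {"name": "Backup guideline", "uploaded": date(2023, 1, 15),
     "review_days": 180, "last_review": None},
    {"name": "Clear desk policy", "uploaded": date(2024, 1, 20),
     "review_days": 90, "last_review": None},
]


def review_due(doc):
    """Next review date: one review period after the last review, or after upload if never reviewed."""
    anchor = doc["last_review"] or doc["uploaded"]
    return anchor + timedelta(days=doc["review_days"])


def overdue_documents(docs, today):
    """Documents whose review date has already passed, earliest due date first."""
    late = [d for d in docs if review_due(d) < today]
    return sorted(late, key=review_due)


def reminder_text(doc, today):
    """One-line reminder suitable for the policy dashboard or an e-mail alert."""
    days_late = (today - review_due(doc)).days
    return f"{doc['name']}: review overdue by {days_late} days (due {review_due(doc).isoformat()})"


if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed "current" date for the example
    for doc in DOCUMENTS:
        print(f"{doc['name']}: next review due {review_due(doc).isoformat()}")
    for doc in overdue_documents(DOCUMENTS, today):
        print(reminder_text(doc, today))
```

Counting the period from the last review rather than the upload date is what lets a reviewed document reset its reminder; a document that has never been reviewed keeps counting from upload, which is what makes it surface on the dashboard.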
Information systems acquisition, development and maintenance
- Security requirements of information systems
- Correct processing in applications
- Cryptographic controls
- Security of system files
- Security in development and support processes
- Technical Vulnerability Management
The Auditor can review the project risk management process in action to reveal how risk
management is handled by the organisation. We provide a project risk management solution
to address this element.
If the organisation considers projects involving ISD & M as assets, then our information asset
register can be used in this scenario as well, as follows.
- Projects registered as assets
  o The Project Management Office will be a separate business unit
  o Register each project as an asset
  o The information security team will be able to assess each project and raise risks and
    potential mitigations
- Risk assessment carried out for each project asset
  o The information security team will be the appropriate team to carry out the risk
    assessment
  o The information security team is notified when a new project is registered as an asset;
    they will be able to carry out the risk assessment for the project, give it a risk rating
    and link its associated documents
- Risk assessment - the CIA assessment for the project is recorded
  o Risk assessment will be carried out in accordance with the industry standard:
    confidentiality, integrity and availability (CIA)
Project risk assessment
Residual risk
The residual risk associated with the asset is recorded and kept on the central register.
Information security incident management
Incident register
The risk register diagram below depicts the number of incidents raised by all the business units in
the organisation, the number of them that have been resolved and those that are still active.
Reporting information security events and weaknesses
Management of information security incidents and improvements
The incident register will show the full record of incidents that were reported by the
business units and their resolutions.
Compliance
Compliance dashboard
Built in is an indicative element for the Auditor to assess the main areas of the business unit's or
organisation's failure to comply with this module.
The module requires:
- Compliance with legal requirements
- Compliance with security policies and standards, and technical compliance
- Information systems audit considerations
The compliance box to the right of the picture above will turn to pass when the following are
in place:
- All policies are uploaded
- All policies have been reviewed and none are outstanding
- Departmental policies have been uploaded
- A responsibility is assigned to each procedure
- No outstanding incidents
- No outstanding audit risks
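The six pass conditions above, evaluated together as an added example that is not the tool's own code. Rather than a bare pass/fail, the check returns the list of conditions that currently fail, which is what an Auditor needs to see on the dashboard to know where the gaps are. The business unit snapshot, its field names and status values are constructed assumptions.

```python
# Constructed snapshot of one business unit's state (hypothetical structure,
# not the tool's own data model). Each item maps onto one pass condition.
UNIT_STATE = {
    "policies": [
        {"name": "Information security policy", "uploaded": True, "review_outstanding": False},
        {"name": "Acceptable use policy", "uploaded": True, "review_outstanding": True},
    ],
    "departmental_policies_uploaded": True,
    "procedures": [
        {"name": "Joiner/leaver procedure", "owner": "HR manager"},
        {"name": "Patch procedure", "owner": None},
    ],
    "incidents": [{"id": 1, "status": "resolved"}, {"id": 2, "status": "active"}],
    "audit_risks": [{"id": 7, "status": "closed"}],
}


def compliance_check(state):
    """Return (passed, failures); the dashboard box turns to pass only when failures is empty."""
    failures = []

    missing = [p["name"] for p in state["policies"] if not p["uploaded"]]
    if missing:
        failures.append("policies not uploaded: " + ", ".join(missing))

    unreviewed = [p["name"] for p in state["policies"] if p["review_outstanding"]]
    if unreviewed:
        failures.append("policy reviews outstanding: " + ", ".join(unreviewed))

    if not state["departmental_policies_uploaded"]:
        failures.append("departmental policies not uploaded")

    unowned = [p["name"] for p in state["procedures"] if not p["owner"]]
    if unowned:
        failures.append("procedures without an assigned responsibility: " + ", ".join(unowned))

    open_incidents = [i["id"] for i in state["incidents"] if i["status"] != "resolved"]
    if open_incidents:
        failures.append(f"outstanding incidents: {open_incidents}")

    open_risks = [r["id"] for r in state["audit_risks"] if r["status"] != "closed"]
    if open_risks:
        failures.append(f"outstanding audit risks: {open_risks}")

    return (not failures, failures)


if __name__ == "__main__":
    passed, failures = compliance_check(UNIT_STATE)
    print("PASS" if passed else "FAIL")
    for reason in failures:
        print(" -", reason)
```

Each condition is evaluated independently so that fixing one gap (reviewing a policy, say) does not hide the others; the box only flips to pass once the failure list is empty.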
Reporting noncompliance
Once the audit is completed the Auditor will be able to report on each non compliance that was
discovered against a business unit, information asset, policy or area.
The idea behind the process is to ensure that each non compliance is reported to the most
appropriate person to take action on it. All the non compliances together make up the report.
Further non compliances, findings and recommendations can be recorded against the audit,
providing a single source for the whole history of each non compliance.
The activity log provides a running commentary of the actions that have been taken by the Auditor or
the business unit to resolve the non compliance.
The end