www.riesgoriskmanagement.com www.informationsecurityauditors.com
                                     info@riesgoriskmanagement.com


ISO 27001 Audit evidence acquisition
THE NEXT GENERATION SECURITY AUDIT TOOL




Contents
Introduction ............................................................................................................................................ 3
IS Audit overview .................................................................................................................................... 4
Contact details ........................................................................................................................................ 4
The IS Auditor.......................................................................................................................................... 5
       Audit calendar ................................................................................................................................. 5
       Scheduling an audit ......................................................................................................................... 6
       Audit alert ....................................................................................................................................... 6
The IS Audit operation ............................................................................................................................ 7
   Security Policy ..................................................................................................................................... 7
       The policy dashboard ...................................................................................................................... 7
       Each policy with an automatic review date reminder .................................................................... 7
   Organization of information security .................................................................................................. 8
       Policies ............................................................................................................................................ 8
       The internal organisation structure ................................................................................................ 8
       The key personnel ........................................................................................................................... 8
   Asset Management ............................................................................................................................. 9
   Human resources security, Physical and Environmental Security, Communications and Operations
   Management, Network Security Management, Access Control & Business Continuity Management
   .......................................................................................................................................................... 10
       Supporting policies procedures and guidelines ............................................................................ 10
       Documents with automatic review dates ..................................................................................... 10
   Information systems acquisition, development and maintenance .................................................. 11
       Project risk assessment ................................................................................................................. 12
       Residual risk .................................................................................................................................. 12
   Information security incident management ..................................................................................... 13
       Incident register ............................................................................................................................ 13
   Compliance ....................................................................................................................................... 14
       Compliance dashboard ................................................................................................................. 14


Reporting noncompliance ................................................................................................................. 15
The end ............................................................................................................................................. 15








Introduction

        As an Auditor, when you audit your information security estate you are frequently
concerned with satisfying yourself that there is enough evidence to support a compliance statement
that has been made. The process can be tedious and often adversarial, and a significant amount of
time is invested in it that may be unnecessary.

This tool is designed to assist both the Internal Audit team and the business units in meeting
their obligations by integrating the compliance obligation into day-to-day operations: by carrying
out its normal work through the tool, a business unit demonstrates its level of compliance with the standard.

       www.informationsecurityauditors.com provides a web based tool
(www.riesgoriskmanagement.com) for Auditors to capture information relating to ISO 27001
compliance.

       The difference the tool makes is the manner in which it acquires compliance evidence and
how the Auditor is able to determine the level of compliance and potential gaps.

Evidence reflects an organisation’s behaviour not just prior to the arrival of the auditors but possibly
going back for the last two quarters.

The solution is a web based tool that sits on the client’s site and access can be restricted or allowed
for 3rd parties. Internal auditors will be able to ensure compliance across all business units as long as
they have access to the intranet.





IS Audit overview




The diagram above depicts how the Auditor (Internal or external) is registered on the tool and
he/she is able to schedule an audit per business unit or for the entire organisation. It also depicts
how evidence is acquired in relation to the ISO27001 standard.

From each of the modules, the Auditor can view the behaviour of the audit target in the findings and
can gather evidence to support those findings. The Auditor can then register non-compliances in the areas
where they exist; each non-compliance is reported against a policy or asset and the relevant
business unit, so that ownership is taken and action is implemented.

The Auditor can then recommend the steps to address the non-compliances. Once the business units
carry out the fixes, the Auditor is notified and, if satisfied, can close off the non-compliance.

Once a non-compliance is closed off it is archived. Non-compliances that have not been fixed remain on
the dashboard against the business unit and the policy or asset until they are fixed. If a non-compliance
represents a risk to the organisation, it can also be reported in the risk register until a fix is applied.


Contact details
For more information about acquiring the solution please contact

Ben Oguntala

Ben.oguntala@riesgoriskmanagement.com

Telephone - 02075929747



The IS Auditor

The IS Audit Department can set up accounts for internal and external auditors. For an
external auditor, access to evidence is only granted for the period in which the audit is to be carried
out.

The internal Auditor will always have access. If an external auditor wants to carry out an
audit, access will be granted for the specified audit period only.
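The access rule described above (internal auditors always have access, external auditors only within their scheduled audit window) is the kind of time-bound, least-privilege check an auditor would expect to see enforced rather than left to manual account removal. The following is an added illustration, not code from the brochure or from the riesgoriskmanagement.com tool; the account model, the `AuditorType` roles and the inclusive-date window are assumptions made for the example. It fails closed when an external account has no scheduled window or an inverted one.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class AuditorType(Enum):
    """Hypothetical account roles modelled on the brochure's description."""
    INTERNAL = "internal"
    EXTERNAL = "external"


@dataclass(frozen=True)
class AuditorAccount:
    name: str
    kind: AuditorType
    # Scheduled audit period, inclusive on both ends (assumed convention).
    # Only consulted for external auditors; internal auditors ignore it.
    audit_start: Optional[date] = None
    audit_end: Optional[date] = None


def evidence_access_allowed(account: AuditorAccount, today: date) -> bool:
    """Return True if `account` may read audit evidence on `today`.

    Policy (as described in the brochure): internal auditors always have
    access; external auditors only during their scheduled audit period.
    Anything ambiguous (no window, or end before start) is denied.
    """
    if account.kind is AuditorType.INTERNAL:
        return True
    # Fail closed: an external account without a scheduled window gets nothing.
    if account.audit_start is None or account.audit_end is None:
        return False
    # A mis-entered window (end before start) is treated as no window at all.
    if account.audit_end < account.audit_start:
        return False
    return account.audit_start <= today <= account.audit_end


def accounts_with_access(accounts: List[AuditorAccount], today: date) -> List[str]:
    """Names of accounts that can currently see evidence; useful as a daily
    review list so that an expired external grant is noticed immediately."""
    return [a.name for a in accounts if evidence_access_allowed(a, today)]


# Constructed sample accounts for a stand-alone run.
SAMPLE_ACCOUNTS = [
    AuditorAccount("internal.auditor", AuditorType.INTERNAL),
    AuditorAccount("external.firm", AuditorType.EXTERNAL,
                   audit_start=date(2024, 3, 4), audit_end=date(2024, 3, 8)),
    AuditorAccount("external.unscheduled", AuditorType.EXTERNAL),
    AuditorAccount("external.badwindow", AuditorType.EXTERNAL,
                   audit_start=date(2024, 3, 10), audit_end=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for day in (date(2024, 3, 3), date(2024, 3, 4), date(2024, 3, 8), date(2024, 3, 9)):
        print(day, accounts_with_access(SAMPLE_ACCOUNTS, day))
```

Running the block prints, for each sample day, which accounts would be able to read evidence; the external firm appears only on the days inside its window, and the two malformed external accounts never appear.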




An Auditor can schedule audits with business units using the Audit calendar.

Audit calendar







Scheduling an audit




Once an audit is scheduled, an Audit alert is sent to the business unit informing them of the audit due
to take place.

Audit alert





The IS Audit operation

Security Policy

The key questions asked and answered by the tool include:

   -   Where is the policy?
   -   When was it published?
   -   How was it disseminated?
   -   When was it last updated?
   -   Who is responsible for the policy?

The policy dashboard




Each policy with an automatic review date reminder





Organization of information security

           o   Internal Organization
           o   External Parties

       Policies




The internal organisation structure




The key personnel
The following key accounts are enabled:

   -   Information security manager
   -   Policy manager
   -   Freedom of information manager (if public sector)
   -   Data protection officer
   -   Administrator



Asset Management

        o   Responsibility for assets
        o   Information classification




     This view depicts the number of assets per business unit regardless of
     geographical location. It also shows the Asset ID, risk index, classification and asset
     owner, the number of risks associated with the asset, and any audit entries recorded against
     the asset.

     Each business unit will be able to maintain its own asset register, and the information
     security team that handles security incidents and the risk register can report security
     incidents and risks associated with the asset.







Human resources security, Physical and Environmental Security,
Communications and Operations Management, Network Security
Management, Access Control & Business Continuity Management

We have grouped these modules together because the same audit principle applies to each.
The diagram below breaks each one down and will show if there are group policies or

Supporting policies procedures and guidelines




For each document uploaded there is an automatically recorded date and a review period.
The review period exists to prevent documents from becoming irrelevant or redundant, and
the Auditor can check whether a review has taken place or not.

Documents with automatic review dates





Information systems acquisition, development and maintenance

           o   Security requirements of information systems
           o   Correct processing in applications
           o   Cryptographic controls
           o   Security of system files
           o   Security in development and support processes
           o   Technical Vulnerability Management

The auditor can review the project risk management process in action to reveal how risk
management is handled by the organisation. We provide a project risk management solution
to address this element.

If the organisation considers projects involving ISD & M as assets, then our information asset
register can be used in this scenario as well with the following.




   -   Projects registered as assets
          o The project management office will be a separate business unit
          o Each project is registered as an asset
          o The information security team will be able to assess each project and raise
              risks and potential mitigations
   -   Risk assessment carried out for each project asset
          o The information security team will be the appropriate team to carry out the risk
              assessment



          o The information security team is notified when a new project is registered as
              an asset; they will be able to carry out the risk assessment for the project,
              give it a risk rating and link its associated documents
   -   Risk assessment - the CIA assessment for the project is recorded
          o The risk assessment will be carried out in accordance with the industry standard
              confidentiality, integrity and availability (CIA) criteria



Project risk assessment




Residual risk
The residual risk associated with the asset is recorded and kept on the central register.







Information security incident management
Incident register
The risk register diagram below depicts the number of incidents raised by all the business units in
the organisation and the number of them that have been resolved and those that are active.




   -   Reporting information security events and weaknesses
   -   Management of information security incidents and improvements
   -   The incident register will show the full record of incidents that were reported by the
        business units and their resolutions





Compliance


Compliance dashboard




Built in is an indicative element that lets the Auditor assess the main areas in which the business unit or
organisation fails to comply with this module.

The module requires:

   -   Compliance with legal requirements
   -   Compliance with security policies and standards, and technical compliance
   -   Information systems audit considerations

The compliance box to the right of the picture above will turn to pass when the following are
in place:

    -   All policies are uploaded
    -   All policies have been reviewed and none are outstanding
    -   Departmental policies have been uploaded
    -   A responsibility is assigned to each procedure
    -   No outstanding incidents
    -   No outstanding audit risks





Reporting noncompliance


Once the audit is completed the Auditor will be able to report on each non-compliance that was
discovered against a business unit, information asset, policy or area.

The idea behind the process is to ensure that each non-compliance is reported to the most
appropriate person to take action on it. All the non-compliances together make up
the report.




Further non-compliances, findings and recommendations can be recorded against the audit over time,
providing a single source for the whole history of each non-compliance.

The activity log provides a running commentary of actions that have been taken by the Auditor or
the business unit to resolve the non compliance.




                                            The end




 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

ISO 27001 Audit Evidence Acquisition

Contents

Introduction
IS Audit overview
Contact details
The IS Auditor
       Audit calendar
       Scheduling an audit
       Audit alert
The IS Audit operation
   Security Policy
       The policy dashboard
       Each policy with an automatic review date reminder
   Organization of information security
       Policies
       The internal organisation structure
       The key personnel
   Asset Management
   Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management
       Supporting policies, procedures and guidelines
       Documents with automatic review dates
   Information systems acquisition, development and maintenance
       Project risk assessment
       Residual risk
   Information security incident management
       Incident register
   Compliance
       Compliance dashboard
Reporting noncompliance
The end
Introduction

As an auditor, much of your work on an information security estate is satisfying yourself that there is enough evidence to support a compliance statement that has been made. The process can be tedious and often adversarial, and a significant amount of time is invested that is not necessarily needed. This tool is designed to help both the internal audit team and the business units meet their obligations by integrating the compliance obligation into day-to-day operations: by going about its normal work, a business unit produces the evidence of its level of compliance with the standard.

www.InformationsecurityAudtors.com provides a web based tool (www.riesgoriskmanagement.com) for auditors to capture information relating to ISO 27001 compliance. The difference the tool makes is the way it acquires compliance evidence and how the auditor is able to determine the level of compliance and the potential gaps. The evidence reflects an organisation's behaviour not just before the auditors arrive but possibly going back over the last two quarters.

The solution is a web based tool that sits on the client's site; access can be restricted or allowed for third parties. Internal auditors can check compliance across all business units as long as they have access to the intranet.
IS Audit overview

The diagram above depicts how the auditor (internal or external) is registered on the tool and is able to schedule an audit per business unit or for the entire organisation. It also depicts how evidence is acquired in relation to the ISO 27001 standard. From each of the modules, the auditor can view the behaviour of the audit target in the findings and gather evidence to support those findings.

The auditor can then register non-compliances in the areas where they exist. Each non-compliance is reported against a policy or asset and the relevant business unit, so that ownership is taken and action implemented. The auditor recommends the steps to address the non-compliance; once the business unit has carried out the fix, the auditor is notified and, if satisfied, can close off the non-compliance. A closed non-compliance is archived; a non-compliance that has no fix remains on the dashboard against the business unit and the policy or asset until it is fixed. If the non-compliance represents a risk to the organisation, it can also be reported in the risk register until a fix is applied.

Contact details

For more information about acquiring the solution please contact Ben Oguntala, Ben.oguntala@riesgoriskmanagement.com, telephone 02075929747.
The IS Auditor

The IS audit department can set up accounts for internal and external auditors. The internal auditor always has access; an external auditor is granted access to evidence only for the period in which the audit is to be carried out, and for that specified audit period only. An auditor can schedule audits with business units using the audit calendar.

Audit calendar
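The access rule just described (standing access for internal auditors, access for external auditors only inside the scheduled audit window) is the kind of check a practitioner would want to see enforced in code rather than by convention. The following is an added example written for this page, not code from the product; the names Auditor, AuditWindow and can_access_evidence, and the sample accounts, are assumptions made for the illustration. It also scopes the external auditor to the business unit the audit was scheduled for, which goes slightly beyond the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model of the two account types described on the page. Every
# identifier below is an assumption for this example, not the product's schema.

UTC = timezone.utc


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (keeps the sample data readable)."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


@dataclass(frozen=True)
class AuditWindow:
    start: datetime        # first instant access is valid (inclusive)
    end: datetime          # last instant access is valid (inclusive)
    business_unit: str     # the unit the audit was scheduled against


@dataclass(frozen=True)
class Auditor:
    username: str
    external: bool
    window: Optional[AuditWindow] = None   # set when an audit is scheduled


def can_access_evidence(auditor: Auditor, business_unit: str, at: datetime) -> bool:
    """Decide whether `auditor` may read evidence for `business_unit` at time `at`.

    Internal auditors are always allowed. External auditors are allowed only
    while `at` lies inside their scheduled window and the evidence belongs to
    the business unit that audit was scheduled for; an external account with
    no scheduled audit is denied by default.
    """
    if at.tzinfo is None:
        # A naive timestamp compared against an aware window would raise
        # anyway; fail loudly so the window is never silently widened.
        raise ValueError("timestamps must be timezone-aware")
    if not auditor.external:
        return True
    w = auditor.window
    if w is None:
        return False
    return w.business_unit == business_unit and w.start <= at <= w.end


# Constructed sample accounts: a standing internal auditor and an external
# auditor scheduled to audit Finance during one working week.
Q2_FINANCE_AUDIT = AuditWindow(utc(2024, 4, 8), utc(2024, 4, 12, 23, 59), "Finance")
INTERNAL = Auditor("i.auditor", external=False)
EXTERNAL = Auditor("e.auditor", external=True, window=Q2_FINANCE_AUDIT)
UNSCHEDULED = Auditor("contractor", external=True)


if __name__ == "__main__":
    for who, unit, when in [
        (INTERNAL, "HR", utc(2024, 1, 1)),
        (EXTERNAL, "Finance", utc(2024, 4, 10)),
        (EXTERNAL, "HR", utc(2024, 4, 10)),
        (EXTERNAL, "Finance", utc(2024, 4, 13)),
        (UNSCHEDULED, "Finance", utc(2024, 4, 10)),
    ]:
        print(who.username, unit, when.date(), can_access_evidence(who, unit, when))
```

The deny-by-default branch for an external account with no window is the part most often missed: an account created ahead of the audit should carry no access until the audit is actually scheduled.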
Scheduling an audit

Once an audit is scheduled, an audit alert is sent to the business unit informing it of the audit due to take place.

Audit alert
The IS Audit operation: Security Policy

The key questions asked and answered by the tool include:
 - Where is the policy?
 - When was it published?
 - How was it disseminated?
 - When was it last updated?
 - Who is responsible for the policy?

The policy dashboard

Each policy with an automatic review date reminder
Organization of information security
 o Internal Organization
 o External Parties

Policies

The internal organisation structure

The key personnel

The following key accounts are enabled:
 - Information security manager
 - Policy manager
 - Freedom of information manager (if public sector)
 - Data protection officer
 - Administrator
Asset Management
 o Responsibility for assets
 o Information classification

This view depicts the number of assets per business unit regardless of geographical location. It also shows the asset ID, risk index, classification and asset owner, the number of risks associated with the asset, and any audit entries recorded against the asset. Each business unit maintains its own asset register, and the information security team that handles security incidents and the risk register can report security incidents and risks against the asset.
Human resources security, Physical and Environmental Security, Communications and Operations Management, Network Security Management, Access Control & Business Continuity Management

We have grouped these modules together because the same audit principle applies to each. The diagram below breaks each one down and shows whether there are group policies or supporting policies, procedures and guidelines.

Supporting policies, procedures and guidelines

Each uploaded document is given an automatic date and a review period, so that documents do not become irrelevant or redundant; the auditor can check whether the review has taken place or not.

Documents with automatic review dates
Information systems acquisition, development and maintenance
 o Security requirements of information systems
 o Correct processing in applications
 o Cryptographic controls
 o Security of system files
 o Security in development and support processes
 o Technical Vulnerability Management

The auditor can review the project risk management process in action to see how risk management is handled by the organisation. We provide a project risk management solution to address this element. If the organisation treats projects involving ISD&M as assets, our information asset register can be used in this scenario as well, as follows.
 - Projects are registered as assets
   o The project management office is a separate business unit
   o Each project is registered as an asset
   o The information security team can assess each project and raise risks and potential mitigations
 - A risk assessment is carried out for each project asset
   o The information security team is the appropriate team to carry out the risk assessment
   o The information security team is notified when a new project is registered as an asset; it can then carry out the risk assessment for the project, give it a risk rating and link its associated documents
 - Risk assessment: the CIA assessment for the project is recorded
   o Risk assessment is carried out in accordance with the industry standard of confidentiality, integrity and availability (CIA)

Project risk assessment

Residual risk

The residual risk associated with the asset is recorded and kept on the central register.
Information security incident management

Incident register

The diagram below depicts the number of incidents raised by all the business units in the organisation, how many of them have been resolved and how many remain active.
 - Reporting information security events and weaknesses
 - Management of information security incidents and improvements

The incident register shows the full record of incidents reported by the business units and their resolutions.
Compliance

Compliance dashboard

Built in is an indicative element that helps the auditor assess the main areas in which the business unit or organisation fails to comply with this module. The module requires:
 - Compliance with legal requirements
 - Compliance with security policies and standards, and technical compliance
 - Information systems audit considerations

The compliance box to the right of the picture above turns to pass when the following are in place:
 - All policies are uploaded
 - All policies have been reviewed and none is outstanding
 - Departmental policies have been uploaded
 - A responsibility is assigned to each procedure
 - No outstanding incidents
 - No outstanding audit risks
Reporting noncompliance

Once the audit is complete, the auditor can report each non-compliance discovered against a business unit, information asset, policy or area. The idea behind the process is to ensure that each non-compliance is reported to the most appropriate person to take action on it. All the non-compliances together make up the report. Further non-compliances, findings and recommendations can be recorded against the audit, providing a single source for the full history of each non-compliance. The activity log provides a running commentary of the actions taken by the auditor or the business unit to resolve the non-compliance.

The end