ISO 27001 Lead Auditor Student Handbook

Uploaded by: itpreneurs
Posted on 24-Mar-2016

Page 1: ISO 27001 Lead Auditor Student Handbook


Certified ISO/IEC 27001

Lead Auditor

Participant Handbook

Information Security Training


Copyright ISO 27001 Lead Auditor, Classroom course, release 5.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO/IEC 27001 | Lead Auditor | Participant Handbook

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

“Like us” on Facebook

http://www.facebook.com/ITpreneurs

“Follow us” on Twitter

http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus

http://gplus.to/ITpreneurs

"Link with us" on Linkedin

http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube

http://www.youtube.com/user/ITpreneurs



Contents

Certified ISO/IEC 27001 Lead Auditor

Day 1 ........ 5
Day 2 ........ 57
Day 3 ........ 115
Day 4 ........ 159
Appendix A: Case Study ........ 209
Appendix B: Exercises List ........ 233
Appendix C: Correction Key ........ 2 7
Appendix D: Release Notes ........ 287


Day 1

ISO 27001 Lead Auditor


DAY 1

Certified ISO 27001 Lead Auditor Training, Section 1: Course objectives and structure

a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training


Activity: Meet and greet

General Information

- Timetable and breaks
- Meals
- Smoking area
- Use of mobile phones and recording devices
- Use of a computer and access to the Internet
- Absences


Training Objectives: Acquiring knowledge

1. Understand the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001, ISO 27002 and other standards and regulatory frameworks
3. Understand an auditor's role: to plan, lead and follow up on a management system audit in accordance with ISO 19011

Training Objectives: Development of competencies

1. Interpret the requirements of ISO 27001 in the context of an ISMS audit
2. Acquire the competencies of an auditor to plan an audit, lead an audit, draft reports, and follow up on an audit in compliance with ISO 19011
3. Strengthen the personal skills an auditor needs to act with due professional care during an audit


Educational Approach

Students at the center

Course based on audit best practices and generally accepted audit standards:

- International Federation of Accountants
- Information Systems Audit and Control Association
- Institute of Internal Auditors
- ISO 19011


Examination

Competency domains

1. Fundamental principles of information security
2. Information Security Management System
3. Fundamental concepts and principles of auditing
4. Preparation of an ISO 27001 audit
5. Conducting an ISO 27001 audit
6. Concluding an ISO 27001 audit
7. Managing an ISO 27001 audit programme

Certified ISO 27001 Lead Auditor

Prerequisites for certification

1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years of professional experience
4. 2 years of security experience
5. 300 hours of audit activity
6. Professional references


Certificates

Candidates who have met all the prerequisites for certification will receive a certificate.

What is PECB?

Professional Evaluation and Certification Board

Main services:
1. Certification of personnel (auditor and implementer)
2. Certification of training organizations
3. Certification of trainers


Why Become a Certified Auditor?

Advantages

- Qualifying oneself to conduct audits for a certification body
- Formal and independent recognition of personal competencies
- Certified professionals usually earn higher salaries than non-certified professionals

Customer Service

Comments, questions and complaints (between the training participant, the training provider and PECB):

1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration


Schedule for the Week

QUESTIONS?


Certified ISO 27001 Lead Auditor Training, Section 2: Standard and regulatory framework

a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Integrated management system
e. Information security standards
f. ISO 27000 family
g. ISO 27001 advantages
h. Legal and regulatory conformity

What is ISO?

- ISO is a network of national standardization bodies from over 160 countries
- The final results of ISO work are published as international standards
- Over 19,000 standards have been published since 1947


Basic Principles of ISO Standards

1. Equal representation: one vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: seeking a broad consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies

Eight ISO Management Principles


Management System Standards

Primary standards against which an organization can be certified:

- ISO 9001: Quality
- ISO 14001: Environment
- OHSAS 18001: Health and safety at work
- ISO 20000: IT service
- ISO 22000: Food safety
- ISO 22301: Business continuity
- ISO 27001: Information security
- ISO 28000: Supply chain security

Integrated Management System

Common structure of ISO standards (clause numbers in each standard):

Requirement                         | ISO 9001:2008 | ISO 14001:2004 | ISO 20000:2011 | ISO 22301:2012 | ISO 27001:2005
Objectives of the management system | 5.4.1         | 4.3.3          | 4.5.2          | 6.2            | 4.2.1
Policy of the management system     | 5.3           | 4.2            | 4.1.2          | 5.3            | 4.2.1
Management commitment               | 5.1           | 4.4.1          | 4.1            | 5.2            | 5
Documentation requirements          | 4.2           | 4.4            | 4.3            | 7.5            | 4.3
Internal audit                      | 8.2.2         | 4.5.5          | 4.5.4.2        | 9.2            | 6
Continual improvement               | 8.5.1         | 4.5.3          | 4.5.5          | 10             | 8
Management review                   | 5.6           | 4.6            | 4.5.4.3        | 9.3            | 7


Other Information Security Standards

Examples

History of the ISO 27001 Series

Important dates

- 1990: Code of best practices (published by a group of companies)
- 1995: BS7799-1, code of best practices
- 1998: BS7799-2, ISMS certification schema
- 2000: ISO 17799, best practices code
- 2005: New version of ISO 17799; ISO 27001 publication
- 2007: ISO 27006, certification organization requirements
- 2008+: Publication of other standards of the 27000 family; revision to ISO 27001 and ISO 27002 in progress


ISO 27000 Family

Vocabulary:
- ISO 27000: Vocabulary

Requirements:
- ISO 27001: ISMS requirements
- ISO 27006: Certification organization requirements

General guides:
- ISO 27002: Code of practice
- ISO 27003: Implementation guide
- ISO 27004: Metrics
- ISO 27005: Risk management
- ISO 27007-27008: Audit guides

Industry guides:
- ISO 27011: Telecommunications
- ISO 27799: Health
- ISO 270XX: Others

ISO 27001

- Specifies requirements for ISMS management (Clauses 4 to 8)
- Requirements (clauses) are written using the imperative verb "shall"
- Annex A: 11 clauses containing 39 control objectives and 133 controls
- An organization can obtain certification against this standard


ISO 27002

- Guide for a code of practice for information security management (reference document)
- Clauses are written using the verb "should"
- Composed of 11 clauses, 39 control objectives and 133 controls
- An organization cannot obtain certification against this standard
- A.k.a. ISO 17799

ISO 27009+

Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:

For industries:
– Telecommunication
– Health
– Finance and insurance
– ...

For specific sectors related to information security:
– Application security
– Cyber security
– Security incident management
– Privacy protection
– ...


Exercise 1

Reasons to adopt ISO 27001

ISO 27001 Advantages

1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing


Legal Conformity

- The organization must comply with applicable laws and regulations
- In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal requirement
- In all cases, laws take precedence over standards
- ISO 27001 can be used to comply with several laws and regulations

Legal Aspects

Major topics to be monitored

1. Data protection
2. Privacy
3. Computer crimes
4. Digital signature
5. Intellectual property
6. Electronic payments
7. Records management


QUESTIONS?

Certified ISO 27001 Lead Auditor Training, Section 3: Certification process

a. Certification process
b. Certification schema
c. Accreditation authority
d. Certification body
e. Certification bodies of persons


Certification Process

Phases: before the audit, initial audit, following the audit

1. Implementation of the management system
2. Internal audit and review by top management
3. Selection of a certification body
4. Pre-assessment audit (optional)
5. Stage 1 audit
6. Stage 2 audit (on-site visit)
7. Follow-up audit (if applicable)
8. Confirmation of registration
9. Continual improvement and surveillance audits

Certification Schema

- Accreditation authorities (e.g. ANSI / ANAB (USA), SCC (Canada), UKAS (UK), COFRAC (France), BELAC (Belgium), SAS (Switzerland)) accredit certification bodies
- Certification bodies (e.g. SGS, Bureau Veritas, DNV, Swiss TS) certify organizations (the auditees) and hire auditors
- Personnel certification bodies (e.g. PECB) certify auditors and certify training providers and trainers
- Training organizations train the auditors
- Auditors audit the auditees


Accreditation Authority

ISO 17011

National organization which supervises certification programs (organizations and professionals) and which makes sure that national or international criteria are respected

Certification Body

ISO 17021

Certification body: Third party that performs the assessment of conformity of management systems

Certification: Procedure in which a third party attests in writing that a product, process, or service conforms to specified criteria


Personnel Certification Bodies

ISO 17024

The role of a personnel certification body is to certify professionals

ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons

QUESTIONS?


Certified ISO 27001 Lead Auditor Training, Section 4: Fundamental principles of information security

a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls
h. Control environment

Asset and Information Asset

ISO 9000, clause 7.3.1; ISO 27000, clauses 2.3 and 2.8

- Information: meaningful data
- Asset: all elements having value for the organization
- Information asset: knowledge or data that has value to the organization


Document – Specification – Record

ISO 9000, clause 3.7

- Document: information and its supporting medium
- Specification: document stating requirements
- Record: document stating results achieved or providing evidence of activities performed

Information Security

ISO 27002, clause 0.1

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities


Information Security

ISO 27000, clause 2.19

Preservation of confidentiality, integrity and availability of information

Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved

Information Security

Covers information of all kinds:
- Printed or handwritten
- Recorded on a technical medium
- Transmitted by email or electronically
- Included in a website
- Shown on corporate videos
- Mentioned during conversations
- Etc.


Confidentiality

ISO 27000, clause 2.9

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes

Integrity

ISO 27000, clause 2.25

Property of protecting the accuracy and completeness of assets


Availability

ISO 27000, clause 2.7

Property of being accessible and usable upon demand by an authorized entity

Vulnerability

ISO 27000, clause 2.46

Weakness of an asset or a security control that can be exploited by a threat


Types of Vulnerabilities

ISO 27005, Annex D

Type of vulnerability      | Examples
1 Hardware                 | Insufficient maintenance; portability
2 Software                 | No registration logs; complicated interfaces
3 Network                  | Lack of encryption of transfers; single point of access
4 Personnel                | Insufficient training; lack of supervision
5 Site                     | Unstable electrical system; site in an area susceptible to flood
6 Organization's structure | Lack of segregation of duties; no job descriptions

Threats

ISO 27000, clause 2.45

Potential cause of an unwanted incident which may result in harm to a system or an organization


Types of Threats

ISO 27005, Annex C

Threat type                      | Examples
1 Physical damage                | Fire; water damage
2 Natural disaster               | Earthquake; flooding
3 Loss of essential service      | Failure of air conditioning; power outage
4 Disruption caused by radiation | Electromagnetic radiation; thermal radiation
5 Information compromised        | Wiretaps; theft of documents
6 Technical failure              | Equipment failure; network overload
7 Unauthorized action            | Unauthorized access; use of pirated software

Relationship: Vulnerability and Threat

Examples

Vulnerability                                  | Threat
Warehouse unprotected and without surveillance | Theft
Complicated data processing procedures         | Data input error by personnel
No segregation of duties                       | Fraud, unauthorized use of a system
Unencrypted data                               | Information theft
Use of pirated software                        | Lawsuit, virus
No review of access rights                     | Unauthorized access by persons who have left the organization
No backup procedures                           | Loss of information


Impact

ISO 27000, clause 2.17

Adverse change to the level of business objectives achieved

Examples of impacts on availability:
- Performance degradation
- Service interruption
- Unavailability of service
- Disruption of operations

Examples of impacts on integrity:
- Accidental change
- Deliberate change
- Incorrect results
- Incomplete results
- Loss of data

Examples of impacts on confidentiality:
- Invasion of privacy of users or customers
- Invasion of privacy of employees
- Confidential information leakage

Information Security Risk

ISO 27000, clause 2.24

Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization

Note: It is measured in terms of a combination of the likelihood of an event and its consequence


Risk Scenario

Example

United Kingdom: Corruption of several websites of the Conservative Party (Vital Security, 01/03/2010)

The text of the corruption encourages website visitors to vote for the Labour Party. Messages left by the attackers include a security evaluation of the site and political slogans.

- Information asset: Content of the Conservative Party website
- Other asset: Server hosting the Conservative Party website
- Security aspect: Integrity
- Vulnerability: Security holes in the web server
- Threat: Hackers
- Impact: Image of the Conservative Party

Exercise 2

Identification of threats, vulnerabilities and impacts


Control Objective and Control

ISO 27000, clauses 2.10-2.11

Control objective: Statement describing what is to be achieved as a result of implementing controls

Control: Methods to manage a risk; include policies, procedures, guidelines and practices or organizational structures. Synonyms: measure, counter-measure, security device

Types of control: technical control, administrative control, legal control, managerial control

Link between Security Objectives and Controls

Example

Security objective                                                              | Security controls
To ensure that information receives an appropriate level of protection (A.7.2) | Classification guidelines (A.7.2.1); Information labeling and handling (A.7.2.2)
To minimize the risk of systems failures (A.10.3)                               | Capacity management (A.10.3.1); System acceptance (A.10.3.2)
To prevent unauthorized access to networked services (A.11.4)                   | Policy on use of network services (A.11.4.1); User authentication for external connections (A.11.4.2); Equipment identification in networks (A.11.4.3); Remote diagnostic and configuration port protection (A.11.4.4)


Control Classification

- Preventive control: discourage or prevent the appearance of problems
- Detective control: search for, detect and identify problems
- Corrective control: solve problems found and prevent their recurrence

Classification of Security Controls

Examples

Preventive controls:
- Publish an information security policy
- Have a confidentiality agreement signed
- Hire only qualified personnel
- Identify risks coming from third parties
- Segregation of duties

Detective controls:
- Monitor and review third-party services
- Monitor the resources used by systems
- Alarm triggering, e.g. when sensing fire
- Review of user access rights
- Analysis of audit logs

Corrective controls:
- Technical and legal investigation (forensics) following a security incident
- Enabling the business continuity plan after the occurrence of a disaster
- Implementation of patches following the identification of technical vulnerabilities


Security Controls: Operational Mode

Operational mode: automated, manual or mixed

Automated controls:
- More expensive to implement
- Less expensive to operate
- Usually generate fewer errors

Manual controls:
- Less expensive to implement
- More expensive to operate
- Usually generate more errors

Strategic, General and Application Oriented Controls

Strategic controls (Clauses 4 to 8):
- ISMS policy
- Monitoring and ISMS review
- Management review
- Continual improvement
- Risk management

General controls (Annex A):
- Control of systems development
- Physical security
- Access control
- Asset management
- Incident management

Application controls (specific controls related to applications, not covered in ISO 27001):
- Examples of applications: finance application, intranet, CRM, database
- Input data validation, control of internal processing, output data validation


Control Environment

Layered approach

6. Legal framework
5. Professional associations
4. External audits
3. Internal audits
2. Internal controls
1. Conformity management

The strength of a control environment is ensured by the separation of tasks between the different actors and the multiple layers of successive control

Relationships between Information Security Concepts

Overview

The diagram links the five concepts: threats exploit vulnerabilities; vulnerabilities and threats increase risks; assets have vulnerabilities; risks can harm assets; controls reduce vulnerabilities and can reduce risks.
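The risk definition above (likelihood combined with consequence) and the concept relationships, worked through in Python as an added example that is not part of the handbook: a small risk register that rates the handbook's website-defacement scenario before and after controls. The 1-5 scales, the rating thresholds, the effect assigned to each control kind and the web server hardening control are assumptions of this example.

```python
# Added teaching example, not the handbook's material: a small risk register in the
# ISO 27000 / ISO 27005 vocabulary of these slides. The 1-5 scales, the rating
# thresholds and the effect of each control kind are assumptions of this example.
from dataclasses import dataclass
from math import ceil


def _check(value: int, what: str) -> int:
    # Reject ratings outside the constructed 1-5 qualitative scale.
    if value not in range(1, 6):
        raise ValueError(f"{what} must be between 1 and 5, got {value}")
    return value


@dataclass(frozen=True)
class Threat:              # potential cause of an unwanted incident (ISO 27000, 2.45)
    description: str
    frequency: int         # how often the threat is expected to act (1-5)


@dataclass(frozen=True)
class Vulnerability:       # weakness a threat can exploit (ISO 27000, 2.46)
    description: str
    exploitability: int    # how easily the threat exploits it (1-5)


@dataclass(frozen=True)
class Control:             # assumed effect: preventive -> likelihood, others -> consequence
    name: str
    kind: str              # "preventive", "detective" or "corrective"
    reduction: int         # points removed from the affected 1-5 scale


@dataclass(frozen=True)
class RiskScenario:        # the columns of the handbook's risk scenario slide
    asset: str
    security_aspect: str   # confidentiality, integrity or availability
    vulnerability: Vulnerability
    threat: Threat
    impact: str
    consequence: int       # severity of the impact on the asset (1-5)


@dataclass(frozen=True)
class RiskLevel:
    likelihood: int
    consequence: int
    score: int             # likelihood x consequence, 1..25
    rating: str


def rate(score: int) -> str:
    """Constructed thresholds on the likelihood x consequence product."""
    return "high" if score >= 15 else "medium" if score >= 6 else "low"


def evaluate(scenario: RiskScenario, controls: tuple[Control, ...] = ()) -> RiskLevel:
    """Combine likelihood and consequence (ISO 27000, 2.24), then apply the controls."""
    likelihood = ceil((_check(scenario.threat.frequency, "frequency")
                       + _check(scenario.vulnerability.exploitability, "exploitability")) / 2)
    consequence = _check(scenario.consequence, "consequence")
    for control in controls:
        if control.kind == "preventive":
            likelihood -= control.reduction
        elif control.kind in ("detective", "corrective"):
            consequence -= control.reduction
        else:
            raise ValueError(f"unknown control kind: {control.kind}")
    # A control never pushes a rating below the bottom of the scale.
    likelihood, consequence = max(1, likelihood), max(1, consequence)
    score = likelihood * consequence
    return RiskLevel(likelihood, consequence, score, rate(score))


# The handbook's own website-defacement scenario; the numeric ratings are constructed.
DEFACEMENT = RiskScenario(
    asset="Content of the Conservative Party website", security_aspect="integrity",
    vulnerability=Vulnerability("Security holes in the web server", exploitability=4),
    threat=Threat("Hackers", frequency=4), impact="Image of the Conservative Party",
    consequence=4)

# One control of each kind: the first is constructed, the other two are examples from
# the handbook's classification slide. All reduction values are assumed.
TREATMENT = (
    Control("Hardening of the web server configuration", "preventive", 2),
    Control("Analysis of audit logs", "detective", 1),
    Control("Implementation of patches following the identification of technical "
            "vulnerabilities", "corrective", 1),
)
```

Calling `evaluate(DEFACEMENT)` gives the inherent risk (score 16, rated high) and `evaluate(DEFACEMENT, TREATMENT)` the residual risk after treatment (score 4, rated low), which is the before/after pair an auditor expects to find in a risk register.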