iso 27001 lead auditor student handbook
Certified ISO/IEC 27001
Lead Auditor
Participant Handbook
Information Security Training
Copyright ISO 27001 Lead Auditor, Classroom course, release 5.0.0
Copyright and Trademark Information for Partners/Stakeholders.
ITpreneurs Nederland B.V. is affiliated to Veridion.
Copyright © 2013 ITpreneurs. All rights reserved.
Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.
The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.
Certified ISO/IEC 27001 | Lead Auditor | Participant Handbook
Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1
Contents
Certified ISO/IEC 27001 Lead Auditor
Day 1 ------------------------------------------------------------ 5
Day 2 ------------------------------------------------------------ 57
Day 3 ------------------------------------------------------------ 115
Day 4 ------------------------------------------------------------ 159
Appendix A: Case Study --------------------------------------- 209
Appendix B: Exercises List ---------------------------------- 233
Appendix C: Correction Key ---------------------------------- 2 7
Appendix D: Release Notes ----------------------------------- 287
Day 1
ISO 27001 Lead Auditor
DAY 1
Certified ISO 27001 Lead Auditor
Certified ISO 27001 Lead Auditor Training, Section 1: Course objectives and structure
a. Meet and greet
b. General information
c. Training objectives
d. Educational approach
e. Examination and certification
f. PECB
g. Schedule for the training
Activity: Meet and greet
General Information
Timetable and breaks
Meals
Smoking area
Use of mobile phones and recording devices
Absences
Use of a computer and access to the Internet
Training Objectives: Acquiring knowledge
1. Understand the operation of an Information Security Management System based on ISO 27001 and its principal processes
2. Understand the goal, content and correlation between ISO 27001, ISO 27002 and other standards and regulatory frameworks
3. Understand an auditor’s role: to plan, lead and follow up on a management system audit in accordance with ISO 19011
Training Objectives: Development of competencies
1. Interpret the requirements of ISO 27001 in the context of an ISMS audit
2. Acquire the competencies of an auditor to plan an audit, lead an audit, draft reports, and follow up on an audit in compliance with ISO 19011
3. Strengthen the personal skills necessary for an auditor to act with due professional care during an audit
Educational Approach: Students at the center
Course Based on Audit Best Practices
Generally accepted audit standards
ISO 19011
International Federation of Accountants
Information Systems Audit and Control Association
Institute of Internal Auditors
Examination: Competency domains
1. Fundamental principles of information security
2. Information Security Management System
3. Fundamental concepts and principles of auditing
4. Preparation of an ISO 27001 audit
5. Conducting an ISO 27001 audit
6. Concluding an ISO 27001 audit
7. Managing an ISO 27001 audit programme
Certified ISO 27001 Lead Auditor: Prerequisites for Certification
1. Pass the exam
2. Adhere to the PECB Code of Ethics
3. 5 years professional experience
4. 2 years security experience
5. 300 hours audit activity
6. Professional references
Certificates
Candidates who meet all the prerequisites for certification will receive a certificate.
What is PECB?
Professional Evaluation and Certification Board
Main services:
1. Certification of personnel (Auditor and Implementer)
2. Certification of training organizations
3. Certification of trainers
Why Become a Certified Auditor? Advantages
Qualifying oneself to conduct audits for a certification body
Formal and independent recognition of personal competencies
Certified professionals usually earn salaries higher than those of non-certified professionals
Customer Service: Comments, questions and complaints
Parties involved: training participant, training provider, PECB
1. Submit a complaint
2. Answer in writing
3. Appeal
4. Final arbitration
Schedule for the Week
QUESTIONS?
Certified ISO 27001 Lead Auditor Training, Section 2: Standard and regulatory framework
a. What is ISO?
b. Fundamental ISO principles
c. Management system standards
d. Integrated management system
e. Information security standards
f. ISO 27000 family
g. ISO 27001 advantages
h. Legal and regulatory conformity
What is ISO?
ISO is a network of national standardization bodies from over 160 countries
The final results of ISO work are published as international standards
Over 19 000 standards have been published since 1947
Basic Principles – ISO Standards
1. Equal representation: 1 vote per country
2. Voluntary membership: ISO does not have the authority to force adoption of its standards
3. Business orientation: ISO only develops standards for which a market demand exists
4. Consensus approach: looking for a large consensus among the different stakeholders
5. International cooperation: over 160 member countries plus liaison bodies
Eight ISO Management Principles
Management System Standards: Primary standards against which an organization can be certified
ISO 9001: Quality
ISO 14001: Environment
OHSAS 18001: Health and Safety at work
ISO 20000: IT Service
ISO 22000: Food Safety
ISO 22301: Business continuity
ISO 27001: Information security
ISO 28000: Supply Chain Security
Integrated Management System: Common structure of ISO standards
Requirements                          ISO 9001:2008   ISO 14001:2004  ISO 20000:2011  ISO 22301:2012  ISO 27001:2005
Objectives of the management system   5.4.1           4.3.3           4.5.2           6.2             4.2.1
Policy of the management system       5.3             4.2             4.1.2           5.3             4.2.1
Management commitment                 5.1             4.4.1           4.1             5.2             5
Documentation requirements            4.2             4.4             4.3             7.5             4.3
Internal audit                        8.2.2           4.5.5           4.5.4.2         9.2             6
Continual improvement                 8.5.1           4.5.3           4.5.5           10              8
Management review                     5.6             4.6             4.5.4.3         9.3             7
Other Information Security Standards: Examples
History of the ISO 27001 Series: Important dates
1990: Code of best practices (published by a group of companies)
1995: BS7799-1, Code of best practices
1998: BS7799-2, ISMS certification schema
2000: ISO 17799, Best practices code
2005: New version of ISO 17799; ISO 27001 publication
2007: ISO 27006, Certification organization requirements
2008+: Publication of other standards of the 27000 family; revision of ISO 27001 and ISO 27002 in progress
ISO 27000 Family
Vocabulary: ISO 27000 (Vocabulary)
Requirements: ISO 27001 (ISMS requirements); ISO 27006 (Certification organization requirements)
General guides: ISO 27002 (Code of practices); ISO 27003 (Implementation guide); ISO 27004 (Metrics); ISO 27005 (Risk management); ISO 27007-27008 (Audit guides)
Industry guides: ISO 27011 (Telecommunications); ISO 27799 (Health); ISO 270XX (others)
ISO 27001
Specifies requirements for ISMS management (Clauses 4 to 8)
Requirements (clauses) are written using the imperative verb “shall”
Annex A: 11 clauses containing 39 control objectives and 133 controls
Organizations can obtain certification against this standard
ISO 27002
Guide for a code of practice for information security management (reference document)
Clauses are written using the verb “should”
Composed of 11 clauses, 39 control objectives and 133 controls
Organizations cannot obtain certification against this standard
A.k.a. ISO 17799
ISO 27009+
Within the 27000 series, ISO 27009 and the subsequent numbers are reserved for the creation of domain-specific standards:
For industries:
– Telecommunication
– Health
– Finance and insurance…
For specific sectors related to information security:
– Application security
– Cyber security
– Security incident management
– Privacy protection...
Exercise 1: Reasons to adopt ISO 27001
ISO 27001 Advantages
1. Improvement of security
2. Good governance
3. Conformity
4. Cost reduction
5. Marketing
Legal Conformity
The organization must comply with applicable laws and regulations
In most countries, the implementation of an ISO standard is a voluntary decision of the organization, not a legal requirement
In all cases, laws take precedence over standards
ISO 27001 can be used to comply with several laws and regulations
Legal Aspects: Major topics to be monitored
1. Data protection
2. Privacy
3. Computer Crimes
4. Digital Signature
5. Intellectual Property
6. Electronic Payments
7. Records Management
QUESTIONS?
Certified ISO 27001 Lead Auditor Training, Section 3: Certification process
a. Certification process
b. Certification schema
c. Accreditation authority
d. Certification body
e. Certification Bodies of Persons
Certification Process
Before the audit:
1. Implementation of the management system
2. Internal audit and review by top management
3. Selection of a certification body
4. Pre-assessment audit (optional)
Initial audit:
5. Stage 1 audit
6. Stage 2 audit (on-site visit)
7. Follow-up audit (if applicable)
Following the audit:
8. Confirmation of registration
9. Continual improvement and surveillance audits
Certification Schema
Accreditation authorities (ex: ANSI / ANAB (USA), SCC (Canada), UKAS (UK), COFRAC (France), BELAC (Belgium), SAS (Switzerland)) accredit certification bodies and personnel certification bodies
Certification bodies (ex: SGS, Bureau Veritas, DNV, Swiss TS) certify organizations (the auditees) and hire auditors
Personnel certification bodies (ex: PECB) certify auditors and certify training providers and trainers
Training organizations train the auditors
Auditors audit the auditees
Accreditation Authority (ISO 17011)
National organization which supervises certification programs (organizations and professionals) and which makes sure that national or international criteria are respected
Certification Body (ISO 17021)
Certification body: Third party that performs the assessment of conformity of management systems
Certification: Procedure in which a third party attests in writing that a product, process, or service is conformant to specified criteria
Personnel Certification Bodies (ISO 17024)
The role of a personnel certification body is to certify professionals
ISO 17024 specifies the criteria for an organization that conducts certification of persons in relation to specific requirements, including developing and maintaining a certification scheme for persons
QUESTIONS?
Certified ISO 27001 Lead Auditor Training, Section 4: Fundamental Principles of Information Security
a. Asset and information asset
b. Information security
c. Confidentiality, integrity and availability
d. Vulnerability, threat and impact
e. Information security risk
f. Security objectives and controls
g. Classification of security controls
h. Control environment
Asset and Information Asset (ISO 9000, clause 7.3.1; ISO 27000, clauses 2.3 & 2.8)
Information: meaningful data
Asset: All elements having value for the organization
Information asset: Knowledge or data that has value to the organization
Document – Specification – Record (ISO 9000, clause 3.7)
Document: Information and its supporting medium
Specification: Document stating requirements
Record: Document stating results achieved or providing evidence of activities performed
Information Security (ISO 27002, clause 0.1)
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities
Information Security (ISO 27000, clause 2.19)
Preservation of confidentiality, integrity and availability of information
Note: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved
Information Security: Covers information of all kinds
Printed or handwritten
Recorded using technical support
Transmitted by email or electronically
Included in a website
Shown on corporate videos
Mentioned during conversations
Etc.
Confidentiality (ISO 27000, clause 2.9)
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity (ISO 27000, clause 2.25)
Property of protecting the accuracy and completeness of assets
Availability (ISO 27000, clause 2.7)
Property of being accessible and usable upon demand by an authorized entity
Vulnerability (ISO 27000, clause 2.46)
Weakness of an asset or a security control that can be exploited by a threat
Types of Vulnerabilities (ISO 27005, Annex D)
Type of vulnerability: Examples
1. Hardware: Insufficient maintenance; Portability
2. Software: No registration logs; Complicated interfaces
3. Network: Lack of encryption of transfers; Single point of access
4. Personnel: Insufficient training; Lack of supervision
5. Site: Unstable electrical system; Site in an area susceptible to flood
6. Organization's structure: Lack of segregation of duties; No job descriptions
Threats (ISO 27000, clause 2.45)
Potential cause of an unwanted incident which may result in harm to a system or an organization
Types of Threats (ISO 27005, Annex C)
Threat type: Examples
1. Physical damage: Fire; Water damage
2. Natural disaster: Earthquake; Flooding
3. Loss of essential service: Failure of air conditioning; Power outage
4. Disruption caused by radiation: Electromagnetic radiation; Thermal radiation
5. Information compromised: Wiretaps; Theft of documents
6. Technical failure: Equipment failure; Network overload
7. Unauthorized action: Unauthorized access; Use of pirated software
Relationship: Vulnerability and Threat (Examples)
Vulnerability: Threat
Warehouse unprotected and without surveillance: Theft
Complicated data processing procedures: Data input error by personnel
No segregation of duties: Fraud, unauthorized use of a system
Unencrypted data: Information theft
Use of pirated software: Lawsuit, virus
No review of access rights: Unauthorized access by persons who have left the organization
No backup procedures: Loss of information
Impact (ISO 27000, clause 2.17)
Adverse change to the level of business objectives achieved
Examples of impacts on availability: Performance degradation; Service interruption; Unavailability of service; Disruption of operations
Examples of impacts on integrity: Accidental change; Deliberate change; Incorrect results; Incomplete results; Loss of data
Examples of impacts on confidentiality: Invasion of privacy of users or customers; Invasion of privacy of employees; Confidential information leakage
Information Security Risk (ISO 27000, clause 2.24)
Potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
Note: It is measured in terms of a combination of the likelihood of an event and its consequence
Risk Scenario: Example
United Kingdom: Corruption of several websites of the Conservative Party (Vital Security 01/03/2010)
The text of the corruption encourages website visitors to vote for the Labour Party. Messages left by the attackers include a security evaluation of the site and political slogans.
Information asset: Content of the Conservative Party website
Other asset: Server hosting the Conservative Party website
Security aspect: Integrity
Vulnerability: Security holes in the web server
Threat: Hackers
Impact: Image of the Conservative Party
Exercise 2: Identification of threats, vulnerabilities and impacts
Control Objective and Control (ISO 27000, clauses 2.10-11)
Control objective: Statement describing what is to be achieved as a result of implementing controls
Control: Methods to manage a risk; includes policies, procedures, guidelines and practices or organizational structures. Synonyms: measure, counter-measure, security device
Types of control: Technical control, Administrative control, Legal control, Managerial control
Link between Security Objectives and Controls: Example
Security objective: Security controls
To ensure that information receives an appropriate level of protection (A.7.2): Classification guidelines (A.7.2.1); Information labeling and handling (A.7.2.2)
To minimize the risk of systems failures (A.10.3): Capacity management (A.10.3.1); System acceptance (A.10.3.2)
To prevent unauthorized access to networked services (A.11.4): Policy on use of network services (A.11.4.1); User authentication for external connections (A.11.4.2); Equipment identification in networks (A.11.4.3); Remote diagnostic and configuration port protection (A.11.4.4)
Control Classification
Preventive control: Discourage or prevent the appearance of problems
Detective control: Search for, detect and identify problems
Corrective control: Solve problems found and prevent their recurrence
Classification of Security Controls: Examples
Preventive controls: Publish an information security policy; Have a confidentiality agreement signed; Hire only qualified personnel; Identify risks coming from third parties; Segregation of duties
Detective controls: Monitor and review third-party services; Monitor the resources used by systems; Alarm triggering, e.g. when sensing fire; Review of user access rights; Analysis of audit logs
Corrective controls: Technical and legal investigation (forensics) following a security incident; Enabling the business continuity plan after the occurrence of a disaster; Implementation of patches following the identification of technical vulnerabilities
Security Controls: Operational mode
Operational modes: Automated, Manual, Mixed
Automated controls: More expensive to implement; Less expensive to operate; Usually generate fewer errors
Manual controls: Less expensive to implement; More expensive to operate; Usually generate more errors
Strategic, General and Application Oriented Controls
Strategic controls (Clauses 4 to 8): ISMS policy; Risk management; Monitoring and ISMS review; Management review; Continual improvement
General controls (Annex A): Control of systems development; Physical security; Access control; Asset management; Incident management
Application controls (specific controls related to applications, not covered in ISO 27001): Input data validation; Control of internal processing; Output data validation. Example applications: finance application, intranet, CRM, database
Control Environment: Layered approach
1. Conformity management
2. Internal controls
3. Internal audits
4. External audits
5. Professional associations
6. Legal framework
The strength of a control environment is ensured by the separation of tasks between the different actors and the multiple layers of successive control
Relationships between Information Security Concepts: Overview
Assets have vulnerabilities
Threats exploit vulnerabilities
Vulnerabilities increase risks
Threats increase risks
Risks can harm assets
Controls can reduce vulnerabilities
Controls are implemented to reduce risks
Assets can have controls