Information Security Management System (ISMS): Internal Auditor Training Course (BS ISO/IEC 27001:2013)

v1.0 October 2013

Copyright © 2013 BSI. All rights reserved. ISM03001ENGX

BSI Training Course Structure

[Chart: BSI course structure by role (Management Team-Board; Management Representative / Project Leaders; Internal Auditor and Project Team; All Employees) and track (Awareness; Implementation; Auditing; Improvement). Courses named include Management Briefings, BSI Conferences, Webinars, BSI Distance Learning Qualifications, BSI Lead Implementer, ISEB/IOSH/NEBOSH Qualifications, BSI Registered Auditor / Lead Auditor, Advanced auditing skills, Understanding Course, Lead Auditor Course, BSI Implementing Course, Internal Auditor Course, Awareness Briefing or E-Learning Module, and Lean Six-Sigma Champion, Black Belt, Green Belt, Practitioner and Yellow Belt courses.]

Benefits to you!

Welcome!

Activity 1

• Delegate Introductions

10 minutes
Course Aim

To provide guidance and practical experience in planning, executing, and reporting Information Security Management System audits.

Learning Objectives

KNOWLEDGE – to have understanding in the areas of:

• The principles of auditing to ISO/IEC 27001:2013
• Audit activities

SKILLS – have the skills to:

• Initiating the audit
• Preparing the audit activities
• Conducting audit activities
• Preparing and distributing the audit report
• Completing the audit
• Audit follow-up

Knowledge: Explain the role of an auditor to plan, conduct, report and follow up an ISMS audit in accordance with ISO 19011.

Skills: …an audit of an ISMS to establish conformity (or otherwise) with ISO 27001.

Course Structure

Materials

• Delegate workbook
• Loan copy of ISO/IEC 27001:2013

Course Format

• Individual assignments
• Group activities
• Classroom discussions

Information Security

• What’s an ISMS?

Information?

Information asset

• Knowledge or data that has value to the organisation

Storing and communicating information

What is information security?

ISO 27001 defines Information Security as the preservation of:

• Confidentiality
• Integrity
• Availability

Note: In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Need for internal audit

ISO/IEC 27001 Clause 9.2

ISO 27007

ISO 27007 provides guidance on:

• Managing an ISMS
• Managing IS audit programmes
• Conducting ISMS internal and external audits
• Competence of ISMS auditors

Activity 2

• Auditing terms and definitions

10 minutes
Management System Auditing

What is an audit?

• Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (Clause 3.1, BS EN ISO 19011)

Activity 3

• Definition of an audit

10 minutes
Plan, Execute, Report, Close-out/down
Independent and Documented?

• Independent?
  • Can you audit your own work?

• Documented?
  • What is a document or ‘documented information’?
  • What is a record?

Process?

PROCEDURE (specified way to safely carry out an activity or process – may be documented or not)

Input → PROCESS → Output
(PROCESS: set of interrelated or interacting activities that transform inputs into outputs)

Resources (to enable transformation to occur)

Monitoring and Measurement Opportunities (before, during, and after the process)

Activity 4

• Process

10 minutes
Audit Process

INPUTS → AUDIT ACTIVITY → OUTPUTS

• Inputs: Audit Criteria (Requirements); Audit Evidence (Objective)
• Audit activity: Evaluation
• Outputs: Audit Findings

Audit objectives

• Determine
• Evaluate
• Evaluate
• Identify

Activity 5

• Principles of Auditing

10 minutes
Activity 6

• Auditor Competence and attributes

15 minutes
Auditor Responsibilities

1. Arrive on time
2. Maintain confidentiality
3. Be objective and ethical
4. Support the audit team and team leader
5. Plan and prepare work documents
6. Inform auditee of the audit process
7. Document and support all findings
8. Keep auditee informed
9. Safeguard all documents
10. Prepare the audit report

The Audit Triangle

Objective Evidence:
• By Sight
• By Sound
• Documents and Records

Activity 7

• Audit Process

15 minutes
First, Second & Third-party Certification audits

• 1st Party: Internal
• 2nd Party: Customer on Supplier
• 3rd Party: Certification or Independent

Audit Process

• Similarities
  • 1st, 2nd and 3rd party certification audit

ISO 19011 – Figure 2: Typical Audit Activities

6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit

6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
6.3.2 Preparing the audit plan
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents

6.4 Conducting the audit activities
6.4.1 General
6.4.2 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Assigning roles and responsibilities of guides and observers
6.4.6 Collecting and verifying information
6.4.7 Generating audit findings
6.4.8 Preparing audit conclusions
6.4.9 Conducting the closing meeting

6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report

6.6 Completing the audit

6.7 Conducting audit follow-up (if specified in the audit plan)

NOTE: Subclause numbering refers to the relevant subclauses of this International Standard.

Activity 8

• Audit plan

20 minutes
Check Lists

• What is a check list?

Activity 9

• Check Lists

30 minutes
Effective Communication

Body Language: 55%

Tone of Voice: 38%

Words: 7%

Source: Oklahoma State University, http://www.oces.okstate.edu/washita/uploaded_files/4h_Learning_Styles.doc

Activity 10

• Opening meeting

15 minutes
The opening meeting

• Introductions – record attendees
• Set the tone of the audit
• Confirm the purpose and scope of the audit
• Review and confirm the audit plan
• Allocate guides for the audit team
• Communicate the audit method
• Establish any restrictions
• Seek clarifications
• Confirm:
  o Reporting methods
  o Audit is based on sampling methods
  o Confidentiality
  o Time of closing meeting
  o Logistics

Activity 11

• Conduct an Audit

60 minutes
Evening Work

- Read through course notes for today – quiz tomorrow
- Familiarize yourself with ISO 27001:2013
- Read case study notes

ISMS Internal Auditor (ISO 27001:2013)
Day 2

Activity 12

• Closed book quiz

30 minutes
Activity 13

• Work documents

30 minutes
Activity 14

• Conduct an Audit

60 minutes
Nonconformities

Nonconformity

“Non-fulfilment of a requirement”

• A non-fulfilment of a specified requirement in …
  • The security policy
  • The ISO 27001 information security management standard
  • The ISMS processes or procedures
  • Performance targets for processes or controls (effectiveness)
  • Legal or regulatory requirements

Nonconformity (Knowledge)

• Minor

• Major

Activity 15

• Nonconformities

40 minutes
Example nonconformity – good

• ISO 27001 Clause 4.1.3.d requires the exclusion of controls from Annex A to be justified.

• The organisation outsources software development to a 3rd party but in the SoA (document number ABC 99 version 1.5) the justification for the exclusion of Control A.14.2.7 “Outsourced Development” is missing.

Nonconformity (Good Report Example)

ISMS Audit Nonconformity report
Incident number: 1
Company under audit: Lake Dale Call Centre
Area under audit: Software Development
ISO 27001 Clause: CL 6.3.1.d

Requirement:
ISO27001:2013 Clause 6.3.1.d requires that the exclusion of controls be justified

Nonconformity finding:
The organisation outsources software development to a 3rd party but in the SoA (document number ABC 99 version 1.5) the justification for the exclusion of Control A.14.2.7 “Outsourced Development” is missing.

Closing meeting

Team Leader prepares and works to an agenda and controls the meeting

1. Attendees
2. Thanks
3. Objective/scope
4. Reporting system
5. Limitations
6. Confidentiality
7. Audit summary report
8. Agreement
9. Recommendation
10. Clarification
11. Depart

Audit Report

• Contents

Activity 16

• Audit report

60 minutes
Audit Report

AUDIT REPORT RELEASE

DATE:
REVIEW:
APPROVAL:

Activity 17

• Audit follow-up

10 minutes
Course Review and Final Questions

• Knowledge

• Skills

Contact Information

Address: BSI
Kitemark Court
Davy Avenue, Knowlhill
Milton Keynes, MK5 8PP
United Kingdom

Telephone: 0845 086 9000
Email: training@bsigroup.com
Links: www.bsigroup.co.uk/training