Information Security Management System
Internal Audit for ISO/IEC 27001:2005
Topics
What is Audit?
Auditor Attributes
Auditor Responsibilities
Planning Output
Conducting Audit
Why Checklist?
Questioning Techniques
Audit Evidence
Taking Notes
Effective Communication
Audit Report
Following Up
ISO 19011:2011
ISO/IEC 27007:2011
Its current title is Information technology -- Security techniques -- Guidelines for information security management systems auditing.
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing management systems; management systems are of course the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC 27007 provides guidance for those auditing ISMSs for purposes other than certified compliance with ISO/IEC 27001 (which is covered by ISO/IEC 27006), purposes such as:
ISO/IEC 27008:2011
The standard:
Further adds value and enhances the quality and benefit of the ISO27k standards by closing the gap between reviewing the ISMS in theory and, when needed, verifying evidence of implemented ISMS controls (e.g. in ISO27k user organizations, assessing the security elements of business processes, IT systems and IT operating environments).
What is Audit?
Definition:
Good planning.
Communication skills.
Time management.
Follow up.
Non-conformity: non-fulfilment of a requirement.
Corrective action: action to eliminate the cause of a detected non-conformity.
Preventive action: action to eliminate the cause of a potential non-conformity.
Audit Criteria:
Auditor:
Audit Plan: description of the activities and arrangements for an audit.
Auditee:
Auditor Attributes
Open minded.
Diplomatic.
Decisive.
Firm.
Fair.
Patient.
Cooperative.
Listen to others.
Document non-compliances.
Auditor Responsibilities
Auditee Responsibilities
Initiate
Research
Prepare plan
Communicate
Planning Output
Checklist.
Audit Plan.
Conducting Audit
Interviewing people:
Refer to checklist.
Ask open-ended questions (how, when, where, what, who).
Take notes.
Examine evidence.
Why Checklist?
Questioning Techniques
i. Open Questions
ii. Probing Questions
iii. Closed Questions
Audit Evidence
Record or document
Physical entity
Condition
Verbal statement
Taking Notes
Effective Communication
Rapport: voice, language, appearance/clothing, gesture, posture and expression.
Audit findings:
Observations:
Nonconformities:
Noteworthy efforts:
What is Non-Conformity?
Non-fulfilment of a requirement, where the requirement may come from:
Conditions of a contract
ISMS standard
ISMS control
Non-Conformity explained
a) the process does not comply with the requirements of the standard;
b) the process has not been put into practice in the way the procedure describes;
c) the practice (what is actually being done) is not effective, i.e. the required objective is not achieved.
Magnitude of Non-Conformity
Conformity: what exists is what should be.
Major Non-Conformity: what exists is significantly different from what should be.
Minor Non-Conformity: there are minor differences between what exists and what should be.
Requirement
Failure
Evidence
NC = R + F + E (a non-conformity is stated as Requirement + Failure + Evidence)
People:
Documents / Records: identification, issue, content, correctness and distribution; retention, preservation, legibility, accessibility.
Audit Report
Objectives
Audit scope
Date and place where the on-site audit activities were conducted
Conclusions
Following Up
ISO 19011:2011
GUIDELINES FOR AUDITING MANAGEMENT SYSTEMS
Understand how to develop harmonious working relationships amongst audit team members.
Understand how to help audit team members reach reliable audit conclusions.
Understand how to prepare and complete accurate, clear, and concise audit reports.
Any questions?