Introductions
Note: This page is in Section 1 of your manual along with space to write your notes
• Please interview your neighbour for 5 minutes (please sit next to someone you don't already know)
• Find out
– Who they are
– Where they are from
– What they hope to get out of the Course
– Summary of existing knowledge on ISO 27001
– How many Audits they've done
– Anything else of interest - Sports, Hobbies, Family, (claim to fame), etc.
• Be ready to briefly introduce your new friend to the rest of the class.
Note:
1. Please put your phone to silent mode while class is in progress
2. Write the name you wish to be called on the name card provided, using the marker pen.
Global Partner for Business Success
QMS Auditor/Lead Auditor Training Course Issue 2.2
ISMS Auditor/Lead Auditor Training Course Issue 1.1
… and skills:
• plan, conduct, report and follow up an ISO/IEC 27001 (with ISO/IEC 27002) audit effectively in accordance with:
– ISO 19011
– ISO 17021
Criteria for
‘SUCCESSFUL COMPLETION OF COURSE’
Otherwise, you will receive a Certificate of Attendance.
Take note:
1. Delegates must attend the entire course duration to qualify for a certificate.
2. Exam covers expected prior knowledge and this course content.
3. Retake of exam is allowed once within 12 months from the date of last exam.
4. Delegates should try out the specimen exam paper.
Learning Cycle (diagram): participate in activities
2 OVERVIEW OF INFORMATION SECURITY AUDITS AND AUDITING
Learning Objectives:
• To obtain an overview of the audit lifecycle
• To understand parties involved in audit
• To understand the principles of auditing
• To understand the differences between 1st, 2nd and 3rd Party Audits
• To understand the characteristics of an auditor
What is an Audit?
A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled (ISO 19011:2011, 3.1).
Parties in an audit (definitions from ISO 19011:2011)
• Auditor
• Technical expert
• Audit team: one or more auditors conducting an audit, supported if needed by technical experts (3.9)
• Auditee: organization being audited (3.7)
• Guide
• Observer
Principles of Auditing
a) Integrity
- Foundation of professionalism
b) Fair presentation
- Obligation to report truthfully and accurately
c) Due professional care
- Application of diligence and judgement in auditing
d) Confidentiality
- Security of information
e) Independence
- Basis for impartiality of audit and objectivity of the audit conclusions
f) Evidence-based approach
- Rational method for reaching reliable and reproducible audit conclusions
Reference ISO 19011:2011, Clause 4
Audit parties (diagram):
• 1st Party: your own organisation
• 2nd Party: subcontractor or supplier
• 3rd Party: certification body
Learning Objectives:
• To be able to explain the purpose of the ISO 27000 series, ISO 19011 and ISO 17021
• To be able to explain terminology used in ISO 27000
Sector Specific: ISO 27010, ISO 27011, ISO TR 27015, ISO TS 27017
Auditing Guide: ISO 19011 Guidelines for Auditing Management Systems
ISO Committee on Conformity Assessment (CASCO): ISO 17021 Conformity Assessment: Requirements for Bodies Providing Audit and Certification of Management Systems
Certification
Let's discuss:
What is the benefit of certification?
Certification chain (diagram): Accreditation → Certification → Audit of the ISO 27001 company (e.g. Bloggs and Co.) (2.5)
Learning Objectives:
• To be able to explain the PDCA concept as implemented in ISO 27001
• To be able to explain the steps to establish an Information Security Management System
An ISMS is
Process Model (diagram): Plan, Do, Check, Act
Process Approach
Example of a process approach system (diagram)
Plan-Do-Check-Act Framework (diagram):
P – Establish objectives and processes
D – Implement the processes
C – Monitor and measure
Process (diagram): INPUTS → process → OUTPUTS, with interaction with other processes
Do – Carry out the process
Check – Monitor/measure process performance
Importance of ISMS?
Let’s discuss:
What are the business benefits of an ISMS to:
- Owners & Shareholders
- Customers
- Suppliers & business partners
- Society/community
- Employees?
Learning Objectives:
Clause structure of ISO 27001:
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information Security Management System
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information Security Risk Assessment
6.1.3 Information Security Risk Treatment
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational Planning and Control
8.2 Information Security Risk Assessment
8.3 Information Security Risk Treatment
9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management Review
10 Improvement
10.1 Nonconformity and Corrective Action
10.2 Continual Improvement
Exercise 8
6 CONTEXT OF THE ORGANISATION
Learning Objectives:
Business environment and interested parties (diagram): Owners; Suppliers & Partners; Unions; Regulators; Society (competitors/pressure groups); Bankers; Employees
Determine relevant requirements → Monitor (see 9.1) → Review (see 9.3)
Scope of ISMS (diagram)
Establish → Implement → Maintain → Continually improve the ISMS, in conformity with ISO 27001
*Consider:
- External & internal issues
- Requirements of relevant interested parties
- Products and services
Process 1, Process 2, … Process x
Exercise
8 AUDIT PREPARATION
Audit process (diagram): Receiving Audit Brief (Sec 8) → Identify Resources (Sec 8) → Document Review (Sec 9)
Learning Objectives:
• Preparation required prior to audit
• Establish audit resource
Audit Programme
Audit Objectives
• Purpose determined by audit manager
• Can include:
– To assess whether the ISMS is designed to meet the requirements of the standard (stage 1)
– To verify whether the ISMS is effectively implemented as per the standard and the organization's requirements (stage 2)
– To determine whether the ISMS continues to meet requirements (surveillance)
– To assess the supplier's ISMS for the purpose of approval (2nd party)
Audit Scope
• Size, complexity of Company (scope of audit)
• Time available
Resource requirements
• Logistics: time, date, travel arrangements, etc.
Stage-1 Audit: Document review
Documentation:
• legislation is in place
• interfaces and trails consistent
Let us try:
Identify the required ISMS documentation - Exercise 13A
10 AUDIT PLAN
Audit process (diagram): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8)
Learning Objectives:
Identify objectives and arrangements for an audit plan
Audit Plan
• Sequence and timing of audit activities
• Details who looks at what and when
• Should 'follow the process', e.g. process map (Agenda?)
• Surveillance Audit
– Changes to system
– Follow-up on nonconformities
– Previous audit plan
Example business process map (diagram): Sales; Document & Record Control; Production Planning; Infrastructure; Design; Calibration; Material Stores; Dispatch; Human Resources; Training; After Sales Service; Customer Satisfaction
• Opening meeting
• Conducting audit according to trail
• Audit area covering the scope and ISO 27001
• Review and feedback meeting
• Preparing audit findings
• Closing meeting
• Has to be done on-site
Audit Plan
Learning Objectives: What is a Process?
Note: The key processes, with their lines of flow, make up what we call the Business Process Map
Process (diagram): INPUT(S) → PROCESS → OUTPUT(S)
Inputs: Information, [Materials], WIP
Outputs: Information, WIP, Products, InfoSec Programs
Process: activity within the Organization that turns an input into an output to achieve the objectives set.
12 AUDIT CHECKLIST
Audit process (diagram): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8)
Learning Objectives:
Use, benefits and potential of checklists
Checklists
• Help if stuck
• More professional
Sources for checklists:
• ISO 27001
• Company documented ISMS (DISMS)
• Ideas from others
• Knowledge of Industry
• Previous Checklists
Example mindmap
Example checklists
Auditor's kit:
• Clipboard
• Log Book
• ISO 27001 Standard
• Checklists
• Report Forms
• Audit Plan
13 OPENING MEETING
Audit process (diagram): Opening Meeting (Sec 13) → Conducting Auditing (Sec 14) → Audit Team Meetings (Sec 14) → Auditee Feedback
Learning Objectives:
Understand the purpose of and typical content of the Opening Meeting
Focus of Stage 1:
• Documentation Audit (Sec 6)
• QMS fundamental requirements
• Review audit scope
• Readiness for Stage 2 audit
Focus of Stage 2:
• Verification of CA (corrective action) for Stage 1
• Process-Based Auditing (Sec 9)
• Assess compliance to Standard requirements
• Assess effectiveness of Implementation
Opening Meeting
• Purpose: Introduction and confirm arrangements including plan
• Establishes authority from top management for the audit
• Shows openness
• Auditor can
– Explain process
– Set expectations
– Confirm plan
– Answer questions
– Get co-operation
• Opening Meeting for Stage 1 Audit is less formal than Stage 2 Audit
Let's discuss:
Who needs to be present for stage 1 & 2?
What is the agenda? (Agenda, Mindmap)
Opening Meeting
Let's practice:
How to run opening & closing meetings – Exercise 16A
How to handle difficult situations – Exercise 16B
Conducting Auditing (Sec 14)
Learning Objectives:
Understand how the audit should be carried out
Focus of Stage 1: Documentation Audit (Sec 6); QMS fundamental requirements; Review audit scope; Readiness for Stage 2 audit
Focus of Stage 2: Verification of CA for Stage 1; Process-Based Auditing (Sec 9); Assess compliance to Standard requirements; Assess effectiveness of Implementation
Gathering evidence (diagram):
• Question (What do they do?): open questions; probing questions; closed questions
• Observe (What they do)
• Check (compare with documentation)
Are they in CONTROL?
Record:
- Suspected nonconformities
- Information to be provided later
- Items to be followed up
- Sample examined
- Improvement ideas
Sampling
• Judgement-based sampling
- Experience
- Confidence level
• Statistical sampling plan
- Use of a suitable sampling plan
Examine for:
- Conformity to requirements
- Legal compliance
- Effectiveness
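The "confidence level" behind a statistical sampling plan is a number the auditor can actually compute. The following Python is an added example, not part of the course slides or of ISO 19011: it sizes a zero-acceptance attribute sample (how many items must be checked, with no findings, to be 95% confident the nonconformity rate is below 5%), draws a reproducible sample, and turns a field result (zero or more findings in n items) back into an upper bound on the rate so the audit conclusion states what the evidence supports. The population of access-review records, the thresholds (5%, 95%) and the function names are assumptions for illustration.

```python
"""Attribute (pass/fail) sampling for audit evidence.

Added example, not part of the course material. Assumes a zero-acceptance
attribute plan: the auditor fixes the nonconformity rate that would be
unacceptable (max_rate) and the confidence wanted that a clean sample has
not missed it. The population below is constructed for illustration.
"""
import math
import random
from typing import List, Sequence


def sample_size_zero_acceptance(max_rate: float, confidence: float) -> int:
    """Smallest n such that, if the true nonconformity rate is max_rate or
    higher, a sample of n with zero findings occurs with probability at most
    (1 - confidence). Solves (1 - max_rate)^n <= 1 - confidence.
    Binomial model: adequate when n is small relative to the population."""
    if not 0.0 < max_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("max_rate and confidence must both be in (0, 1)")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - max_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_bound_rate(n: int, findings: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population nonconformity rate
    after observing `findings` nonconformities in a sample of n: the largest
    p for which seeing <= findings is still plausible, i.e.
    binomial_cdf(findings, n, p) >= 1 - confidence (Clopper-Pearson upper
    limit), located by bisection on p."""
    if n <= 0 or not 0 <= findings <= n:
        raise ValueError("need n > 0 and 0 <= findings <= n")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be in (0, 1)")
    if findings == n:
        return 1.0  # every sampled item failed: no useful upper bound
    lo, hi = 0.0, 1.0
    for _ in range(100):  # far more iterations than float precision needs
        mid = (lo + hi) / 2.0
        if binomial_cdf(findings, n, mid) >= 1.0 - confidence:
            lo = mid  # a rate this high is still consistent with the sample
        else:
            hi = mid
    return hi


def draw_sample(population: Sequence[str], size: int, seed: int) -> List[str]:
    """Random sample without replacement. A fixed seed makes the selection
    reproducible, so another auditor can re-derive which items were pulled
    (record the seed alongside the sample in the audit notes)."""
    if size > len(population):
        raise ValueError("sample size exceeds population")
    return random.Random(seed).sample(list(population), size)


def plan_sample(population: Sequence[str], max_rate: float,
                confidence: float, seed: int) -> dict:
    """Planning step: size the sample, draw it, and keep the parameters."""
    n = min(sample_size_zero_acceptance(max_rate, confidence), len(population))
    return {
        "population_size": len(population),
        "max_rate": max_rate,
        "confidence": confidence,
        "sample_size": n,
        "seed": seed,
        "items": draw_sample(population, n, seed),
    }


# Constructed population: access-review records for 240 user accounts
# (hypothetical identifiers, not from any real system).
ACCESS_REVIEW_RECORDS = [f"ACC-{i:04d}" for i in range(1, 241)]

if __name__ == "__main__":
    plan = plan_sample(ACCESS_REVIEW_RECORDS, max_rate=0.05, confidence=0.95, seed=20240101)
    print(f"Check {plan['sample_size']} of {plan['population_size']} records, "
          f"starting with {plan['items'][:5]}")
    n = plan["sample_size"]
    print(f"0 findings in {n}: rate <= {upper_bound_rate(n, 0, 0.95):.3f} at 95% confidence")
    print(f"1 finding in {n}: rate <= {upper_bound_rate(n, 1, 0.95):.3f} at 95% confidence")
```

The sample size (59 at 5%/95%) is the usual starting point in zero-acceptance plans; the upper-bound function is the more useful half for writing the conclusion, because it shows how weak the evidence is when the sample is small or when one finding appears: one nonconformity in 59 items no longer supports "below 5%". The binomial model treats the population as effectively infinite, so for very small populations sample a larger fraction or check every item instead.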
Auditors Should
• Avoid ‘nit-picking’
• Take good points into account
• Be punctual
• Perform all tasks
• Avoid argument
• Audit against specification
• Audit system not individual
• Be sensitive to local customs
• Respect confidentiality at all stages
• Obey any rules / regulations of Auditee
• Facilitate the audit, e.g. put people at ease
• Be assertive – express your needs, stand up for your rights, be honest and work towards satisfying all parties.
Audit Findings and Conclusion (definitions from ISO 19011:2011)
Audit Findings: results of the evaluation of the collected audit evidence against audit criteria (3.4). Termed compliance or noncompliance if the criteria are legal requirements.
Audit Conclusion: outcome of an audit after consideration of the audit objectives and all audit findings (3.5)
Review Meetings
Can be held:
• When findings are found
• At the end of the Audit
• At regular Review Points, e.g. Client Feedback Meeting
15 REPORTING AND GRADING FINDINGS
Audit process (diagram): Closing Meeting (Sec 16)
Learning Objectives:
• Typical content of an audit report
Nonconformities Must
• Be factual/objective
• Be clear and concise
• Give the clause number of the reference standard (e.g. ISO 27001)
• Be locatable by other Auditors
• Define the exact instance – Objective Evidence
• Not include individual names
• Be given a unique identifier
• Be categorised (e.g. minor/major) if third party audit
• Be acknowledged / signed by Company
Nonconformity Statement (diagram): Problem Statement + Objective Evidence + Requirement = NC
Categorise Nonconformities
MINOR
Either a failure to meet one requirement of a sub-clause of the reference standard, e.g. ISO 27001, or other reference document
OR
MAJOR
Absence, or total failure, of a process to meet the requirements of a complete sub-clause of the reference standard, e.g. ISO 27001, or other reference document or regulations, resulting in harm to people
OR
A number of minor nonconformities against one sub-clause of ISO 27001 which, when acting together, reduce the effectiveness of a process to the extent that there is harm to people; this can represent a major nonconformity, i.e. total system failure
Observations/Opportunities for Improvement
• If allowed, recommendations
Giving Advice
• If allowed, do so
• 3rd Party Auditors must never suggest how to overcome a nonconformity as:
– Confidentiality (from other Companies) broken
– May be a conflict of interest
– If wrong, could involve legal action
16 CLOSING MEETING
Audit process (diagram): Closing Meeting → Follow up of Corrective Action (Sec 17) → On-going Surveillance (Sec 17)
Learning Objectives:
• Effective closing meeting
• Recommendation as Approved Supplier or Certification
• Effectiveness of corrective action and how to conduct a surveillance audit
Corrective Action
InfoSec Surveillance
18 IRCA
• To maintain confidentiality
IRCA slides