
Welcome to the course

Information Security Management System (ISMS) Auditor / Lead Auditor Training Course

About us

Certification No. ________

Global Partner for Business Success


Presented by:
QMS Auditor/Lead Auditor Training Course Issue 2.2
ISMS Auditor/Lead Auditor Training Course Issue 1.1

Introductions
Note: This page is in Section 1 of your manual along with space to write your notes

• Please interview your neighbour for 5 minutes (Please sit next to someone
you don't already know)
• Find out
– Who they are
– Where they are from
– What they hope to get out of the Course
– Summary of existing knowledge on ISO 27001
– How many Audits they've done
– Anything else of interest - Sports, Hobbies, Family, (claim to fame), etc.
• Be ready to briefly introduce your new friend to the rest of the class.
Note:
1. Please put your phone to silent mode while class is in progress
2. Do fill out the name you wish to be called in the name card provided
using marker pen.

Course Objectives

By the end of the course, delegates should have the knowledge to:

• Describe the purpose and benefits of an ISMS
• Describe the purpose of ISMS standards
• Describe the purpose of audit and certification
• Explain the roles/responsibilities of auditors and lead auditors

… and the skills to:
• plan, conduct, report and follow up an ISO/IEC 27001 (with ISO/IEC 27002) audit effectively in accordance with:
– ISO 19011
– ISO 17021

Structure of the Course


• 5 days duration (see timetable)
• Style is Theory – Exercise – Do it for real
• At least 70% is ‘practical’
• Expected prior knowledge is a prerequisite
• Highlight is the Live Audit
• Course follows the lifecycle of an audit
• Uses ‘accelerated learning’:
– Students experience something
– Students reflect on what they did
– Students address weak areas
• Evaluation sheets for your comments can be found at the back of the Manual.
• There is a ‘right of appeal’ by delegates


Criteria for ‘SUCCESSFUL COMPLETION OF COURSE’

To pass the course you MUST:

• Complete / attend all of the course
• Pass the Continuous Assessment (achievement of learning objectives)
• Pass the closed-book exam on day 5 (guidance and a specimen exam will be discussed on day 3)

(Diagram label: Neville Clarke – Successful Completion of Course)

Otherwise, you will receive a Certificate of Attendance.

Take note:
1. Delegates must attend the entire course duration to qualify for a certificate.
2. Exam covers expected prior knowledge and this course content.
3. Retake of exam is allowed once within 12 months from the date of last exam.
4. Delegates to try out specimen exam paper.

Learning Cycle

Listen, reflect and question

Participate in activities

Discussion, model answer

Address weak areas


2 OVERVIEW OF INFORMATION SECURITY AUDITS AND AUDITING

Learning Objectives:
• To obtain an overview of the audit lifecycle
• To understand parties involved in audit
• To understand the principles of auditing
• To understand the differences between 1st, 2nd and
3rd Party Audits
• To understand the characters of an auditor


What is an Audit?

‘Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled’

Definition from ISO 27000:2014 or ISO 19011:2011


Parties in an audit (definitions from ISO 19011:2011)

Audit Client: Organization or person requesting an audit (3.6)

Auditor: Person who conducts an audit (3.8)

Technical expert: Person who provides specific knowledge or expertise to the audit team (3.9)

Audit team: One or more auditors conducting an audit, supported if needed by technical experts (3.10)


Parties in an audit (definitions from ISO 19011:2011), continued

Auditee: Organization being audited (3.7)

Guide: Person appointed by the auditee to assist the audit team (3.12)

Observer: Person who accompanies the audit team but does not audit (3.11)


Principles of Auditing

a) Integrity
- Foundation of professionalism
b) Fair presentation
- Obligation to report truthfully and accurately
c) Due professional care
- Application of diligence and judgement in auditing
d) Confidentiality
- Security of information
e) Independence
- Basis for impartiality of audit and objectivity of the audit conclusions
f) Evidence-based approach
- Rational method for reaching reliable and reproducible audit conclusions
Reference ISO 19011:2011, Clause 4

Audit Types and Reasons for Auditing

1st Party: your own organisation
2nd Party: subcontractor or supplier
3rd Party: certification body

Let’s discuss: what is the purpose of audits?

An audit starts with receiving the audit brief from audit management.
You will now be given the audit brief of your assigned audit on Day 4.

What do you know about Auditing?

• What are the key processes involved in a typical audit life cycle? (Exercise 1)
• What are the differences between 1st, 2nd and 3rd party audits? (Exercise 2)
• What could be the ideal characteristics of an auditor? (Exercise 3)
• What knowledge and skills are required of an ISMS auditor? Include the generic knowledge and skills of auditors, the specific knowledge and skills of an ISMS auditor, and the generic knowledge and skills of an Audit Team Leader. (Exercise 4)

3 OVERVIEW OF ISO 27000 SERIES

Learning Objectives:
• To be able to explain the purpose of ISO 27000
series, ISO 19011 and ISO 17021
• To be able to explain terminology used in ISO
27000


Standards within the ISO 27000 Series


(Diagram: TC 176; standards reviewed every 5 years. Who uses the standards? Why the need?)

ISO 27000 Series
Vocabulary standard: ISO 27000
Requirement standards: ISO 27001, ISO 27006
Guidance standards: ISO 27002, ISO 27003, ISO 27004, ISO 27007, ISO TR 27008, ISO 27013, ISO 27014
Sector specific: ISO 27010, ISO 27011, ISO TR 27015, ISO TS 27017

Auditing guide: ISO 19011 Guidelines for Auditing Management Systems

ISO Committee on Conformity Assessment (CASCO): ISO 17021 Conformity Assessment: Requirements for Bodies Providing Audit and Certification of Management Systems

Quick Summary of the ISO 27000 Series


Quick Summary of the Auditing Standard

ISO 19011
• Generic auditing guideline
• For all types of audits: 1st, 2nd, 3rd
• Not used as audit criteria

ISO 17021
• Requirements for Certification Bodies
• For certification audit only
• Audit criteria for Accreditation Body to check Certification Body
• Includes 2-stage audit approach

NOTE: Lead Auditor is known as Audit Team Leader in ISO 19011


Audit Method (ISO 19011 Annex B)

Extent of auditor-auditee involvement versus location of auditor (on-site or remote/off-site):

Human interaction, on-site:
• Interview
• Completing checklist with auditee participation
• Document review with auditee
• Sampling

Human interaction, remote (off-site), via interactive communication means:
• Interview
• Completing checklist
• Document review

No human interaction, on-site:
• Document review & data analysis
• Observation
• Completing checklist
• Sampling (e.g. products)

No human interaction, remote (off-site):
• Document review
• Observation through surveillance means
• Analyzing data

NOTE: Audit can be performed using a range of audit methods.


Certification

• Third Party (Certification Body) checks that an organisation has implemented an effective Information Security Management System that meets the ISO 27001 requirements (“Certificated to ISO 27001”)

• Enables customers to have confidence in the organisation without the need for any checking

Let’s discuss:
What is the benefit of certification?


Accreditation

The Certification Hierarchy / Process

Accreditation Body, e.g. UKAS
  | Accreditation
  v
Certification Body, e.g. BSI, DNV or BVQI
  | Certification
  v
ISO 27001 Company, e.g. Bloggs and Co.


Stage 1 Audit (for Certification Process)


• Document review to determine conformity with ISO 27001
• Collect necessary information to finalize the scope,
processes and location(s), related statutory, regulatory
aspects and compliance
• Plan and allocate resources for stage 2 audit
• Evaluation of the organisation’s planned internal audits
and management review
• Determine organisation’s preparedness for stage 2 audit
• Although the conduct of stage 1 audit follows the complete
audit life cycle, it is also part of the preparation for stage 2.


Stage 2 Audit (for Certification Process)

• To evaluate implementation and effectiveness of the system
• Collect evidence of conformity
• Check performance against objectives and legal
requirements
• Check operational control of processes
• Check internal audit and management review
• Check management responsibility towards its policy


Understanding Terminology ISO 27000:2013

Audit (2.5)

Audit Scope (3.14): Extent and boundaries of an audit (physical locations, organizational units, activities, processes, time period)

Audit Criteria (3.2): Set of policies, procedures or requirements (reference against which audit evidence is compared)

(Audit Scope and Audit Criteria clause numbers from ISO 19011:2011)

What do you know about the terms used in the standard? – Exercise 5


4 Fundamentals of ISO 27000 (PDCA and ISMS)

Learning Objectives:
• To be able to explain the PDCA concept as implemented in ISO 27001
• To be able to explain the steps to establish an Information Security Management System


What is ISO 27001

An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives.

An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.


Concepts embraced in ISO 27001

Process Model: PLAN → DO → CHECK → ACT

Process Approach

• Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.

(Figure: example of a process approach system)


Plan-Do-Check-Act Framework

Basic continual improvement framework in management system

PLAN (P): Establish objectives and processes
DO (D): Implement the processes
CHECK (C): Monitor and measure
ACT (A): Actions for continual improvement

Can you identify clauses in ISO 27001 which relate to each element of the cycle?


PDCA Application in a Process

Plan the process (extent of planning depends on RISK)
Do – carry out the process: INPUTS → OUTPUTS, with interaction with other processes on both the input and output side
Check – monitor/measure process performance
Act – incorporate improvements as necessary


Importance of ISMS?

Let’s discuss:
What are the business benefits of an ISMS to:
- Owners & Shareholders
- Customers
- Suppliers & business partners
- Society/community
- Employees?


Let’s try to describe:

• PDCA model applied to the ISMS process – Exercise 6
• What are the key steps in ISMS development? – Exercise 7


5 AUDITING THE ISO 27001

Learning Objectives:

• Understand the application of ISO 27001 in organizations
• Know what audit evidence can be accepted


Requirements of ISO 27001:2013

1 Scope
2 Normative references
3 Terms and definitions
4 Context of the Organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information Security Management System
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information Security Risk Assessment
6.1.3 Information Security Risk Treatment
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented Information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented Information
8 Operation
8.1 Operational Planning and Control
8.2 Information Security Risk Assessment
8.3 Information Security Risk Treatment
9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal Audit
9.3 Management Review
10 Improvement
10.1 Nonconformity and Corrective Action
10.2 Continual Improvement


4.1 Understanding the organization and its context

Intention:
• Determine external issues that affect InfoSec (effect on the ISMS)
• Determine internal issues that affect InfoSec (effect on the ISMS)

Example(s) of conformity to requirements:
• External issues of the organisation
• Internal issues of the organisation


4.2 Understanding the needs and expectations of interested parties

Intention:
• Determine interested parties that are relevant to the ISMS
• Determine the requirements of these interested parties (requirements include legal, regulatory and contractual obligations)

Example(s) of conformity to requirements:
• List of interested parties relevant to the ISMS
• Requirements of interested parties


Exercise

Let’s try some other clauses of ISO 27001 – Exercise 8


6 Context of the Organisation

Learning Objectives:
• To understand the external and internal context of the organization
• To understand the needs and expectations of interested parties
• To determine the scope of the InfoSec Management System


Context of the organization

• More strategic, high-level, conceptual understanding of the factors impacting (positively/negatively) the planning of the ISMS
• The context is limited to the scope of ISO 27001:
– Where an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements
– Aims to enhance customer satisfaction


Understanding the organization and its context


ORGANIZATION

External issues (international/national/regional/local): Legal, Technology, Competition, Market, Culture, Society, Economic environments

Internal issues: Values, Culture, Knowledge, Performance, Business environment

Cycle: Determine → Monitor (see 9.1) → Review (see 9.3)

Intended outcomes of the ISMS: Conformity of product/service, Enhanced customer satisfaction


Understanding the needs and expectations of interested parties

Interested parties: Customers, Owners, Suppliers & Partners, Unions, Regulators, Society (competitors/pressure groups), Bankers, Employees

Determine relevant parties; determine relevant requirements

Cycle: Determine → Monitor (see 9.1) → Review (see 9.3)

InfoSec Management System

Determine and document scope (products/services covered) and justification for non-application (previously exclusion)

Scope of ISMS – consider:
• External & internal issues
• Requirements of relevant interested parties
• Products and services

Establish, implement, maintain and continually improve the ISMS (Process 1, Process 2 ... Process x) in conformity with ISO 27001


Exercise

Understanding the context of an organization – Exercise 9


7 Planning – Risk Assessment and Risk Treatment


InfoSec Risk Treatment


8 AUDIT PREPARATION

Learning Objectives:
• Identify what preparations are required prior to audit
• Establish audit resource requirement
• How to write audit scope

Preparation steps (sidebar): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8) → Document Review (Sec 9) → Create Audit Plan (Sec 10) → Create checklist (Sec 12)


Audit Programme

• Done by the person managing the audit programme
• For 1st party & 2nd party, based on risk
– Status and importance
• For 3rd party, includes
– two-stage initial audit
– surveillance audits in 1st and 2nd year, and
– a recertification audit in 3rd year

(Diagram: Audit Programme – Audit 1, Audit 2)


Audit Objectives
• Purpose determined by audit manager

• Depending on type of audit:
– 1st, 2nd or 3rd party
– Stage 1, stage 2 or surveillance

• Can include:
– To assess whether ISMS designed to meet the requirements of
standard (stage 1)
– To verify whether ISMS is effectively implemented as per
standard and organization’s requirements (stage 2)
– To determine whether the ISMS continues to meet requirements
(surveillance)
– To assess the supplier’s ISMS for the purpose of approval (2nd
party)


Audit Scope

The Audit Scope is the organisation’s ‘shop window’ that is used by both auditor and auditee as the definition of what is covered by the audit.

• Extent and boundaries of the audit, such as
– physical locations
– organisational units, activities and processes to be audited,
– time period covered


Establish Team Size and Duration

Team size and duration depend on:

• Size, complexity of Company (Scope of audit)
• Published guidelines for number of workdays
• Time available
• Purpose of the Audit



Resource requirements

• Selection of audit team:
– auditor, technical expert, interpreter
• Logistics:
– time, date, travel arrangements, etc.

Let’s try to understand the key aspects of preparing for an ISO 27001 certification audit – Exercise 12


9 DOCUMENTED INFOSEC SYSTEM and DOCUMENTATION REVIEW

Learning Objectives:
• Understand ISMS documentation
• How to perform document review
• Write an audit scope

Preparation steps (sidebar): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8) → Document Review (Sec 9) → Create Audit Plan (Sec 10) → Create checklist (Sec 12)


Documented InfoSec Management System

• Documents should reflect what the Company does currently, not what the Auditors want to see, bearing in mind
– Level of documentation relates to skill/training
– Can use flow charts / diagrams / information system
• Documentation is there to ensure effective
– Planning
– Operation
– Control of processes


Example of Documentation Structure

Level 1: InfoSec MANUAL (Policy / Process Map)
Level 2: OPERATING PROCEDURES – WHAT is done, WHO does it, and WHEN
Level 3: SUPPORT DOCUMENTATION, e.g. Work Instructions, Checklists, Drawings – "HOW it is done"

NB: A 4th Level would be ‘InfoSec Records’

Other forms of InfoSec Management System documentation structure may exist.


Document versus Record


DOCUMENT (4.2.3)
• Contains information about what needs to be done
• Examples could be drawing, procedure, standard, forms, checklist…
• Input information

RECORD (4.2.4)
• Stating results achieved
• Evidence of activities performed or done
• Examples might show evidence of traceability, verification or corrective action
• Output information

Either can be in any medium, e.g. paper, magnetic, electronic, optical disc or master sample.


Why Conduct Document Review?

• A requirement in Stage 1 audit
• To review and confirm the documentation’s conformance to the standard
• Ensure system adequacy and suitability → the 4 “C”s: Complete, Current, Correct, Consistent
• To help the Stage-1 Audit by identifying:
– the business process
– that InfoSec risk assessment and risk treatment are established, and their monitoring and review
– that legislation is in place
– interfaces and trails
– measurement and control systems
• Organization’s readiness for stage-2 audit
• Provide information for audit plan and checklist


How To Do A Document Review


• Do on-site during stage 1 for 3rd Party Audit. What about for 2nd Party?
• Get the top level of the documented InfoSec Management System, e.g. Manual & procedures
• Get the InfoSec Risk register, legal register, and location map
• If possible get the ‘Process Flow Map’
• Check each documentation requirement of the Standard is met
• Report using appropriate format

(Figure: InfoSec Manual, with sections such as Policy and Roles & Responsibilities)


Stage-1 Audit

Key system elements to be checked include:


• whether a fully documented system exists which meets the
requirements of ISO 27001:2013 standard
• InfoSec risk assessment, risk treatment and determining
control procedure, including results
• legal requirements including site licences
• method of achieving continual improvement and regulatory
requirements
• training needs have been identified and key personnel have
been trained
• internal audits are established and effective
• whether at least one management review has been carried
out


Document review
Let us try:
• Identify the required ISMS documentation – Exercise 13A
• Perform an ISMS stage 1 audit – Exercise 13B
• Prepare a stage 1 audit report – Exercise 13C


10 AUDIT PLAN

Learning Objectives:
• Identify objectives and arrangements for an audit plan
• Prepare an on-site plan that is appropriate to the sequence and interaction of the organisation’s processes

Preparation steps (sidebar): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8) → Preparatory Document Review (Sec 9) → Create Audit Plan (Sec 10) → Create Checklist (Sec 12)


Audit Plan
• Sequence and timing of audit activities
• Details who looks at what and when
• Should ‘follow the process’, e.g. process map
• Allows Company to know what is planned (should be accepted beforehand by Company)
• Makes efficient use of time & resources
• Should be flexible to allow changes
• Should not restrict the Audit
• Requirement in ISO 19011 / ISO 17021
• Required for both Stage 1 and Stage 2 audits

(Questions to consider: Agenda? Resource arrangement? Who is involved?)

Inputs to Creating Audit Plan


• Stage 1 Audit
– information provided in the application form
– Preparatory document review (InfoSec Manual)

• Stage 2 Audit
– Scope of audit
– Requirements in Standards
– Sequence – ‘Business Process Map’ or Audit Trails
– Information obtained at Stage 1
– Team size and skills
– Floor Plan
– Time available

• Surveillance Audit
– Changes to system
– Follow-up on nonconformities
– Previous audit plan

Simple Manufacturing Organisation – Example ‘Business Process Map’

(Diagram; the process boxes are divided between Auditor 1 and Auditor 2.)

Process boxes shown: Customer Order, Marketing, Sales, Production Planning, Design, Supplier Assessment, Purchasing, Manufacturing, Inspection & Testing, Material Stores, Dispatch, After Sales Service, Customer Satisfaction, Management Responsibility, Document & Record Control, Infrastructure, Review & Improvement, Calibration, Human Resources, Training


Typical Audit Trail

• Management Audit Trail
• Sales Audit Trail
• Material Audit Trail
• Product/Service realization audit trail
• Corrective action audit trail
• Continual Improvement audit trail
• Product and Development audit trail

Example of material audit trail: Evaluation of Subcontractors → Raising Purchase Orders → Goods Inwards → Stores → Parts Kitting

(See Sample Audit Plan)


Typical Stage 1 Audit Visit Agenda


• Meet key players
• Explain process
• Answer questions
• Confirm scope/date/details/skills
• Tour of site
• Document Review
• Check effectiveness of the management system and results of
internal audits and management review conducted
• Check actions are consistent between the organization’s policy,
objectives and targets, and results
• Recommended to conduct stage 1 on-site or at least part of it be
done on-site.

Typical Stage 2 Audit Visit Agenda

• Opening meeting
• Conducting audit according to
trail
• Audit area covering the scope
and ISO 27001
• Review and feedback meeting
• Preparing audit findings
• Closing meeting
• Has to be done on-site


Audit Plan

Let us practice preparing the audit plan – Exercise 9

Sample Live Audit Plan

Global Partner for Business Success


QMSISMS
Auditor/Lead
Auditor/ LeadAuditor Training
Auditor Training Course
Course Issue 2.2
Issue 1.1

11 PROCESS BASED AUDITING

Learning Objectives:

• Approach to a process based audit

• Process approach to management systems


What is a Process?

• An activity that receives inputs and converts them to outputs
• An ISMS has a network of linked processes, so the output from one process becomes the input to another process
• Follows the PDCA cycle
• Has objective(s) to drive the process
• Each stage can be seen as a ‘Value Adding Transition’ to achieve conformity to product/service and/or organization’s requirements

Note: The key processes, with their lines of flow, make up what we call the Business Process Map

Process-Based Auditing Approach

Process model (figure):
HOW [METHOD]: Procedures; Work instructions; Guidelines
CRITERIA: objectives; specifications; environment / process performances
MEASUREMENT: regulatory and other requirements; reviews, verifications & audit
INPUT(S): Information; [MATERIALS]; WIP
PROCESS
OUTPUT(S): Information; WIP; Products
INFRASTRUCTURE: Maintenance of utilities and machines [MACHINE]; Work environment [ENVIRONMENT]
HUMAN RESOURCE [MAN]: Roles, Responsibilities & Authorities; Competencies, training needs; Internal communications

• Determine what the process is trying to achieve
• Determine how the process is being controlled
• Look at relevant ISO requirements (e.g. system procedures like doc. control) according to priority

Overview on Process Approach and How It Applies To Auditing

Auditors need to:
• Look at the Management System as a whole [overall process]
o Inputs [customer requirements]
o Outputs [performance measurements of both intended (i.e. product/service required by customer) and unintended (i.e. InfoSec risk)]
o Links between processes
• Look at business needs, InfoSec policy and objectives
• Look at how it is meeting the InfoSec Management System and organization requirements
• Look at continual improvement.

Policies, Objectives and Processes

Auditors need to look at how the organization is implementing its InfoSec Policy and Objectives.

Flow (figure): Legal Requirements and InfoSec hazard & risk → Policies → Objectives → InfoSec Programs → Process, with Monitor & Measures feeding back.

Policies: high-level strategy of what the organization is typically trying to achieve, e.g. the InfoSec Policy.

Objectives: set to achieve the policies, accompanied by measurable indicators that show how the policy is being met.

Process: activity within the organization that turns an input into an output to achieve the objectives set.

12 AUDIT CHECKLIST

Learning Objectives:
• Use, benefits and potential limitation of a checklist
• Preparation of checklist for process approach audit

Preparation phase (figure): Receiving Audit Brief (Sec 8) → Identify Scope (Sec 8) → Identify Resources (Sec 8) → Preparatory Document Review (Sec 9) → Create Audit Plan (Sec 10) → Create Checklist (Sec 12)

Checklists

• Reminder of key check items (memory jogger)
• Ensure coverage
• Should follow ‘process’ – structured way (5W + 2H: What? Where? When? Why? Who? How? How many?)
• Should not take over Audit (guide only)
• Useful for new Auditors
• Can evolve over time
• Aid time management
• Avoid tick sheet
• Format – list, flow chart, mind map etc.

What is the Need?

• Ensure depth and continuity of Audit
• Cover all relevant aspects
• Give structure to Interview
• Help if stuck
• More professional

Sources for Checklist Items

• ISO 27001
• Company DISMS
• Ideas from others
• Knowledge of Industry
• Previous Checklists
Example mindmap
Example checklists


Auditor’s Tool Kit

• Clipboard
• Log Book
• ISO 27001 Standard
• Checklists
• Report Forms
• Audit Plan

Let us practice creating checklists – Exercise 15

13 OPENING MEETING

Learning Objectives:
• Understand the purpose of and typical content of the Opening Meeting

Conducting phase (figure): Opening Meeting (Sec 13) → Tour of Site (Sec 14) → Auditing (Sec 14) → Audit Team Meetings (Sec 14) → Auditee Feedback Meetings (Sec 14) → Generating Audit Findings & Conclusions (Sec 14)

Focus of Stage 1:
– Documentation Audit (Sec 6)
– QMS fundamental requirements
– Process-Based Auditing (Sec 9)
– Review audit scope
– Readiness for Stage 2 audit

Focus of Stage 2:
– Verification of CA for Stage 1
– Assess compliance to Standard requirements
– Assess effectiveness of Implementation

Opening Meeting

• Purpose: Introduction and confirm arrangements including plan
• Establishes authority from top management for the audit
• Shows openness
• Auditor can
– Explain process
– Set expectations
– Confirm plan
– Answer questions
– Get co-operation
• Opening Meeting for Stage 1 Audit is less formal than Stage 2 Audit

Let’s discuss:
Who needs to be present for stage 1 & 2?
What is the agenda?

Agenda
Mindmap

Role of the Guide

• Takes Auditor to where s/he wants to go
• Introduces Auditor to Auditee
• Acts as witness
• Others may include
– Overcomes problems
– Provides missing answers
– Ensures safety and security requirements are known

Handling of Difficult Situations

• Bear in mind that things may not always happen as planned
• Decisions and actions should be within the level of authority given to the auditor & terms of contract (3rd party)
• Mutually acceptable conclusions may require escalation to superior

Opening Meeting

Let’s practice
How to run opening & closing meetings – Exercise 16A
How to handle difficult situations – Exercise 16B

14 CONDUCTING THE AUDIT

Learning Objectives:
• Understand how the audit should be carried out

Conducting phase (figure, as in Section 13): Opening Meeting (Sec 13) → Tour of Site (Sec 14) → Auditing (Sec 14) → Audit Team Meetings (Sec 14) → Auditee Feedback Meetings (Sec 14) → Generating Audit Findings & Conclusions (Sec 14); Focus of Stage 1: Documentation Audit (Sec 6), QMS fundamental requirements, Process-Based Auditing (Sec 9), Review audit scope, Readiness for Stage 2 audit; Focus of Stage 2: Verification of CA for Stage 1, Assess compliance to Standard requirements, Assess effectiveness of Implementation

Role of Lead Auditor vs Auditor

Lead Auditor (Team Leader):
• Plan the audit & make effective use of resources
• Organise & direct audit team
• Represent the audit team in communicating with auditees
• Provide direction / guidance to trainee auditors
• Lead the team in reaching conclusions
• Prevent / resolve conflicts
• Sign off the audit report

Auditor:
• Collect evidence and evaluate conformity to requirements
• Record evidence of conformity/nonconformity
• Prepare individual audit report
• Inform LA of any difficulties

Key activities in conducting audit

• Opening Meeting (Section 13)
• Tour of Site (if applicable)
• Sampling, Collecting Evidence and Verify Conformity
• Team Review Meeting (Section 14)
• Client Feedback Meeting (Section 14)
• Generate audit findings and conclusion (Sec 15 & 16)
• Closing Meeting (Section 16)

Gathering Audit Evidence (figure): Interview; Sampling records; Observing process & activities

Summary of auditing techniques

Audit Triangle – are they in CONTROL?
– Observe (what they do)
– Question (what they do?)
– Check (compare documentation)

Questioning Technique
– Open questions
– Probing questions
– Close questions

Recording
– Suspected nonconformities
– Information to be provided later
– Items to be followed up
– Sample examined
– Improvement ideas

Sampling
– Judgement-based sampling: experience, confidence level
– Statistical sampling plan: use of suitable sampling plan

Examine for:
– Conformity to requirements
– Legal compliance
– Effectiveness
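The slide names a "statistical sampling plan" and a "confidence level" but gives no formula. The following is an added worked example, not course material: zero-acceptance attribute sampling, which answers the question an auditor faces at the "sampling records" step: how many records must be pulled, and if every one of them conforms, what does that say about the nonconformance rate in the whole register? The confidence levels, population sizes and the access-review scenario below are constructed assumptions.

```python
"""Sample-size helpers for record sampling during an audit.

Added example (not part of the course material). Implements zero-acceptance
attribute sampling: if a sample of n records contains no nonconformity, how
confident can the auditor be that the nonconformance rate is below a given
level? Population sizes and rates used here are constructed illustrations.
"""
import math


def sample_size(confidence: float, min_rate: float) -> int:
    """Records to sample so that, with probability >= `confidence`, at least
    one nonconforming record is seen when the true nonconformance rate is
    `min_rate` or higher. Assumes a large population (binomial model)."""
    if not 0 < confidence < 1 or not 0 < min_rate < 1:
        raise ValueError("confidence and min_rate must be in (0, 1)")
    # P(zero found in n draws) = (1 - p)^n ; require it to be <= 1 - confidence
    return math.ceil(math.log(1 - confidence) / math.log(1 - min_rate))


def max_rate(confidence: float, n: int) -> float:
    """Upper bound on the nonconformance rate, at the given confidence, when
    all n sampled records conformed (inverse of sample_size)."""
    if n <= 0:
        raise ValueError("n must be positive")
    return 1 - (1 - confidence) ** (1 / n)


def prob_zero_found(population: int, nonconforming: int, n: int) -> float:
    """Exact probability that n records drawn without replacement from a
    register holding `nonconforming` bad records are all conforming
    (hypergeometric). math.comb returns 0 when n exceeds the good records."""
    return math.comb(population - nonconforming, n) / math.comb(population, n)


def sample_size_finite(confidence: float, population: int, nonconforming: int) -> int:
    """Smallest n such that drawing n records without replacement finds at
    least one of `nonconforming` bad records with probability >= confidence.
    Use this when the register is small (a few hundred access requests),
    where the binomial model over-estimates the sample needed."""
    for n in range(1, population + 1):
        if prob_zero_found(population, nonconforming, n) <= 1 - confidence:
            return n
    return population


if __name__ == "__main__":
    # Constructed scenario: sampling an access-rights review register
    print(sample_size(0.95, 0.10))            # large register, 10 % rate of concern
    print(round(max_rate(0.95, 29), 4))       # what 29 clean records can claim
    print(sample_size_finite(0.95, 200, 20))  # 200 requests, 20 assumed bad
```

Judgement-based sampling still decides which records to pull (for instance leavers who held privileged roles); the calculation only sizes the sample and bounds what a clean sample can claim. For a small register the finite-population variant gives a smaller, exact figure; for a large one the binomial figure is a safe, slightly conservative choice.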

Auditors Should

• Avoid ‘nit-picking’
• Take good points into account
• Be punctual
• Perform all tasks
• Avoid argument
• Audit against specification
• Audit the system, not the individual
• Be sensitive to local customs
• Respect confidentiality at all stages
• Obey any rules / regulations of Auditee
• Facilitate the audit, e.g. put people at ease
• Be assertive – express your needs, stand up for your rights, be honest & work towards satisfying all parties

Audit Findings and Conclusion (definitions from ISO 19011:2011)

Audit Findings: results of the evaluation of the collected audit evidence against audit criteria (3.4)

Audit Conclusion: outcome of an audit after consideration of the audit objectives and all audit findings (3.5)

Audit findings are classified as:
• Conformity – fulfilment of a requirement (3.18); Compliance if the criteria are legal requirements
• Nonconformity – non-fulfilment of a requirement (3.19); Noncompliance if the criteria are legal requirements
• Observations / Opportunities for improvement

Agreeing Nonconformities

Can be two stages:
1) Agree with Guide as facts
2) Agree facts as nonconformities

Can be done:
• When they are found
• At the end of the Audit
• At regular Review Points, e.g. Client Feedback Meeting

Review Meetings

Team Review
• Monitor/Revise Audit Plan
• All areas covered
• All aspects of ISO clauses audited
• Exchange of information
• Discuss and resolve problems
• Reach consensus on findings and conclusions

Client Feedback Meetings
• Held if audit > 1 day
• Provide feedback to Company
– Progress
– Audit findings
– Problems (if any)

Conducting the Audit

Let’s practice
How to run effective auditing – Risk Assessment – Exercise 17A
How to run effective auditing – Management – Exercise 17B
Case study – Classification of Audit Findings – Exercise 17C

15 REPORTING AND GRADING FINDINGS

Learning Objectives:
• Typical content of an audit report
• How to write a nonconformity

Reporting & Follow up phase (figure): Prepare report (Sec 15) → Closing Meeting (Sec 16) → Follow up of Corrective Action (Sec 17) → Recommendation as Approved Supplier or Certification

Stage 1 Audit Output

Written audit report on
• Whether the information security management system has been designed to meet requirements of the standard
• Auditee’s plan to achieve the Information Security Policy & Objectives
• Any areas of concern

Stage 2 Audit Output


Written audit report on
• Evidence of implementation against requirements of the
standard
• Performance against planned objectives
• Compliance to product legal requirements
• Effectiveness of process control
• Management responsibility towards the policy
• Any nonconformities
• Opportunity for improvement
• Conclusions and recommendations

Nonconformities Must

• Be factual/objective
• Be clear and concise
• Give clause number of Quality Standard
• Be locatable by other Auditors
• Define the exact instance – Objective Evidence
• Not include individual names
• Be given a unique identifier
• Be categorised (e.g. minor/major) if third party audit
• Be acknowledged / signed by Company

NC structure (figure): Problem Statement + Evidence + Requirement

Nonconformity Statement

1. Problem Statement – failure in the system (e.g., …)
2. Evidence (e.g., …)
3. Requirement – reference to the audit criteria (e.g., …)

Categorise Nonconformities

MINOR
Either a failure to meet one requirement of a sub-clause of the reference standard, e.g. ISO 27001, or other reference document

OR

a single observed lapse in implementing one requirement of the Company InfoSec Management System Procedures.

Categorise Nonconformities

MAJOR
Absence, or total failure, of a process to meet the requirements of a complete sub-clause of the reference standard, e.g. ISO 27001, or other reference document or regulations, resulting in harm to humans

OR

A number of minor nonconformities against one sub-clause of ISO 27001 which, when acting together, reduce the effectiveness of a process to the extent that there is harm to humans can represent a major nonconformity, i.e. total system failure
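As an added example (not from the course), the "Nonconformities Must" rules, the three-part nonconformity statement and the minor/major categorisation above can be encoded so that an audit team's NC log is checked for completeness before the closing meeting, and minors clustering on one sub-clause are flagged for the lead auditor's judgement. The findings and the ISO/IEC 27001:2013 Annex A references are constructed samples, the clause-number format is an assumed house convention, and the escalation threshold is an assumed parameter since the slide gives no number.

```python
"""Nonconformity (NC) log checks and minor/major grading.

Added example, not course material. It encodes the course's rules: an NC
statement has a problem statement, objective evidence and a requirement
reference; it carries a unique identifier and a category; a minor is one
lapse against one requirement, and several minors against the same sub-clause
that together reduce a process's effectiveness can represent a major.
The findings below and the ISO/IEC 27001:2013 Annex A references are
constructed samples; ESCALATION_THRESHOLD is an assumed value.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Accepts "7.5.3", "A.9.2.5" or "ISO 27001 A.9.2.5" (assumed house convention)
CLAUSE_RE = re.compile(r"^(ISO 27001 )?(A\.)?\d+(\.\d+)*$")
ESCALATION_THRESHOLD = 3  # assumed: minors on one sub-clause before escalation review


@dataclass
class Nonconformity:
    ncr_id: str       # unique identifier
    problem: str      # 1. failure in the system
    evidence: str     # 2. objective evidence: what was seen, where, which sample
    requirement: str  # 3. reference to the audit criteria (clause number)
    category: str     # "minor" or "major"


def validate(nc: Nonconformity, seen_ids: set) -> list:
    """Problems with one NC statement per the 'Nonconformities Must' list;
    an empty list means the statement is complete enough to report."""
    issues = []
    if not nc.ncr_id or nc.ncr_id in seen_ids:
        issues.append("identifier missing or not unique")
    if not nc.problem.strip():
        issues.append("problem statement missing")
    if not nc.evidence.strip():
        issues.append("objective evidence missing")
    if not CLAUSE_RE.match(nc.requirement):
        issues.append("requirement must cite a clause number")
    if nc.category not in ("minor", "major"):
        issues.append("category must be minor or major")
    return issues


def check_log(ncs: list) -> dict:
    """Validate a whole NC log; returns {ncr_id: [issues]} for faulty entries only."""
    seen, faulty = set(), {}
    for nc in ncs:
        problems = validate(nc, seen)
        if problems:
            faulty[nc.ncr_id] = problems
        seen.add(nc.ncr_id)
    return faulty


def sub_clause(requirement: str) -> str:
    """'ISO 27001 A.9.2.5' -> 'A.9.2', '7.5.3' -> '7.5': drop the last
    numeric component to get the sub-clause the requirement belongs to."""
    ref = requirement.replace("ISO 27001 ", "")
    parts = ref.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else ref


def escalation_candidates(ncs: list, threshold: int = ESCALATION_THRESHOLD) -> dict:
    """Sub-clauses hit by `threshold` or more minors, with the NCR ids involved.
    This only flags candidates; whether they add up to a major remains the
    lead auditor's judgement on the process's effectiveness."""
    by_clause = defaultdict(list)
    for nc in ncs:
        if nc.category == "minor":
            by_clause[sub_clause(nc.requirement)].append(nc.ncr_id)
    return {c: ids for c, ids in by_clause.items() if len(ids) >= threshold}


def sample_findings() -> list:
    """Constructed findings from a fictitious access-control audit trail."""
    return [
        Nonconformity("NCR-01", "Access rights of leavers are not removed on exit",
                      "3 of 10 sampled leavers on the HR leavers list still had active directory accounts",
                      "ISO 27001 A.9.2.6", "minor"),
        Nonconformity("NCR-02", "Privileged access rights are not reviewed at the planned interval",
                      "No review record for the domain administrators group since the last quarterly due date",
                      "ISO 27001 A.9.2.5", "minor"),
        Nonconformity("NCR-03", "User access is provisioned without recorded approval",
                      "4 of 12 sampled access request tickets carry no approver entry",
                      "ISO 27001 A.9.2.2", "minor"),
        Nonconformity("NCR-04", "Information security objectives are not monitored",
                      "No measurement results exist for any of the 5 objectives in the objectives register",
                      "ISO 27001 6.2", "major"),
    ]


if __name__ == "__main__":
    log = sample_findings()
    print("faulty statements:", check_log(log))                # {}
    print("escalation candidates:", escalation_candidates(log))  # {'A.9.2': [...]}
```

Running the check before the client feedback meeting catches the statements that would be rejected on the "Nonconformities Must" criteria; the escalation list is the prompt for the team review to decide whether three minors on A.9.2 describe a single ineffective access-management process.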

Observations/Opportunities for Improvement

• Observations can report on
– Conformities
– Opportunities for improvement
• Opportunities for improvement are issues of concern moving towards a nonconformity
• Environmental / Health / Safety requirements
• If allowed, recommendations
• Auditee can consider preventive actions

The Audit Report

ISO 19011 says it may include:
• Identification of client and audited organization
• Audit objectives, scope and plan
• Audit criteria
• Date & place of audit
• Identification of auditees / guides
• Identification of audit team
• Audit findings and related evidence
• Audit conclusions
• A statement on the degree to which the audit criteria have been fulfilled
• Statement of confidentiality
• And others as appropriate, e.g. agreed follow-up plans, report distribution

Attachments: BLANK AUDIT REPORT; NCR REPORT; OTHER NCR

Giving Advice

If allowed, do so.
3rd Party Auditors must never suggest how to overcome a nonconformity, as:
• Confidentiality (from other Companies) would be broken
• May be a conflict of interest
• If wrong, could involve legal action

Let us practice our report writing skill by using a case study – Exercise 18

16 CLOSING MEETING

Learning Objectives:
• How to run an effective closing meeting

Reporting & Follow up phase (figure): Prepare report (Sec 15) → Closing Meeting (Sec 16) → Follow up of Corrective Action (Sec 17) → Recommendation as Approved Supplier or Certification

Purpose of the Closing Meeting

• To provide a balanced summary and conclusion
• To present nonconformities and observations
• To resolve errors / misunderstandings
• To provide recommendation
• Surveillance plan
• To agree the future, including follow-up action
• Stage 1 Audit closing meeting agenda is less formal than Stage 2 Audit

Let’s discuss: What is the agenda for the Closing Meeting and who will be attending?

Agenda
Mindmap

Let’s practice how to run closing meetings – Exercise 19
How to handle difficult situations – Exercise 20

17 FOLLOW-UP OF CORRECTIVE ACTION AND SURVEILLANCE

Learning Objectives:
• Understanding the audit follow-up activities, including evaluating the effectiveness of corrective action and how to conduct a surveillance audit

Reporting & Follow up phase (figure): Prepare report (Sec 15) → Closing Meeting (Sec 16) → Follow up of Corrective Action (Sec 17) → Recommendation as Approved Supplier or Certification → On-going Surveillance (Sec 17)

Corrective Action

• Auditee best placed to outline corrective action by carrying out investigation of root cause(s)
• Auditee may take correction prior to taking corrective action
• Must address root cause(s)
• Should prevent recurrence
• Should help to improve InfoSec System
• Must be completed in a timely manner

Checking Corrective Action

• Auditor will initially review the corrections, identified causes and corrective actions to determine if these are acceptable
• Realistic timing depending on impact
• Verification of the effectiveness of corrective action may be done through:
– Full Audit – complete breakdown of the ISMS
– Additional Limited Audit – major nonconformities on specific areas
– Submission of Documented Evidence – minor nonconformities; these will subsequently be closed during the next surveillance audit
• Objective evidence will always be required to clear a ‘nonconformity’

Let us identify effective corrective action – Exercise 21

InfoSec Surveillance

The continuing monitoring and verification of the status of procedures, methods, conditions, processes, products and services, and the analysis of records in relation to stated references to ensure that specified requirements for InfoSec are being met.

Surveillance Audit Can Incorporate

• On-site audit
• Not necessarily full system audit
• Announced or unannounced

3rd Party focus:
• Review previous nonconformities
• Internal audit & management review
• Complaints handling
• Effectiveness against objectives
• Continual improvement
• Continuing operational control
• Review of changes
• Use of certification mark

Frequency of Surveillance Depends On

• How critical the Supplier is (2nd Party)
• Financial and logistical constraints (2nd Party)
• InfoSec performance
• Findings of original Audit
• Rolling Re-Audit to pre-defined plan, e.g. (3rd Party) at least once a year
• Recertification of the system shall be done in the 3rd year; may involve stage 1 where there are major changes

Do you think surveillance is necessary? Why?

Problems during Audits

How do we handle “sabotage” tactics?

• Time Wasting by Auditee
• Provocation
• Special Case
• Pity
• Insincerity
• Amnesia
• Absentees
• Bribes
• Language Barrier
• The ‘Cook’s Tour’
• Fixed Sample
• Trial of Strength

We have completed the theory part of the course

18 IRCA


Summary of IRCA Code of Conduct

• To act in trustworthy and unbiased manner

• To disclose any conflict of interest

• Not to accept any inducement

• To maintain confidentiality

• Not to act in prejudicial way

• To co-operate with any enquiry

IRCA slides
