Material for Student ISO 27001 IA/LA (V112022A) en

Objectives

• ISO/IEC 27001 Standard scope, purpose, terms, key definitions, and how to use it.
• Scope and applicability definition requirements.

Who is CertiProf®?

CertiProf® is an examination institute founded in the United States in 2015 and located in Sunrise, Florida.

Our philosophy is based on creating knowledge in community; to that end, our collaborative network is
made up of:

• CLLs (CertiProf Lifelong Learners): certification candidates identified as Continuing Learners, having
proven their unwavering commitment to lifelong learning, which is vitally important in today's ever-
changing and expanding digitalized world, regardless of whether they pass or fail the exam.
• ATPs (Accredited Trainer Partners): universities, training centers and facilitators worldwide that make
up our partner network.
• Authors (co-creators): industry experts or practitioners who, with their knowledge, develop content
for the creation of new certifications that respond to the needs of the industry.
• Internal Staff: our distributed team with operations in India, Brazil, Colombia and the United
States is in charge of overcoming obstacles, finding solutions and delivering exceptional results.
ISO 27001 INTERNAL AUDITOR / LEAD AUDITOR I217001 IA/LA

Who should attend this certification workshop?

This learning process aims to motivate professionals from different organizational areas to explore
the application of the ISO/IEC 27001 standard, with training focused on its auditing component.

To this end, the certification takes the participant through a comprehensive understanding of the
standard: from its fundamentals, through the risk management model, requirements and technical
controls, finishing with the internal audits module.

Our Accreditations and Affiliations

Agile Alliance

CertiProf® is a Corporate Member of the Agile Alliance.

By joining the Agile Alliance corporate program, we continue empowering individuals by helping them
reach their potential through education. Every day, we provide more tools and resources allowing our
partners to train professionals that are looking to improve their professional development and skills.

https://www.agilealliance.org/organizations/certiprof/

IT Certification Council - ITCC

CertiProf® is an active Member of ITCC.

The fundamental purpose of the ITCC is to support the industry and its member companies by marketing
the value of certification, promoting exam security, encouraging innovation, and establishing and
sharing industry best practices.

Credly

CertiProf® is a Credly partner.

This alliance allows people and companies certified or accredited with CertiProf® to have a worldwide
distinction through a digital badge.

Credly is the largest repository of badges in the world, and leading technology companies such as IBM,
Microsoft, PMI, Scrum.org, Nokia and Stanford University, among others, issue their badges with Credly.

Badge

https://www.credly.com/org/certiprof/badge/certified-iso-27001-internal-auditor-i27001ia

https://www.credly.com/org/certiprof/badge/certified-iso-27001-lead-auditor-i27001la

Lifelong Learning

Earners with this badge have proven their unwavering commitment to lifelong learning, vitally
important in today's ever-changing and expanding digital world. It also identifies the qualities of an
open-minded, disciplined, and constantly evolving mind, capable of using and contributing its
knowledge to develop a more equal and better world.

Earning Criteria:
• Be a CertiProf® certification candidate
• Be a continuous and focused learner
• Identify with the concept of lifelong learning
• Truly believe and identify with the concept that knowledge and education can and should change
the world
• Want to boost your professional growth

Introduction

Agenda

• Phase 1. Fundamentals of an ISMS
• Phase 2. Design and implementation of an ISMS
• Phase 3. Information security risk management based on ISO 27005
• Phase 4. Internal audits with an emphasis on lead auditor competencies
• Phase 5. Evaluation

Phase 1. Fundamentals of an ISMS

ISO 27001 Standard Fundamentals

• Introduction to the Standard.
• Terms and definitions.
• Understanding the Standard numerals.
• Requirement identification.
• What are control objectives?
• Conclusions and support questions.

ISO 19011 Auditor Module

• Auditing key concepts.
• Auditing process.
• Auditing components.
• Auditor role general preparation.
• Conclusions and support questions.

*The agenda is a general suggestion; trainers may develop the material according to their experience.

AGENDA

1. Introduction and Background 14


Introduction 15
ISMS 15
History of the Standard 16
ISO/IEC 27001:2022 Structure 16
ISO 27000 Standard Family 17
2. Key Concepts 18
What is ISMS? 19
General Information and Principles 20
Information Security 20
The Management System 21
ISMS Success Critical Factors 22
Benefits of the ISMS Family Guidelines 22
3. Terms and Definitions 23
Phase 2. Design and Implementation of an ISMS 24
ISMS Design Phases 24
Implementation Stages of an ISMS 25
ISO/IEC 27001 Structure 25
PDCA Deming Cycle and ISMS 26

4. Organizational Context 27
4.1 Understanding the Organization and its Context 28
25-Minutes Workshop 29
4.2 Understanding the Stakeholders Needs and Expectations 30
4.3 Determination of the Information Security Management System Scope 31
4.4 Information Security Management System 33
25-Minutes Workshop 34
5. Leadership 35
5.1 Leadership and Commitment 36
5.2 Policy 37
5.3 Roles, Responsibilities and Authorities in the Organization 38
6. Planning 40
6.1 Actions to Treat Risks and Opportunities 41
Risk Treatment Plan 46
6.1 Actions to Treat Risks and Opportunities 46
ISO 31000 Standard Structure Risk Management - Guidelines 47

6.2 Information Security Objectives and Achievement Planning 47
6.3 Planning of Changes 48
7. Support 49
7.1 Resources 50
7.2 Competence 50
7.3 Awareness 50
7.4 Communication 51
7.5 Documented Information 51
8. Operation 54
8.1 Operational and Planning 55
8.2 Information Security Risk Assessment 55
8.3 Information Security Risk Treatment 58
Risk Assessment and Treatment 58
9. Performance Assessment 59
9.1 Monitoring, Measure, Analysis and Evaluation 60
9.2 Internal Audit 61
Audit 61
9.3 Management Review 62
10. Improvement 64
10.1 Continual Improvement 65
10.2 Non-Conformity and Corrective Actions 65

Annex A: Normative 66
Annex A: Controls 67
Annex A: Clauses, Objectives and Controls 67
5. Organizational Controls 67
6. People Controls 68
7. Physical Controls 69
8. Technological Controls 69
25-Minutes Workshop 71
Phase 3. Information Security Risk Management Based on ISO 27005 72
ISMS Risk Management 72
Why Perform Risk Management? 73
Risk Management Process Based on ISO-IEC 27005 73
Context Establishment 74
Identification of Assets 74
Classification of Assets 75
Threat 75

Threat Profile 76
Information Threats 76
Vulnerability 76
ISMS Risk Management: Workshop 78
Risk = Uncertainty? 79
Risk Management Cycle 80
ISMS Risk Management 80
ISO 19011:2018 85
ISO 19011:2018 Structure 85
ISO 19011:2018 Scope 86
Audit 86
Types of Audits 87
Audit Criteria 87
Audit Evidence 88
Audit Results 88
Audit Conclusions 89
Audit Clients 89
Auditee 89
Auditor 90
Auditing Team 90
Technical Expert 90

Observer 91
Guide 91
Audit Program 92
Audit Scope 92
Audit Plan 92
Conformity 93
Non-Conformity 93
Audit Evidence 93
Audit Methods 94
Clause 4: Audit Principles 94
Clause 5: Audit Program 96
Clause 6: Audit Activities 97
Clause 7: Auditor Competence and Evaluation 99
Methods to Evaluate Auditors 99
Clause 7: Personal Attributes 100
Clause 7: Generic Knowledge and Skills 101

Establishing Audit Program Objectives 103
Determining and Evaluating Audit Program Risks and Opportunities 103
Establishing the Audit Program 104
Competence of Individual(s) Managing Audit Programme 105
Establishing Extent of Audit Programme 105
Determining Audit Programme Resources 106
Implementing Audit Program 106
Individual Audit Objective, Scope and Criteria Definition 107
Selecting and Determining Audit Methods 108
Responsibility Assignment to the Audit Team Leader for an Individual Audit 108
Managing Audit Programme Results 109
Managing and Maintaining Audit Programme Records 109
Reviewing and Improving Audit Program 110
Establishing Contact with the Auditee 111
Determining Feasibility of Audit 111
Performing Review of Documented Information 112
Audit Planning 112
Workshop 1 114
Workshop 2 114
Assigning Work to Audit Team 114
Assigning Roles and Responsibilities of Guides and Observers 115
Preparing Documented Information for Audit 115


Checklist Possible Advantages 116
Checklist Use 116
Workshop 3 116
Conducting Opening Meeting 116
Audited Documentation Review 117
Communicating During an Audit 118
Methods to Collect Information 118
The Interview 119
Auditor Key Questions 119
Types of Questions 120
Conducting an Audit 120
Interview Conduction 120
Time Management 121
Management of Difficult Situations 121
Audit Results 121

Types of Findings 121
Most Common Non-Compliance 122
Non-Conformity Drafting Formula 122
Audit Conclusions 123
Audit Report 123
Closing Meeting 123
Preparing Audit Report 124
Distributing Audit Report 124
Completing Audit 125
Conducting Audit Follow-up 125
Workshop 4 126
Conclusions 127
Conclusions 128

1. Introduction and Background
Introduction

• ISO/IEC 27001:2022.
• History of the standard.
• Current status.
• Definitions.

ISO 27001:2022 is the most implemented and accepted international standard in terms of
information security, cybersecurity and privacy protection, because:

• It has been designed to "provide the requirements to establish, implement, maintain and continuously
improve an information security management system".
• It can be used by internal and external parties to assess the organization's ability to meet its own
information security requirements.
• It includes requirements for the assessment and treatment of information security risks.

• It generates competitiveness for the organization, since it establishes internationally recognized
best practices in information security, cybersecurity and privacy protection.
• It adapts to the needs of the organization, allowing certification of the processes defined in the
scope of the ISMS, with the possibility of expansion if necessary.
• The requirements set forth in this International Standard are generic and are intended to be
applicable to all organizations, regardless of type, size or nature.
• It builds legal compliance capacity.

ISMS

Definition 2.34 of ISO 27000, INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS):

It is part of the global management system, based on a risk approach to the business, to establish,
implement, operate, monitor, review, maintain and improve information security.

It includes organizational structure, policies, plans, responsibilities, procedures, processes, and resources.

History of the Standard

2022: International Standard ISO/IEC 27001:2022
ISO/IEC 27001:2022 Structure

The new structure reflects the structure of other recent management system standards, such as
ISO 9000, ISO 20000 and ISO 22301, which helps organizations comply with several standards at once.

Changes in the industry have also driven the need to refresh the content of this standard: the
emergence of the NIST Cybersecurity Framework (CSF), whose focus was to protect the critical
infrastructure that supports the essential services of the United States; the European Union
cybersecurity proposals reflected in various ENISA documents; and the updates to other best practices
such as ITIL and COBIT (during 2019) and PCI (during this year).

There are 93 controls in 4 groups or types of controls compared to 114 controls in 14 clauses in the
2013 version.

The full title is: Information Security, Cybersecurity and Privacy Protection - Information Security
Management Systems - Requirements.

• 11 new controls were added (threat intelligence, cloud information security, business continuity,
physical security and its monitoring, configuration, information disposal, data encryption, tracking
and monitoring, web filtering, secure encryption).
• 1 control was removed (asset disposal).
• 58 controls were updated.
• 24 controls were merged.
• 4 groups or types of controls: organizational (37 controls), people (8 controls), physical (14 controls),
technological (34 controls).

ISO 27000 Standard Family

The ISMS standard family includes standards that:

a) Define the requirements for an ISMS and for bodies that certify such systems.
b) Address conformity assessment for an ISMS.
c) Provide direct support, detailed guidance and/or interpretation for the overall process of
establishing, implementing, maintaining and improving an ISMS.
d) Address sector-specific guidelines for an ISMS.

2. Key Concepts

What is ISMS?

General Information and Principles

ISMS (Information Security Management System) is a set of policies, procedures, guidelines, resources
and associated activities collectively managed by an organization.

An ISMS is a systematic approach to establish, implement, operate, monitor, review, maintain and
improve the security of the information in an organization in order to accomplish the business
objectives.

This approach is based on risk assessment and on the risk acceptance levels of the organization,
devised to treat and manage risks effectively.

The analysis of the requirements for the protection of information assets, and the application of
adequate controls to guarantee the protection of those assets as required, contribute to the
successful implementation of an ISMS.

The following fundamental principles may also contribute to the successful implementation of an
ISMS:

a) Awareness of the need for information security.
b) Allocation of responsibility for information security.
c) Incorporation of management commitment and stakeholder interests.
d) Improvement of social values.
e) Risk assessment to determine adequate controls to reach acceptable risk levels.
f) Security incorporated as an essential element of information systems and networks.
g) Active prevention and detection of information security incidents.
h) Guaranteeing a comprehensive approach to information security management.
i) Continuous assessment of information security, making modifications when required.

Information Security

Information security includes three main dimensions: confidentiality, availability and integrity.
In order to guarantee sustained corporate success, its continuity and the minimization of impacts,
information security entails the application and management of adequate security measures, which
implies considering a wide range of threats.

Information security is achieved through the implementation of a set of applicable controls, selected
through the chosen risk management process and managed by an ISMS, along with policies, processes,
procedures, organizational structures, software and hardware, to protect the identified information
assets.

These controls need to be specified, implemented, monitored, reviewed and improved when required
to guarantee that security and business objectives, as well as specific security issues, are complied
with. These information security controls must be coherently integrated into the organization's
business processes.

The Management System

A management system uses a framework of resources to reach the objectives of an organization. The
management system includes the organizational structure, policies, activity planning, responsibilities,
practices, procedures, processes, and resources.

In terms of information security, a management system enables an organization to:

a) Meet client and stakeholder security requirements.
b) Improve organizational plans and activities.
c) Comply with the organizational information security objectives.
d) Comply with regulations, laws, and sector obligations.
e) Manage information assets in an organized way to enable continuous improvement and adaptation
to current organizational goals and to its environment.

21
ISMS Success Critical Factors
A large number of factors is fundamental for the successful implementation of an ISMS that enables
the organization to comply with its business objectives. Some success critical factor examples are:

a) The policy, objectives, and security activities are aligned with the objectives.
b) A focus and framework for information security design, performance, follow up, maintenance and
improvement aligned with the organizational culture.
c) Visible support and commitment at every Direction level, particularly the top direction.
d) The knowledge and understanding of information asset protection requirements provided by
information security risk management application (see ISO/IEC 27005 standard).
e) An effective information security awareness-raising, training and education program, reporting
to every employee and stakeholder information security duties set forth by information security
policies and guidelines and encourage them to act, accordingly.
f) An efficient information security incident management process.
g) An effective business continuity management focus.
h) A mediation system used to assess information security management performance and to provide
improvement suggestions.

An ISMS increases the likelihood that an organization reaches a success critical factors in a coherent
way to protect its information assets.
ISO 27001 INTERNAL AUDITOR / LEAD AUDITOR I217001 IA/LA

Benefits of the ISMS Family Guidelines

The benefits of implementing an ISMS will mainly produce a reduction in the risks associated with
information security by contributing to:

a) Assisting management in structuring its approach to information security management.
b) Corporate risk governance, education and training actions in information security management.
c) The promotion of globally accepted information security best practices.
d) Having a common language for information security.
e) Achieving competitiveness through certification to the ISO/IEC 27001 standard by an accredited
certification body.
f) Increased trust in the organization by interested parties.
g) Effective management of information security investments.

3. Terms and Definitions

(See Annex No. 1, ISO 27001 Glossary)
Phase 2. Design and Implementation of an ISMS

Identify the phases and activities of an ISMS implementation plan according to ISO 27003.

Activities:

1. Logically identify project phases for the implementation of an ISMS project according to
ISO/IEC 27003.
2. Identify, analyze, establish and implement information security requirements.
3. Develop the controls proposed in Annex A: control objectives and reference controls.
4. Elaborate the design of an ISMS.

NOTE: The auditor validates that these cycles have been fulfilled in order to generate confidence that
the necessary implementation activities have been carried out. There is an ISMS implementation guide
(ISO/IEC 27003). The design and implementation phases are presented below:

ISMS Design Phases

1. Obtain management approval to initiate an ISMS project.
   Output: written notification of management approval to initiate the ISMS project.
2. Define the scope of the ISMS, its boundaries and the ISMS policy.
   Outputs: scope and limits of the ISMS; ISMS policy.
3. Perform the information security requirements analysis.
   Outputs: information security management requirements; information assets.
4. Perform risk assessment and treatment planning.
   Outputs: results of the security assessment; risk treatment plan; SoA, including the control
   objectives and selected controls; written notification of management approval to implement the
   ISMS.
5. Design the ISMS.
   Output: ISMS final project implementation plan.
Implementation Stages of an ISMS

The stages of implementing an information security management system, as shown in the figure along
an "implementation time" axis:

• Knowledge of the ISMS
• Practice
• Requirements analysis: GAP analysis and action plan; policy; objectives
• Design: risk management; documents and controls
• Implementation
• Maintenance of the ISMS: measurement of controls; internal audits; corrective actions;
management review; improvement

ISO/IEC 27001 Structure

0. Introduction.
1. Scope.
2. Normative References.
3. Terms and Definitions.
4. Organizational Context.
5. Leadership.
6. Planning.
7. Support.
8. Operation.
9. Performance Assessment.
10. Improvement.
PDCA Deming Cycle and ISMS

4. Organizational Context
4.1 Understanding the Organization and its Context

The organization must determine the external and internal issues pertinent to its purpose that affect
its capacity to achieve the intended results of its information security management system.

NOTE: The determination of these issues refers to establishing the external and internal context of
the organization, considering Section 5.3 of the ISO 31000 standard.

• External Context: the external environment in which the organization tries to reach its objectives.
• Internal Context: the internal environment in which the organization tries to reach its objectives.

Examples of context issues, by perspective and type (internal or external):

ECONOMIC ISSUES
• Financial situation of the company (Internal)
• Profitability (Internal)
• Market share of competitors (External)
• Government incentives to reactivate the economy (External)
• COVID-19 pandemic affecting sales and revenues (External)

SOCIAL ISSUES
• Training plans (Internal)
• Work environment (Internal)
• Emotional salary (Internal)
• Customer productivity (External)
• Work at home with collaborative platforms (External)

TECHNOLOGICAL ISSUES
• Software licensing (Internal)
• Cyber attack (External)
• Testing (Internal)
• Customer service and support requirements (External)

LEGAL ISSUES
• Legislation and changes applicable to the company (Internal)
• Knowledge of legislation (Internal)
• Regulatory application to production and administrative processes (Internal)
• Service agreements with customers (Internal)

ENVIRONMENTAL ISSUES
• Location of information assets and their exposure (Internal)
• Natural disasters (fires, floods, earthquakes) (External)

25-Minutes Workshop

Determine the organizational context using a SWOT analysis matrix.
4.2 Understanding the Stakeholders Needs and Expectations

The organization must determine:

a) The stakeholders relevant to the information security management system.
b) The requirements of these stakeholders relevant to information security.

NOTE: The stakeholders' requirements may include legal and regulatory issues, as well as contractual
obligations.

A stakeholder is a person or organization that may affect, be affected by, or perceive itself to be
affected by a decision or activity.

Some examples of stakeholders:

Organizational Priorities for an ISMS

Inputs:
• Strategic objectives of the organization
• Overview of current management systems
• List of legal, regulatory and contractual requirements for information systems

Objectives for implementing the ISMS:
• Risk management: how the ISMS will generate better risk management
• Efficiency: in processes
• Competitive advantage: create competitive advantage

Information security priorities and requirements are based on the following factors:

• Critical areas of the organization and business
• Critical information
• Laws that require information security measures
• Contractual agreements related to information security
• Industry requirements specifying particular information security controls or measures
• Environmental threats
• Competitive drivers
• Business continuity requirements

Outputs:
• A summary of the objectives, information security priorities and organizational requirements for an ISMS.
• A list of regulatory, contractual and industry requirements related to the organization's ISMS.
• An outline of the characteristics of the business, the organization, assets and technology.

4.3 Determination of the Information Security Management System Scope

The organization must set up the limits and applicability of the information security management
system to determine its scope.

When this scope is determined, the organization must consider:

a) External and internal issues referred to in Section 4.1.
b) Requirements referred to in Section 4.2.
c) Interfaces and dependencies between activities performed by the organization and those performed
by other organizations.

The scope must be available as documented information.

A scoping document might consider the following:

• Characteristics of the organization
• Organizational processes
• Roles and responsibilities
• Information assets
• Geographical location
• Scope and limits from an organizational perspective
• Scope and limits from the technological perspective
Geographical location

Input:
• Preliminary scope
• Scope and limits of the organization
• Scope and limits from the technological perspective
• Remote offices
• Interfaces with clients and services
• Functions
• Special offices, if any (CCA, crisis rooms)
• Out-of-control locations

Output:
• Description of physical boundaries and exclusions
• Description of the organization and its geographic characteristics

Scope and limits from a technological perspective

Input:
• Preliminary scope
• Scope and limits of the organization
• Processes, physical locations, information systems
• Information assets and associated risks
• Infrastructure
• Software
• Hardware
• Technical limitations

Output:
• Information exchanged within the scope and boundaries
• Processes and responsibilities of the included information assets

Scope and limits from an organizational perspective

Input:
• Preliminary scope
• Organizational priorities
• Identify areas of overlapping responsibilities
• Socio-cultural environment
• Identify all personnel affected by the ISMS
• Legal aspects
• Roles and responsibilities

Output:
• Description of organizational boundaries for the ISMS and exclusions
• Functions and structures included in the scope
4.4 Information Security Management System

The organization must determine, implement, maintain and continuously improve an information
security management system in compliance with the requirements of this international standard.

25-Minutes Workshop

Define ISMS Scope

5. Leadership

5.1 Leadership and Commitment

Top management must demonstrate leadership and commitment to the information security
management system by:

a) Making sure information security policies and objectives are established and compatible with the
strategic direction of the organization.
b) Making sure the information security management system requirements are integrated into the
organization's processes.
c) Making sure the resources necessary for the information security management system are readily
available.
d) Communicating the importance of effective information security management and of conformity
with the information security management system requirements.
e) Making sure the information security management system achieves its intended results.
f) Directing and supporting people to contribute to the effectiveness of the information security
management system.
g) Promoting continuous improvement.
h) Supporting other relevant management roles to demonstrate leadership as it applies to their areas
of responsibility.

Top management commitment may be demonstrated by:

• Determining, authorizing and supporting compliance with an Information Security Policy.
• Authorizing and guaranteeing the resources required by the ISMS.
• Making sure the ISMS has defined roles, responsibilities and authorities.
• Communicating the importance of information security.
• Encouraging associates to contribute to the effectiveness of the ISMS.
• Strengthening accountability for information security management results.
• Setting up the right conditions for associates to participate in achieving the organization's
information security objectives.
5.2 Policy

Top management must establish an information security policy that:

a) Is suitable for the purpose of the organization.
b) Includes information security objectives (see 6.2) or provides a framework for setting the
information security objectives.
c) Includes a commitment to comply with the applicable information security requirements.
d) Includes a commitment to continuous improvement of the information security management system.

The information security policy must:

e) Be available as documented information.
f) Be communicated within the organization.
g) Be available to stakeholders, as appropriate.

Some internal communication methods for the Information Security Policy might be:

• Induction and training talks.
• E-mails.
• Personal delivery.
• Posting on bulletin boards (Information Security Policy Statement).
• Posting on the corporate intranet.

These methods may be used individually or together as part of a permanent Information Security
Awareness-Raising Program. It must be guaranteed that associates understand the Information
Security Policy; this can be measured through periodic evaluations, keeping records of the results and
using them to determine improvements.
5.3 Roles, Responsibilities and Authorities in the Organization
Top management must guarantee that responsibilities and authorities for information security relevant
ISO 27001 INTERNAL AUDITOR / LEAD AUDITOR I217001 IA/LA

roles are assigned and communicated in the organization.

Top management must assign the responsibility and authority to:

a) Guarantee that the information security management system complies with the requirements of this international standard.
b) Report to top management on the performance of the information security management system.

NOTE: Top management may also assign responsibilities and authorities to report on the performance of the information security management system within the organization.

In this phase, Information Security Roles, Responsibilities and Authorities must be clearly defined; therefore, the person responsible for information security must be appointed, and the required authorities may be determined through an appointed ISMS committee.

Best practices suggest that this ISMS committee may be made up of representatives from the relevant areas of the organization, such as Top Management, Management, Finance, Human Resources, Information Technology and Legal.

Likewise, the responsibilities of the Information Security Officer, the ISMS Committee (if required) and the Associates must be determined.

It is important to consider that the person responsible for Information Security should never report hierarchically to the IT area, since independence is needed to adequately comply with segregation of duties.


6. Planning
6.1 Actions to Treat Risks and Opportunities

6.1.1 General Considerations

When planning the information security management system, the organization must consider the issues referred to under Section 4.1 and the requirements included under Section 4.2, and determine the risks and opportunities that need to be treated in order to:

a) Guarantee that the information security management system can achieve its expected results.
b) Prevent or reduce undesirable effects.
c) Achieve continuous improvement.

The organization must plan:

d) Actions to treat these risks and opportunities.
e) The way to:
1. Integrate and implement these actions into the information security management system.
2. Evaluate the effectiveness of these actions.

6.1.2 Information Security Risk Appreciation

The organization must define and apply an information security risk appreciation process that:

a) Determines and maintains information security risk criteria, including:
1. Risk acceptance criteria.
2. Criteria to perform information security risk appreciations.
b) Guarantees that successive information security risk appreciations generate consistent, valid and comparable results.
c) Identifies information security risks by:
1. Performing the information security risk appreciation process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system.
2. Identifying risk owners.

Risk owner: Person or entity with the responsibility and authority to manage a risk.

Risk: Effect of uncertainty on objectives.

An effect is a deviation from what was expected; it may be positive, negative or both, and may address, create or cause opportunities or threats.

Positive: Potential gain / Negative: Harmful event.

Objectives may have different aspects and categories and may apply at different levels.

Risk is generally expressed in terms of risk sources, potential events, consequences and likelihood.

Risk level: Risk magnitude expressed in terms of a combination of consequences and likelihood.

Information security risks are associated with the loss of confidentiality, integrity and availability of information.

Threat: Potential cause of an undesirable incident that may cause harm to a system or to an organization.
Vulnerability: Asset or control weakness that may be exploited by one or more threats.
Control: Measure that modifies the risk.


d) Analyzes information security risks by:
1. Assessing the possible consequences that would arise if the risks identified under 6.1.2 c) 1) materialize.
2. Realistically assessing the likelihood of occurrence of the risks identified under 6.1.2 c) 1).
3. Determining risk levels.
e) Evaluates information security risks by:
1. Comparing the risk analysis results with the risk criteria set forth under 6.1.2 a).
2. Prioritizing the analyzed risks for risk treatment.

The organization must keep documented information about the information security risk appreciation process.
6.1.3 Information Security Risk Treatment

The organization must define and perform an information security risk treatment process to:

a) Select suitable information security risk treatment options, considering the results of the risk appreciation conducted.
b) Determine every control required to implement the chosen information security risk treatment option(s).

NOTE: Organizations may devise controls as required or identify them from any source.

c) Compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted.

NOTE 1: Annex A has a wide list of controls and control objectives. Users of this international standard are encouraged to analyze Annex A to make sure required controls are not skipped.

NOTE 2: Control objectives are implicitly included in the selected controls. The controls and control objectives listed under Annex A are not exhaustive; therefore, additional controls and control objectives may be required.

d) Draft a “Statement of Applicability” that contains:

• The required controls [see 6.1.3 b) and c)].
• A justification for their inclusion.
• An indication of whether the required controls are implemented or not.
• A justification for the exclusion of any control under Annex A.

e) Formulate an information security risk treatment plan.
f) Obtain the risk owners' approval of the information security risk treatment plan and their acceptance of the residual information security risks.

The organization must keep documented information about the information security risk treatment process.

NOTE: The information security risk appreciation and treatment processes in this international standard are aligned with the general principles and guidelines of ISO 31000.

Statement of Applicability (SoA)

Control | Control Name | Control Description | Applicable | Justification for applicability/exclusion
5.1 | Information security policies | The information security policy and specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | YES | Documented information required
7.10 | Storage media | Storage media shall be managed throughout their life cycle of acquisition, use, transport and disposal in accordance with the organization's classification scheme and handling requirements. | NO | No storage media are handled

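As an added illustration (not code from the course material), the following Python check reviews an SoA the way an auditor would apply 6.1.3 b), c) and d): every Annex A control must carry a justified inclusion or exclusion, included controls must state their implementation status, and a control determined as required during risk treatment cannot be excluded. The Annex A subset, the required-control set and the SoA rows are constructed sample data.

```python
"""Added example, not part of the course material: an auditor's consistency check
of a Statement of Applicability (SoA) against the steps in 6.1.3 b), c) and d).
The Annex A subset, the required-control set and the SoA rows are constructed
sample data; the real Annex A has 93 controls."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed subset of Annex A, keyed by control number (names as on the course list).
ANNEX_A: Dict[str, str] = {
    "5.1": "Policies for information security",
    "5.7": "Threat intelligence",
    "7.10": "Storage media",
    "8.7": "Malware protection",
    "8.28": "Secure coding",
}


@dataclass
class SoaRow:
    control: str                        # Annex A number, or an organization-defined id
    name: str
    applicable: bool                    # included (True) or excluded (False)
    justification: str                  # inclusion or exclusion justification
    implemented: Optional[bool] = None  # implementation status, only for included controls


def check_soa(required: Iterable[str], rows: Iterable[SoaRow],
              annex_a: Dict[str, str] = ANNEX_A) -> List[str]:
    """Return audit findings on the SoA; an empty list means it is consistent.

    required: controls determined under 6.1.3 b) from the risk treatment.
    rows:     the SoA as drafted under 6.1.3 d).
    """
    findings: List[str] = []
    by_number = {r.control: r for r in rows}
    required = set(required)

    # 6.1.3 c): every Annex A control must appear with a justified decision.
    for number, name in annex_a.items():
        row = by_number.get(number)
        if row is None:
            findings.append(f"{number} {name}: missing from the SoA, not compared under 6.1.3 c)")
            continue
        if not row.justification.strip():
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append(f"{number} {name}: no {kind} justification")
        if row.applicable and row.implemented is None:
            findings.append(f"{number} {name}: implementation status not stated")
        if number in required and not row.applicable:
            findings.append(f"{number} {name}: required under 6.1.3 b) but excluded")

    # 6.1.3 d): a required control may come from any source (NOTE 1), but it
    # still needs an SoA row listing it as applicable. Annex A numbers were
    # already checked above.
    for number in sorted(required):
        if number in annex_a:
            continue
        row = by_number.get(number)
        if row is None:
            findings.append(f"{number}: required control has no SoA row")
        elif not row.applicable:
            findings.append(f"{number} {row.name}: required under 6.1.3 b) but excluded")
    return findings


# Constructed sample: controls determined during risk treatment (one is organization-defined).
REQUIRED_CONTROLS = {"5.1", "8.7", "8.28", "ORG-1"}

SAMPLE_SOA = [
    SoaRow("5.1", "Policies for information security", True,
           "Documented information required", implemented=True),
    SoaRow("5.7", "Threat intelligence", True, "", implemented=False),   # no justification
    SoaRow("7.10", "Storage media", False, "No storage media are handled"),
    # 8.7 is absent on purpose: an Annex A control that was never compared
    SoaRow("8.28", "Secure coding", False, "Judged not applicable"),     # but it is required
    SoaRow("ORG-1", "In-house change freeze procedure", True,
           "Control devised internally for release risk", implemented=True),
]


def soa_findings_for_sample() -> List[str]:
    """Findings for the constructed SoA above (expected: three)."""
    return check_soa(REQUIRED_CONTROLS, SAMPLE_SOA)


if __name__ == "__main__":
    for finding in soa_findings_for_sample():
        print("FINDING:", finding)
```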
Strategies

Mitigate: Implement controls to reduce risk levels.

Assume: The current risk level is assumed or retained.

Transfer: Share the risk with external parties (buy insurance or outsource services).

Eliminate: Cancel the risk-generating activity.

Risk Treatment Plan

Residual risk: Remaining risk after risk treatment.
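As an added example (not code from the course material), the following Python sketch runs the 6.1.2 c) to e) appreciation steps and the 6.1.3 treatment strategies above over a small risk register, reusing asset/threat/vulnerability pairs from this course's Activity No. 2. The 1-5 rating scales, the "level above 6 is not accepted" criterion and the register rows are assumptions.

```python
"""Added example, not part of the course material: one pass of the risk
appreciation (6.1.2 c-e) and risk treatment (6.1.3, strategies, residual risk)
steps over a small risk register. Scales, acceptance criterion and the register
rows are constructed assumptions: likelihood and consequence are rated 1-5,
risk level = likelihood x consequence, and levels above 6 are not accepted."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5      # rating scale (assumption)
ACCEPTANCE_THRESHOLD = 6         # risk acceptance criterion, 6.1.2 a) 1) (assumption)
TREATMENT_OPTIONS = ("mitigate", "assume", "transfer", "eliminate")


def risk_level(likelihood: int, consequence: int) -> int:
    """6.1.2 d) 3): risk level as a combination of likelihood and consequence."""
    for value in (likelihood, consequence):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return likelihood * consequence


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str                            # risk owner, 6.1.2 c) 2)
    likelihood: int                       # 6.1.2 d) 2)
    consequence: int                      # 6.1.2 d) 1)
    treatment: str = "assume"             # chosen option, 6.1.3 a)
    controls: List[str] = field(default_factory=list)   # determined controls, 6.1.3 b)
    residual_likelihood: Optional[int] = None           # expected ratings after treatment
    residual_consequence: Optional[int] = None
    owner_accepted_residual: bool = False               # 6.1.3 f)

    def level(self) -> int:
        return risk_level(self.likelihood, self.consequence)

    def residual_level(self) -> int:
        """Residual risk: the risk remaining after treatment."""
        if self.treatment == "eliminate":
            return 0   # the risk-generating activity is cancelled
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        cq = self.consequence if self.residual_consequence is None else self.residual_consequence
        return risk_level(lk, cq)


def evaluate(risks: List[Risk]) -> List[Tuple[Risk, int, bool]]:
    """6.1.2 e): compare each level with the acceptance criterion and prioritise
    for treatment: not-accepted risks first, highest level first."""
    rows = [(r, r.level(), r.level() <= ACCEPTANCE_THRESHOLD) for r in risks]
    rows.sort(key=lambda row: (row[2], -row[1]))
    return rows


def review_treatment(risks: List[Risk]) -> List[str]:
    """Findings an auditor would raise on the treatment plan (6.1.3 a, b, f)."""
    findings = []
    for r in risks:
        tag = f"{r.asset} / {r.threat}"
        if r.treatment not in TREATMENT_OPTIONS:
            findings.append(f"{tag}: unknown treatment option '{r.treatment}'")
            continue
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{tag}: 'mitigate' chosen but no control determined (6.1.3 b)")
        residual = r.residual_level()
        if residual > ACCEPTANCE_THRESHOLD and not r.owner_accepted_residual:
            findings.append(f"{tag}: residual level {residual} exceeds {ACCEPTANCE_THRESHOLD} "
                            f"and risk owner '{r.owner}' has not accepted it (6.1.3 f)")
    return findings


# Constructed register, reusing the asset/threat/vulnerability pairs of the course exercise.
SAMPLE_RISKS = [
    Risk("Computer center", "Flooding", "Data Center located close to a river",
         owner="IT Manager", likelihood=2, consequence=5, treatment="transfer",
         controls=["Flood insurance policy"], residual_likelihood=2, residual_consequence=2),
    Risk("Core business applications", "Process failures", "Software construction defects",
         owner="Development Lead", likelihood=4, consequence=4, treatment="mitigate",
         controls=["8.28 Secure coding", "8.29 Security testing in development"],
         residual_likelihood=2, residual_consequence=4),
    Risk("Human Resources", "Loss of key personnel", "Absence of succession plans",
         owner="HR Manager", likelihood=3, consequence=3, treatment="assume"),
    Risk("Legacy file transfer service", "Loss of confidentiality", "Unencrypted protocol",
         owner="IT Manager", likelihood=4, consequence=3, treatment="eliminate"),
]


if __name__ == "__main__":
    for risk, level, accepted in evaluate(SAMPLE_RISKS):
        print(f"{level:>3}  {'accepted' if accepted else 'TREAT   '}  {risk.asset} / {risk.threat}")
    for finding in review_treatment(SAMPLE_RISKS):
        print("FINDING:", finding)
```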
ISO 31000 Standard Structure: Risk Management - Guidelines

• This document provides guidelines to manage the risks faced by organizations. The application of these guidelines may be adapted to any organization and its context.
• This document provides a common approach to managing any type of risk and is not specific to an industry or sector.
• This document may be used throughout the life of the organization and may be applied to any activity, including decision-making at any level.

6.2 Information Security Objectives and Achievement Planning

The organization must determine information security objectives for the pertinent functions and levels.

Information security objectives must:

a) Be coherent with the information security policy.
b) Be measurable (if possible).
c) Consider applicable information security requirements, risk appreciation results and risk treatment.
d) Be monitored.
e) Be communicated.
f) Be updated, if appropriate.
g) Be available as documented information: the organization shall maintain documented information on the information security objectives.

When planning how to achieve the information security objectives, the organization must determine:

h) What is going to be done.
i) The required resources.
j) The responsible party.
k) When it will be finished.
l) How results will be evaluated.
Example of an ISMS for a Security Service performed by a Security Operation Center (SOC).

6.3 Planning of Changes


When the organization determines the need for changes to the ISMS, the changes shall be carried
out in a planned manner.

7. Support

7.1 Resources

The organization must determine and provide the required resources to set up, implement, maintain and continuously improve the information security management system.

7.2 Competence

The organization must:

a) Determine the required competence of the staff that conduct, under its control, work that affects information security performance.
b) Ensure that these persons are competent on the basis of appropriate education, training or experience.
c) When applicable, implement actions to acquire the required competence and assess the efficacy of the actions implemented.
d) Keep appropriate documented information as evidence of competence.

NOTE: Applicable actions may include, for example, training, mentoring or reassignment of currently employed staff, as well as hiring competent staff.

7.3 Awareness

Staff under the control of the organization must be aware of:

a) The information security policy.
b) Their contribution to the efficacy of the information security management system, including the benefits of improved information security performance.
c) The implications of not complying with the information security management system requirements.

7.4 Communication

The organization must determine the need for internal and external communications pertinent to the information security management system, including:

a) What to communicate.
b) When to communicate.
c) Whom to communicate to.
d) Who should send the communication.
e) The processes the communication must comply with.

7.5 Documented Information

7.5.1 General Considerations

The information security management system of the organization must include:

a) Documented information required by this international standard.
b) Documented information the organization has determined to be necessary for the efficacy of the information security management system.

NOTE: The scope of the documented information of the information security management system may vary from one organization to another, due to:
1. The size of the organization and its type of activities, processes, products and services.
2. The complexity of its processes and interactions.
3. The competence of the staff.

7.5.2 Creation and Update

When documented information is created and updated, the organization must guarantee the
following, as required:

a) The identification and description (for instance, title, date, author, or reference number).
b) The form (for instance, language, software version, graphs) and support means (for instance, hard
copy, soft copy).
c) The review and approval in terms of suitability and adequacy.

7.5.3 Documented Information Control

Documented information required by the information security management system and by this international standard must be controlled to guarantee that:
a) It is available and ready to be used where and when needed.
b) It is adequately protected (for instance, against loss of confidentiality, improper use or loss of integrity).

To control documented information, the organization must address the following activities, as applicable:

c) Distribution, access, retrieval and use.
d) Storage and preservation, including preservation of legibility.
e) Change control (for instance, version control).
f) Retention and disposition.

External documented information the organization has determined to be necessary for the planning and operation of the information security management system must be identified and controlled, as required.

NOTE: Access implies a decision regarding permission to view the documented information only, or permission and authority to view and modify the documented information, etc.


8. Operation
8.1 Operational Planning and Control

The organization must plan, implement and control the processes needed to comply with the information security requirements and to implement the actions determined under 6.1. The organization must also implement plans to achieve the information security objectives set forth under 6.2.

As required, the organization must keep documented information to have confidence that the processes have been carried out as planned.

The organization must control planned changes and review the consequences of unintended changes, taking actions to mitigate any adverse effects, when required.

The organization must guarantee that outsourced processes are controlled.

8.2 Information Security Risk Assessment

The organization must assess information security risks at planned intervals, or when significant changes are proposed or occur, taking into account the criteria established under 6.1.2 a).

The organization must keep documented information about the results of the information security risk assessments.

8.3 Information Security Risk Treatment

The organization must implement the information security risk treatment plan.

The organization must keep documented information about the results of the information security risk treatment.

Risk Assessment and Treatment

9. Performance Assessment

9.1 Monitoring, Measurement, Analysis and Evaluation

The organization must evaluate the information security performance and the effectiveness of the information security management system.

The organization must determine:

a) What needs to be monitored and measured, including information security processes and controls.
b) The monitoring, measurement, analysis and evaluation methods, as applicable, to guarantee valid results.

NOTE: The methods selected must yield comparable and reproducible results to be considered valid.

c) When monitoring and measurement should be performed.
d) Who must monitor and measure.
e) When monitoring and measurement results should be analyzed and evaluated.
f) Who should analyze and evaluate those results.

The organization must keep documented information as evidence of the results.

9.2 Internal Audit

The organization must perform internal audits at planned intervals to provide information on whether the information security management system:

a) Complies with:
1. The organization's own requirements for its information security management system.
2. The requirements of this international standard.
b) Has been effectively implemented and maintained.

The organization must:

a) Plan, establish, implement and maintain one or several audit programs that include frequency, methods, responsibilities, planning requirements and reporting. Audit programs must consider the importance of the processes involved and the results of former audits.
b) Define the criteria and scope for each audit.
c) Select auditors and perform audits that guarantee the objectivity and impartiality of the audit process.
d) Guarantee that the audit results are reported to the relevant management.
e) Keep documented information as evidence of the audit program implementation and the audit results.

Audit
• Audit is defined as the systematic, independent, documented process of obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are met.
• Objective evidence: data that supports the existence or truth of something. Objective evidence may be obtained through observation, measurement, testing or other means. Objective evidence for the purpose of the audit generally consists of records, statements of fact or other information that are relevant to the audit criteria and verifiable.
• Audit criteria: set of requirements used as a reference against which objective evidence is compared. If the audit criteria are legal (including statutory or regulatory requirements), the words "compliance" or "non-compliance" are often used in the audit conclusion. Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.
• Audit scope refers to the extent and boundaries of an audit. Audit scope generally includes a description of physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered. A virtual location is where an organization performs work or provides a service using an online environment that allows people, independent of physical location, to execute processes.

9.3 Management Review

9.3.1 General: Top management must review the information security management system of the organization at planned intervals to guarantee its continuing suitability, adequacy and effectiveness.

9.3.2 Management Review Inputs: The review performed by top management must include considerations such as:

a) The status of actions from former top management reviews.
b) Changes in external and internal issues pertinent to the information security management system.
c) Information security performance, including trends in:
1. Non-conformities and corrective actions.
2. Monitoring and measurement results.
3. Audit results.
4. Fulfilment of information security objectives.
d) Stakeholder comments.
e) Risk appreciation results and risk treatment plan status.
f) Continuous improvement opportunities.

9.3.3 Management Review Results: The outputs of the top management review must include decisions related to continuous improvement opportunities and any need for changes to the information security management system.

The organization must keep documented information on the results of top management reviews as evidence.

The minutes of the top management review must include at least the following items, in this order:

1. Follow-up actions on the agreements recorded in the previous ISMS Committee minutes.
2. Changes in internal and external issues pertinent to the ISMS.
3. Comments on information security performance, including trends in non-conformities and corrective actions.
4. Monitoring and measurement results.
5. Audit results.
6. Fulfilment of information security objectives.
7. Interested parties' comments.
8. Risk assessment results and risk treatment plan status.
9. Continuous improvement opportunities.


10. Improvement
10.1 Continual Improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the ISMS.

10.2 Non-Conformity and Corrective Actions

When a non-conformity occurs, the organization shall:

a) React to the non-conformity and, when applicable:
1. Take action to control it and correct it.
2. Address the consequences.
b) Evaluate the need for action to eliminate the causes of the non-conformity, so that it does not recur or occur elsewhere, through:
1. Reviewing the non-conformity.
2. Determining the causes of the non-conformity.
3. Determining whether similar non-conformities exist or could potentially occur.
c) Implement any required action.
d) Review the effectiveness of the corrective actions taken.
e) If needed, make changes to the information security management system.

Corrective actions must be appropriate to the effects of the non-conformities found.

The organization must keep documented information as evidence of:

f) The nature of the non-conformities and any action taken.
g) The results of any corrective action.


Annex A: Normative
(See Control Objectives I27001IA-LA)

Annex A: Controls

REQUIREMENTS
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement

CONTROLS (Annex A)
• 5. Organizational Controls
• 6. People Controls
• 7. Physical Controls
• 8. Technological Controls

Note: The auditor does NOT only evaluate requirements 4 to 10, but also the controls in Annex A explained below.

Please refer to supplement No. 2.

Annex A: Clauses, Objectives and Controls

4 DOMAINS
93 CONTROLS

5. Organizational Controls
• 5.1 Policies for information security.
• 5.2 Information security roles and responsibilities.
• 5.3 Segregation of duties
• 5.4 Management responsibilities
• 5.5 Contact with authorities
• 5.6 Contact with interested parties
• 5.7 Threat intelligence
• 5.8 Information security in project management
• 5.9 Inventory of information and other associated assets
• 5.10 Acceptable use of information and other associated assets

• 5.11 Return of assets
• 5.12 Classification of information
• 5.13 Labelling of information
• 5.14 Information transfer
• 5.15 Access control
• 5.16 Identity management
• 5.17 Authentication information
• 5.18 Access rights
• 5.19 Information security in supplier relationships
• 5.20 Addressing information security within supplier agreements
• 5.21 Information security management in the ICT supply chain
• 5.22 Monitoring, review and change management of supplier services
• 5.23 Information security for the use of Cloud services
• 5.24 Information security incident management planning and preparation
• 5.25 Assessment and decision making in information security incidents
• 5.26 Response to Information Security Incidents
• 5.27 Learning from Information Security Incidents
• 5.28 Collection of evidence
• 5.29 Information security during disruption
• 5.30 ICT readiness for business continuity
• 5.31 Legal, statutory, contractual, and regulatory requirements
• 5.32 Intellectual property rights
• 5.33 Protection of records
• 5.34 Privacy and protection of personally identifiable information(PII)
• 5.35 Independent review of information security
• 5.36 Compliance with policies, rules and standards for information security
• 5.37 Documented operational procedures

6. People Controls
• 6.1 Screening
• 6.2 Terms and conditions for employment
• 6.3 Information Security Awareness, education, and training
• 6.4 Disciplinary process
• 6.5 Responsibilities after termination or change of employment
• 6.6 Confidentiality or non-disclosure agreements
• 6.7 Remote working
• 6.8 Information security event reporting

7. Physical Controls

• 7.1 Physical security perimeters


• 7.2 Physical entry
• 7.3 Securing of offices, rooms and facilities
• 7.4 Physical security monitoring
• 7.5 Protecting against physical and environmental threats
• 7.6 Working in secure areas
• 7.7 Clear desk and clear screen
• 7.8 Equipment siting and protection
• 7.9 Security of assets off-premises
• 7.10 Storage media
• 7.11 Supporting utilities
• 7.12 Cabling security
• 7.13 Equipment maintenance
• 7.14 Secure disposal or re-use of equipment

8. Technological Controls

• 8.1 User endpoint devices
• 8.2 Privileged access rights
• 8.3 Information access restriction
• 8.4 Access to source code
• 8.5 Secure authentication
• 8.6 Capacity management
• 8.7 Malware protection
• 8.8 Technical vulnerability management
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.13 Information backup
• 8.14 Redundancy of information processing facilities
• 8.15 Logging
• 8.16 Monitoring activity
• 8.17 Clock synchronization
• 8.18 Use of privileged utility programs
• 8.19 Installing software on operating systems

• 8.20 Network Security
• 8.21 Security of network services
• 8.22 Segregation of networks
• 8.23 Web filtering
• 8.24 Use of cryptography
• 8.25 Security development life cycle
• 8.26 Application security requirements
• 8.27 Secure system architecture and engineering principles
• 8.28 Secure coding
• 8.29 Security Testing in Software Development and Acceptance
• 8.30 External Development
• 8.31 Separation of development, test and production environments
• 8.32 Change management
• 8.33 Information for testing
• 8.34 Protection of information systems during audit tests

25-Minute Workshop: Revise Information Security Terms and Conditions

Phase 3. Information Security Risk Management Based on ISO 27005

This standard provides support for the concepts specified in ISO/IEC 27001 and facilitates the successful implementation of information security based on the risk management approach.

This standard can be applied to all types of organizations that decide to manage information security risks.

ISMS Risk Management

Opportunities: The purpose is to manage/exploit business opportunities; the focus is on investment. Offensive in nature.

Impact: Materialization of a vulnerability through a threat to an asset, to which an estimated monetary value must be assigned by ranges (e.g. between US$ 1 and US$ 10 million); the probability of occurrence of the event is evaluated (e.g. a virus appears daily, weekly, etc.) and classified as high, medium or low. Offensive in nature.

[Figure: Business Risk = Risks in the Information Systems + Risks in the Processes; layers: Top Management, Applications and Information, End User; Controls at cross-business level.]
Why Perform Risk Management?

Seeking efficiency and effectiveness of the processes, a risk management system has these characteristics and principles:
• Creates and protects value by contributing to the achievement of objectives.
• Risk management is an integral part of all processes.
• Its outputs are fundamental in decision making.
• It deals with uncertainty.
• It is systematic, structured and timely.
• It is based on the best available information.
• It is specific.
• It takes into account the human and cultural factors of the organization.
• It is transparent and inclusive, as it is present in all the processes.
• It is dynamic, iterative and change-oriented.
• Facilitates continuous improvement.

Risk Management Process Based on ISO-IEC 27005

[Process diagram, rendered as an outline]
Context establishment
Risk assessment
  Risk Analysis
    Risk identification: What can happen? How can it happen?
    Risk estimation: Likelihood? Impact? Level of risk?
  Risk Evaluation: Controls? Effectiveness of Controls? Treatment?
Risk Decision Point 1: Satisfactory assessment? (YES / NO)
Risk Treatment
Risk Decision Point 2: Satisfactory treatment? (YES / NO)
Risk Acceptance
Risk communication and Risk monitoring and review run alongside every stage.

Context Establishment

The organization articulates its objectives and defines the external and internal factors to be considered in establishing the scope and the risk criteria.

External and internal conditions that could have an impact on the achievement of objectives:

External:
• Social and cultural environment
• Political environment
• Compliance, legal and regulatory
• Technology
• Economic environment
• Competitiveness
• Drivers
• Psychosocial aspects

Internal:
• Organizational Culture
• Governance, structure, roles and responsibilities
• Standards, guidelines, processes
• Technical components
• Internal technology
• Customers

Identification of Assets

It is necessary to identify the assets in order to perform the risk valuation. Two asset classes are identified:

• Primary
  • Missional activities and processes, proprietary technology, and those with legal and contractual requirements.
  • Information from mission processes; information with a high cost of processing, storage, transmission and retrieval.
• Secondary
  • Hardware
  • Software
  • Networks and connectivity
  • Services (subcontractors/suppliers/manufacturers)
  • Decision makers (knowledge of the business)

Classification of Assets

Item | Code | Classification | Type
1 | PI1 | Physical Information 1 | Documental
2 | PI2 | Physical Information 2 | Documental
3 | S1 | Tools for Operation | Software
4 | S2 | Management Software | Software
5 | N1 | The Network | Infrastructure
6 | LS | Local Server | Infrastructure
7 | CE | Computer Equipment | Equipment
8 | ST | Storage | Storage
9 | BN | Business Knowledge | Non Tangible and HR

Threat

Threats are present in each system or asset under the premises of:
• Confidentiality
• Availability
• Integrity

The purpose is to reduce the negative impact. Defensive in nature.

Scenario (Cause) where an action or event (incident) compromises the security of an Information Asset.

Cause: Reason or circumstance.

Threat Profile

[Figure, rendered as text: a threat profile links Asset, Access, Actor and Reason to the resulting Impact]
Asset: Information, Network, Asset
Actor (via Access): Natural; Human Internal; Human External
Reason (for human actors): Accidental or Deliberate
Impact: Disclosure, Loss, Modification, Interruption

Information Threats

Examples:
• Physical damage (pollution, accidents, fire, etc.).
• Introduction of malicious code into the system.
• Unauthorized access/changes.
• Software illegality.
• Fraud/identity theft.
• Unexpected loss of critical services.
• Accidents caused by natural events.

Vulnerability

They leave a system exposed to a threat attack or allow the success or greater impact of the threat. They are exploited by threats.

E.g.: Fire → Gas.

Inefficiency, adverse operating conditions, reputation damage and loss of opportunity are identified as consequences of vulnerabilities.

Degree of sensitivity of an Asset.

Weaknesses of any kind that compromise the security of an Information System:

• Applications with construction defects, released without testing.
• Faulty network and equipment configurations.
• Absence of a Continuity of Operations policy.
• Outdated O.S., DBMS and development tools.
• Weak, unprotected communications system.
• Insufficient HR training.
• Lack of succession plans or training.
• Areas susceptible to flooding.

These weaknesses can be exploited by threats.

Examples

Activity No.2 Information Risks

INFORMATION ASSET | THREAT | VULNERABILITY
Computer center | Flooding | Location of the Data Center in areas close to rivers, lagoons, lakes, etc.
Communications Equipment | Loss of I.T. services | Absence of a Business Continuity policy
Human Resources | Loss of key personnel | Absence of succession plans
Core business applications | Process failures affecting Confidentiality / Availability / Integrity | Software construction defects

EXERCISE: Develop practical examples from your work, associating the respective Threats and Vulnerabilities to the Information Assets.

It is requested to develop this exercise with the assets of practical Workshop No.1, Classification and valuation of Information Assets.
ISMS Risk Management: Workshop

METALMECANICA S.A. started its activities in 2010 with 150 employees and with a process map that
was not completely defined until March 2021.

It currently has some applications that do not fully cover its activities, although in a meeting with Management it is stated that so far everything has worked very well, even though there are manual processes. Since its beginnings, the company has had the same computer equipment, which is staffed by two people with mid-level professional training who attend to the technical operations of the business, with satisfactory results.

An audit conducted in April concluded that the company's financial figures are reasonable. Management authorizes investing in a corporate image project in order to position the company in the media and ahead of the competition; this project is financed by a bank loan. Based on the previous status of METALMECANICA S.A., it is requested to develop an exercise with Findings, Threats and Vulnerabilities.

Solution

Findings:
1. The company does not have a completely defined process map, where its activities are referenced.
2.
3.

Threats:
1. Loss of IT services.
2. Inability to meet the demand for new services.
3.

Vulnerabilities:
1. Lack of process characterization policies
2. Absence of strategic and technological development plans
Your organization is at risk when:
• Defects or damage to any information asset.
• Unscheduled outages.
• Modification, interception or alteration of data without proper authorization.

In addition:
• Loss of operation or continuity.
• Unforeseen failures or defects in the I.T. infrastructure.
• Inability to fulfill the promise of service to internal and external users.

Consult other I.T. risk factors.

Risk = Uncertainty?

It is the potential for a threat to exploit the vulnerabilities of the I.A. (Information Assets), turn into a disaster and affect the objectives of the Organization (economic, environmental, image, reputation, social).

It can be positive or negative.

Risk Management: It is a methodological and systematic practice that is executed to identify, measure, classify and define procedures, policies and actions.

Controls objective:
• Mitigate
• Avoid
• Transfer
• Assume
Risk Management Cycle

Figure: Risk Management Cycle (diagram). Phases in the cycle: Identification, Classification, Analysis, Evaluation, Treatment, Control, Monitor, Planning. Annotations: Planning (plans and organizes); Controls (defines treatment); Evaluation (monitor and evaluate); Identification, Classification and Analysis.

ISMS Risk Management

The following 9 steps will lead the participant to understand the risk management model. It starts in the CONTEXT and ends in the design of CONTROLS.

1. Establishment of the external and internal context

2. Classification of information assets

Summary:

Item | Code | Classification | Type
1 | PI1 | Physical Information 1 | Documental
2 | PI2 | Physical Information 2 | Documental
3 | S1 | Tools for Operation | Software
4 | S2 | Management Software | Software
5 | N1 | The Network | Infrastructure
6 | LS | Local Server | Infrastructure
7 | CE | Computer Equipment | Equipment
8 | ST | Storage | Storage
9 | BN | Business Knowledge | Non Tangible and HR
3. Classification of threats and vulnerabilities to information assets

Threats of Information and Communication Technologies (ICTs)

COMPROMISED INFORMATION:
• Interception
• Espionage
• Loss / Theft of media or equipment
• Media recovery
• Disclosure
• Unreliable data sources
• Non-compliance with legal obligations
• Location detection

UNAUTHORIZED ACTIONS:
• Technological abuse, improper operations with equipment and applications
• Unauthorized use of equipment
• Software copying
• Use of illegal software
• Corruption of data base
• Illegal data processing
• Error in the use / blocking of equipment
• Abuse of rights

VULNERABILITIES:
• Lack of role segregation
• Incorrect configuration of information systems
• Lack of user training
• Zero-day vulnerabilities
• Failures due to lack of operator training
• Diseases
• Failures due to updates
• Lack of knowledge of tools
• Lack of commitment from top management
• Lack of standards to define criteria or typology of events that could generate security risks to the client's network
• The person does not identify an attack on the equipment and network
• Inability to execute tasks due to workload imbalance and/or capacity management (by time)
• Absence of a development standard that allows choosing new behaviors to be detected by IDS or by the initial scanning performed in the registration process
• No detection of devices with physical or configuration failures
• Errors in configuration that do not allow remote start-up

4. Risk scenario

Matrix that includes the Organization's Information Assets, confronted with the threats for each of the assets.

Figure: risk scenario matrix (Information Assets x 2021 Threats). The columns are the information assets, grouped by type: Physical Information 1 and Physical Information 2 (Documentary); Tools for Operation and Management Software (Software); Net and Local Server (Infrastructure); Computer equipment (Equipment); Storage (Storage); Business knowledge (Intangibles and HR). The rows are the threats, each marked with an "x" for every asset it exposes; the number of assets marked per threat is:
• Natural Event: 4
• Loss of Essential Services: 3
• Technical Failures: 6
• Physical Harm: 6
• Computer Attacks: 5
• Unauthorized Actions: 6
• Compromise of Functions: 1
• Compromise of Information: 6
• Unsatisfied staff: 9
The right-hand margin lists the Information Security properties at stake: Availability, Privacy, Integrity.
5. Risk Criteria

Probability / Frequency Table

Level | Range | Description
1 | Very unlikely | May occur only under exceptional circumstances
2 | Unlikely | May occur sometimes (rarely)
3 | Likely | It may happen at some point
4 | Quite likely | Probability of occurrence in most circumstances
5 | Very likely | The expectation of occurrence is in most circumstances

Impact Table: Priority 1 – Impact on the Operation

Level | Range | Description
1 | No impact | There is an unavailability less than or equal to 5 minutes
2 | Very low | There is an unavailability between 6 and 15 minutes
3 | Low | There is an unavailability between 15 and 30 minutes
4 | Moderate | There is an unavailability between 30 and 60 minutes
5 | High | There is an unavailability for more than 60 minutes. An alternative processing mechanism needs to be established

6. Rating risk scenarios

Each scenario is rated by its probability of occurrence and its impact on operations; Risk = Probability x Impact.

SCENARIO | PROBABILITY | IMPACT ON OPERATION | RISK (Probability x Impact)
NATURAL EVENT - PHYSICAL INF 1 | Very unlikely (1) | No impact (1) | 1
NATURAL EVENT - PHYSICAL INF 2 | Very unlikely (1) | No impact (1) | 1
NATURAL EVENT - NET | Unlikely (2) | Very low (2) | 4
NATURAL EVENT - COMPUTER EQUIPMENT | Very unlikely (1) | Very low (2) | 2
LOSS OF ESSENTIAL SERVICES - NETWORK | Unlikely (2) | Very low (2) | 4
LOSS OF ESSENTIAL SERVICES - LOCAL SERVER | Likely (3) | Very low (2) | 6
LOSS OF ESSENTIAL SERVICES - COMPUTER EQUIPMENT | Likely (3) | Very low (2) | 6
TECHNICAL - DOMINA DIGITAL F-E | Unlikely (2) | High (5) | 10
TECHNICAL FAILURES - MANAGEMENT SOFTWARE | Unlikely (2) | High (5) | 10
TECHNICAL FAILURES - NETWORK | Unlikely (2) | Very low (2) | 4
TECHNICAL FAILURES - LOCAL SERVER | Unlikely (2) | Very low (2) | 4
TECHNICAL FAILURES - COMPUTER EQUIPMENT | Unlikely (2) | Very low (2) | 4
TECHNICAL - MOBILE EQUIPMENT | Unlikely (2) | Very low (2) | 4
PHYSICAL DAMAGE - PHYSICAL INF 1 | Very unlikely (1) | No impact (1) | 1
PHYSICAL DAMAGE - PHYSICAL INF 2 | Very unlikely (1) | No impact (1) | 1
PHYSICAL DAMAGE - NETWORK | Very unlikely (1) | Very low (2) | 2
7. Risk Map

Matrix resulting from crossing Probability X Impact. Graphical display of the status of the processes.

Figure: percentage distribution of Total Risk by ZONE (chart):
• Acceptable: 68.63
• Inadmissible: 23.53
• Unacceptable: 3.92

Zone | Meaning
Acceptable | Lower risk, managed through routine procedures
Tolerable | Moderate risk, the responsibility of senior management must be specified
Unacceptable | High risk, the attention of senior management is necessary
Inadmissible | Extreme risk, immediate action required
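Rating the step 6 scenarios and building the step 7 risk map in code, as an added example that is not part of the course material. The scenario list and the level names are transcribed from the tables above; the score boundaries of the four zones and the `risk_map` grid helper are assumptions, since the material names the zones but does not state where one zone ends and the next begins.

```python
"""Risk rating (step 6) and risk map (step 7) for the ISMS risk scenarios.

Added example, not part of the course material. Risk = Probability x Impact
with the 1..5 levels of the step 5 tables, so a score ranges from 1 to 25.
ASSUMPTION: the course names four zones (Acceptable, Tolerable, Unacceptable,
Inadmissible) but gives no score boundaries; the thresholds in ZONES are
invented here only to make the map concrete.
"""
from collections import Counter

# Probability / frequency levels (step 5 table).
PROBABILITY = {
    "Very unlikely": 1,
    "Unlikely": 2,
    "Likely": 3,
    "Quite likely": 4,
    "Very likely": 5,
}

# Impact on the operation, priority 1 (step 5 table).
IMPACT = {
    "No impact": 1,
    "Very low": 2,
    "Low": 3,
    "Moderate": 4,
    "High": 5,
}

# ASSUMED zone boundaries: (highest score that still belongs to the zone, name).
ZONES = [
    (4, "Acceptable"),
    (8, "Tolerable"),
    (15, "Unacceptable"),
    (25, "Inadmissible"),
]

# Scenarios transcribed from the step 6 rating table: (name, probability, impact).
SCENARIOS = [
    ("NATURAL EVENT - PHYSICAL INF 1", "Very unlikely", "No impact"),
    ("NATURAL EVENT - PHYSICAL INF 2", "Very unlikely", "No impact"),
    ("NATURAL EVENT - NET", "Unlikely", "Very low"),
    ("NATURAL EVENT - COMPUTER EQUIPMENT", "Very unlikely", "Very low"),
    ("LOSS OF ESSENTIAL SERVICES - NETWORK", "Unlikely", "Very low"),
    ("LOSS OF ESSENTIAL SERVICES - LOCAL SERVER", "Likely", "Very low"),
    ("LOSS OF ESSENTIAL SERVICES - COMPUTER EQUIPMENT", "Likely", "Very low"),
    ("TECHNICAL - DOMINA DIGITAL F-E", "Unlikely", "High"),
    ("TECHNICAL FAILURES - MANAGEMENT SOFTWARE", "Unlikely", "High"),
    ("TECHNICAL FAILURES - NETWORK", "Unlikely", "Very low"),
    ("TECHNICAL FAILURES - LOCAL SERVER", "Unlikely", "Very low"),
    ("TECHNICAL FAILURES - COMPUTER EQUIPMENT", "Unlikely", "Very low"),
    ("TECHNICAL - MOBILE EQUIPMENT", "Unlikely", "Very low"),
    ("PHYSICAL DAMAGE - PHYSICAL INF 1", "Very unlikely", "No impact"),
    ("PHYSICAL DAMAGE - PHYSICAL INF 2", "Very unlikely", "No impact"),
    ("PHYSICAL DAMAGE - NETWORK", "Very unlikely", "Very low"),
]


def risk_score(probability, impact):
    """Risk = Probability x Impact, from the level names of the step 5 tables."""
    return PROBABILITY[probability] * IMPACT[impact]


def risk_zone(score):
    """Map a 1..25 score to its zone using the ASSUMED thresholds."""
    if not 1 <= score <= 25:
        raise ValueError(f"risk score {score} outside 1..25")
    for upper, name in ZONES:
        if score <= upper:
            return name
    raise AssertionError("unreachable: ZONES must end at 25")


def rate_scenarios(scenarios):
    """Return one row per scenario: (name, P level, I level, score, zone)."""
    rows = []
    for name, probability, impact in scenarios:
        score = risk_score(probability, impact)
        rows.append((name, PROBABILITY[probability], IMPACT[impact], score, risk_zone(score)))
    return rows


def zone_distribution(rated_rows):
    """Percentage of scenarios per zone: the step 7 percentage distribution."""
    counts = Counter(row[4] for row in rated_rows)
    total = len(rated_rows)
    return {name: round(100.0 * counts[name] / total, 2) for _, name in ZONES}


def risk_map(rated_rows):
    """5x5 Probability x Impact grid (assumed helper); each cell lists its scenarios."""
    grid = {(p, i): [] for p in range(1, 6) for i in range(1, 6)}
    for name, p, i, _score, _zone in rated_rows:
        grid[(p, i)].append(name)
    return grid


if __name__ == "__main__":
    rated = rate_scenarios(SCENARIOS)
    for name, p, i, score, zone in rated:
        print(f"{name:<48} P={p} I={i} risk={score:>2} {zone}")
    print(zone_distribution(rated))
```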

Probabilities of Occurrence

Rating | Attribute | Description
1 | Odd | Exceptional occurrence
2 | Unlikely | Difficult to happen
3 | Possible | Normally doesn't happen
4 | Likely | There is reason to believe that it will happen
5 | Frequent | It usually happens

Potential Impact

Rating | Attribute | Description
1 | Insignificant | Exceptional occurrence
2 | Minor | It is controllable
3 | Moderate | Requires third-party intervention
4 | High | Loss of capacity, harmful effects
5 | Catastrophic | Impossibility of reaction

Controls

Rating | Attribute | Description
1 | Uncontrollable | Absence of control regarding the probability of occurrence and the possibility of managing the consequences
2 | Weak | Insufficient controls to prevent or mitigate the risk, or controls NOT KNOWN
3 | Moderate | Controls do NOT allow the management of all potential risk events
4 | Strong | Viable, economical controls are in place, with follow-up and monitoring

9. Controls implementation

Characterization and attributes of the Controls:
• Risk Code
• Category
• Risk Name
• Control
• Objective
• Implementation Guidance
• Metrics
• Monitoring plan
• Responsible
• Expected Result
• Timeline
• Budget
ISO 19011:2018

This standard provides a guideline for any size or type of organization and for audits of different scope and scale, including those conducted by large auditing teams, generally in large organizations, and those conducted by individual auditors, whether in large or small organizations. This guideline must be adapted as required by the scope, complexity and scale of the auditing program.

ISO 19011:2018 Structure

Preface.
Introduction.
1. Scope.
2. Normative references.
3. Terms and definitions.
4. Auditing principles.
5. Auditing program management.
6. Audit performance.
7. Auditors competence and assessment.
Annex A.
Bibliography.
ISO 19011:2018 Scope

This document provides guidance on auditing management systems, including the principles of auditing, the management of an audit program and the conduct of management system audits, as well as guidance on the evaluation of competence of the people involved in the audit process.

These activities include the people who manage the audit program, auditors and audit teams.

It is applicable to every organization that needs to plan and conduct internal or external audits of management systems, or to manage an audit program.

The application of this document to other types of audits is possible, as long as special consideration is given to the specific competence required.

Audit
Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively, to determine the extent to which the audit criteria are fulfilled.

Note 1: Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself.

Note 2: External audits include those generally called second- and third-party audits. Second-party audits are conducted by parties that have an interest in the organization, such as customers, or by people on their behalf. Third-party audits are conducted by independent auditing organizations, such as those that provide certifications, compliance certificates or governmental agencies.
Types of Audits

A. Internal audits: Sometimes called first-party audits, are conducted by, or on behalf of, the organization itself.
B. External audits: Include those generally called second- and third-party audits.

1. Second-party audits are conducted by parties that have an interest in the organization, such as customers, or by people on their behalf.
2. Third-party audits are conducted by independent auditing organizations, such as those that provide certifications, compliance certificates or governmental agencies.

Audit Criteria
Set of requirements used as a reference against which objective evidence is compared.

Note 1: If the audit criteria are legal (including legal or regulatory requirements), the words "compliance" or "non-compliance" are often used in audit conclusions.

Note 2: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.
Audit Evidence

• Objective evidence is data that supports the existence or truth of something.
• Note 1: Objective evidence may be obtained through observation, measurement, test or other means.
• Note 2: Objective evidence for audit purposes generally consists of records, statements of fact or other information that is relevant to the audit criteria and verifiable.

Audit Results
The results of the evaluation of the collected audit evidence against the audit criteria.

• Note 1: Audit findings indicate compliance or non-compliance.
• Note 2: Audit findings may lead to the identification of risks, improvement opportunities or records of best practice.
• Note 3: If the audit criteria are selected from legal or regulatory requirements, the audit finding is called compliance or non-compliance.

Compliance finding:
• Requirements (standard, legal, regulatory, contractual).
• The element conforms to the requirement.
• The implementation corresponds to the intention.
• The implementation is effective.

Best Practices:
• Verify verbal statements.
• Define the nature of the non-compliance with the auditee, describing the audit evidence.
• Take notes and refer back to them to draft the report.
• Draft the findings report during the information collection.
• At the end of the day, conduct a private review.

Audit Conclusions

Audit result after considering the audit objectives and all audit results (findings).

Audit Client

Organization or person who requests an audit.

Note 1: In the case of an internal audit, the audit client may also be the auditee or the person who manages the audit program. External audit requests may come from sources such as regulators, contracting parties, potential customers or current customers.

Auditee

Organization being audited, fully or partly.
Auditor

Person who conducts an audit.

Auditing Team

One or more people who conduct an audit, supported, if required, by technical experts.

Note 1: One auditor from the auditing team is appointed as the auditing team leader.
Note 2: The auditing team may include auditors in training.

Technical Expert

Person who provides specific knowledge or expertise to the auditing team.

Note 1: Specific knowledge or expertise relates to the organization, activity, process, product, service or discipline being audited, or to language or culture.
Note 2: A technical expert in the auditing team does not act as an auditor.

Observer

Individual who accompanies the auditing team but does not act as an auditor.

Guide

Person appointed by the auditee to assist the auditing team.
Audit Program

Set of one or more audits planned for a specific time frame and directed towards a specific purpose.

Audit Scope

Audit scope refers to the extent and boundaries of an audit.

The scope of the audit generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.

A virtual location is where an organization performs a duty or provides a service using an online environment that allows people, regardless of their physical location, to execute processes.

Audit Plan

Description of the activities and arrangements for an audit.

Conformity

Fulfilment of a requirement.

Non-Conformity

Non-fulfilment of a requirement.

Audit Evidence
Records, statements of fact or other information relevant to the audit criteria and verifiable.
Audit Methods

Clause 4: Audit Principles

1. Integrity: The basis of professionalism.
2. Fair presentation: The obligation to report truthfully and accurately.
3. Due professional care: The application of diligence and judgement in auditing.
4. Confidentiality: Security of information.
5. Independence: The basis for the impartiality of the audit and the objectivity of the audit conclusions.
6. Evidence-based approach: The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
7. Risk-based approach: An audit approach that considers risks and opportunities.
Integrity: The basis of professionalism.

Auditors and the people who manage an audit program must:
a) Perform their work ethically, honestly and responsibly.
b) Undertake audit activities only if competent to do so.
c) Perform their work impartially; that is, remain fair and unbiased in all their dealings.
d) Be aware of any influences that may be exerted on their judgement while conducting an audit.

Fair presentation: The obligation to report truthfully and accurately.

Audit findings, audit conclusions and audit reports must reflect truthfully and accurately the audit activities. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee must be reported. Communication must be truthful, accurate, objective, timely, clear and complete.

Due professional care: The application of diligence and judgement in auditing.

Auditors must exercise due care in accordance with the importance of the task they perform and the confidence placed in them by the audit client and other interested parties. An important factor in carrying out their work with due professional care is having the ability to make reasoned judgements in all audit situations.

Confidentiality: Security of information.

Auditors must exercise discretion in the use and protection of information acquired in the course of their duties. Audit information must not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information.

Independence: The basis for the impartiality of the audit and the objectivity of the audit conclusions.

Auditors must be independent of the activity being audited wherever practicable and, in all cases, must act in a manner that is free from bias and conflict of interest. For internal audits, auditors must be independent of the function being audited, if practicable. Auditors must maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence.

For small organizations, internal auditors may not be fully independent of the activity being audited, but every effort must be made to remove bias and encourage objectivity.

Evidence-based approach: The rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.
Audit evidence must be verifiable. In general, it must be based on samples of the information available, since an audit is conducted during a finite period of time and with finite resources. An appropriate use of sampling must be applied, since it is closely related to the confidence that can be placed in the audit conclusions.

Risk-based approach: An audit approach that considers risks and opportunities.

The risk-based approach must substantively influence the planning, conduct and reporting of audits, in order to ensure that audits are focused on matters that are significant for the audit client and for achieving the audit program objectives.

Clause 5: Audit Program

Figure 1: Process flow for the management of an audit program.

NOTE 1: This figure illustrates the application of Plan – Do – Check – Act in this document.

NOTE 2: Clause/subclause numbering refers to the relevant clauses/subclauses in this document.
Clause 6: Audit Activities

This clause provides guidance on the planning and the way to perform audit activities as part of an audit program.

The audit team leader must: Hold briefing meetings with the audit team, when appropriate, to distribute tasks and decide possible changes.
Clause 7: Auditor Competence and Evaluation

This clause deals with auditor competences when conducting an audit.

Auditors must:

Have personal qualities, such as diplomacy, sincerity, perception, persistence, etc., for the audit to be conducted both professionally and correctly.

Have generic knowledge and skills, such as:
• Apply audit principles, procedures and techniques.
• Efficiently plan and organize work.
• Know local, regional and national codes, laws and guidelines.

Have an adequate level of education, work experience, training as an auditor and audit experience.

Maintain and continuously improve skills and competences.

Methods to Evaluate Auditors
Clause 7: Personal Attributes

a) Ethical, that is, fair, truthful, sincere, honest and discreet.
b) Open-minded, that is, willing to consider alternative ideas or points of view.
c) Diplomatic, that is, tactful when dealing with individuals.
d) Observant, that is, actively observing the physical surroundings and activities.
e) Perceptive, that is, aware of and able to understand situations.
f) Versatile, that is, able to adapt readily to different situations.
g) Persistent, that is, persevering and focused on reaching objectives.
h) Decisive, that is, able to reach timely conclusions based on logical reasoning and analysis.
i) Self-sufficient, that is, able to act and perform independently while interacting effectively with others.
j) Able to act with fortitude, that is, able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation.
k) Open to improvement, that is, willing to learn from situations.
l) Culturally sensitive, that is, attentive to and respectful of the culture of the auditee.
m) Collaborative, that is, interacting effectively with others, including audit team members and the auditee's staff.
Clause 7: Generic Knowledge and Skills

a) Audit principles, processes and methods: Knowledge and skills in this area enable the auditor to ensure that audits are conducted consistently and systematically.

An auditor must be able to:

• Understand the types of risks and opportunities associated with auditing and the principles of the risk-based approach to auditing.
• Plan and organize work effectively.
• Conduct the audit within the agreed time schedule.
• Prioritize and focus on matters of significance.
• Communicate effectively, orally and in writing (either personally or through interpreters).
• Collect information through effective interviewing, listening, observing and reviewing of documented information, including records and data.
• Understand the appropriateness and consequences of using sampling techniques for auditing.
• Understand and consider the opinions of technical experts.
• Audit a process from start to finish, including the interrelations with other processes and different functions, as required.
• Verify the relevance and accuracy of collected information.
• Confirm the sufficiency and appropriateness of the audit evidence to support audit findings and conclusions.
• Assess those factors that may affect the reliability of the audit findings and conclusions.
• Document audit activities and audit findings and prepare reports.
• Maintain the confidentiality and security of information.

b) Management system standards and other references: Knowledge and skills in this area enable the auditor to understand the audit scope and apply audit criteria, and cover the following:

• Management system standards and other guidance or supporting documents used to establish audit criteria or methods.
• The application of management system standards by the auditee and other organizations.
• Relations and interactions among management system processes.
• Understanding the importance and priority of multiple standards or references.
• Application of standards or references to different audit situations.

c) The organization and its context: Knowledge and skills in this area enable the auditor to understand the management structure, purpose and practices of the auditee, and must cover the following:
• The needs and expectations of relevant Interested Parties that impact the management system.
• Type of organization, governance, size, structure, functions and relationships.
• General business and management concepts, processes and related terminology, including planning, budgeting and staff management.
• Cultural and social aspects of the auditee.

d) Applicable legal and regulatory requirements and other requirements: Knowledge and skills in this area enable the auditor to be aware of, and work within, the organization's requirements. Knowledge and skills specific to the jurisdiction or to the activities, processes, products and services of the auditee must cover the following:

• Legal and regulatory requirements, as well as the related governmental agencies.
• Basic legal terminology.
• Contracting and liability.

NOTE: Awareness of legal and regulatory requirements does not imply legal expertise, and a management system audit must not be treated as a legal compliance audit.

Audit Program

ISO 19011 defines an audit program as the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.

• An audit program may include one or more audits, depending on the size, nature and complexity of the audited organization.
• The extent of an audit program must be based on the size and nature of the auditee, as well as on the nature, functionality, complexity, type of risks and opportunities, and the level of maturity of the management system(s) to be audited.
• To understand the context of the auditee, the audit program must consider:
  • Organizational objectives.
  • Relevant internal and external issues.
  • The needs and expectations of relevant Interested Parties.
  • Information confidentiality and security requirements.
Establishing Audit Program Objectives

The audit client must guarantee that audit program objectives are set up to lead the planning and
conduction of audits and it must guarantee that the audit program is effectively implemented.

The objectives of the audit program must be consistent with the strategic direction, objectives and management system policy of the audit client.

These objectives may be based on consideration of the following:

a) Pertinent Interested Parties needs and expectations, both internal and external.
b) Process, product, service, and project characteristics and requirements, as well as any changes in
them.
c) Management system requirements.
d) External suppliers assessment needs.
e) Performance level and maturity level of the management system or systems of the audited party,
as reflected on relevant performance indicators (e.g., KPI), the occurrence of non-conformities,
incidents or Interested Parties claims.
f) Identified risks and opportunities for the audited party.
g) Former audit results.

Determining and Evaluating Audit Program Risks and Opportunities

There are risks and opportunities related to the context of the auditee that may be associated with an audit program and may affect the achievement of its objectives.

The person responsible for the audit program must consider the following risks during the development of the program:

a) Planning, for instance, failure to set relevant audit objectives and to determine the extent, number, duration, locations and schedule of the audits.
b) Resources, for instance, allowing insufficient time and/or resources to develop the audit program or to conduct an audit.
c) Selection of the audit team, for instance, insufficient overall competence to conduct audits effectively.
d) Communication, for instance, ineffective external/internal communication processes or channels.
e) Implementation, for instance, ineffective coordination of the audits within the audit program, or not considering the security and confidentiality of the information.
f) Control of documented information, for instance, ineffective determination of the documented information required by auditors and relevant Interested Parties; failure to adequately protect audit records that demonstrate the effectiveness of the audit program.
g) Monitoring, reviewing and improving the audit program, for instance, ineffective follow-up of the audit program outcomes.
h) Availability and cooperation of the auditee, and availability of the evidence to be sampled.

Opportunities to improve the audit program may include:

a) Allow multiple audits in a single visit.
b) Minimize travelling time and distances to the site.
c) Make the level of competence of the audit team match the level of competence required to reach
the audit objectives.
d) Align audit dates with the availability of the audited party key staff.

Establishing the Audit Program


Roles and responsibilities of the staff that manages the audit program.

a) Determine the extension of the audit program according to the relevant objectives and any known
restriction.
b) Determine internal and external issues, as well as risks and opportunities that may affect the audit
program and implement actions to address them, integrating these actions to every relevant audit
activity, as corresponding.
ISO 27001 INTERNAL AUDITOR / LEAD AUDITOR I217001 IA/LA

c) Ensure the selection of the audit team and its overall competence to conduct the audit activities
through the assignment of tasks, responsibilities and authorities, with leadership support when
required.
d) Determine all relevant processes, including processes to:
• Coordinate and schedule all audits within the audit program.
• Establish audit objectives, scope(s) and criteria, determine the audit methods and select the audit team.
• Evaluate auditors.
• Establish internal and external communication processes, as required.
• Resolve disputes and handle complaints.
• Follow up audits, if required.
• Report to the audit client and to the relevant Interested Parties, if required.

e) Determine and ensure the provision of all required resources.

f) Ensure the preparation and maintenance of appropriate documented information, including
program records.

g) Monitor, review and improve the audit program.
h) Communicate the audit program to the audit client and, when required, to the relevant Interested
Parties.

The people who manage the audit program must submit it to the audit client for approval.

Competence of Individual(s) Managing Audit Programme


People who manage the audit program must have the competence required to manage the program,
its risks and opportunities, and the associated external and internal issues effectively and efficiently,
including knowledge of:
a) Audit principles, methods and processes.
b) Management system standards, other relevant standards and reference/guideline documents.
c) Information on the audited party and its context (for instance, external/internal issues, relevant
Interested Parties and their needs and expectations, and the audited party's commercial activities,
products, services and processes).
d) Applicable legal and regulatory requirements and other requirements relevant to the audited party's
commercial activities.

Establishing Extent of Audit Programme


People who manage the audit program must determine its extent. The extent may vary depending on
the information the audited party provides about its context.

Other factors that affect the extent of the audit program:

a) The objective, scope and duration of each audit, the number of audits to be conducted, the reporting
method and, if required, any audit follow-up.
b) The management system standards or other applicable criteria.
c) The number, importance, complexity, similarity and location of the activities to be audited.
d) Factors that affect the effectiveness of the management system.
e) Applicable audit criteria, such as the planned arrangements of the relevant management system
standards, legal and regulatory requirements, and other requirements to which the organization is
committed.
f) Results of previous internal or external audits and management reviews, if applicable.
g) Results of a previous review of the audit program.
h) Language, cultural and social issues.
i) Concerns of Interested Parties, such as customer complaints, non-compliance with legal and
regulatory requirements or with other requirements to which the organization is committed, or supply
chain issues.
j) Significant changes to the audited party's context or to its operations and the related risks and
opportunities.
k) Availability of information and communication technology to support the audit activities, in particular
the use of remote audit methods.
l) The occurrence of internal and external events, such as product or service non-conformities,
information security breaches, health and safety incidents, criminal acts or environmental incidents.
m) Business risks and opportunities, including the actions to address them.

Determining Audit Programme Resources

When determining the audit program resources, the people who manage the audit program must consider:

a) The financial resources and time required to develop, implement, manage and improve the audit
activities.
b) The audit methods.
c) The individual and overall availability of auditors and technical experts with the competence required
for the particular objectives of the audit program.
d) The extent of the audit program and its risks and opportunities.
e) The time and cost of travel, accommodation and other audit needs.
f) The impact of different time zones.
g) The availability of information and communication technologies (e.g., the technical resources
required to set up a remote audit using technologies that support remote collaboration).
h) The availability of any required tools, technology and equipment.
i) The availability of the required documented information, as determined when establishing the audit
program.
j) Requirements related to the facility, including secure areas and equipment (e.g., personal
protective equipment, among others).

Implementing Audit Program

a) Communicate the relevant parts of the audit program, including its risks and opportunities, to the
relevant parties, and periodically report progress through the established internal and external channels.
b) Define the objectives, scope and criteria for each individual audit.
c) Select the audit methods.
d) Coordinate and schedule the audits and other activities relevant to the audit program.
e) Ensure that the audit teams have the required competence.
f) Provide the individual and overall resources the audit teams need.
g) Ensure that audits are conducted according to the audit program, managing all risks, opportunities
and operational issues (that is, unexpected events) as they arise during the program's deployment.
h) Ensure that the documented information relevant to the audit activities is adequately managed and
maintained.
i) Define and implement the operational controls required to monitor the audit program.
j) Review the audit program to identify improvement opportunities.

Individual Audit Objective, Scope and Criteria Definition

Each individual audit must be based on defined audit objectives, scope, and criteria. They must be
consistent with the general objectives of the audit program.

Audit objectives define what is to be achieved through the individual audit and may include the
following:
a) Determination of the extent of conformity of the management system to be audited, or parts of it, with
the audit criteria.
b) Evaluation of the capability of the management system to help the organization meet the relevant
legal and regulatory requirements and any other requirements to which it is committed.
c) Evaluation of the effectiveness of the management system in achieving its intended results.
d) Identification of opportunities for potential improvement of the management system.
e) Evaluation of the suitability and adequacy of the management system with respect to the context and
strategic direction of the audited party.
f) Evaluation of the capability of the management system to establish and achieve objectives and to
effectively address risks and opportunities in a changing environment, including the implementation
of the related actions.

The audit scope must be coherent with the audit program and audit objectives.

Selecting and Determining Audit Methods

The individuals who manage the audit program must select and determine the methods to conduct an
audit effectively, depending on the defined audit objectives, scope and criteria.

Audits may be conducted on site, remotely, or as a combination of both. The use of these methods must be
suitably balanced, taking into account, among other things, the associated risks and opportunities.

If an audited party operates two or more management systems in different disciplines, combined
audits may be included in the audit program.

The individuals who manage the audit program must appoint the audit team members, including the
team leader and any technical expert required for the specific audit.

An audit team should be selected taking into account the competence needed to achieve the objectives
of the individual audit within the defined scope. If there is only one auditor, that auditor must perform
all the applicable duties of an audit team leader.

Responsibility Assignment to the Audit Team Leader for an Individual Audit

The people who manage the audit program must assign responsibility for performing each individual audit
to the audit team leader.

The assignment must be made sufficiently in advance of the scheduled audit date to ensure effective
audit planning.

For the audit to be conducted effectively, the audit team leader must be provided with the following
information:

a) Audit objectives.
b) Audit criteria and any relevant documented information.
c) Audit scope, including identification of the organization and of the functions and processes to be
audited.
d) Audit processes and associated methods.
e) Audit team composition.
f) Audited party contact details, and the locations, time frame and duration of the audit activities to be
conducted.
g) The resources required to conduct the audit.
h) The information required to evaluate and address the identified risks and opportunities to the
achievement of the audit objectives.
i) Information that supports the audit team leader in interacting with the audited party for the
effectiveness of the audit program.

Managing Audit Programme Results

The people who manage the audit program must ensure that the following activities are performed:

a) Evaluation of the achievement of the objectives for each audit within the audit program.
b) Review and approval of audit reports regarding fulfilment of the audit scope and objectives.
c) Review of the effectiveness of the actions taken to address the audit findings.
d) Distribution of audit reports to the relevant Interested Parties.
e) Determination of the need for any follow-up audit.

The people who manage the audit program must also consider, when required:
• Communicating the audit results and best practices to other areas of the organization.
• The implications for other processes.

Managing and Maintaining Audit Programme Records

People who manage the audit program must guarantee that audit records are generated, managed
and maintained to demonstrate the implementation of the audit program.

The records may include the following:

a) Records related to the audit program, such as:
• Audit schedule.
• Audit program objectives and scope.
• Records addressing the audit program risks and opportunities and the relevant internal and external
issues.
• Reviews of the effectiveness of the audit program.
b) Records related to each audit, such as:
• Audit plans and audit reports.
• Objective audit evidence and findings.
• Non-conformity reports.
• Reports on corrections and corrective actions.
• Audit follow-up reports.
c) Records related to the audit team, covering topics such as:
• Evaluation of the competence and performance of audit team members.
• Criteria for selecting the audit team and its members, and formation of the audit team.
• Maintenance and improvement of competence.

The people who manage the audit program must ensure the evaluation of:

a) Compliance with the audit program schedule and achievement of its objectives.
b) The performance of the audit team members, including the audit team leader and the technical experts.
c) The ability of the audit team to implement the audit plan.
d) Feedback from the audit client, the audited party, auditors, technical experts and other stakeholders.
e) The sufficiency and adequacy of documented information throughout the audit process.

Reviewing and Improving Audit Program

The people who manage the audit program and the audit client must review the audit program to
assess whether its objectives have been achieved.

The review of the audit program must consider the following:

a) Results and trends from monitoring the audit program.
b) Conformity with the audit program processes and the relevant documented information.
c) The evolving needs and expectations of the relevant stakeholders.
d) Audit program records.
e) Alternative or new audit methods.
f) Alternative or new methods for evaluating auditors.
g) The effectiveness of the actions to address the risks and opportunities and the internal and external
issues associated with the audit program.
h) Confidentiality and information security issues related to the audit program.

Establishing Contact with the Auditee

This is the responsibility of the audit team leader.

Purpose

a) Confirm the communication channels with the audited party's representatives.
b) Confirm the authority to conduct the audit.
c) Provide relevant information on the audit objectives, scope, criteria and methods and on the composition
of the audit team, including technical experts.
d) Request access to relevant information for planning purposes, including information on the risks and
opportunities the organization has identified and how they are addressed.
e) Determine the applicable legal and regulatory requirements and other requirements relevant to the
activities, processes, products and services to be audited.
f) Confirm the agreement with the audited party on the extent of disclosure and the treatment of
confidential information.
g) Plan the audit, including the schedule.
h) Determine any location-specific arrangements, such as access, health, safety and confidentiality, among
others.
i) Agree on the attendance of observers and on the need for guides or interpreters for the audit team.
j) Determine any areas of interest, concern or risk to the audited party in relation to the specific audit.
k) Resolve any issues with the audited party or the audit client concerning the composition of the audit team.

Determining Feasibility of Audit

The determination of feasibility must consider factors such as the availability of the following:

a) Sufficient and appropriate information to plan and conduct the audit.
b) Adequate cooperation from the audited party.
c) Adequate time and resources to conduct the audit.

Performing Review of Documented Information

Documented information must be reviewed to:

• Collect information to understand the audited party's operations and to prepare the audit activities and
the applicable audit work documents (see 6.3.4), for instance on processes and functions.
• Establish an overview of the extent of the documented information, to determine possible conformity
with the audit criteria and to detect possible areas of concern, such as deficiencies, omissions and conflicts.

Documented information must include, but not be limited to:


• Management system documents and records.
• Former audit reports.

The review must consider the context of the audited party organization, including size, nature, and
complexity as well as related risks and opportunities. It must also consider audit scope, criteria and
objectives.

Audit Planning
Risk-based approach to planning.

The audit team leader must adopt a risk-based approach to planning the audit, based on the audit program
information and on the documented information provided by the audited party.

When planning an audit, the audit team leader must consider the following:

a) The composition of the audit team and its general competence.


b) Appropriate sampling techniques.
c) Opportunities to improve the effectiveness and efficiency of the audit activities.
d) Risks to the achievement of the audit objectives caused by ineffective audit planning.
e) Risks to the audited party created by conducting the audit.

Audit Plan Details

Audit plans must address or refer to the following:

a) Audit objectives.
b) Audit scope, including identification of the organization and of the functions and processes to be audited.
c) Audit criteria and any reference documented information.
d) Physical and virtual locations, dates, expected time and duration of the audit activities to be
conducted, including meetings with the audited party's management.
e) The audit team's need to become familiar with the audited party's facilities and processes (e.g., by
visiting the physical locations or reviewing the information and communication technology).
f) The audit methods to be used, including the extent of audit sampling required to obtain sufficient audit
evidence.
g) The roles and responsibilities of the audit team members, guides, observers and interpreters.
h) The allocation of appropriate resources, based on consideration of the risks and opportunities
related to the activities to be audited.

Audit plans must also consider, as required:

• Identification of the audited party's representative for the audit.
• The working and reporting language of the audit, when it differs from the language of the auditor, the
audited party, or both.
• Audit report topics.
• Logistics and communication arrangements, including specific arrangements for the locations to be
audited.
• Any specific actions to address risks to the achievement of the audit objectives and opportunities that
might arise.
• Issues related to confidentiality and information security.
• Follow-up actions from a previous audit or from any other source, such as lessons learned and project
reviews.
• Any follow-up activities to the planned audit.
• Coordination with other audit activities, in the case of a joint audit.

Audit plans must include:
1. Audit objectives.
2. Audit scope.
3. Audit criteria.
4. Locations, dates, schedule and duration, including meetings with the audited party's management.
5. Roles and responsibilities of the audit team members, guides and observers.
6. Allocation of the required resources.
7. Identification of the audited party's representative.
8. Language.

The audit plan may be reviewed and accepted by the audit client and must be presented to the audited
party.

Workshop 1

• Audit plan draft.

Workshop 2

• Audit plan matrix.


Assigning Work to Audit Team

The audit team leader, in consultation with the audit team, assigns each team member responsibility for
auditing specific:
• Processes.
• Activities.
• Functions.
• Locations.

Assignments must take into account the need for:

• Independence and competence of the auditors.
• Effective use of resources.
• The different roles and responsibilities of auditors, auditors in training and technical experts.

Assigning Roles and Responsibilities of Guides and Observers

Guides and observers may accompany the audit team, subject to approval by the audit team leader,
the audit client and/or the audited party, as required.

They must not influence or interfere with the conduct of the audit. If this cannot be ensured, the audit
team leader must have the right to deny observers presence during certain audit activities.

The responsibilities of guides must include the following:

a) Helping auditors identify the individuals to be interviewed and confirming schedules and locations.
b) Arranging access to specific locations of the audited party.
c) Ensuring that audit team members and observers know and respect the rules for location-specific
arrangements, such as access, health, safety, environment, confidentiality and other matters,
addressing the related risks.
d) Witnessing the audit on behalf of the audited party, as required.
e) Providing clarifications or helping to collect information, when required.

Preparing Documented Information for Audit

Audit team members must collect and review the information relevant to their assigned tasks and prepare
work documents, as required, for reference and for recording audit evidence.

Checklist Possible Advantages

a) Ensure that nothing important is overlooked.
b) Help give continuity to the audit.
c) Help plan an efficient audit.
d) Help identify the most critical aspects of the system.
e) Help control the depth, continuity and pace of the audit.
f) Record positive and negative findings.
g) May provide a timely record for improvement.

Checklist Possible Disadvantages

h) Checklists prepared in advance may inhibit auditors.
i) Auditors may overlook important issues not included in the checklist.

Checklist Use

a) Treat the checklist as a memory aid.
b) Avoid feeling inhibited by it.
c) Write in full: checklists form part of the audit report.
d) Record the final conclusions.
e) Record improvement opportunities.
f) Record the specific identities of the samples examined.

Workshop 3

• Draft a checklist to audit the clauses pointed out by the instructor.

Conducting Opening Meeting


PURPOSE:
a) Confirm the agreement of all participants (e.g., the audited party and the audit team) to the audit plan.
b) Introduce the audit team and its roles.
c) Ensure that all planned audit activities can be performed.

POINTS TO CONSIDER:
• Audit objectives, scope and criteria.
• The audit plan and other relevant arrangements with the audited party, such as the date and time of the
closing meeting, any interim meetings between the audit team and the audited party's management,
and any required changes.
• Formal communication channels between the audit team and the audited party.
• The language to be used during the audit.
• How the audited party will be kept informed of audit progress throughout the audit.
• The resources and facilities the audit team requires.
• Issues related to confidentiality and information security.
• Relevant access, health, safety, security, emergency and other arrangements for the audit team.
• Site activities that may affect the audit activities.

Information on the following elements must be presented, as required:

• The method for reporting audit findings, including any grading criteria.
• The conditions under which the audit may be terminated.
• How possible findings during the audit will be handled.
• Any feedback from the audited party on audit findings and conclusions, including complaints or appeals.

Audited Party Documentation Review

The audited party's relevant documented information must be reviewed to:
• Determine the conformity of the system, as documented, with the audit criteria.
• Collect information to support the audit activities.

The review may be combined with other audit activities and may continue throughout the audit, provided
this does not harm the effectiveness of the audit.

If adequate documented information cannot be provided within the time frame set in the audit plan, the
audit team leader must inform both the people who manage the audit program and the audited party.
Depending on the audit objectives and scope, a decision must be made on whether the audit should
continue or be suspended until the documented information issues are resolved.

Communicating During an Audit

During an audit, it may be necessary to make formal arrangements for communication within the audit
team, as well as with the audited party, the audit client and potentially external parties (e.g., regulators),
especially where legal and regulatory requirements oblige non-compliance to be reported.

• The audit team must confer periodically to exchange information, assess audit progress and reassign
work among the audit team members, as required.
• During the audit, the audit team leader must periodically communicate the audit progress and any
concerns to the audited party.
• When the audit objectives cannot be achieved, the audit team leader must report the reasons to the
stakeholders so that appropriate action can be taken.
• Such action may include reconfirming or amending the audit plan, changing the objectives or scope, or
suspending the audit.
• Changes must be reviewed and approved by both the audit program manager and the audited party.

Methods to Collect Information

• Interviews.
• Observation of activities or worksites.
• Document review, including records.
• Records, such as security event occurrences, control effectiveness measurements, meeting minutes and
audit reports.
• Security incident data summaries, analyses and performance indicators.
• Reports from other sources, for instance data from regulatory bodies.

Figure: overview of a typical process, from the collection of information to the audit conclusions.

The Interview

a) Interviews must be conducted with people at appropriate levels and in appropriate roles who perform
activities or tasks within the audit scope.
b) Interviews must be conducted during normal working hours and, where practical, at the normal
workplace of the person being interviewed.
c) The person being interviewed must be put at ease before and during the interview.
d) The reason for the interview and for any notes taken must be explained.
e) The results of the interview must be reviewed and summarized with the interviewee.
f) Interviewees must be thanked for their participation and cooperation.

Auditor Key Questions

Types of Questions

• Were internal audits conducted?


• Is there a Management System policy?
• Has the Management System been communicated?
• Are you part of the internal audit team?
• Is the process conducted as documented?
• Where is information registered?
• What procedure?
• Do you know the policy?
• Does it comply with legislation?

Conducting an Audit

• Sample activities; do not focus on a single one.
• Look for evidence by observing what happens and reviewing records.
• Take full notes.
• Listen to the audited party's explanations.
• Write down and confirm findings and observations. If in doubt about compliance with a
requirement, ask some additional open questions.
• Always write down the details of what was observed or evidenced; for instance, the process
audited, record identifiers, order numbers, lot identification, document codes, etc.
• An open and friendly audit makes it easier to reach agreement that a problem exists.
• Verify whether the non-conformity is an isolated event.

Interview Conduction

• Be friendly.
• Put the interviewee at ease.
• Explain the reasons for the interview and for the notes taken.
• Start with a description of the activities.
• Do not ask leading questions (avoid yes/no questions).
• Thank the audited party.

Time Management

• Conduct first the most complex or difficult activities.


• Assign duties to other auditors.
• Get the habit of doing things immediately.
• Know the fatigue curve of the audited party and of the auditor.
• Set up time limits and comply with them.
• Be creative.

Management of Difficult Situations

• The person responsible for the process, or the audited party, does not attend the meeting.
• The audit plan foresaw visiting two facilities, but no vehicles or escorts are available.
• The audited party sidesteps the auditor's question; for instance, when asked how documents are
controlled, the audited party explains how records are controlled, even though records are only one
type of document.
• The audited party provides little information; for instance, the results for January through May are
requested and only the latest month's results are submitted.
• The audited party rephrases the auditor's questions.
• The audited party questions the auditor; for instance, "what you asked does not make sense".
• In the opening meeting there is no agreement on the object and scope of the audit.

Audit Results

Finding

• The result of evaluating the objective evidence collected against the set of policies, procedures or
requirements used as reference (the audit criteria).
• Recorded on the checklist as the response to the questions prepared.

Types of Findings
• Non-conformity
Non-fulfilment of a specified requirement.
• Observation
A situation that could potentially affect the management system.

Most Common Non-Conformities

• Documentation not found.
• Competence of personnel not evaluated.
• Inadequate controls implemented.
• Internal audit non-conformities not effectively closed.
• Corrective actions not reviewed by management.
• Deficiencies in the risk assessment methodology.
• Procedures not followed.

Non-Conformity Drafting

• Evidence: list of findings supported by objective evidence or witnessed by the audited party.
• Reference: the requirement of the standard and/or of the organization's manual or procedure. One
requirement at a time, the most applicable one.
• Conclusion: generic, brief, accurate and accepted by the audited party.
• Non-conformity: non-fulfilment of a requirement of the audited Standard.
• Observation: a finding detected in an audit that may become a non-conformity if left unaddressed.
• Improvement opportunity: a situation that does not represent a non-conformity but that the
organization may review, when it deems appropriate, to improve the effectiveness of the process.

Non-Conformity Drafting Formula

The report must contain, at least:
• An overview of the finding.
• A full and accurate description of what was observed.
• Examples of the audit evidence.
• A reference to the clause of the standard or of the organization's document.
• An explanation of the requirement of that clause or document.
• Each discrepancy must be attributed to only one clause of the standard, the most applicable one.
• Sometimes the only available reference is the organization's own documentation.
Audit Conclusions

The audit team must meet before the closing meeting to:
• Review the audit findings and any other appropriate information collected during the audit against the
audit objectives.
• Agree on the audit conclusions.
• Prepare recommendations, if required by the audit plan.

Audit conclusions may address issues such as:

• The extent of conformity with the audit criteria.
• The effective implementation, maintenance and improvement of the management system.
• The capability of the management review process to ensure the continuing suitability, adequacy,
effectiveness and improvement of the ISMS.

Audit Report

Must include:
• Audit objectives.
• Audit scope, in particular the identification of the organizational units or processes audited and the
audit period.
• Identification of contact persons.
• Identification of the audit team leader and the other auditors.
• Dates and locations of the audit activities.
• Audit criteria.
• Audit findings.
• Audit conclusions.

Closing Meeting
Facilitated by the lead auditor.

As required, the following must be explained to the audited party in the closing meeting:
a) That the evidence collected was based on a sample of the available information and is not necessarily
representative of the overall effectiveness of the audited party's processes.
b) The reporting method.
c) How the audit conclusions should be handled according to the agreed process.
d) The possible consequences of not adequately addressing the audit findings.
e) The audit findings and conclusions, presented so that the audited party's management understands
and acknowledges them.
f) Any related post-audit activities (e.g., implementation and review of corrective actions, handling of
audit complaints and appeal processes).
Preparing Audit Report

The audit team leader must report the audit conclusions according to the audit program.

The audit report must provide a complete, accurate, concise and clear audit record and include, or refer
to, the following:

a) Audit objectives.
b) Audit scope, in particular the identification of the organization (audited party) and of the functions or
processes audited.
c) Identification of the audit client.
d) Identification of the audit team and of the audited party's participants in the audit.
e) Dates and locations where the audit activities were conducted.
f) Audit criteria.
g) Audit findings and related evidence.
h) Audit conclusions.
i) A statement on the degree to which the audit criteria have been fulfilled.
j) Any unresolved diverging opinions between the audit team and the audited party.
k) A statement that audits are, by nature, a sampling exercise; as such, there is a risk that the audit
evidence examined is not representative.
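Item f) of the audit plan (the extent of sampling) and item k) of the report (the sampled nature of the evidence) are easier to apply with numbers attached. The Python script below is an added example, not part of the course material or of ISO 19011. It draws a reproducible random sample of record identifiers from a constructed population of user-access-review records (the identifiers, the population size of 240 and the two records assumed to lack approval are all invented for the example), examines each one with a constructed check, and computes the highest population non-conformity rate that is still consistent with what the sample showed, at 95% confidence. With no non-conformities found this is the "rule of three" (roughly 3/n); with some found it is the exact one-sided Clopper-Pearson bound. The sample is treated as binomial, which is slightly conservative for sampling without replacement from a finite population.

```python
import math
import random

# Constructed population: identifiers of user-access-review records for one
# review cycle (hypothetical names and size; not data from the course material).
ACCESS_REVIEW_RECORDS = [f"UAR-2024-{i:04d}" for i in range(1, 241)]

# Constructed outcome of examining each record: only these two records are
# assumed to lack the approver's sign-off (an assumption for the example).
MISSING_APPROVAL = {"UAR-2024-0057", "UAR-2024-0190"}


def select_sample(population, size, seed):
    """Simple random sample of record identifiers, without replacement.

    The seed is recorded alongside the sample so the selection can be reproduced
    and the identities of the records examined can be listed in the checklist.
    """
    if size > len(population):
        raise ValueError("sample size exceeds population")
    rng = random.Random(seed)
    return sorted(rng.sample(population, size))


def examine(record_id):
    """Constructed check: True when the record conforms (approval is present)."""
    return record_id not in MISSING_APPROVAL


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound_nonconformity_rate(failures, sample_size, confidence=0.95):
    """One-sided Clopper-Pearson upper confidence bound on the population
    non-conformity rate, given `failures` non-conforming items in a sample of
    `sample_size`. For zero failures this equals 1 - (1 - confidence)**(1/n),
    the exact form behind the 'rule of three' (about 3/n at 95 %)."""
    if failures >= sample_size:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the binomial CDF is decreasing in p
        mid = (lo + hi) / 2
        if binomial_cdf(failures, sample_size, mid) > alpha:
            lo = mid  # still too likely to see this few failures: p* is larger
        else:
            hi = mid
    return (lo + hi) / 2


def audit_sample(population, size, seed=20240917, confidence=0.95):
    """Draw the sample, examine it, and summarise what the evidence supports."""
    sample = select_sample(population, size, seed)
    nonconforming = [r for r in sample if not examine(r)]
    bound = upper_bound_nonconformity_rate(len(nonconforming), size, confidence)
    return {
        "seed": seed,                      # record this with the checklist
        "examined": sample,                # specific identities of the samples
        "nonconforming": nonconforming,
        "upper_bound_rate": bound,         # what the report can honestly claim
        "population_size": len(population),
    }


if __name__ == "__main__":
    for n in (10, 30, 60):
        result = audit_sample(ACCESS_REVIEW_RECORDS, n)
        print(f"n={n:3d} non-conforming={len(result['nonconforming'])} "
              f"-> population rate <= {result['upper_bound_rate']:.1%} at 95 % confidence")
```

Recording the seed and the sorted identifiers gives the checklist the specific identities of the samples examined and lets a follow-up audit re-examine exactly the same records. The bound is the honest content of statement k): thirty conforming records out of 240 only show that the non-conformity rate is below about 9.5%, not that the control operates correctly everywhere, and a single non-conformity in the same sample pushes that ceiling to roughly 15%.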

Distributing Audit Report

The audit report must be issued within the agreed time. If delayed, the reasons must be communicated
to the audited party and to the people who manage the audit program.

The audit report must be dated, reviewed and accepted, as required, in compliance with the audit
program.

The audit report must be distributed to the pertinent stakeholders in the audit program or audit plan.

When distributing the audit report, appropriate measures must be considered to guarantee
confidentiality.

Completing Audit

The audit is completed when the planned audit activities have been carried out, or as agreed with the audit
client (e.g., an unexpected situation may prevent the audit from being completed according to the
audit plan).

The relevant audit documented information must be retained or disposed of as agreed among the
stakeholders and in accordance with the audit program and applicable requirements.

Unless demanded by law, the audit team and people who manage the audit program must not disclose
any information obtained during the audit or the audit report, to any other party without the explicit
approval from the audit client and, when required, the approval of the audited party.

Lessons learned from audits may identify risks and opportunities for the audit program and for the audited
party.

Conducting Audit Follow-up

• The audit result may, depending on the audit objectives, indicate the need for corrections, corrective
actions or improvement opportunities. Such actions are generally decided and performed by the
audited party within an agreed term. As required, the audited party must keep the people who manage
the audit program and/or the audit team informed of the status of these actions.

• The completion and effectiveness of these actions must be verified. This verification may be part of
a later audit. The results must be reported to the person who manages the audit program and to the
audit client for management review.

Auditor responsibilities:

• Agree the follow-up audit date.
• Conduct the follow-up audit in line with the corrective and preventive actions.
• Present and report the follow-up audit results.
• Assess the effectiveness of the implemented corrective and preventive actions.

Workshop 4

• Depending on the format, draft the audit report.

Conclusions

The ISO 27001:2022 standard may be implemented in any type of organization because it provides a
methodology for implementing an Information Security Management System, and it also allows a company
to be certified for compliance with the standard, whose core purpose is to protect the confidentiality,
integrity and availability of the company's information. This is accomplished by investigating which
potential issues may affect the information (risk assessment) and then defining what must be done to
keep these issues from happening (risk treatment).

Therefore, the main philosophy of the ISO 27001:2022 Standard is based on risk management: investigate
where the risks are in order to treat them systematically.
www.certiprof.com