ISO 27001 Lead Auditor Training - Delegate Pack

Uploaded by Talha Farooqui

theknowledgeacademy

ISO 27001:2022 Lead Auditor

About Us
The world's largest provider of classroom and online
training courses
✓ World Class Training Solutions
✓ Subject Matter Experts
✓ Highest Quality Training Material
✓ Accelerated Learning Techniques
✓ Project, Programme, and Change Management, ITIL® Consultancy
✓ Bespoke Tailor Made Training Solutions
✓ PRINCE2®, MSP®, ITIL®, Soft Skills, and More
Course Syllabus

Module 1: Introduction to ISO 27001 (page 6)
Module 2: Information Security (page 11)
Module 3: Context of the Organisation (page 44)
Module 4: Leadership (page 49)
Module 5: Planning (page 53)
Module 6: Support (page 62)
Module 7: Operation (page 69)
Module 8: Performance Evaluation (page 73)
Module 9: Improvement (page 79)
Module 10: Introduction to Auditing (page 83)
Module 11: Performing ISO 27001 Audits (page 105)
Module 12: Internal Auditor (page 128)
Module 13: ISMS and the ISO 27001 Standards (page 144)
Module 14: Interaction with ISO 27005 (page 189)
Module 15: Roles and Responsibilities (page 197)
Module 16: Launch and Implement an ISMS (page 204)
Module 17: Risk Management (page 220)
Module 18: Risk Assessment and the SOA (page 228)
Module 19: Introduction to ISO 27001 Lead Auditor (page 239)
Module 20: Preparing and Planning an Audit (page 255)
Module 21: Reviewing Process and Qualities (page 269)
Module 22: Certification (page 281)
Module 23: Audit Triangle (page 300)
Module 24: Auditing Techniques (page 304)
Module 25: Tasks of an Auditor (page 308)

Module 1: Introduction to ISO 27001

✓ Introduction
✓ Compatibility with Other Management System Standards
✓ ISO 27001:2022 and its Clauses

Introduction
General

✓ This document has been prepared to provide the requirements for establishing, implementing, maintaining, and continually improving an information security management system.
✓ The adoption of an information security management system is a strategic decision for an organisation.
✓ The establishment and implementation of an organisation's information security management system are influenced by the organisation's needs and objectives, its security requirements, the organisational processes used, and the size and structure of the organisation.
✓ All of these influencing factors are expected to change over time.
✓ The information security management system preserves the confidentiality, integrity, and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.
Introduction

✓ It is important that the information security management system is part of, and integrated with, the organisation's processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.
✓ The implementation of an information security management system is expected to be scaled in accordance with the needs of the organisation.
✓ This document can be used by internal and external parties to assess the organisation's ability to meet its own information security requirements.
✓ The order in which the requirements are presented in this document does not reflect their importance or imply the order in which they are to be implemented.
Compatibility with Other Management System Standards

✓ To maintain compatibility with other management system standards that have adopted Annex SL, this document applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement.
✓ The common approach described in Annex SL will be helpful for organisations that choose to operate a single management system that satisfies the requirements of two or more management system standards.
ISO 27001:2022 and its Clauses
Clauses of ISO/IEC 27001

✓ Clause 1: Scope
✓ Clause 2: Normative references
✓ Clause 3: Terms and definitions

Clauses 1 to 3 are not directly audited against, but because they provide the context and definitions for the rest of the standard (not those of the organisation), their contents must be taken into account.
Module 2: Information Security

✓ What is Business?
✓ Industries
✓ Risk
✓ SWOT Analysis
✓ Constructs & Characteristics of Assets
✓ Security
✓ Privacy
✓ Triad of Information Security
✓ Cyber Security is Everyone's Responsibility
✓ Cybersecurity Landscape
✓ What is Information Security?
✓ Information Security Management
✓ Need of Information Security
✓ Threats to Information Security
✓ Active and Passive Attacks
What is Business?

✓ An organisation or economic system where goods and services are exchanged for one another or for money.
✓ Every business requires some form of investment and enough customers to whom its output can be sold on a consistent basis in order to make a profit.
✓ Businesses can be privately owned, not-for-profit, or publicly owned.
Industries

[Figure: industries word cloud. Labels: Utilities, Media, Food, Chemical, Education, Metal, Retail, Engineering, Cement, FMCG, BFSI, Oil, Manufacturing, Health Care, Pharma, Telecom, IT/ITES, Real Estate, Automobile]
Risk

[Figure: risk landscape diagram (threats and vulnerabilities feeding risks, with control types and frameworks). Threats: Ransomware, Malware, Theft, Sabotage, Natural Calamities, Supply Chain Attacks, Misuse, Fire, Disinformation, Misinformation, Social Engineering, Manmade Disaster, Internet Threats, Threats Against Data, Threats Against Systems & Network, Threats Against Availability (DDoS), ISMS Failure. Vulnerabilities: High User Knowledge of IT Systems, Lapse in Physical Security, Lack of Documentation. Control types: Deterrent, Preventive, Detective, Compensating, Corrective, Recovery, Directive. Frameworks: NIST CSF / ISO 27001:2022]
SWOT Analysis

[Figure: SWOT matrix]

                 Weaknesses        Strengths
Threats          Mini-Mini (WT)    Maxi-Mini (ST)
Opportunities    Mini-Maxi (WO)    Maxi-Maxi (SO)
Constructs & Characteristics of Assets

Data Assets
✓ Raw facts, figures & events (quantitative)
✓ Collected by observation & recording
✓ Stored in a specific location (physical)
✓ No context (little meaning until organised, arranged & developed)

Transformation (Information System)
✓ Set of people, processes, services & resources that collects & transforms data into information and disseminates & presents this information
✓ The "information system" or "ICT system"

Information Assets
✓ Transformed data (qualitative)
✓ Created by analysis and structured presentation of data
✓ Virtual (logical): not stored in a specific location
✓ Context (has meaning through organisation & presentation)
Security
To provide confidence & assurance:
✓ The business can depend upon and trust our technologies
✓ The business is not exposed to unacceptable risk
✓ The business can meet its objectives and grasp opportunities

To protect business assets:
✓ Technology, and our use of it, is 'secure'
✓ Information, and our use of it, is 'secure'

To support the business objectives:
✓ What is our mission?
✓ What are our strategic, tactical & operational business objectives?
Privacy
Protecting the privacy of information:
✓ Keep sensitive information off the network, if possible
✓ Encrypt sensitive information
✓ Protect access to your system
✓ Don't share sensitive information
✓ Password protection

Preventing unauthorised modification of information:
✓ Emails
✓ Data
✓ Digital downloads
✓ Log/audit files

Reliability/trustworthiness of information:
✓ Hijacked websites
✓ Email with modified content
✓ Corrupted files

Denial of Service attacks:
✓ Denial of Service attacks and Distributed Denial of Service attacks
✓ Expect the unexpected
✓ Beware of natural/manmade disasters
Triad of Information Security
Confidentiality, Integrity, and Availability (CIA) are the three main goals of information security programs.

1. Confidentiality

✓ Confidentiality means that information is not disclosed to groups, organisations, or processes that are not authorised.
✓ For instance, let's say I had a password for my Gmail account, but someone witnessed me logging in. In that case, both my password and confidentiality have been compromised.

2. Integrity

✓ Integrity means ensuring data accuracy and completeness. This means that information cannot be altered without authorisation.
✓ For instance, if an employee leaves an organisation, all relevant data for that employee should be updated to reflect JOB LEFT status in order to ensure that the data is accurate and complete. In addition, only authorised individuals should be permitted to edit employee data.

3. Availability

✓ Availability means that information must be accessible when required.
✓ For instance, working with various organisational teams such as network operations, development operations, incident response, and policy/change management is necessary if one needs to access information about a specific employee to determine whether they have exceeded the allowed number of leaves. One of the factors that can affect the accessibility of information is a denial of service attack.
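The Integrity goal above, and the earlier Privacy slide's point that log/audit files must be protected from unauthorised modification, can be made concrete with a tamper-evident audit trail. The Python below is an added example written for readers of this delegate pack; it is not part of the training material or of ISO/IEC 27001. Each record carries an HMAC over its own content and the previous record's tag, so editing, deleting or reordering any entry is detected on verification. The key, the HR audit events (the employee status change from the Integrity example) and the tampering scenarios are all constructed for illustration.

```python
"""Tamper-evident audit log: added example, not from the training deck.

Demonstrates the CIA 'Integrity' goal: information (here, an HR audit trail)
cannot be altered without authorisation going unnoticed. Each record is
chained to the previous one with an HMAC, so any edit, deletion or reordering
breaks the chain at the first affected entry. Key, events and tampering are
constructed sample values.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def _tag(key: bytes, prev_tag: str, record: Dict) -> str:
    # Canonical JSON (sorted keys) so an identical record always yields the same tag;
    # binding prev_tag into the input is what makes the log a chain.
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(key: bytes, log: List[Dict], record: Dict) -> Dict:
    """Append a record, chaining it to the previous entry's tag (or 'genesis')."""
    prev_tag = log[-1]["tag"] if log else "genesis"
    entry = {"record": dict(record), "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def verify_log(key: bytes, log: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev_tag = "genesis"
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return None


# Constructed sample: a hypothetical key and three HR-system audit events
SAMPLE_KEY = b"example-key-constructed-for-illustration"
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "actor": "hr.admin", "action": "update",
     "employee": "E1042", "field": "status", "value": "ACTIVE"},
    {"ts": "2024-03-01T17:30:00Z", "actor": "hr.admin", "action": "update",
     "employee": "E1042", "field": "status", "value": "JOB LEFT"},
    {"ts": "2024-03-02T08:15:00Z", "actor": "payroll", "action": "read",
     "employee": "E1042", "field": "status", "value": None},
]


def build_sample_log(key: bytes = SAMPLE_KEY) -> List[Dict]:
    log: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_record(key, log, event)
    return log


def demo_tamper(key: bytes = SAMPLE_KEY) -> Optional[int]:
    """Simulate an unauthorised edit (reverting the leaver to ACTIVE); verification flags entry 1."""
    log = build_sample_log(key)
    log[1]["record"]["value"] = "ACTIVE"
    return verify_log(key, log)


def demo_delete(key: bytes = SAMPLE_KEY) -> Optional[int]:
    """Deleting the middle record breaks the chain at the entry that followed it."""
    log = build_sample_log(key)
    del log[1]
    return verify_log(key, log)


if __name__ == "__main__":
    print("intact log, first bad index:", verify_log(SAMPLE_KEY, build_sample_log()))
    print("edited record, first bad index:", demo_tamper())
    print("deleted record, first bad index:", demo_delete())
```

The key must be held by a party other than the one writing the records (for example the SIEM or a separate logging host), otherwise whoever can edit the log can also re-tag it; that separation, not the hash itself, is what gives the auditor assurance that the evidence is complete and accurate.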
Cyber Security is Everyone's Responsibility
Cybersecurity is everyone's concern:

✓ Help your organisation
✓ Think: C-I-A
✓ Reduce loss
✓ Prevent fraud
✓ Protect customer information

Security breaches lead to:

✓ Reputation loss
✓ Financial loss
✓ Intellectual property loss
✓ Legislative breaches leading to legal action (cyber law)
✓ Loss of customer confidence
✓ Business interruption costs
Cybersecurity Landscape

[Figure: cybersecurity landscape mind map. Labels recovered from the slide: Data Protection, Secure Application Development, Physical Security, Network Design, 3rd Party Risk, 4th Party Risk, CASS, Assets Inventory, Cloud Security, Baseline Configuration, Secure System Build, Vulnerability Scan, Security Architecture, Federated Identity, Social Engineering, Access Control, Blue Team, Red Team, Applications Security, Cryptography, Risk Assessment, Identity Management, Security Engineering, Identity and Access Management, Privileged Access Management, Penetration Tests, Infrastructure, Frameworks & Standards (ISO/IEC, COBIT, NIST, SANS/CSC), Certifications, Data Centric Risk Assessment, Data Flow Map, Training, Conferences, Source Code Scan, Career Development, Industry Specific, DR, Laws and Regulations (Federal, State), Peer Groups, Self Study, Domains, Blackbox, Whitebox, BCP, Governance, Recovery, Executive Management Involvement, Detection, User Education, Audit, Prevention, Protection, Risk Informed, Reports & Scorecards, Threat Intelligence, SIEM, Active Training (New Skills), Company's Written Supervisory Procedures (WSPs), KPIs/KRIs, Security Operations, Defense, SOC, Policy, Awareness (Reinforced), External, Internal, Compliance & Enforcement, Incident Response, Data Leakage, Vulnerability Management, Procedures, Guidelines, Breach Notification, Contextual IOCs, Intel Sharing, Forensic, Standards, Containment, Eradication]
Information Security Management

✓ Information security encompasses more than just protecting data from unauthorised access.
✓ Information security is the practice of preventing unauthorised access, use, disclosure, disruption, modification, inspection, recording, or destruction of information. Information comes in both physical and digital forms.
✓ Information can be either physical or electronic. It can include your personal information, your social media profile, your mobile phone data, your biometrics, and so on.
✓ Information security therefore spans numerous research areas such as cryptography, mobile computing, cyber forensics, online social media, etc.
Information Security Management

Information security management is about preserving the 'Confidentiality, Integrity and Availability' of information and associated information processing facilities, whether that's systems, services, infrastructure or the physical locations. It ensures business continuity by minimising business damage through preventing and reducing the impact of security incidents.

C – Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes
I – Integrity: The property of safeguarding the accuracy and completeness of assets
A – Availability: The property of being accessible and usable upon demand by an authorised entity
Information Security Management
The purpose of the ISMS is to:

✓ Understand the organisation's needs and the necessity for establishing information security management policy and objectives
✓ Implement and operate controls and measures for managing the organisation's overall capability to manage information security incidents
✓ Monitor and review the performance and effectiveness of the ISMS
✓ Continually improve the organisation's information security based on objective measurement
Information Security Management
Rules for ISMS:

✓ A weak foundation amplifies risk.
✓ If a bad guy tricks you into running his code on your computer, it's not your computer anymore.
✓ There's always a bad guy out there who's smarter, more knowledgeable, or better-equipped than you.
✓ Know the enemy, think like the enemy.
✓ Know the business, not just the technology.
✓ Technology is only one-third of any solution.
✓ Every organisation must assume some risk.
Need of Information Security

✓ Information security also refers to the process of evaluating the available controls or countermeasures prompted by the vulnerabilities discovered, and identifying any area that requires further work.
✓ By preventing and reducing the effects of security incidents, data security management aims to ensure business continuity and reduce business damage.

The need for information security:

1. Preserving the organisation's functionality

✓ Organisational decision-makers are responsible for establishing policies and running their business in accordance with complicated, changing legislation, and with applications that are effective and capable.
Need of Information Security
2. Enabling the safe operation of applications

✓ The organisation is under tremendous pressure to obtain and run integrated, efficient, and capable applications.
✓ The modern organisation must establish an environment that protects the applications running on its IT systems, especially those applications that are crucial to the organisation's infrastructure.

3. Data protection for the organisation's collection and use

✓ In an organisation, data can exist in two states: at rest or in motion. Data in motion is data currently being used or processed by the system.
✓ Attackers are motivated to steal or corrupt data because of its value; the value and integrity of the organisation's data depend on protecting it. Both data in motion and data at rest are protected by information security.
Need of Information Security
4. Organisational technology asset protection

✓ Depending on its size and scope, the organisation must add infrastructure services. Organisational growth may create the need for a public key infrastructure (PKI), a comprehensive system of software and encryption techniques.
✓ In contrast to a small organisation, a large organisation uses a complex information security mechanism. Small businesses typically favour symmetric key data encryption.
Threats to Information Security

✓ Threats to information security can take many different forms, including software attacks, intellectual property theft, identity theft, equipment theft, information theft, sabotage, and information extortion.
✓ A threat is anything that has the potential to breach security, harm one or more valuable assets, or negatively alter, erase, or otherwise affect them.
✓ Attack & Breach:

Attack
✓ An attack is the exploitation of a vulnerability by a threat agent. In other words, an attack is any intentional attempt to exploit a vulnerability of an organisation's security infrastructure to cause damage, loss, or disclosure of assets.
✓ An attack can also be viewed as any violation of, or failure to adhere to, an organisation's security policy.

Breach
✓ A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result.
✓ A penetration is the condition in which a threat agent has gained access to an organisation's infrastructure through the circumvention of security controls and is able to directly imperil assets.
Threats to Information Security

✓ Software attacks include viruses, worms, Trojan horses, and other malware. Many users think that malware, viruses, worms, and bots are all the same.
✓ However, they are not identical; the only thing they have in common is that each is malicious software, and each behaves differently.
✓ Malware is a combination of the words malicious and software. Malware is therefore defined as malicious software, including intrusive program code or anything else created to harm a system.

Malware can be categorised into two groups:

1. Infection methods
2. Malware actions

The following list of malware is based on the manner of infection:

✓ Virus
✓ Worms
✓ Trojan
✓ Bots
Threats to Information Security
1. Virus

✓ Viruses can reproduce themselves and spread across the Internet by attaching to the host computer's software, such as music or video files.
✓ The Creeper virus was first identified on ARPANET. Examples of viruses include file viruses, macro viruses, boot sector viruses, stealth viruses, etc.

2. Worms

✓ Worms can also replicate themselves, but they do not attach themselves to the host computer's software.
✓ Worms are network-aware, which is their primary difference from viruses. They can quickly move from one machine to another if a network is available.
✓ They will not harm the target machine, but they might slow it down, for example by consuming hard disc space.
Threats to Information Security
3. Trojan

✓ A Trojan is conceptually unrelated to a virus or worm.
✓ The word "Trojan" originates from the Greek mythology tale of the "Trojan Horse", which relates how the Greeks entered the walled city of Troy by hiding their men inside a huge wooden horse that had been presented to the Trojans as a gift.
✓ The Trojans loved horses so much that they trusted the gift. The soldiers emerged during the night and began an internal uprising.
✓ Trojan software aims to conceal itself inside software that seems trustworthy. When executed, it carries out its mission of stealing information or performing whatever other function it was designed for.
Threats to Information Security
4. Bots

✓ Bots can be thought of as more advanced worms.
✓ They are automated processes designed for online interaction without human contact.
✓ Bots can be either benign or malicious. A malicious bot infects one host, after which it connects to the central server and relays commands to all other hosts linked to that botnet.
Threats to Information Security
Malware based on its actions:

✓ Adware
✓ Spyware
✓ Ransomware
✓ Rootkits
✓ Scareware
✓ Zombies

1. Adware

✓ Adware violates users' privacy even though it is not specifically dangerous.
✓ It displays adverts in particular programmes or on the desktop of a computer.
✓ It comes bundled with free software, which is how these developers primarily make money.
✓ Your preferences are tracked, and it shows you relevant ads.
✓ If harmful code is included in the software, the adware can monitor your computer's operations and possibly compromise it.

2. Ransomware

✓ Ransomware is malware that either locks the computer, rendering it partially or completely unusable, or encrypts all files. A screen is then displayed demanding money or a ransom.
Threats to Information Security
3. Spyware

✓ Spyware is a programme, or should we say software, that monitors internet activity and discloses the information to anyone who may be interested.
✓ Most frequently, spyware is delivered through viruses, Trojan horses, and worms. Once dropped, it establishes itself and keeps quiet to avoid being discovered.

4. Scareware

✓ Although it appears to be a programme that helps you fix your system, once the software is launched it will either infect or break your system.
✓ To frighten you into taking some sort of action, such as paying them to fix your system, the software displays an alarming message.
Threats to Information Security
5. Rootkits

✓ Rootkits are designed to obtain root access, usually referred to as administrative rights, on the user's system. Once they have root access, the attacker can steal anything, including confidential files and data.

6. Zombies

✓ Zombies operate similarly to spyware. The infection mechanism is the same, but instead of spying and stealing data they wait for a hacker's order.
Active and Passive Attacks
Active Attacks

An active attack attempts to alter system resources or affect their operation. Active attacks involve some modification of the data stream or the creation of a false statement.

Passive Attacks

A passive attack does not affect system resources but attempts to learn or make use of information from the system.

Eavesdropping and transmission monitoring are both passive attacks.
Module 3: Context of the Organisation

✓ Organisation and Its Context
✓ Needs and Expectations of Interested Parties
✓ Scope of the Information Security Management System
✓ Information Security Management System

Understanding the Organisation and Its Context

The organisation shall determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result of its information security management system.
Understanding the Needs and Expectations of Interested Parties
The organisation shall determine:

✓ The interested parties that are relevant to the information security management system
✓ The requirements of these interested parties that are relevant to information security
✓ Which of these requirements will be addressed through the information security management system
Determining the Scope of the Information Security Management System

✓ The organisation shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organisation shall consider:

o The external and internal issues
o The requirements
o The interfaces and dependencies between activities performed by the organisation and those performed by other organisations

✓ The scope shall be available as documented information.
Information Security Management System

✓ The organisation shall establish, implement, maintain, and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.
Module 4: Leadership

✓ Leadership and Commitment
✓ Policy
✓ Roles, Responsibilities, and Authorities

Leadership and Commitment

✓ Top management shall demonstrate leadership and commitment with respect to the information security management system by:

o Ensuring that the information security policy and objectives are established and are compatible with the organisation's strategic direction
o Ensuring that the information security management system requirements are integrated into the organisation's processes
o Ensuring that the resources needed for the information security management system are available
o Communicating the importance of effective information security management and of conforming to the information security management system requirements
o Ensuring that the information security management system achieves its intended result
o Directing and supporting persons to contribute to the effectiveness of the information security management system, and promoting continual improvement
o Supporting other relevant management roles to demonstrate their leadership in their areas of responsibility
Policy
✓ Top management shall establish an information security policy that:

o Is appropriate to the purpose of the organisation
o Includes information security objectives or provides the framework for setting information security objectives
o Includes a commitment to satisfy applicable information security requirements; and
o Includes a commitment to continual improvement of the information security management system

✓ The information security policy shall:

o Be available as documented information
o Be communicated within the organisation; and
o Be available to interested parties, as appropriate
Organisational Roles, Responsibilities, and Authorities

✓ Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organisation.
✓ Top management shall assign the responsibility and authority for:

o Ensuring that the information security management system conforms to the requirements of this document
o Reporting on the performance of the information security management system to top management
Module 5: Planning

✓ Actions to Address Risks and Opportunities
✓ Information Security Objectives and Planning to Achieve Them
✓ Planning of Changes

Actions to Address Risks and Opportunities
1. General

✓ When planning for the information security management system, the organisation shall consider the issues and requirements, and determine the risks and opportunities that need to be addressed to:

o Ensure the information security management system can achieve its intended result
o Prevent, or reduce, undesired effects
o Achieve continual improvement

✓ The organisation shall plan:

o Actions to address these risks and opportunities; and
o How to integrate and implement these actions into its information security management system processes; and
o How to evaluate the effectiveness of these actions
Actions to Address Risks and Opportunities
2. Information Security Risk Assessment

✓ An information security risk assessment process shall be defined and applied by the organisation that:

o Establishes and maintains information security risk criteria, which include:

❑ Criteria for risk acceptance; and
❑ Criteria for performing information security risk assessments

o Ensures that repeated information security risk assessments produce consistent, valid, and comparable results
Actions to Address Risks and Opportunities

o Identifies the information security risks:

❑ Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the information security management system; and
❑ Identify the risk owners

o Analyses the information security risks:

❑ Assess the potential consequences if the identified risks were to materialise
❑ Assess the realistic likelihood of the identified risks occurring; and
❑ Determine the levels of risk
Actions to Address Risks and Opportunities

o Evaluates the information security risks:

❑ Compare the results of the risk analysis with the risk criteria; and
❑ Prioritise the analysed risks for risk treatment

✓ The organisation shall retain documented information about the information security risk assessment process.
Actions to Address Risks and Opportunities
3. Information Security Risk Treatment

✓ An information security risk treatment process shall be defined and applied by the organisation that:

o Selects appropriate information security risk treatment options, taking account of the risk assessment results
o Determines all controls necessary to implement the chosen information security risk treatment options
o Compares the controls and verifies that no necessary controls have been omitted
o Produces a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether they are implemented or not, and justification for excluding any Annex A controls
o Formulates an information security risk treatment plan; and
o Obtains the risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks

✓ The organisation shall retain documented information about the information security risk treatment process.
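The risk assessment and risk treatment steps on the Planning slides above (fixed risk criteria so that repeated assessments are comparable, identification with a named risk owner, analysis of consequence and likelihood into a risk level, evaluation against the acceptance criteria, prioritisation for treatment, selection of controls, the Statement of Applicability with its inclusion and exclusion justifications, and risk-owner approval of the residual risk) can be exercised as a small risk register. The Python below is an added example written for readers of this delegate pack; it is not from the training material, from ISO/IEC 27001 or from any risk tool. The 1 to 5 scales, the acceptance threshold of 8, the three risks and owners, and the control identifiers CTL-01 to CTL-04 are all constructed placeholders, not Annex A controls.

```python
"""Risk assessment, treatment and Statement of Applicability: added example,
not from the training deck or the standard.

Mirrors the clause 6.1.2 / 6.1.3 steps described on the slides: risk criteria,
identification (with owners), analysis (likelihood x consequence = level),
evaluation against the acceptance criterion, prioritisation, control selection,
the Statement of Applicability, and owner approval of residual risk.
All scales, thresholds, risks and control ids are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Risk criteria: ordinal 1-5 scales and an acceptance threshold. Keeping these
# fixed between assessments is what makes repeated results consistent and comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # a level above this must be treated, not simply retained


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                        # every identified risk has a named risk owner
    likelihood: str
    consequence: str
    treatment: Optional[str] = None   # e.g. modify / retain / avoid / share
    controls: List[str] = field(default_factory=list)
    residual_level: Optional[int] = None
    owner_approved: bool = False      # owner accepts the residual risk

    @property
    def level(self) -> int:
        # Analysis step: combine assessed likelihood and consequence into a level
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def acceptable(self) -> bool:
        # Evaluation step: compare the analysed level with the risk criteria
        return self.level <= ACCEPTANCE_THRESHOLD


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Rank the risks that exceed the acceptance criterion, highest level first."""
    return sorted((r for r in risks if not r.acceptable), key=lambda r: -r.level)


def statement_of_applicability(risks: List[Risk], control_catalogue: Dict[str, str],
                               implemented: Dict[str, bool]) -> Dict[str, Dict]:
    """One row per catalogue control: applicable or not, justification, implementation status."""
    needed: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.controls:
            needed.setdefault(c, []).append(r.rid)
    soa: Dict[str, Dict] = {}
    for cid, title in control_catalogue.items():
        if cid in needed:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(needed[cid]),
                        "implemented": implemented.get(cid, False)}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no identified risk requires this control",
                        "implemented": False}
    return soa


def untreated_or_unapproved(risks: List[Risk]) -> List[str]:
    """Unacceptable risks that still lack a treatment option or the owner's residual-risk approval."""
    return [r.rid for r in risks
            if not r.acceptable and (r.treatment is None or not r.owner_approved)]


# Constructed sample register and a hypothetical control catalogue (ids are placeholders)
CONTROLS = {"CTL-01": "Backup and restore", "CTL-02": "Multi-factor authentication",
            "CTL-03": "Supplier security agreements", "CTL-04": "Clear desk policy"}


def build_sample_register() -> List[Risk]:
    r1 = Risk("R-01", "Ransomware encrypts the file server", "IT Manager", "possible", "severe",
              treatment="modify", controls=["CTL-01", "CTL-02"], residual_level=6, owner_approved=True)
    r2 = Risk("R-02", "Supplier breach exposes customer data", "Procurement Lead", "possible", "major",
              treatment="share", controls=["CTL-03"], residual_level=4, owner_approved=False)
    r3 = Risk("R-03", "Visitor reads printed HR records", "Facilities Lead", "unlikely", "minor")
    return [r1, r2, r3]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        print(f"{r.rid}: level {r.level}, owner {r.owner}, treatment {r.treatment}")
    print("needs attention before the plan is approved:", untreated_or_unapproved(register))
    for cid, row in statement_of_applicability(register, CONTROLS, {"CTL-01": True}).items():
        print(cid, row)
```

An auditor reviewing such a register looks for exactly the gaps the last function reports: an unacceptable risk with no treatment decision, a treatment plan the risk owner has not signed off, or an applicable control marked implemented with no evidence behind it.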
Information Security Objectives and Planning to Achieve Them

✓ The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:

o Be consistent with the information security policy
o Be measurable (if practicable)
o Take into account applicable information security requirements, and the results of risk assessment and risk treatment
o Be monitored
o Be communicated
o Be updated as appropriate
o Be available as documented information
Information Security Objectives and Planning to Achieve Them

✓ The organisation shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine:

o What will be done
o What resources will be required
o Who will be responsible
o When it will be completed; and
o How the results will be evaluated
Planning of Changes

➢ When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
Module 6: Support

✓ Resources
✓ Competence
✓ Awareness
✓ Communication
✓ Documented Information

Resources

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
Competence
✓ The organisation shall:

o Determine the necessary competence of person(s) doing work under its control that affects its information security performance
o Ensure that these persons are competent on the basis of appropriate education, training, or experience
o Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
o Retain appropriate documented information as evidence of competence
Awareness
✓ Individuals performing work under the
organisation's control shall be aware of the
following:

o The policy on information security

o Their contribution to the information


security management system's
effectiveness involves the advantages of
improved information security
performance

o The implications of failing to meet the


requirements of the information security
management system

Communication
✓ The organisation shall determine the need for internal and external communications relevant to the information security management system, including:

o What to communicate
o When to communicate
o With whom to communicate
o How to communicate

Documented Information
1. General

✓ The organisation's information security management system shall include:

o Documented information required by this International Standard
o Documented information determined by the organisation as being necessary for the effectiveness of the information security management system

2. Creating and Updating

✓ When creating and updating documented information, the organisation shall ensure appropriate:

o Identification and description (e.g. title, date, author, reference number)
o Format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
o Review and approval for suitability and adequacy

Documented Information
3. Control of documented information

✓ Documented information required by the information security management system and by this International Standard shall be controlled to ensure:

o It is available and suitable for use, where and when it is needed
o It is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)

✓ For the control of documented information, the organisation shall address the following activities, as applicable:

o Distribution, access, retrieval and use
o Storage and preservation, including preservation of legibility
o Control of changes (e.g. version control)
o Retention and disposition

✓ Documented information of external origin that the organisation determines to be necessary for planning and operating the ISMS shall be identified as appropriate and controlled

Module 7: Operation
✓ Operational Planning and Control
✓ Information Security Risk Assessment
✓ Information Security Risk Treatment

Operational Planning and Control
✓ Clause 8.1 is straightforward to evidence if the organisation has already 'shown its workings'

✓ In building the information security management system to meet requirements 6.1, 6.2 and in particular 7.5, so that the entire ISMS is well structured and documented, the organisation largely satisfies 8.1 at the same time

✓ The organisation is responsible for planning, implementing and controlling the processes needed to meet its information security requirements and to implement the actions determined in clause 6, and for controlling planned changes and reviewing the consequences of unintended changes

✓ Clause 8.1 also requires the organisation to ensure that externally provided processes, products or services relevant to the ISMS are controlled, so an auditor should ask how outsourced processes are identified and controlled

Information Security Risk Assessment
✓ Clause 8.2 is largely satisfied already where the organisation has evidenced its information security risk management work in line with requirements 6.1 and 6.2 and the whole ISMS is documented

✓ The organisation shall perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2, and shall retain documented information of the results
Information Security Risk Treatment
✓ Under clause 8.3, the organisation shall implement the information security risk treatment plan and retain documented information of the results of the risk treatment

✓ This requirement therefore ensures that the risk treatment process defined in clause 6.1.3 actually takes place

✓ The evidence should include a transparent audit trail of reviews and actions, showing how each risk has moved over time as the results of treatment investments emerge (which also gives the organisation and the auditor confidence that the risk treatments are achieving their objectives)

Module 8: Performance Evaluation
✓ Monitoring, Measurement, Analysis, and Evaluation
✓ Internal Audit
✓ Management Review

Monitoring, Measurement, Analysis, and Evaluation
✓ The organisation shall evaluate the information security performance and the effectiveness of the information security management system
✓ The organisation shall determine:
o What needs to be monitored and measured, including information security processes and controls
o The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results (the methods chosen should produce comparable and reproducible results)
o When the monitoring and measuring shall be performed
o Who shall monitor and measure
o When the results from monitoring and measurement shall be analysed and evaluated; and
o Who shall analyse and evaluate these results
✓ The organisation shall retain appropriate documented information as evidence of the results of monitoring and measurement

Internal Audit
✓ The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
✓ Conforms to
o The organisation's own requirements for its information security management system
o The requirements of this International Standard
✓ Is effectively implemented and maintained

Internal Audit
✓ The organisation shall:
o Plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting
o Ensure the audit programme takes into consideration the importance of the processes concerned and the results of previous audits
o Define the audit criteria and scope for each audit
o Select auditors and conduct audits that ensure the objectivity and impartiality of the audit process (auditors should not audit their own work)
o Ensure that the results of the audits are reported to relevant management
o Retain documented information as evidence of the audit programme and the audit results

Management Review
✓ Top management shall review the organisation's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness
✓ The management review shall include consideration of:
✓ The status of actions from previous management reviews
✓ Changes in external and internal issues that are relevant to the information security management system
✓ Changes in the needs and expectations of interested parties that are relevant to the ISMS (added in the 2022 edition)
✓ Feedback on the information security performance, including trends in:
o Nonconformities and corrective actions
o Monitoring and measurement results
o Audit results
o Fulfilment of information security objectives

Management Review
✓ Feedback from interested parties

✓ Results of risk assessment and the status of the risk treatment plan

✓ Opportunities for continual improvement

✓ The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system

✓ The organisation shall retain documented information as evidence of the results of management reviews

Module 9: Improvement
✓ Nonconformity and Corrective Action
✓ Continual Improvement

Nonconformity and Corrective Action
When a nonconformity occurs, the organisation shall:
✓ React to the nonconformity, and as applicable:
o Take action to control and correct it, and
o Deal with the consequences
✓ Evaluate the need for action to eliminate the causes of the nonconformity, so that it does not recur or occur elsewhere, by:
o Reviewing the nonconformity
o Determining the causes of the nonconformity
o Determining whether similar nonconformities exist, or could potentially occur

Nonconformity and Corrective Action
✓ Implement any action needed

✓ Review the effectiveness of any corrective action taken

✓ Make changes to the information security management system, if necessary

o Corrective actions shall be appropriate to the effects of the nonconformities encountered

o The organisation shall retain documented information as evidence of:

✓ The nature of the nonconformities and any subsequent actions taken

✓ The results of any corrective action

Continual Improvement

The organisation shall continually improve the suitability, adequacy and effectiveness of the information security management system; continual improvement is fundamental to achieving and sustaining effective information security

Module 10: Introduction to Auditing
✓ Internal Audit Charter
✓ Communicate with Organisation and Audit Committee
✓ Auditing Reflects
✓ General and Internal Auditing Standards and Guidance
✓ Auditing Types
✓ Auditing Techniques
✓ Auditing Principles
✓ Phases of Audit

Internal Audit Charter
An internal audit charter typically sets out:

✓ Statement of purpose
✓ Roles and responsibilities
✓ Reporting relationships
✓ Points of contact
✓ Programme activities
✓ Reporting requirements

Communicate with Organisation and Audit Committee
The audit function's programme activities include:

✓ Develop strategy
✓ Create audit plans
✓ Select tools and protocols
✓ Manage, train, and assign auditors
✓ Conduct audits
✓ Produce findings and reports
✓ Assess and improve programme quality

Auditing Reflects
✓ Organisational policy

✓ Programme perspectives on what to audit and how different types of audits are conducted

✓ Applicable auditing standards; Generally Accepted Auditing Standards (GAAS) are an example of such standards

✓ Applicable subject matter knowledge

General and Internal Auditing Standards and Guidance

IT auditing draws on several sources of standards and guidance:

✓ Technical guidance
✓ Procedural guidance
✓ Auditor guidance
✓ Policy and programme guidance
✓ Industry guidance
✓ Domain knowledge

Auditing Types
First Party Audit
✓ An internal audit: the organisation audits itself, using its own staff (or a contractor acting on its behalf) to check its own management system
Second Party Audit
✓ An external audit performed by, or on behalf of, a party with an interest in the organisation, typically a customer auditing a supplier to verify that an agreed contract or standard is being met
Third Party Audit
✓ An external audit performed by an independent body with no stake in the relationship, such as a certification body auditing an organisation for ISO 27001 certification, or a regulator checking compliance with legislation

Auditing Techniques
✓ ISO auditors use a variety of audit techniques to obtain the required objective evidence and achieve the objectives of each internal audit session. Some of these techniques are as follows:
Sampling
✓ This technique is one of the most efficient ways to achieve audit objectives
✓ Auditors must be able to reach valid conclusions about large systems. However, it is often impractical or too costly to examine every single item in a large system
✓ There may be too many items to examine, or they may be spread over a large geographical area
✓ As a result, auditors work with smaller samples

Auditing Techniques
✓ Sampling can be further divided into two types:
Judgement-Based Sampling
✓ Judgement-based sampling depends on the knowledge, skill and experience of the audit team members. When using this approach, auditors use their professional judgement to select audit samples; the conclusions are therefore not statistically projectable to the whole population
Statistical Sampling
✓ A statistical sampling plan should help you achieve your audit objectives and should be based on what is known about the characteristics that define the population you intend to study (its size, the tolerable deviation rate, and the confidence level required)
✓ ISO 19011 mentions two statistical sampling techniques: attribute-based sampling and variable-based sampling
✓ Attribute-based sampling is used when there are two possible outcomes (attributes) for each sampled item: yes/no, pass/fail, correct/incorrect
✓ Variable-based sampling is used when the outcomes occur along a continuous range of values
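As an added worked example (not part of the original course material), the following Python implements an attribute-based sampling plan of the kind described above: it computes the sample size needed for a chosen tolerable deviation rate and confidence level, and turns the number of deviations actually found into a conclusion about the whole population. The leaver-record population, the function names and the 5% tolerable rate are constructed assumptions for illustration; the bound used is the exact one-sided Clopper-Pearson upper limit from the binomial distribution, so no statistics library is required.

```python
"""Attribute-based sampling for an ISMS audit (added example).

Each sampled item has a yes/no outcome, for instance "was this leaver's
account disabled within one working day?". An auditor needs two numbers:
how big the sample must be for a given tolerable deviation rate and
confidence level, and what the deviations found in the sample allow
them to conclude about the population they were drawn from.
"""
from math import comb
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound(deviations, sample_size, confidence=0.95):
    """One-sided upper confidence bound on the population deviation rate.

    It is the largest rate p for which seeing `deviations` or fewer
    failures in `sample_size` items is still plausible, i.e.
    P(X <= deviations | p) >= 1 - confidence. Found by bisection.
    """
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, sample_size, mid) >= 1 - confidence:
            lo = mid
        else:
            hi = mid
    return lo


def minimum_sample_size(tolerable_rate, confidence=0.95, expected_deviations=0):
    """Smallest sample such that, if no more than `expected_deviations`
    are found, the upper bound stays at or below the tolerable rate."""
    n = expected_deviations + 1
    while upper_bound(expected_deviations, n, confidence) > tolerable_rate:
        n += 1
    return n


def evaluate_sample(results, tolerable_rate, confidence=0.95):
    """Decide whether the control can be relied on.

    `results` lists the per-item outcomes (True = conforms). The control
    is accepted only if the upper bound on the population deviation rate
    is within the tolerable rate fixed in the audit plan.
    """
    n = len(results)
    deviations = sum(1 for ok in results if not ok)
    bound = upper_bound(deviations, n, confidence)
    return {
        "sample_size": n,
        "deviations": deviations,
        "observed_rate": deviations / n,
        "upper_bound": round(bound, 4),
        "accepted": bound <= tolerable_rate,
    }


def draw_sample(population, sample_size, seed):
    """Random selection so every item has an equal chance of being picked.
    A fixed seed lets the selection be reproduced in the working papers."""
    return random.Random(seed).sample(population, sample_size)


if __name__ == "__main__":
    # Constructed population: 400 leaver records, 12 of which (every
    # 33rd) were not disabled in time. Hypothetical data, not a real audit.
    population = [("LVR-%04d" % i, i % 33 != 0) for i in range(1, 401)]
    tolerable, confidence = 0.05, 0.95
    n = minimum_sample_size(tolerable, confidence)  # zero expected deviations
    sample = draw_sample(population, n, seed=2024)
    verdict = evaluate_sample([ok for _, ok in sample], tolerable, confidence)
    print("sample size needed:", n)
    print("verdict:", verdict)
```

With a 5% tolerable deviation rate at 95% confidence, a sample that is expected to contain no deviations needs 59 items, and one that allows for a single deviation needs 93 (the familiar figures from attribute-sampling tables). Finding two deviations in a sample of 59 pushes the upper bound well above 5%, so the auditor cannot conclude that the control is effective and should either extend the sample or raise a finding.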

Auditing Techniques
Observation
✓ Auditors can observe a work process in action, or inspect a physical feature of the premises, to determine whether a method is effective in achieving its intended results
✓ This can be passive observation while individuals carry on their work, or a directed walkthrough in which the auditor asks questions to gain a better understanding
Testing
✓ In some situations, sampling or observing live data will not be possible, for instance if performing an activity would generate unnecessary risk or too much disruption to the organisation; in such cases the auditor tests the control in a controlled way, for example on test data or a non-production system, and records the test conditions as part of the evidence

Auditing Techniques
Interview
✓ Demonstrating the commitment of the organisation's leadership is a major requirement, and one way to audit this is through interviews
✓ Auditors can meet with individuals from across the organisation to ask them about various aspects of the management system
✓ This is an excellent way to test awareness of critical policies and procedures

Data Analytics (the analysis of raw data in order to draw conclusions about that information)
✓ Some processes generate a large amount of data, which can be examined to determine whether an intended result has been achieved; unlike sampling, every record can be tested against the rule the control is meant to enforce
✓ This is a more technical method, but it can be a very beneficial technique
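As an added example (not from the course material), here is the kind of data-analytics check an auditor might run over a complete system export rather than a sample. The access-request export, its column names and the three rules tested (an approval exists, the approver is not the requester, and the approval was recorded before the grant) are constructed assumptions for illustration; a real export would have its own format and the rules would come from the organisation's own access control procedure.

```python
"""Data-analytics test of an access provisioning control (added example).

Every record in the export is checked against the rule the control is
supposed to enforce, so the result is a complete list of exceptions
rather than a statistical estimate. Constructed data, not a real export.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed access-request export with hypothetical column names.
ACCESS_EXPORT = """\
ticket,requester,approver,approved_at,granted_at,system
AR-1001,alice,bob,2024-03-01T09:00,2024-03-01T10:15,crm
AR-1002,carol,carol,2024-03-02T11:00,2024-03-02T11:05,erp
AR-1003,dave,,,2024-03-03T08:30,crm
AR-1004,erin,frank,2024-03-04T16:00,2024-03-04T15:20,hr
AR-1005,grace,heidi,2024-03-05T10:00,2024-03-05T10:30,erp
"""


def parse_ts(value):
    """Parse the export's timestamp format; empty cells become None."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M") if value else None


def check_access_grants(export_text):
    """Test every grant in the export against the approval rules.

    Returns (exceptions, stats): exceptions is a list of (ticket, rule
    broken) in export order; stats summarises the population tested.
    """
    exceptions = []
    total = 0
    for row in csv.DictReader(StringIO(export_text)):
        total += 1
        approved = parse_ts(row["approved_at"])
        granted = parse_ts(row["granted_at"])
        # Rule 1: a grant without any recorded approval is an exception
        # regardless of anything else on the row.
        if not row["approver"] or approved is None:
            exceptions.append((row["ticket"], "no approval recorded"))
            continue
        # Rule 2: segregation of duties, the requester may not approve.
        if row["approver"] == row["requester"]:
            exceptions.append((row["ticket"], "self-approved"))
        # Rule 3: approval must precede the grant (a later approval is a
        # retrospective sign-off, not a control).
        if granted is not None and granted < approved:
            exceptions.append((row["ticket"], "granted before approval"))
    stats = {
        "records": total,
        "exceptions": len(exceptions),
        "exception_rate": len(exceptions) / total if total else 0.0,
    }
    return exceptions, stats


if __name__ == "__main__":
    found, summary = check_access_grants(ACCESS_EXPORT)
    for ticket, rule in found:
        print(f"{ticket}: {rule}")
    print(summary)
```

Each exception is an audit finding with its evidence already attached (the ticket reference and the rule it breaks), which is exactly what the later slides ask for in a reliable finding. The same pattern applies to any control that leaves a machine-readable trail, such as leaver deprovisioning, patch deployment or backup job completion.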

Auditing Techniques
Onsite vs Offsite
✓ Most audits are performed on-site, but with the emergence of video conferencing and remote document review, remote execution of some of the above techniques is becoming increasingly feasible
✓ At the planning stage of the audit programme, the balance between on-site and off-site audit activities should be carefully considered, remembering that some audit techniques (such as physical observation of the premises) can only be performed on-site
Human Interaction vs No Human Interaction
✓ Individuals are an essential part of an organisation's ISMS and are also key to discovering what is actually happening within a management system
✓ Most audit time will therefore be spent working with members of the site being audited

Auditing Principles
✓ The main principles of auditing are:

✓ Planning
✓ Honesty (integrity)
✓ Impartiality
✓ Confidentiality
✓ Consistency
✓ Legal framework
✓ Internal controls
✓ Report

Auditing Principles
✓ Planning: An auditor must take into account the system as well as its internal control procedures, and plan the audit accordingly

✓ Honesty: Honesty and sincerity are important principles in auditing. The professional integrity of an auditor must be beyond doubt

✓ Impartiality: The auditor's attitude must be impartial. Their personal views may not influence or affect the audit report

✓ Confidentiality: Information acquired during the audit must be kept confidential. An auditor may not disclose it to a third party without proper authorisation
✓ Consistency: In the case of information security audits, the auditor must follow the same processes in subsequent years. There should be consistency between audits

Auditing Principles
✓ Legal Framework: Business activities must run within the applicable rules and regulations. The rule of law must be applied to protect the rights of interested parties
✓ Internal Controls: The auditor examines the internal controls governing information security and ensures that evidence exists of the controls being used (e.g. records of resolved incidents)
✓ Report: A report should be prepared by the auditor at the end of an audit. The auditor can draw conclusions and disclose relevant facts and figures as general information

Auditing Principles
✓ The techniques for auditing are:

1. Examination of record
2. Inquiry
3. Sampling
4. Confirmation
5. Analytical review

Auditing Principles
✓ Examination of Record: This is commonly done by auditors. Documentation is inspected to verify the validity of data; in an ISO audit the focus should be on documentation and records

✓ Inquiry: An auditor can make inquiries of, or interview, others. An auditor can gather information from those inside and outside the organisation, often through the designated contact

✓ Sampling: An auditor can select certain items from all of the available information to create samples. This allows the auditor to obtain and evaluate evidence that can be extrapolated to the population, which is helpful in forming conclusions

Auditing Principles
✓ Confirmation: To ensure the accuracy of data, an auditor collects information from stakeholders. Confirmation is a response to an inquiry that corroborates certain recorded data

✓ Analytical Review: This consists of studying significant ratios and trends, and investigating changes. This review procedure is based on the expectation of a relationship between past and present data

Phases of Audit
There are several phases to an internal audit:

✓ Preparation and planning
✓ Execution and fieldwork
✓ Recording and reporting
✓ Follow-up and closure

Phases of Audit
Audit Preparation

✓ Audit preparation consists of everything that is done in advance by the interested parties, such as the auditor, the lead auditor, the client and the audit programme manager, to ensure that the audit meets its goals

✓ The preparation stage of an audit begins with the decision to conduct the audit and ends when the audit itself begins

Phases of Audit
Audit Performance

✓ Audit performance is the evidence-collection stage of the audit and covers the period from arrival at the audit location up to the exit meeting

✓ It consists of activities including:

o The on-site audit management meeting with the auditee
o Understanding the process and system controls
o Verifying that these controls work
o Communicating among team members
o Communicating with the auditee

Phases of Audit
Audit Reporting

✓ The purpose of the audit report is to communicate the results of the investigation

✓ The report should provide accurate and clear information that will be effective as a management aid in addressing important organisational issues

Phases of Audit
Audit Follow-up and Closure

✓ The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client, and the report has been issued

✓ Follow-up occurs after the audit is completed, to check that the concerns raised in the audit have been effectively addressed

✓ The audit cannot be closed until satisfactory evidence has been obtained that the concerns have been addressed

Module 11: Performing ISO 27001 Audits
✓ Preparing an Audit Report
✓ Assessment of Audit Reports and Documents
✓ Report Preparation, Findings, Reconciliation, and Conclusions
✓ Reviewing Documents and Reports
✓ Auditing Procedures
✓ Classifying Findings

Preparing an Audit Report
✓ The audit scope should be broken down in the ISMS audit plan/checklist. This should include timings and priorities

✓ Resourcing should be negotiated and agreed with the management of the organisation and the audit team

✓ Preliminary bookings should be made for formal audit report meetings/discussions, allowing participants to confirm attendance

✓ Specific "checkpoints" should be put in place to give auditors and management contacts opportunities to meet for discussion

Assessment of Audit Reports and Documents
✓ The internal audit is one of the key activities in ISO 27001, providing assurance that the information security management system (ISMS) is working effectively and as intended
✓ An audit report is read by
o People who were audited, or were present at the closing meeting
o Senior management who were not present at the audit and review it afterwards
o The audit report needs to address the needs of both audiences
✓ The report is required to contain
o The findings of the audit team, supported by evidence
o The auditors' opinion as to whether the auditee conforms to ISO 27001
o Any concerns raised and the corrective measures required

Assessment of Audit Reports and Documents
✓ ISO 19011 recommends that the following items are included in the audit report:

✓ Audit client
✓ Audit objectives
✓ Audit scope
✓ Audit dates and places
✓ Audit criteria
✓ Audit findings
✓ Audit conclusions

Assessment of Audit Reports and Documents
The following information is also useful in an internal audit report:

01 Summary of the audit process and any obstacles encountered
02 The audit plan
03 Any disagreement between auditor and auditee
04 Any areas not covered
05 Agreed follow-up plans
06 Opportunities for improvement

Preparing an Audit Report
✓ What to include?

Title and introduction
• Scope
• Objectives

Timescale of audit
• Nature and extent of the audit

Executive summary
• Key findings
• Summary analysis and commentary
• Conclusion(s) drawn from the internal audit

Recipients and document classification
• Confidential findings viewable only by specified recipients
• Instructions on how to circulate the documentation

Credentials
• How did the internal auditors carry out their audit?
• Who are the internal auditors?

Preparing an Audit Report

Findings and analysis
• Detailed information on findings and in-depth analysis
• Supporting evidence cited, where required
• Findings categorised by severity

Conclusions and recommendations
• Detailed summary of proposals (and possible action plans)
• Written with consideration for the organisation's own practices

Limitations
• Does the auditor have any reservations about the audit that was conducted?
• Were there any limitations that may have hindered the process?

Report Preparation, Findings, Reconciliation, and Conclusions

✓ Below is the list of items that should be included in an audit report

Audit Objectives

✓ What is the purpose of the audit?

✓ Is this a regular audit of a process, or a follow-up on a corrective action?

✓ All audits are performed to demonstrate conformity with the requirements, but was anything else being assessed?

Report Preparation, Findings, Reconciliation, and Conclusions

Audit Scope
✓ What were the boundaries of the audit?
✓ If more than one site, team or processing line uses the process, how many were audited?
✓ Was a night shift or evening shift excluded?
Audit Client
✓ Who was the process owner (or owners) that the audit was performed for?
Audit Criteria
✓ What were the processes audited against? For instance, this could be the ISO 27001 standard, internal company procedures and policies, or customer requirements

Report Preparation, Findings, Reconciliation, and Conclusions

Audit Dates and Places

✓ It is essential to be able to demonstrate the timeframe in which all of your audits of the system took place. Also, for management review, it may be important to know the chronology of the audits being reviewed

Audit Findings

✓ What are the results of the evidence found? It is important to include the audit evidence for these findings, including the reference numbers of the records (e.g. contracts or tickets) that were reviewed, but leave out the names of the people who were audited

Report Preparation, Findings, Reconciliation, and Conclusions

Audit Conclusions

✓ What is the summary of the outcome of the audit?

✓ Were there too many findings to conclude that the process was properly implemented?

✓ What is the assessment, from this audit, of the effectiveness of the ISMS?

Auditing Procedures
The following activities/steps are carried out in the procedure:

STEP 1: PREPARE ANNUAL AUDIT PLAN

Responsibility: ISMS Audit Team
Input:
• Security-related incidents that have occurred since the last audit
• Security-related personnel problems that have occurred since the last audit
• Results of any risk assessment initiated since the last audit, and discussion of the proposed controls
• Designation of processes or people to manage risk
• Proposed changes to the security policy
• Progress reports on the implementation of previously agreed actions
Actions:
• The ISMS Audit Team prepares the Annual Audit Plan, which covers the types of audit as well as their frequency and the audit methods. The annual audit plan takes into consideration the importance and status of the areas and processes to be audited, the risk assessment report, and the results of earlier audits
Output: Annual Audit Plan

Auditing Procedures

STEP 2: SUBMIT PLAN FOR APPROVAL

Responsibility: ISMS Audit Team
Input:
• Annual Audit Plan
Actions:
• The ISMS Audit Team submits the plan to the ISMS Manager for approval. Once the annual audit plan has been approved, the ISMS Audit Team communicates the plan to the interested parties
Output:
• When approved: proceed to step 3
• When not approved: return to step 1

Auditing Procedures

STEP 3: PREPARE FOR AUDIT

Responsibility: ISMS Audit Team
Input:
• Annual Audit Plan
• Periodic audit
• Ad-hoc audit
Actions:
• The ISMS Audit Team gathers and studies earlier audit findings and any outstanding concerns. The team also prepares all the relevant documents that will be required to carry out the audit. Work programmes or checklists are instrumental in making the audit thorough, efficient and uniform
• Periodic audit work programmes/checklists should be in-depth and based on ISO 27001, following a predefined path and checking adherence to the controls. Follow-up audit work programmes/checklists should be limited to the findings of the related audit. Ad-hoc audit work programmes/checklists should always be focused on the trigger event, so an ad-hoc audit checklist should be created afresh before every ad-hoc audit
Output:
• ISMS Audit Checklist

Auditing Procedures
STEP 4: CONDUCT AUDIT AND RECORD FINDINGS

Responsibility: ISMS Audit Team
Input:
• ISMS Audit Checklist
• Annual Audit Plan
Actions:
• The ISMS Audit Team conducts the audit and completes the pre-defined audit report. During the course of the audit, the ISMS Audit Team seeks objective evidence to determine that:
o The information security policy is an accurate reflection of the needs of the business
o A proper risk assessment methodology is used
o Documented processes are being followed and are meeting their intended goals
o Technical controls are in place, correctly configured and working as planned
o Residual risk is assessed correctly and is acceptable to the company's management
o Actions agreed from earlier audits and reviews have been carried out
o The ISMS conforms to ISO 27001
Output:
• Audit Findings (if any)

Auditing Procedures

STEP 5: CREATE AND ARCHIVE AUDIT REPORT

Responsibility: ISMS Audit Team
Input:
• ISMS Audit Checklist
• Annual Audit Plan
Actions:
• The ISMS Audit Team writes the audit report based on the audit findings. The report covers nonconformities, high residual risks, unresolved issues, etc. Audit findings should be labelled according to their priority level
• Audit findings marked as Priority 1 are major nonconformities and should be scheduled for resolution within a period of two weeks, with a follow-up audit scheduled at the end of that period. If a finding is considered critical, its resolution is required immediately
• Audit findings marked as Priority 2 are minor nonconformities and should be scheduled for resolution within a period of three months, with a follow-up audit scheduled at the end of that period
Output:
• Audit Report

Auditing Procedures

STEP 6: DEVELOP ACTION PLAN

Responsibility: ISMS Audit Team
Input:
• Audit Report
Actions:
• In accordance with the audit findings and the level of nonconformance, an action plan and follow-up audit should be developed. Follow-up audits are scheduled and performed when an earlier audit has found critical nonconformances. The scope of a follow-up audit is restricted to the nonconformance, and the same audit mechanisms that produced the finding are used
Output:
• Action Plan
• Follow-up Audit

Reviewing Documents and Reports
Mandatory Documents by ISO 27001

✓ Scope of the ISMS (clause 4.3)
✓ Information security policy and objectives (clauses 5.2 and 6.2)
✓ Risk assessment and risk treatment methodology (clause 6.1.2)
✓ Statement of Applicability (clause 6.1.3 d)
✓ Risk treatment plan (clauses 6.1.3 e and 6.2)
✓ Risk assessment report (clause 8.2)
✓ Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
✓ Inventory of assets (control A.8.1.1)

(The Annex A references on these two slides use the ISO/IEC 27001:2013 numbering; in the 2022 edition Annex A was reorganised into four themes, so map each reference to its 2022 control when auditing against the current standard.)

Reviewing Documents and Reports
Mandatory Documents by ISO 27001

✓ Acceptable use of assets (control A.8.1.3)
✓ Access control policy (control A.9.1.1)
✓ Operating procedures for IT management (control A.12.1.1)
✓ Secure system engineering principles (control A.14.2.5)
✓ Supplier security policy (control A.15.1.1)
✓ Incident management procedure (control A.16.1.5)
✓ Business continuity procedures (control A.17.1.2)
✓ Statutory, regulatory, and contractual requirements (control A.18.1.1)

Reviewing Documents and Reports
Reports

✓ The following six reports are the most useful for an ISO 27001 audit:

✓ The Statement of Applicability
✓ The Risk Treatment Plan
✓ The Risk Assessment Report
✓ The Risk Summary Report
✓ The Controls Usage Report
✓ The Comments Report

Classifying Findings
✓ An audit finding is the auditor's summary or description and analysis of an inadequately mitigated risk to the organisation, or of a gap against the audit criteria

✓ Audit findings are collected through interviews, examination of documents, and observation of activities and conditions in the areas of concern

✓ The audit team will review their findings to determine whether they should be reported as nonconformities (major or minor), observations or opportunities for improvement

Classifying Findings

COMPLIANT
Definition/impact: Adherence to the requirements of the standard and the ISMS. The process is implemented and documented, and records exist to verify this
Action/mitigation: Continue to monitor trends/indicators

OFI (opportunity for improvement)
Definition/impact: A low-risk issue that offers an opportunity to improve current practice. Processes may be cumbersome or overly complex but meet their targets and objectives. Unresolved OFIs may degrade over time to become nonconformities
Action/mitigation: Review and implement actions to improve the process(es). Monitor trends/indicators to determine whether the improvement was achieved

MINOR N/C
Definition/impact: A medium-risk, minor nonconformance: a deviation from process practice that is not likely to result in the failure of the management system or process, will not result in the delivery of nonconforming products or services, and does not reduce the effectiveness of the ISMS
Action/mitigation: Investigate the root cause(s) and implement corrective action by the next reporting period or next scheduled audit

MAJOR N/C
Definition/impact: A high-risk, major nonconformance that directly impacts customer requirements, is likely to result in the customer receiving nonconforming products or services, or may reduce the effectiveness of the ISMS
Action/mitigation: Implement immediate containment action, investigate the root cause(s) and apply corrective action. Re-audit in 4 weeks to verify correction

The Reliability of Audit Findings
A finding is only as reliable as the evidence recorded behind it. Each finding should record:

✓ The relevant scope of the audit
✓ The auditee's name and title
✓ Time, date and venue
✓ The requirement of the standard concerned
✓ What was seen, and how it does not satisfy the requirement
✓ Document names, document versions and the date of the last update

Module 12: Internal Auditor
✓ Roles and Responsibilities
✓ Audit Plan
✓ Opening Meeting
✓ Record Review Activities
✓ Internal Auditor Checklist
✓ Communication Between Departments
✓ Drafting Reports and Test Plans

Roles and Responsibilities
✓ Internal auditors must:

✓ Attend meetings with the auditee
✓ Travel to on-site locations to meet staff and obtain documents
✓ Report on risk management processes
✓ Provide advice to managers and staff
✓ Perform risk assessments

Roles and Responsibilities

✓ Anticipate potential issues
✓ Agree on recommendations for improvements
✓ Report issues and problems to the relevant personnel
✓ Assess compliance
✓ Manage stakeholders and their expectations through communication

Audit Plan
✓ ISO 19011 provides guidance on auditing management systems and is applied when auditing against ISO 27001

✓ This formal methodology helps to ensure the consistency and effectiveness of your internal audits and underpins the integrity of the internal audit system

✓ Its steps are not compulsory (e.g. small companies can omit some of them), but they are best practice for conducting an audit

Audit Plan
Prepare an audit plan. This plan should cover the following components and considerations:

1. Roles and responsibilities of each audit team member

2. Risk-based approach to audit planning


3. Scheduling and coordination of audit activities

4. Scope and complexity of the audit

5. Sampling techniques for collecting evidence


6. Opportunities for improvement

7. Risks of inadequate planning


8. Impact of the audit on auditee activities

Opening Meeting
✓ An opening meeting between the auditee and all relevant parties
should be held

✓ During the opening meeting, confirm the following with all relevant
parties:

o Audit programme plans

o Audit scope

o Audit objectives

o Audit criteria

o Audit plans

Opening Meeting
o Roles and responsibilities of the audit team

o That all planned activities can be performed, and proper
authorisation is acquired

o Language of the audit

o Information security protocol

o Relevant access and arrangements for the audit team

o Notable on-site activities that could impact the audit process

Opening Meeting
✓ During the opening meeting, the following items should be clearly
communicated:

o Methods for reporting and communicating audit progress

o Conditions of audit termination

o Procedures for dealing with audit findings during the audit

o Procedures for receiving feedback from the auditee in response
to findings during the audit

Record Review Activities
✓ Internal auditors should keep in regular contact
to ensure adherence to the audit plan.

✓ Regular face-to-face meetings and the use of
audit working papers allow internal auditors
and lead auditors to track progress against
the internal audit checklist and plan.

✓ Meetings set out in the plan with management
contacts allow auditors to request access to
certain information and to raise potential
problems with the process.

Internal Auditor Checklist
✓ One of the tools available to ensure audits address the essential requirements is the audit checklist.

✓ It serves as a reference point before, during, and after the audit process, and if developed for and used
correctly, it will provide the following benefits:

o Ensures the audit is conducted systematically

o Ensures a consistent audit approach

o Promotes audit planning

o Actively supports the organisation’s audit process

o Provides a repository for notes collected during the audit

o Ensures uniformity in the performance of different auditors

o Provides reference to objective evidence

Internal Auditor Checklist
✓ An audit plan is a list of guidelines to be followed when conducting the audit; this will be particular to the
nature of the organisation and its ISMS, as well as its specific needs.

To prepare the audit plan, the following are required:

o Knowledge of the client’s business and its ISMS

o Preparation of the audit programme

o Development of audit strategies or an overall plan

Internal Auditor Checklist
Benefits of a Checklist:

✓ Conducting regular audits can help a
small business identify problems and
highlight strengths within the business.

✓ The use of an audit checklist not only
helps small businesses review their
practices but will also help them to
prepare in the event of a third-party audit
in the future.

✓ An audit checklist identifies areas of
concern, allowing management to take
corrective action.

Communication Between Departments
Here are some tips for communication during an audit:

Do not Rely on Email

✓ Email should be used for basic tasks and for keeping
people informed.
✓ Face-to-face and telephone interaction force parties
to commit to an action, speeding up the process

Less Jargon

✓ Avoid using audit jargon when communicating with
stakeholders, as it increases the potential for
confusion
✓ Be ready to take time explaining aspects

Communication Between Departments
Here are some tips for communication during an audit:

Keep Meetings Short and Relevant

✓ Avoid wasting stakeholders' time; the information shared should
be actionable.
✓ Do state when additional information is required to move
forward.
✓ Keeping things concise and relatable gives the auditee more
chances and incentives to help.

Drafting Reports and Test Plans
✓ A typical ISMS audit report will contain some of the
following elements, some of which may be split into
appendices or separate documents:

o Title and introduction naming the organisation and
clarifying scope, objectives, period of coverage and the
nature, timing and extent of the audit work performed.

o An executive summary indicative of the key audit
findings with a short analysis and commentary, and an
overall conclusion, typically phrased as:

❑ “We find the ISMS compliant with ISO/IEC 27001
and worthy of certification” or “Aside from
[significant concerns], we are impressed with the
coverage and effectiveness of the information
security controls within the ISMS”.

Drafting Reports and Test Plans
o A list of specific recipients (since the contents may be confidential) and appropriate document classification or
circulation instructions.

o An outline of the credentials, audit methods, and other information pertaining to individual auditors and team
members.

o Audit findings and analysis, supported upon occasion by extracts from the audit files to aid understanding.

o The audit conclusions and recommendations, to be discussed with management and eventually integrated
as action plans if agreed upon, depending on the organisation’s practices.

o A formal statement of the auditors’ reservations, qualifications, scope limitations, or other caveats with
respect to the audit.

o Management may be invited to provide a short commentary or formal response, accepting the results of the
audit and stating a commitment to agreed plans.

Module 13: ISMS and the ISO 27001 Standards Family

✓ What is an ISMS?

✓ Project Plan

✓ Management and Governance Frameworks

✓ ISMS Benefits

✓ Scope of ISMS in an organisation

✓ Introduction to Management Systems

✓ Process Approach

✓ Fundamentals

✓ The PDCA Cycle


What is an ISMS?
✓ An ISMS is simply an application of ISO 27001: a set of policies and
procedures for the holistic management of sensitive data and related
systems on various levels

✓ A series of guidelines for documentation, auditing, continual
improvement, and corrective and preventive action

✓ The overarching goal is to ensure confidentiality, integrity, and availability
of information (resiliency)

✓ An ISMS incorporates continuous feedback and improvement processes
(more on PDCA shortly). It is intended to address changes over time, such
as changes in threats, vulnerabilities, and impacts

What is an ISMS?
Areas of focus are:

✓ Business processes and assets

✓ Reducing risk to data assets and related systems

✓ It can be targeted towards specific data classes or implemented comprehensively

✓ An ISMS is not a tactical instrument. The main goals of an ISMS are generally to:

o Minimise risk

o Ensure information security

o Proactively limit the impact of security breaches

What is an ISMS?
Role and Importance of ISMS

✓ Adopts a comprehensive management strategy to guarantee that
the information security controls meet the organisation’s
ongoing information security needs

✓ Establishing, maintaining, and updating an ISMS strongly
indicates that a company uses a systematic approach to identify,
evaluate, and manage information security risk

What is an ISMS?
Key Components of ISMS

✓ Below are the three key components of implementing an information security policy:

o Process/Procedure

o Technology

o User Behaviour

✓ The ISO 27001 standard requires that the design and implementation of an ISMS be directly
influenced by the organisation’s needs and objectives, its security requirements, the organisational
processes used, and the size and structure of the organisation

What is an ISMS?
Objectives and Purposes of ISMS

✓ The main objective of Information Security Management Systems is to implement the appropriate
measures to eliminate or minimise the impact that various information security-related threats and
vulnerabilities might have on an organisation.

✓ Doing so will help in the development of desirable characteristics for the services offered by the
organisation, such as:

o Availability of Services

o Preservation of Data Integrity

o Confidentiality

Project Plan
Implementation Phases

✓ An organisation must also have a detailed understanding of the PDCA implementation phases to manage the project's
costs

✓ The PDCA cycle matches each auditable international standard: ISO 18001, 9001 and 14001. ISO/IEC 27001:2005
dictates the PDCA steps for an organisation to follow, which are as below:

o Define an ISMS Policy

o Define the Scope of the ISMS

o Perform a Security Risk Assessment

o Manage the Identified Risk

o Select Controls to be Implemented and Applied

o Prepare an SOA

Project Plan
There are Eleven Phases of Implementation:

Phase 1: Identify Business Objectives

Phase 2: Obtain Management Support

Phase 3: Select the Proper Scope of Implementation

Phase 4: Define a Method of Risk Assessment

Phase 5: Prepare an Inventory of Information Assets to Protect, and Rank Assets According to Risk
Classification Based on Risk Assessment

Phase 6: Manage the Risks, and Create a Risk Treatment Plan

Phase 7: Set Up Policies and Procedures to Control Risks

Phase 8: Allocate Resources, and Train the Staff

Phase 9: Monitor the Implementation of the ISMS

Phase 10: Prepare for the Certification Audit

Phase 11: Conduct Periodic Reassessment Audits

Project Plan
Phase 1: Identify Business Objectives

✓ Stakeholders must buy in; the step that will win management support is establishing and
prioritising objectives

✓ The organisation's mission, strategic plan, and IT goals can all be used to create primary
objectives. The objectives can be:

o Increased possibilities for marketing

o Assuring business partners of the organisation's information security status

Project Plan
Phase 1: Identify Business Objectives

o Assurance of the company's dedication to information security, privacy, and data
protection to partners and customers

o Offering the best level of protection for customers' sensitive data will increase revenue
and profitability

o Understanding information assets and performing efficient risk analyses

o Maintaining the organisation's standing among top business leaders

o Adherence to the rules of the industry

Project Plan
Phase 2: Obtain Management Support

✓ The ISMS must be established, planned for, implemented, run, monitored, reviewed,
maintained, and improved by management

✓ The commitment must guarantee that all personnel impacted by the ISMS have the
appropriate training, awareness, and competency and that the right resources are available to
work on the ISMS

The following activities/initiatives demonstrate management support:

o A policy for information security

o Information security roles and responsibilities, often known as a segregation of duties
(SoD) matrix that lists the roles involved

Project Plan
Phase 2: Obtain Management Support

o A statement or message to the organisation stressing the value of following the
information security policy

o Enough resources to administer, create, maintain, and apply the ISMS

o Determining the acceptable risk threshold

o Periodic review of the ISMS by management

o Assurance that training is given to the employees whom the ISMS will impact

o Appointing qualified individuals to the positions and duties they will be fulfilling

o Information security plans and objectives

Project Plan
Phase 3: Select the Proper Scope of
Implementation

✓ According to ISO 27001, an implementation scope may include all or part of an
organisation

✓ For certification to take place, only the business units, processes, and external vendors or
contractors falling within the implemented scope must be identified

✓ As required by the standard, companies must also list any scope exclusions and the justifications
for them. The organisation may save time and money by determining the implementation’s scope

The following details should be taken into account:

o In order to accomplish the determined business objectives, the chosen scope is
important

Project Plan
Phase 3: Select the Proper Scope of
Implementation

✓ The overall size of the organisation's activities is a crucial factor in determining the degree of
complexity of the compliance process.

✓ Organisations must consider the number of people, business procedures, work locations, and
products or services to assess the proper scale of operations.

✓ Which organisational departments, locations, resources, and technology will be under the
ISMS's control?

✓ Will suppliers have to follow the ISMS?

Project Plan
Phase 3: Select the Proper Scope of
Implementation

✓ Do dependencies on other organisations exist, and should they be taken into account?

✓ It is important to note any legal or regulatory requirements relevant to the ISMS's coverage
areas

✓ The organisation's industry, local, state, or federal governments, as well as worldwide
regulatory organisations, may provide such requirements

✓ The scope should be modest, and it might be wise to focus exclusively on a logical or physical
grouping inside the organisation

Project Plan
Phase 4: Define a Method of Risk
Assessment

✓ Companies must specify and document a risk assessment approach in order to comply with
ISO/IEC 27001 criteria.

The risk assessment method is not specified in the ISO/IEC 27001 standard. It's important to
take into account the following:

o How will the risk to certain information assets be evaluated?

o Which risks are unaffordable and must be mitigated?

o Using carefully established rules, processes, and controls to manage the remaining risks

Project Plan
Phase 5: Prepare an Inventory of Information Assets
to Protect, and Rank Assets According to Risk
Classification Based on Risk Assessment

✓ A list of the information assets that the company needs to safeguard must be made

✓ It is important to identify the risk connected to each asset, as well as its owners, location,
criticality, and replacement value

✓ It will be helpful to have information on asset grouping, data categorisation, and asset
inventory documents

The following actions are suggested:

o Determine the assets' high, medium, and low CIA effect levels

o Determine the risks and categorise them based on their gravity and exposure

Project Plan
Phase 5: Prepare an Inventory of Information Assets
to Protect, and Rank Assets According to Risk
Classification Based on Risk Assessment

o Assign values to the risks after determining the hazards and the CIA levels

o Determine the risk's tolerability based on risk values and then decide whether to put a
control in place to remove or decrease the risk. Establishing risk levels for assets will be
guided by the risk assessment approach

✓ The information assets with intolerable risk and hence needing controls will be determined
once the assessment is complete

✓ At that point, a report that details the risk value for each asset is prepared and is occasionally
referred to as a risk assessment report

Project Plan
Phase 6: Manage the Risks, and Create a Risk
Treatment Plan

✓ The organisation must accept, avoid, transfer, or decrease the risk to an acceptable level by
utilising risk-mitigating procedures to control the impact associated with risk

✓ The next step is to do a gap analysis using the standard's controls to produce an RTP and an
SOA

✓ For the suggested residual risks, management approval is crucial

Project Plan
Phase 6: Manage the Risks, and Create a Risk
Treatment Plan

The RTP provides the following:

o Effective risk management (accept, transfer, reduce, avoid)

o Gap analysis is used to identify operational controls and extra proposed controls

o A suggested timetable for implementing controls

Project Plan
Phase 7: Set Up Policies and Procedures to Control
Risks

✓ The organisation will need policy statements or a comprehensive procedure and responsibility
document to establish user roles for the consistent and efficient application of policies and
procedures for the controls implemented, as illustrated in the SOA

✓ ISO/IEC 27001 stipulates that policies and procedures must be documented

✓ The organisation's structure, locations, and assets will determine the applicable policies and
procedures

Project Plan
Phase 8: Allocate Resources, and Train the Staff

One of the key commitments for management is highlighted by the ISMS process: having
the resources to manage, develop, maintain, and implement the ISMS. The training must be
documented to pass an audit

Project Plan
Phase 9: Monitor the Implementation of the ISMS

✓ For monitoring and evaluation, a recurring internal audit is essential. Controls and corrective
and preventative measures are examined during an internal audit review

✓ The internal audit gaps must be addressed by determining corrective and preventative
controls and the company’s compliance based on a gap analysis to complete the PDCA cycle

✓ Management must examine the ISMS regularly at predetermined periods for it to be effective

✓ The evaluation comes after modifications/improvements to staffing decisions, policies,
procedures, and controls

✓ The management review is a crucial stage in the procedure. The findings of audits and
regular reviews are documented and kept up to date

Project Plan
Phase 10: Prepare for the Certification Audit

✓ For an organisation to be certified, it must complete a full cycle of internal audits,
management reviews, and PDCA process activities

✓ It must also keep records of its actions in response to those reviews and audits

✓ Risk analyses, the RTP, the SOA, and policies and procedures should all be reviewed by ISMS
management at least once a year

✓ To ascertain the scope and content of the ISMS, an external auditor will first review the ISMS
documentation

Project Plan
Phase 10: Prepare for the Certification Audit

✓ A significant amount of evidence and review/audit papers must be provided to an auditor for
examination for the review and audit to be successful

✓ The documentation and supporting proof will show how well the organisation's and its
business divisions' implementation of the ISMS has worked

Project Plan
Phase 11: Conduct Periodic Reassessment Audits

✓ Periodic audits or follow-up evaluations verify that the organisation complies with the
standard

✓ Reassessment audits are necessary for certification maintenance to verify that the ISMS is
operating as planned and defined

✓ ISO 27001, like all other ISO standards, follows the PDCA cycle, which helps ISMS
management understand how well and how far the company has come in terms of this cycle's
progression

✓ This directly affects how much time and money is projected to achieve compliance

Management and Governance Frameworks
ISMS Frameworks

The framework runs through six steps; example inputs and the resulting output are listed for each:

1. Definition of Security Policy (output: Policy Document)

2. Scope of ISMS (output: Definition of ISMS Scope)

3. Risk Assessment (input examples: Threats, Impacts and Vulnerabilities; output: List of Assessed Risks,
Identified weakness for Assets)

4. Risk Management (input example: Risk Management Strategy)

5. Selection of Controls (input example: Additional Controls; output: Strength of Control and implementations)

6. Statement of Applicability (output: Statement of Applicability Document)

ISMS Benefits
The benefits of ISMS are as follows:

01 Provides consumers and stakeholders with confidence in how you manage risk

02 Consistency in the delivery of your product or service

03 Enhanced customer satisfaction

04 Protects an organisation’s assets, shareholders, and customers

05 Keeps confidential information secure

06 Secure exchange of information

ISMS Benefits
The benefits of ISMS are as follows:

07 Provides organisations with a competitive advantage

08 Manages and minimises risk exposure

09 Builds a culture of security

10 Adherence to a well-vetted and accepted standard lends a clearer definition of processes, roles, and
responsibilities, resulting in better efficiency. Alignment with Annex SL lends shared language and
concepts across all management system implementations based on ISO standards.

Scope of ISMS in an organisation
✓ When designing an ISMS, defining the ISMS scope and boundaries is completed first

✓ ISMS scope should correlate with business requirements, organisational structure, technologies, and
information assets

✓ No limits to ISMS scope – it can be as small or large as the organisation wishes

✓ Defined by security aims, threats to security, security procedures, and organisation size

✓ Depends on how complex the ISMS would need to be – smaller organisation, simpler ISMS

✓ Top management should decide the scope

✓ ISMS should evolve at the same pace as risks develop

✓ Organisations can measure their compliance with ISO 27001 by becoming certified with the standard

Introduction to Management Systems
Management Responsibility in Implementation

✓ ISO 27001 recognises that implementing an ISMS affects
the whole organisation

✓ ISO 27001 requires management to communicate the
importance of an effective information security management
system and to conform to that system’s requirements

✓ Designing and establishing an ISMS is difficult without
management support and direction

Process Approach
✓ It is recommended that an organisation adopt a process approach when
it establishes, implements, operates, monitors, reviews, maintains, and improves
its ISMS

✓ In the process approach, processes are any activities managed using
management resources to transform inputs into outputs

✓ A process approach means identifying the processes within an organisation,
grasping their interaction, and applying and managing a series of those
processes as a system

✓ Adopting this process approach provides organisations with the benefit of
effectively operating their ISMS through managing combinations of interaction
among processes and with links to individual processes

Process Approach

Phase 1: Scope, Design and Build

Phase 2: First Cycle of Implementation, Operation, Monitoring, and Improvement

Phase 3: Operate, Monitor, and Improve

Process Approach
✓ Preparing the ISO 27001 Statement of Applicability

✓ Preparing the scope and programme of work for Phase 2 and providing input to further business cases

Phase 2 consists of four work streams:

o Implement

o Operation

o Monitor

o Improve

Process Approach

Implement

✓ It is defined by the gap analysis and risk assessment activities
from Phase 1

✓ Implementation will focus on integrating new and revised
security processes and controls into an operational security
environment, including training the personnel earmarked for
operating these processes and controls

✓ An implementer’s role in this work stream would be conducting
project management, facilitating integration, and providing
training

Process Approach

Operation

✓ Operations include the management of information, security
resources, security incident management, and training and
awareness

✓ A lead implementer’s role in this workstream will be providing
support and hand-holding to staff responsible for running the
ISMS

Process Approach

Monitor

✓ Monitoring includes assessing control KPIs, testing control
effectiveness, internal auditing of the ISMS, and management
review

✓ A lead implementer’s role in this workstream would be
performing effective reviews and internal audits of the ISMS (on
the implementer’s behalf)

Process Approach

Improve

✓ Improve is about taking the outputs from the work stream to
identify and determine improvements that can be made to the
ISMS and its security controls

✓ A Lead Implementer’s role would be to help design
improvements and integrate these improvements back into the
operational ISMS

Process Approach
Phase 3: the ISMS process as a PDCA cycle

Interested parties’ information security requirements and expectations are the input, and managed
information security for interested parties is the output. Under management responsibility, the cycle runs:

PLAN: Establish the ISMS

DO: Implement and operate the ISMS

CHECK: Monitor and review the ISMS

ACT: Maintain and improve the ISMS

Process Approach
✓ When the integration of the ISMS processes and controls is
complete, the ISMS becomes a BAU (Business as Usual) system

✓ The ISMS will now be fully operated by staff continuously
monitoring and improving information security within the business

✓ It will support the PDCA cycle required for continuous
improvement of the ISMS by providing resources and expertise for
effectiveness reviews and performing the checks required for
internal audits of the ISMS

Fundamentals
Introduction

✓ ISMS adoption is a strategic decision

✓ An organisation’s ISMS design and implementation are influenced by
its business and security objectives, security risks and control
requirements, the processes employed, and the size and structure of
the organisation. In other words, a simple situation will only require a
simple ISMS

✓ The ISMS will evolve systematically in response to changing risks

✓ Compliance with ISO 27001 can be assessed and certified formally. A
certified ISMS builds confidence in the organisation’s approach to
information security management among stakeholders

Fundamentals
Scope of ISMS

If commonplace controls are not applicable, they should be justified and documented
in the Statement of Applicability (SOA). In the event of this, the certification auditors
will refer to the documentation

The PDCA Cycle
Scope of ISMS

Plan (Establishing the ISMS): Establish the policy, the ISMS processes, procedures and objectives
related to risk management and the improvement of information security, providing results in line
with the objectives and global policies of the organisation

Do (Implementing and Workings of the ISMS): Implement and exploit the ISMS policy, processes,
controls, and procedures

Check (Monitoring and Review of the ISMS): Assess the performance against the objectives, policy
and practical experience and report results for management to review

Act (Update and Improvement of the ISMS): Undertake preventive and corrective actions based on
outcomes of the ISMS internal audit and management review or other appropriate information for
continually improving the said system

Module 14: Interaction with ISO 27005

✓ What is ISO 27005?

✓ ISO 27001 VS ISO 27005

✓ Quantifying the Business Impact

✓ Impact Severity

What is ISO 27005?
✓ ISO 27005 is a set of guidelines for Information Security Risk
Management

✓ Created by the International Organisation for Standardisation and the
International Electrotechnical Commission in 2008, this guideline
supports ISO 27001

✓ ISO 27005 can be implemented for an entire organisation or any
discrete unit, from departments to services

✓ It applies to all organisations intending to manage risks that may impair
their information security

✓ This standard describes the information security risk management
process and its various facets

ISO 27001 VS ISO 27005
✓ Effective risk management is widely accepted as being the key to achieving
certification and maintaining compliance with ISO 27001.

✓ The underpinning facets of ISO 27005 correspond to this, as they involve:

o Identifying the risk

o Determining if the existing organisational measures are capable of dealing
with the identified risk

o Calculating whether the risk should be approached or avoided – potential
rewards against potential loss

o Reducing the level of risk by adding precautions or control measures if
deemed necessary

ISO 27001 VS ISO 27005
✓ ISO 27001 specifies that an ISMS should:

“Align with the organisation’s strategic risk management context”, “establish criteria against which
risk will be evaluated”, and “identify a risk assessment methodology that is suited to the ISMS”

✓ However, despite specifically stating the requirement for a risk assessment, ISO 27001 does not describe a
suitable methodology, which is why it is often complemented by ISO 27005, which is more precise regarding the
terms and actions required

✓ It is recommended that these are used together, as ISO 27005 offers guidelines for information
security risk management, and ISO 27001 is designed to assist the implementation of an ISMS-based approach

✓ In fact, before implementing or striving to meet the standards required within ISO 27005, managers and
stakeholders should understand the concepts, models, and processes described in ISO 27001 and, to a
certain extent, ISO 27002 (Security Techniques)

Quantifying the Business Impact
✓ ISO 27005 allows organisations to modify and utilise their approach
to risk assessment and management, as each situation varies, given
that it is based on the objectives and aims of each organisation at a
given time

✓ This flexibility is where ISO 27005 and ISO 27001 are preferred over
alternative popular risk management systems, including Octave and
NIST SP 800-30 – which are more rigid in their pursuit of effective
management and business productivity engagement

✓ ISO 27005 supports the flexible needs of all versatile organisations
due to taking the following approach when used in parallel with ISO
27001:
o Identify threats
o Identify existing controls
o Identify vulnerabilities and the impact of their exploitation

Quantifying the Business Impact
o Risk = (the probability of a threat exploiting a vulnerability) x (total
impact of the vulnerability being exploited)

✓ In addition, it is fundamental that you quantify the probability that a
potential threat becomes a reality and its business impact.
Consequently, you should have a specialised focus on the following:

o The frequency with which the threat could take advantage of the
vulnerability
o Extent and cost of physical and financial damage that the risk
could cause
o Value lost if confidential information is leaked – from a data
protection perspective, this could be substantial given the
implementation of the GDPR
o Cost of recovering from a virus attack (financial, physical, and
reputational)

Impact Severity
✓ The impact severity is calculated as shown below:

Impact severity = Asset value x Threat severity x Vulnerability severity (*)

✓ In this instance, the aim is to determine the impact should the suspected risk
exploit another vulnerability within the organisation

✓ Analysis based on numerous factors, including architecture, system security,
strength, and known vulnerabilities, is likely to sway the decisions of risk
managers and senior stakeholders on whether to take the risk in order to
pursue greater rewards or whether to take mitigation steps
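As an added worked example (not from the training deck), the following Python script applies the two formulas above, Risk = probability x impact and Impact severity = Asset value x Threat severity x Vulnerability severity, to a constructed asset inventory and walks the Phase 5 steps: CIA effect levels, risk values, a tolerability decision against an assumed acceptable-risk threshold, and a ranked risk assessment report. The 1-5 ordinal scales, the sample assets and the threshold of 10 are assumptions, not values prescribed by ISO 27001 or ISO 27005.

```python
"""Worked risk-scoring example (added here; not part of the training deck).

Applies the deck's formulas, Risk = probability x impact and
Impact severity = Asset value x Threat severity x Vulnerability severity,
to a constructed asset inventory and walks through the Phase 5 steps.
The 1-5 ordinal scales, sample assets and threshold are assumptions.
"""
from dataclasses import dataclass

# Constructed ordinal scale for the high/medium/low CIA effect levels.
CIA_LEVEL = {"low": 1, "medium": 3, "high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: str  # "low" | "medium" | "high"
    integrity: str
    availability: str

    @property
    def value(self) -> int:
        """Asset value = highest CIA effect level (assumption: a high-water mark)."""
        return max(CIA_LEVEL[self.confidentiality],
                   CIA_LEVEL[self.integrity],
                   CIA_LEVEL[self.availability])


@dataclass(frozen=True)
class Scenario:
    """One threat exploiting one vulnerability of one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    threat_severity: int  # 1..5
    vuln_severity: int    # 1..5
    likelihood: float     # probability the threat exploits the vulnerability, 0..1


def impact_severity(s: Scenario) -> int:
    """Impact severity = Asset value x Threat severity x Vulnerability severity."""
    return s.asset.value * s.threat_severity * s.vuln_severity


def risk_value(s: Scenario) -> float:
    """Risk = probability of exploitation x total impact of exploitation."""
    return s.likelihood * impact_severity(s)


def treatment(risk: float, threshold: float) -> str:
    """Tolerability check: risk at or below the agreed threshold is accepted;
    anything above is flagged for the risk treatment plan, where management
    then chooses between reduce, transfer and avoid."""
    return "accept" if risk <= threshold else "treat"


def risk_assessment_report(scenarios, threshold):
    """Rank scenarios by risk value, highest first, with the tolerability decision."""
    rows = []
    for s in scenarios:
        r = risk_value(s)
        rows.append({
            "asset": s.asset.name,
            "owner": s.asset.owner,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "impact": impact_severity(s),
            "risk": round(r, 2),
            "decision": treatment(r, threshold),
        })
    rows.sort(key=lambda row: row["risk"], reverse=True)
    return rows


# Constructed sample inventory (not real data).
CUSTOMER_DB = Asset("Customer database", "Data Protection Officer", "high", "high", "medium")
WEBSITE = Asset("Public website", "Marketing", "low", "medium", "high")
WIKI = Asset("Internal wiki", "IT Operations", "medium", "low", "low")

SAMPLE_SCENARIOS = [
    Scenario(CUSTOMER_DB, "unauthorised disclosure", "unpatched database server", 4, 3, 0.3),
    Scenario(WEBSITE, "denial of service", "no rate limiting", 3, 2, 0.5),
    Scenario(WIKI, "unauthorised change", "shared credentials", 2, 3, 0.2),
]
ACCEPTABLE_RISK = 10.0  # assumed threshold agreed by management (Phase 2)

if __name__ == "__main__":
    for row in risk_assessment_report(SAMPLE_SCENARIOS, ACCEPTABLE_RISK):
        print(f"{row['risk']:>6}  {row['decision']:<6}  {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']} (impact {row['impact']})")
```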

Impact Severity
ISO 27001 is concerned with negative impacts, described as loss or degradation of the asset’s confidentiality,
integrity, or availability

Confidentiality: Lost when information suffers from unauthorised disclosure

Integrity: Lost when information undergoes unauthorised changes

Availability: Undermined when someone is unable to access information in spite of being authorised

theknowledgeacademy
theknowledgeacademy

✓ Roles and Responsibilities


Module 15:
Roles and Responsibilities
✓ Case Study: ABC’s ISO 27001
of a Lead Implementer
Roles and Responsibilities

✓ The primary responsibility of the Lead Implementer is to lead successful
communication of campaign implementations, oversee budget requirements, and
ensure deadlines are met

✓ The Lead Implementer coordinates and prioritises project tasks, manages timelines,
maintains project plans, and communicates status to Engagement Managers, Senior
Management and Clients as needed

✓ Ensuring the project is implemented within contractual obligations and
regulatory requirements is another responsibility of the Lead Implementer

Roles and Responsibilities

✓ The Lead Implementer will be responsible for managing multiple client projects
simultaneously

✓ They will also be responsible for participating in internal projects as needed

✓ This role is responsible for scope management, change management, and estimating
the impacts of scope change

✓ E.g. Timeline and cost, as well as managing project resources

Case Study: ABC’s ISO 27001
Background

✓ Company Overview: ABC is a software development company specialising in creating custom software
solutions for businesses.

✓ Pre-ISO 27001 Situation: The company faced challenges in protecting intellectual property and customer
data, and experienced inefficiencies in handling information security.

Objectives for Implementing ISO 27001

✓ Enhance Data Security: Strengthen the protection of sensitive company and customer data.

✓ Regulatory Compliance: Ensure compliance with global data protection regulations.

✓ Market Competitiveness: Improve market positioning by demonstrating a commitment to information
security.

Case Study: ABC’s ISO 27001
Implementation Process

✓ Initial Assessment: Conducting a thorough review of existing security measures and identifying gaps.

✓ Risk Management: Implementing a risk management process to identify, analyse, and address information security
risks.

✓ Developing Policies and Procedures: Creating comprehensive policies and procedures to govern information
security.

✓ Staff Training and Awareness: Ensuring all employees are trained on the new policies and understand their role in
maintaining security.

✓ Technical and Physical Controls: Implementing appropriate technical and physical measures to secure information.

✓ Continuous Monitoring and Review: Establishing a process for ongoing monitoring, review, and continuous
improvement of the ISMS.

Case Study: ABC’s ISO 27001
Challenges and Solutions

✓ Resource Allocation: Balancing the need for robust security with budget
constraints. Solved by prioritising key areas of risk and implementing scalable
solutions.

✓ Change Management: Overcoming resistance to change within the
organisation. Addressed through comprehensive staff training and
demonstrating the benefits of the new system.

✓ Integration with Existing Systems: Ensuring the new security protocols are
seamlessly integrated with existing IT systems. Achieved through careful
planning and phased implementation.

Case Study: ABC’s ISO 27001
Results and Benefits

✓ Increased Security: Significant reduction in security incidents and data
breaches.

✓ Compliance with Regulations: Successfully meeting international data
protection standards.

✓ Enhanced Reputation: Gaining customer trust and opening new business
opportunities due to recognised commitment to data security.

Module 16: Launch and Implement an ISMS in an Organisation
✓ Apply the Frameworks
✓ Procedures and Controls
✓ Implementing the Controls
✓ Training and Awareness Programme
✓ Management’s Role
✓ Responsibilities of Employees

Apply the Frameworks
ISMS Frameworks (steps, with their inputs and example outputs)

1. Definition of Security Policy (example output: Policy Document)
2. Scope of ISMS (example output: Definition of ISMS Scope)
3. Risk Assessment (input: Threats, Impacts and Vulnerabilities; example outputs: List of Assessed Risks, Identified weaknesses for Assets)
4. Risk Management (input: Risk Management Strategy; example output: Strength of Controls and implementations)
5. Selection of Controls (input: Additional Controls; example output: Statement of Applicability)
6. Statement of Applicability (example output: Statement of Applicability Document)

Procedures and Controls
Procedures

In the mandatory section of ISO 27001, the following documented procedures are required:

1. Control of Documents
2. Control of Records
3. Internal ISMS Audits
4. Corrective Actions
5. Preventive Actions
6. Risk Assessment Procedure

Procedures and Controls
To support selected controls, documented procedures are required

✓ Operating procedures are identified in the security policy

Procedures Required by Organisation

o Disciplinary Process
o Handling & Storage of Information
o Review of User Access Rights
o Monitoring of Use of Information System
o Acceptable Use of Assets
o Acceptance Criteria for New Info System

Procedures and Controls
Procedures Required by Organisation

o Software Change Control
o Incident Management including Reporting
o Control against Malicious Software
o Information Labelling & Handling
o User Registration & De-registration
o Control of Operational Software
o Roles and Responsibilities
o Access Control Policy
o Key Management System
o Identification of Applicable Legislation
o Migration of Software
o Allocation of Passwords

Procedures and Controls
Controls

✓ The ISO 27001:2022 Annex controls have been updated to address
current security challenges, while the core ISMS management processes
remain the same

✓ The controls have been restructured and consolidated into four
categories: Organisational, People, Physical, and Technological

✓ Each control now includes a set of suggested attributes, which align with
common industry language and international standards

✓ These attributes can be used to quickly select appropriate controls based
on risk assessments and the Statement of Applicability (SoA)

Procedures and Controls
The controls fall into the following four categories:

o Organisational
o People
o Technological
o Physical

Implementing the Controls
The following are the steps to implement an ISMS at your organisation:

1. Asset Identification and Valuation
2. Conduct a Detailed Risk Assessment
3. Establish the ISMS

Training and Awareness Programme
ISO 27001 requires training to be performed in a systematic manner, as follows:

1. Define required knowledge and skills
2. Deliver training to each required level
3. Measure whether the required level has been reached

Training and Awareness Programme
Step 1
✓ Define which kind of knowledge and skills are required for a
particular person who has a role in an information security
management system (ISMS), or business continuity management
system (BCMS)
✓ LIs (Lead Implementers) need to go through every ISMS or BCMS document and see what
knowledge and skills are required of every responsible person
mentioned in the document

Step 2
✓ Deliver training to reach the desired level of knowledge and skills

Step 3
✓ Measure whether each individual has achieved the desired level of
knowledge and skills through testing, interviews, and so on

Training and Awareness Programme
Methods of Awareness Raising

Include employees in documentation development

Before publishing the documents, ask employees to give their inputs

Presentations

✓ Organise shorter meetings, during which LIs can explain what new
policies and procedures are being published

✓ Ask your employees for opinions about them and clarify any
misunderstandings

Training and Awareness Programme
Methods of Awareness Raising

Articles on intranet or newsletter

Initiate and participate in discussions and questions arising from
information security/business continuity

Discussions through internal forums

✓ Create short online courses that explain the significance of these
topics and can be training aids for employees

Training and Awareness Programme
Methods of Awareness Raising

Videos are a very powerful presentation method,
as we can distribute them via email, through the
intranet, etc

Occasional messages via email or via intranet can
be used not only to distribute videos, but also to
send relevant news and tips for business
continuity

Meetings can be organised throughout the
company

Management’s Role
✓ The responsibility of management is to oversee the maintenance,
development, and implementation of the Information Security
Management System

✓ It includes defining the organisation's information security objectives,
allocating money to be spent on information security, and ensuring
the enforcement and compliance of the implementation

✓ For the organisation, management has particular goals

Training and Awareness Programme
Management should also make sure security controls are integrated
throughout the organisation by performing the following:

o Make sure the security process is administered through
organisational practices and policies that are continuously applied

o Require that information with identical sensitivity and criticality
characteristics be continuously protected irrespective of where it
resides in the organisation

o Implement compliance with the security program across the
organisation in a consistent and balanced manner

o Coordinate information security with physical security

Responsibilities of Employees
✓ The knowledge and capabilities of persons assigned to this role are essential for
meeting the purposes of the organisation concerning data protection.

✓ They must work according to the applicable policies, processes, and procedures
that constitute the ISMS.

✓ The essential policies applicable to this role include:

o Acceptable Use of Assets Policy
o Access to Network and Network Services Policy
o Information Security Policy
o Password Management Policy
o Information Classification Policy

Module 17: Risk Management
✓ Analysing and Evaluating Risks
✓ Managing Risk Approaches
✓ Case Study: Law Firm

Analysing and Evaluating Risks
Below are five basic actions that can help auditors in
arriving at sound professional decisions:

✓ Identify and define the problem

✓ Collect the facts and information, and
identify the pertinent literature

✓ Identify alternatives and perform the analysis

✓ Make the conclusion

✓ Complete and review the documentation
and rationale for the conclusion

Managing Risk Approaches
✓ It is the auditor’s task to question management and others to understand the organisation, its operations,
and any shortcomings and potential breaches that may occur in the ISMS
✓ Performing analytical procedures on expected or unexpected variances in account balances or classes of
transactions
✓ Observing the physical inventory count
✓ Confirming accounts receivable and other accounts with a third party
✓ It is an auditor’s responsibility to work with trustees and management to ensure a system is in place which
ensures that all major risks to the company are identified and analysed on an annual basis
✓ Auditors spend most of their time looking at risks that arise internally and their countermeasures
✓ Auditors see a “risk” as anything that could impact an organisation achieving its objectives.
✓ “Internal controls” are measures taken to cope with or reduce risk
✓ Internal risks can be anything from incompetence to dishonesty

Case Study: Law Firm
✓ Top Law firm
o Required for ISO 27001 to:
❑ More readily answer client surveys
❑ Set themselves out from the competitors
✓ Thirty-day YZZ Resource to support the initiative
o Project management
o Using viewpoint and some Coal-face work
✓ Client Resource: IT Manager and two IT security staff
✓ Scope: IT function
o Two locations
o Statement of Applicability to reflect properly

Case Study: Law Firm
Issues

✓ Resource

o Information Security Office is absent

o It was challenging to make time for the project

✓ Development of Documentation

o There are hardly any documented IT security
protocols

o Key staff members keep too much information in
their heads rather than on paper

Case Study: Law Firm
✓ Gap vs Risk Analysis

o There should be two distinct sets: no problem with
Gap, but why Risk?

o Identifying important assets

✓ Policies

o Simple policies exist, but there is no organisation,
little awareness, and no enforcement

Case Study: Law Firm
Solutions

✓ Resource

o Virtual Information Security Office was offered by YZZ

o Project management reserved several days

✓ Development of Documentation

o They provided significant library assistance, but
correct integration was still required

o Meetings were facilitated so that information could
be documented

Case Study: Law Firm
✓ Gap vs Risk Analysis

o YZZ performed a Gap Analysis.

o Organised a meeting

✓ Policies

o Meetings with HR were scheduled to get
the Policies on track, adopted, distributed,
and enforced.

Module 18: Risk Assessment and the Statement of Applicability (SOA)
✓ Risk Assessment
✓ Conducting Risk Assessments
✓ Risk Assessment Methodology
✓ ISMS Risk Assessment Report
✓ Threats and Vulnerabilities

Risk Assessment
✓ The risk assessment helps an organisation to recognise,
analyse and assess vulnerabilities in their information
security processes

✓ It is a central part of ISO 27001, the international standard
which describes best practice for maintaining and
implementing an Information Security Management
System (ISMS)

✓ It is vital to that process, assisting the organisation to:

o Understand the particular situations in which their
data can be compromised

o Evaluate the damage every situation can cause

o Determine how likely such situations are to occur

Conducting Risk Assessments
✓ For an ISO 27001 risk assessment to be successful, it must reflect the organisation's view on risk
management, and it should produce consistent, valid, and comparable results
✓ The risk assessment procedure must be detailed and explain who is responsible for each task, how tasks should be
completed, and in what order
✓ This can be a daunting task for many. Inexperienced assessors frequently rely on spreadsheets, spend hours
interviewing individuals in their organisation, exchange methodologies and documents with other departments
and fill in data by hand.
✓ They would probably realise that spreadsheets are quite inconvenient as
o They are error-prone
o They are hard to maintain
o They do not automatically conform to ISO 27001
o It is not easy to find relevant data in multiple tabs

Conducting Risk Assessments
Five steps to conduct a successful risk assessment:

1. Establish a risk management framework
2. Identify risks
3. Analyse risks
4. Evaluate risks
5. Select risk treatment options

Risk Assessment Methodology

Risk Assessment Methodology

✓ Define an overarching risk management
approach for the entire organisation

✓ Qualitative or quantitative?

✓ Qualitative risk assessment scales?

✓ Define acceptable levels of risk

ISMS Risk Assessment Report
1. SOA (Statement of Applicability)
✓ For an auditor, the SOA serves as the primary guide, covering all aspects of Annex A
✓ The SOA is based on the Risk Treatment Plan results and represents the organisation's security profile
✓ It identifies the organisation's information security objectives and controls and defines appropriate rules
✓ Addresses residual risks
✓ Records formal approval for implementation of the described controls
✓ It must be reviewed on a defined and regular basis
✓ Used to demonstrate to third parties the degree of security that has been implemented
✓ An auditor must ensure there is evidence that ISMS controls are in operation rather than just part of policy.
✓ Look for evidence of incidents that have been confirmed and addressed through the necessary processes.
✓ Information security management processes must be proved to exist.

ISMS Risk Assessment Report
There are some steps which help to develop an effective ISO 27001 SoA:

01 Identify and Analyse Risks
02 Understand the controls you need to include and how to include them
03 Choose Controls to Treat Risks
04 Provide a List of Implemented Controls
05 Develop a Risk Treatment Plan
06 Maintain Your Statement of Applicability

ISMS Risk Assessment Report
2. RTP (Risk Treatment Plan)

✓ ISO 27001 Clause 6.1.3 requires the organisation to formulate a risk
treatment plan

✓ This plan should identify the appropriate management action,
responsibilities, and priorities for managing information security risks

✓ The risk treatment plan should be documented

✓ This plan should be set within the organisation’s information security
policy

✓ It should identify the organisation’s approach to risk and its criteria
for accepting risk

✓ These criteria should be consistent with the requirements of ISO
27001

ISMS Risk Assessment Report
Objectives of Risk Treatment Plans

Risk treatment plans have four linked objectives, which are:

o Tolerate them, exercising carefully the controls that keep them ‘acceptable’

o Transfer them, by means of contract or insurance, to another organisation

o Eliminate risks (terminate them)

o Reduce those that cannot be eliminated to ‘acceptable’ levels (treat them)
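The two formulas from the Impact Severity slides (Risk = probability x impact; Impact severity = Asset value x Threat severity x Vulnerability severity) and the four treatment objectives above, carried through as an added Python example that is not part of the course material. The 1-5 scales, the acceptable risk level, the decision order between the four objectives and the sample register are constructed assumptions, not values from the standard.

```python
"""Risk scoring and treatment selection for an ISMS risk register.

Added example (not from the course material). It applies the slide formulas
    Risk = probability x impact
    Impact severity = asset value x threat severity x vulnerability severity
and maps each risk against an acceptable risk level to one of the four
treatment objectives: tolerate, transfer, terminate or treat. The 1-5 scales,
the acceptable level and the sample register are constructed assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Treatment(Enum):
    TOLERATE = "tolerate"      # keep the controls that hold the risk 'acceptable'
    TRANSFER = "transfer"      # contract or insurance moves it to another organisation
    TERMINATE = "terminate"    # eliminate the risk by stopping the activity
    TREAT = "treat"            # reduce to an 'acceptable' level with extra controls


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int             # 1 (low) .. 5 (critical), assumed scale
    threat_severity: int         # 1 .. 5
    vulnerability_severity: int  # 1 .. 5
    probability: float           # 0.0 .. 1.0, chance the threat exploits the vulnerability
    transferable: bool = False   # can the loss be insured or contracted away?
    essential: bool = True       # False means the activity could simply be stopped


SCALE = range(1, 6)


def impact_severity(risk: Risk) -> int:
    """Impact severity = asset value x threat severity x vulnerability severity (1..125)."""
    for factor in (risk.asset_value, risk.threat_severity, risk.vulnerability_severity):
        if factor not in SCALE:
            raise ValueError(f"severity factors must be in 1..5, got {factor}")
    return risk.asset_value * risk.threat_severity * risk.vulnerability_severity


def risk_score(risk: Risk) -> float:
    """Risk = probability of exploitation x impact severity, rounded for reporting."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return round(risk.probability * impact_severity(risk), 2)


def select_treatment(risk: Risk, acceptable: float) -> Treatment:
    """Pick one of the four treatment objectives (the decision order is an assumption)."""
    if risk_score(risk) <= acceptable:
        return Treatment.TOLERATE
    if not risk.essential:
        return Treatment.TERMINATE     # eliminate what does not need to exist
    if risk.transferable:
        return Treatment.TRANSFER
    return Treatment.TREAT             # cannot be eliminated or transferred: reduce it


def residual_score(risk: Risk, vulnerability_after: int) -> float:
    """Re-score after a control lowers the vulnerability severity; the SoA records this residual."""
    return risk_score(replace(risk, vulnerability_severity=vulnerability_after))


def build_treatment_plan(register: list[Risk], acceptable: float) -> list[dict]:
    """Risk treatment plan entries ordered by priority (highest risk first)."""
    plan = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "impact": impact_severity(r),
            "risk": risk_score(r),
            "treatment": select_treatment(r, acceptable),
        }
        for r in register
    ]
    plan.sort(key=lambda entry: entry["risk"], reverse=True)
    for priority, entry in enumerate(plan, start=1):
        entry["priority"] = priority
    return plan


# Constructed sample register for a software company like the ABC case study.
SAMPLE_REGISTER = [
    Risk("client source code repository", "external attacker", "unpatched VCS server",
         asset_value=5, threat_severity=4, vulnerability_severity=4, probability=0.3),
    Risk("staff laptops", "theft", "no full-disk encryption",
         asset_value=3, threat_severity=3, vulnerability_severity=4, probability=0.2,
         transferable=True),
    Risk("legacy FTP share", "malware", "anonymous write access",
         asset_value=2, threat_severity=4, vulnerability_severity=5, probability=0.5,
         essential=False),
    Risk("public brochure website", "defacement", "outdated CMS plugin",
         asset_value=1, threat_severity=2, vulnerability_severity=3, probability=0.4),
]
ACCEPTABLE_RISK = 5.0   # assumed risk acceptance criterion set by management


if __name__ == "__main__":
    for entry in build_treatment_plan(SAMPLE_REGISTER, ACCEPTABLE_RISK):
        print(f"{entry['priority']}. {entry['asset']}: impact {entry['impact']}, "
              f"risk {entry['risk']} -> {entry['treatment'].value}")
    # One control may not be enough: patching alone leaves the repository above the threshold.
    print("residual after patching:", residual_score(SAMPLE_REGISTER[0], 1))
```

The residual check is the point an auditor looks for in the SoA: a treated risk must be re-scored and compared with the acceptance criterion, not just marked as "control applied".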

Threats and Vulnerabilities
Threats

✓ Threats could exploit vulnerabilities of an information asset or group of
information assets, thereby causing harm to an organisation

✓ Threats are things that can go wrong or can ‘attack’ the identified assets

✓ Threats can be either external or internal

✓ Threats vary according to the industry and the scope of the ISMS

Vulnerabilities

✓ Vulnerabilities leave systems open to attack by something classified as a
threat, or allow an attacker to have some success or a more significant
impact

✓ A threat can exploit a vulnerability

Threats and Vulnerabilities
✓ Vulnerability Assessment Tools:

o Vulnerability assessment tools are also known as security scanning tools

o They play a role in many information security management systems, and their position is determined by the risk
treatment plan which arises from the risk assessment

o They assess the security of network or host systems and report system vulnerabilities

o These tools are automated and designed to scan networks, firewalls, servers, routers and software
applications for vulnerabilities

o In evaluating a vulnerability assessment tool, consider how frequently it is updated to include the detection
of new weaknesses, security flaws and bugs

o Vulnerability assessment tools are not usually run in real-time but are commonly run periodically

o The tools can generate technical and management reports, including text, charts, and graphs

o Vulnerability assessment reports can classify what weaknesses exist and how to fix them

Module 19: Introduction to ISO 27001 Lead Auditor
✓ Roles and Responsibilities of a Lead Auditor
✓ Team Selection and Planning
✓ Qualifications of an Auditor
✓ Conformance and Compliance

Roles and Responsibilities of a Lead Auditor
Some of the key roles of a Lead Auditor are:

01 Is the management interface
02 May facilitate the documentation and implementation process
03 May act as a guide during audits
04 May interface with customer and external auditors
05 Must maintain ‘independence’ and confidentiality
06 Exhibit professional behaviour

Roles and Responsibilities of a Lead Auditor
✓ The Lead Auditor is ultimately responsible for
all phases of the audit

✓ The Lead Auditor should also have
management capabilities and experience and
should be given authority to make the final
decision regarding the conduct of the audit
and any audit observation

Roles and Responsibilities of a Lead Auditor
The Lead Auditor’s Responsibility includes:

1. Assisting with the selection of other audit team members
2. Preparation of the AUDIT PLAN
3. Representing the AUDIT TEAM with the auditee’s management
4. Submitting the AUDIT REPORT

Roles and Responsibilities of a Lead Auditor
In various businesses the Lead Auditor is responsible for:

o Leading the team and deciding on allocation of audit activities

o Monitoring the performance of auditors within the team

Roles and Responsibilities of a Lead Auditor
In various businesses the Lead Auditor is responsible for:

o Checking the adequacy of checklists and other documented preparations
of the audit team members

o Communicating with the auditee to confirm audit plans

Roles and Responsibilities of a Lead Auditor
In various businesses the Lead Auditor is responsible for:

✓ Authorising the final report before it is provided to
the auditee

✓ Managing any conflicts between auditors and auditees

✓ Leading team meetings to discuss progress at regular
intervals throughout the audit

Team Selection and Planning
✓ Every Audit team has a Lead Auditor

✓ When preparing your audit plan, your lead auditor
must examine the complexity of the activities to be
audited and select team members who possess the
qualifications or expertise that are needed to perform
the audit

✓ Qualified auditors must be knowledgeable in Audit
criteria such as ISO 27001

✓ Auditors should also be familiar with the industry of
the organisation that they are auditing

Team Selection and Planning

Personnel are selected for specified auditing assignments on the basis of
experience or training that indicates qualifications commensurate with the
complexity of activities to be audited

An Audit Team Member’s work experience and education may benefit the
audit team and improve the effectiveness of the audit

The responsibility of an Audit Team is to gather factual evidence of
conformance or non-conformance of the audited area to the audit criteria

Team Selection and Planning

The number of personnel needed and their experience and qualification depends
on the amount of material that needs to be covered, as well as the availability of
personnel and other audit resources

An Audit team member should be free from biases or conflicts of interest, and
comply with standards of ethical conduct

To ensure that the audit is effective, team members should be allowed to report
the audit results objectively and impartially

Qualifications of an Auditor
Experience

✓ Auditor requirements should be set based on the number of days
spent performing internal audits of ISO 27001
✓ An internal auditor should also have experience as a consultant in
implementing the ISO 27001 standard
✓ In this case, a requirement could be established that they should
have participated in at least 2-3 implementation projects
✓ Project and personnel management experience (scheduling, time
management, budgeting, etc.)
✓ Business management experience is recommended to understand an
organisation’s situation and goals
✓ Experience delivering training/awareness courses for ISO 27001 is
useful

Qualifications of an Auditor
Knowledge

✓ Having knowledge about ISO 27001 and information security is
necessary

✓ This knowledge can be developed through training courses

✓ It is highly recommended that the auditor has completed an
ISMS Lead Auditor course. It would also be helpful if they had
completed an ISMS implementer training course

✓ Knowledge of other information security
standards/frameworks/regulations is not necessary but useful

✓ Knowledge of the advantages and disadvantages of qualitative
and quantitative risk assessment/analysis

Qualifications of an Auditor
Soft Skills

✓ They must have high ethical standards and integrity and
be beyond reproach

✓ Able to make use of negotiation skills

✓ A pragmatic outlook

✓ Very organised and motivated

✓ Able to work under stress and with frequent interruptions

✓ Able to deal with conflict effectively

✓ A capable communicator who can explain information security
issues in both a written and verbal manner

Conformance and Compliance
✓ Conformance can be defined as choosing to do something in
a recognised way following standards (e.g. ISO 27001) or
recognised methods (e.g. agreed test methods for ring tests
under ISO 17025)

✓ Compliance is “doing what is told”, i.e. abiding by the law and
meeting legislative requirements

✓ If someone is mandated to meet the requirements of a
standard or test method, then conformance becomes
compliance

Conformance and Compliance
The following are the differences between Conformance and Compliance:

Conformance: Basic starting point
Compliance: More detailed, systematic application of standards

Conformance: Achievable at low cost
Compliance: Implementation of ISMS with information security controls

Conformance: Generalises which standards will be applied and to what extent
Compliance: Specifies which standards are required to be met

Conformance: Limited reassurance to third parties about security status of the company
Compliance: Can assure third parties with limited obligation for proof

Conformance: Has little meaning without more detail
Compliance: Conformance becomes more informed and obligatory

Module 20: Preparing and Planning an Audit
✓ Roles and Responsibility of an Auditor
✓ Auditing Schedule and Time
✓ Qualifications of an Auditor
✓ Activities of an Auditor
✓ Audit Components
✓ Purpose and Extent of an Audit

Qualifications of an Auditor
The following are the roles and responsibilities of an auditor:

Communicating with management

Facilitating the documentation and implementation process

May act as a guide during audits

May interact with customers and external auditors

Qualifications of an Auditor
The following are the roles and responsibilities of an auditor:

Must maintain independence and confidentiality as an auditor

Exhibit professional behaviour

Analyse and audit information security management

Awareness of standards and control parameters

Roles and Responsibility of an Auditor
The Lead Auditor helps improve information security within an organisation by making small changes

The Lead Auditor is ultimately responsible for all phases of the audit

The Lead Auditor should have management capabilities and experience

They should be given the authority to make final decisions regarding the conduct of the audit and any audit
observations

The Auditor’s responsibilities include:

1. Assisting with the selection of other audit team members
2. Preparation of the audit plan

Roles and Responsibility of an Auditor

3. Representing the audit team with the auditee’s management
4. Submitting the audit report
5. Leading the team and deciding on allocation of audit activities
6. Monitoring the performance of auditors within the team
7. Checking adequacy of any checklists and other documented preparations of the audit team members
8. Communicating with the auditee to confirm audit plans

Roles and Responsibility of an Auditor

9. Authorising the final report before providing it to the auditee
10. Managing any conflicts between auditors and auditees
11. Leading team meetings to discuss progress at regular intervals through the audit
12. Deciding upon any non-conformances or follow-up action required based on collated findings
13. Conducting the entry and exit meetings
14. Collating the findings of each auditor involved in the audit

Auditing Schedule and Time
✓ Scheduling is the easiest way to keep an audit
programme on track

✓ To create a schedule, one needs to develop a
form that is suitable for the organisation

✓ After the creation of the form, it is time to
schedule the audits

✓ Key processes should have an increased audit
frequency

✓ The internal audit schedule must show that all
processes the company has identified appear
on the audit schedule

Procedures and Process Flow
1. Select for Audit
2. Pre-audit notification letter
3. Prepares for audit
4. Begins Audit fieldwork
5. How long on-site audit takes
6. Audit fieldwork ends
7. Closing meeting at audit site
8. Auditor completes audit work
9. Lead Auditor reviews fieldwork and report
10. Written audit and report communicated
11. Agree or request reconsideration (leading either to Reconsideration or to End of Audit)

Activities of an Auditor
The following are the four auditor’s activities:

01 Initiating the audit
02 Conducting Document Review
03 Preparing for on-site activities
04 Conducting on-site activities

Audit Components
Planning and Scheduling
✓ Determine the audit cycle, typically quarterly
✓ Publish the audit plan, typically annually
✓ Provide senior management and audit participants advance notice and confirm availability
✓ Develop the audit timeline based on best estimates and regularly update based on actual results

Selecting Participants/Assigning Roles/Responsibilities

✓ Participants selected based on availability, people skills, specialised skillset related to the system they will be
auditing
✓ Roles/responsibilities assigned; participants cannot audit their own work
✓ Management announces audit teams and members
✓ Audit leader drives function and organisation

Audit Components
Documentation Audit – Review all ISMS Documents

✓ The documentation audit will allow the auditor to
gain an understanding of ISMS in the context of the
organisation’s security policy, objectives, and
approach to risk management

✓ The documentation audit includes documentation
review that has to be completed before starting the
implementation audit

✓ The results of documentation audit will be
contained in the report. Based on the findings, the
auditor will decide whether to begin or postpone
the implementation audit

Audit Components
Implementation Audit – Confirmation of Compliance

The Implementation audit will cover:

✓ Confirmation of the organisation’s compliance with its own policies, objectives and procedures
✓ Confirmation of the ISMS' compliance with all ISO 27001 requirements and of its attainment of the
organisation’s policy objectives (includes checking that the organisation has a system of processes in place to
cover the requirements given in Clauses 4 to 8 inclusively of the ISO 27001 standard)

✓ Assessment of Information Security related risks and the resulting design of its ISMS
✓ The approach to risk assessment includes:

o Risk identification, Risk treatment and Risk assessment

o The choice of control objectives and controls for risk treatment

o Preparation of a Statement of Applicability

Audit Components
✓ Performance monitoring, measuring, reporting and reviewing against the objectives and targets. This should
include checking that processes are in place and being used for at least the following:
o Monitor and review the ISMS
o Management review of the ISMS
o ISMS improvement
✓ Management responsibility for the Information Security policy

Audit Report
✓ The Lead Auditor shall be responsible for the preparation and contents of the audit report. The audit report
shall be provided to the security management forum. The audit report should provide a complete, accurate,
concise and clear record of the audit, and should include:
o Identification of audit team leader and members
o The audit criteria, the audit findings and the audit conclusions

Purpose and Extent of an Audit
Internal Audit

✓ An internal audit considers whether business practices are helping the business manage its risks and meet its strategic objectives. Internal audits are not required by law

External Audit

✓ An external audit is required annually to ensure standards for meeting accreditation have been maintained

Module 21: Reviewing Process and Qualities

✓ Different Review Stages
✓ Collecting Evidence
✓ Observation
✓ Audit Findings
✓ Conducting Follow-ups

Different Review Stages
✓ There are two types of review stages: Stage 1 and Stage 2
Different Review Stages
Stage 1

✓ Reviews the design of the ISMS against the ISO 27001 standards

✓ Reviews the level of preparation for Stage 2

✓ Assessed against the management system requirements, mostly clauses 4-10

Stage 2

✓ Full review: includes ISMS and the controls to address the information security risk
Different Review Stages
✓ Review of ISMS assesses the effectiveness of the management system, while also correcting any nonconformities identified in Stage 1

✓ Assesses how effectively the controls within the SOA operate, specifically within Annex A

✓ Includes inquiry, observation and inspection of evidence that should ensure the control operates and mitigates the identified risk properly

✓ Is finalised with the audit team deciding whether the results suggest certification or not
Collecting Evidence
Management Interviews
✓ Auditors must focus on getting responses that enable accurate assessment of past and current practices
✓ The statements made by staff must be verified by reviewing documents, records and physical observations

Worker Interviews
✓ Worker interviews give a critical complement to staff interviews and documentation review
✓ Listening to workers gives a realistic view of working conditions
Observation
✓ Observation of the application of the company’s policy or procedure gives assurance at a given point in time, but not necessarily of its performance throughout the year

Visual Observation

✓ Smart auditors immerse themselves within the organisation and observe from every angle. They may look for:

o Uncontrolled Documents: If information is lying about, you need to inquire how it is supposed to be controlled
o Product outside normal flow: Normally these are non-conforming products
o Measuring Instruments: If being used in control processes, they need to be checked for their fitness
o Housekeeping and Disorganisation: Usually the sign of a more significant problem, and could be damaging to information security
o Informal Record Keeping: If they contain information, is it adequately secured?
Audit Findings

✓ The Audit Findings are the Lead Auditor’s summary or description and analysis of an inadequately mitigated risk to the organisation

✓ Audit findings are collected through interviews, the examination of documents, and observation of activities and conditions in the areas of concern

✓ The audit team shall review all of their findings to decide whether they are to be reported as non-conformities or as observations
Audit Findings

✓ Any findings during the audit shall be indicated with one of three classifications:

o Conformity: The process or product sampled was in accordance with the relevant requirements and criteria

o Opportunity for Improvement: In the auditor’s opinion, an improvement can be applied to the matter, and the organisation may or may not choose to take this opportunity

o Nonconformity: The process sampled was not in accordance with the requirements and audit criteria
Audit Findings
✓ The Lead Auditor consolidates all the audit findings for preparation of the audit report
✓ Classification of findings is as follows:

Major non-conformity

• This pertains to a major deficiency in the ISMS
• A non-conformity pertains to one or more elements of ISO 27001 not being implemented

Minor non-conformity

• A minor deficiency
• One or more elements of the ISMS are only partially complied with
• A minor non-conformity has an indirect effect on information security
Conducting Follow-ups
Requirements before Follow-Up

✓ The audit conclusions and recommendations are to be discussed with management and eventually integrated, if agreed upon, as action plans depending on the organisation’s practices

✓ A formal statement of the auditors’ reservations, qualifications, scope limitations or other caveats with respect to the audit

✓ Management may be invited to provide a short commentary or formal response, accepting the results of the audit and stating commitment to agreed plans

Conducting Follow-ups
✓ The Lead Auditor will follow up to check on the implementation of corrective actions as stated in the Non-Conformity/Corrective and Preventive Action Report

✓ An audit will not be considered complete and closed until all corrective actions or measures have been successfully implemented to the satisfaction of the Lead Auditor
Module 22: Certification

✓ Steps towards successful certification
✓ Selecting an ISO 27001 Registrar
✓ Prepare for the Certification Audits
✓ Certification
✓ Audit Components
✓ Stage 2 Audit
✓ Surveillance Audit
✓ Re-certification Audit
Selecting an ISO 27001 Registrar
Considering that the registrar you choose will not only decide whether you have satisfied the standard’s requirements, but potentially also the maintenance of your certification, choosing your registrar carefully is important

Important Certification Body evaluation factors include:

✓ Cost
✓ Attitude
✓ Experience
✓ Time
✓ Accreditation
Selecting an ISO 27001 Registrar
Aspects of a registrar’s cost
✓ ISO certification can be costly
✓ Your organisation’s size, number of facilities and location all contribute to the cost of certification
✓ Larger organisations will require additional audit time, which will increase the cost of certification
✓ Travel expenses are also factored into certification costs
✓ Selecting a registrar nearest to your organisation or one with a local auditor will most likely lower your certification costs
✓ Obtaining quotations from several registrars to determine which are most economical for your organisation is a key cost-reducing first step
Selecting an ISO 27001 Registrar
Information Security and industry experience needed

✓ When selecting a registrar, you will also want to consider the knowledge and experience level of the auditor they assign to your organisation

✓ Auditors lacking in knowledge or experience of your industry or the ISO 27001 standard may be a disadvantage

o This could have a negative impact on your audit results

o You may get additional benefits from the audit if your auditor has a good level of experience to share
Selecting an ISO 27001 Registrar
Attitude
✓ Don’t forget relationship chemistry and a good attitude

✓ Consider how the registrar will work with you

✓ In the event that there is an issue or you need to contest/appeal a nonconformance or audit report, it is better to work with a professional and open-minded registrar

✓ Although there is a difference between using a consultant and a registrar, getting useful feedback on your information security management system (ISMS) is an integral part of the auditing process

✓ Interview registrars prior to selection to see if they will be a good fit for your organisation
Prepare for the Certification Audits
Be Prepared: Stick to Your Plan
✓ Having a successful ISO 27001 system requires on-going maintenance and takes time to implement

✓ Create a schedule that outlines how you plan to implement your new ISO 27001 system

✓ Create a time-line with milestones to make sure you stay on track

✓ The last thing you want your organisation to do is to rush to meet the ISO 27001 requirements weeks before your official certification audit
Prepare for the Certification Audits
Prepare Your Employees
Your employees and management should also be prepared for the audit. Make sure they are up-to-date on the following information security management system features:

✓ ISMS Policy

Review the information security policy with your teams and make sure all of your employees understand it. They should at least have an understanding of what the company’s information security management system entails along with its goals

✓ ISMS Objectives

Employees should know what your organisation’s information security objectives are and how they can help achieve them. They should know how their day-to-day systems help meet these objectives

✓ Training

Make sure all employees have been properly trained to perform their roles according to ISO 27001 standards
Prepare for the Certification Audits
Documentation
All employees and management should know where they can get the latest version of documentation for procedures, work instructions, and forms related to their position and/or department

General Audit Information
Inform your employees about the scope of the audit, when they should expect to be audited, and what the auditor may be checking for within their department

Interviews
Your employees should be able to answer the auditor honestly and confidently, and should be comfortable with saying “I don’t know” if they are not sure how to respond to an auditor’s question
Prepare for the Certification Audits
Prepare the facility
✓ Make sure all areas of the facility are clean and neat; there are potential nonconformances hiding in any given mess
✓ Make sure documents are available wherever they need to be used
✓ Check bulletin boards, desks, cupboards and drawers for uncontrolled documents, uncalibrated measuring and monitoring instruments and unidentified parts or supplies

Be Professional
✓ Just like your internal audits, it's important to be positive and professional
✓ Make sure you make a good impression with the auditor: treat them professionally and with respect
✓ Remember that the external auditor isn’t your enemy—they’re trying to help you and your organisation uncover any weaknesses so that you can take the corrective actions needed to ensure a high-quality standard for your employees, your company, and ultimately, your customers
Certification
The Certificate lasts for three years
✓ The Stage 1 Readiness Review/Documentation Audit is the first stage in the certification audit process
✓ The Stage 2 Certification Audit is the second stage in the certification audit process; successful completion leads to the issue of a Certificate
✓ In the following 2 years, Surveillance Audits are held
✓ At the end of three years, a Re-certification audit takes place – similar to the certification audit
Stage 1 Audit
Stage 1 (Readiness Review) Audit:
✓ The Stage 1 Readiness Review is the first stage in the certification audit process

✓ The goal is to determine if the organisation is able to move on to the Stage 2 Certification Audit

✓ During Stage 1 the registrar will review the requirements of the management system, including:

o Documented information
o Evaluate the client’s site-specific conditions
o Talk to personnel
Stage 1 Audit
Stage 1 (Readiness Review) Audit:
✓ During Stage 1 the auditor will review the organisation’s scope and gather information on:

o The processes and operations
o Equipment
o Levels of control
o Any statutory or regulatory requirements

✓ The auditor is looking to make sure that objectives are being met and key performance indicators, or ISMS aspects, are defined and understood
Stage 1 Audit
Stage 1 (Readiness Review) Audit:
✓ Internal audits and management reviews will be evaluated to make sure they are being performed adequately
✓ The implementation of the management system will be evaluated to determine if the organisation is ready to move forward with the Stage 2 Certification Audit
✓ A Stage 1 Audit usually takes place in one or two days
✓ This audit is almost always onsite, but when an organisation has more than one location the audit may occur at their head office
✓ Documented information will be given to the organisation to allow them to fix any nonconformances that may arise in the final audit
Stage 2 Audit
Stage 2 (Certification Audit):
✓ The purpose of the Stage 2 Audit is to confirm a company’s information security management system is fully compliant with ISO 27001:2022

✓ One to two months following the Stage 1 audit, the certification body will return to audit your entire information security system

✓ The auditors will analyse each process within your organisation for compliance with ISO 27001. This includes such things as customer requirements, and legal and organisational requirements

✓ The length of the Stage 2 audit is determined by the size of the organisation, number of sites, and the functions included within the system
Stage 2 Audit
Stage 2 (Certification Audit):
The Stage 2 Audit will include:

✓ Evaluating the documented information to ensure that the management system conforms with all standard requirements
✓ Reporting how well the information security management system complies with the organisation’s quality manual and procedures
✓ Evaluation of internal audits, management review and management responsibility for the organisation’s policies
✓ Reporting all nonconformances so that they can be assessed further
✓ Creating the surveillance plan for the organisation and choosing dates for the first surveillance visit in the following months
Surveillance Audit
✓ Surveillance audits are shorter and will only review some portions of your ISMS processes, rather than everything

✓ They will start each time by looking at:

o Your key processes (such as management review, internal audit, and corrective actions)
o Any complaints and changes since the last audit
o Some of the remaining processes within your ISMS

✓ They may also only look at a portion of the whole organisation, such as only one out of two production lines, or even only certain sites chosen by the auditors, rather than multiple sites

✓ The goal for the certification body is to audit all of the processes and business sites at least once during the two-year surveillance cycle
Re-certification Audit
✓ The final step in the ISO 27001 audit process is ‘Recertification’
✓ The audit will take a longer view of the system and review what the organisation has learnt and how it has progressed during the three years of operating the ISO 27001 Information Security Management System
✓ The Recertification audit will look forward as well, to the information security management objectives and planning that the organisation has made for the forthcoming trading period
✓ The recertification audit will set the forthcoming audit plan for the next three years
✓ As a result of a successful audit, the Certificate will be re-issued for a further three years and the Surveillance programme will begin again

Module 23: Audit Triangle

✓ Fraud Triangle
✓ Tackling the Fraud Triangle

Fraud Triangle
✓ The fraud triangle is a framework commonly used in auditing to explain the reason behind an individual's decision to commit fraud. The fraud triangle outlines three components that contribute to increasing the risk of fraud: (1) opportunity, (2) incentive, and (3) rationalisation

✓ Why is the fraud triangle important to auditors?

The Fraud Triangle is a great prompt to use to help ensure internal auditors adequately assess anti-fraud internal controls and identify important controls that may be missing

✓ What does the fraud triangle explain?

According to Albrecht, the fraud triangle states that “individuals are motivated to commit fraud when three elements come together:

o some kind of perceived pressure,
o some perceived opportunity, and
o some way to rationalise the fraud as not being inconsistent with one's values”
Fraud Triangle
(Diagram) The three corners of the fraud triangle:
✓ Incentives/motivation to commit fraud
✓ Knowledge and ability to carry out fraud
✓ Justification for committing fraud
Tackling the Fraud Triangle
Incentives/Pressures
✓ Financial pressures are common and drive employees to commit fraud
✓ Provide opportunities for employees to relieve pressures and stress (e.g. financial help, counselling, healthcare)

Opportunities for Fraud
✓ Potential weaknesses within a company must be identified and regularly reviewed
✓ Minimise opportunities for fraudsters to exploit a company’s vulnerability

Attitudes/Rationalisation
✓ A ‘zero tolerance’ approach to fraud, to prevent such activities and to stop fraudsters from being able to rationalise their actions

Module 24: Auditing Techniques

✓ Classifying Audit Findings
✓ On-Site Auditing
✓ Remote Auditing Methods

Classifying Audit Findings
Any findings during the audit shall be indicated with one of the three classifications:
1. Conformity

The process or product sampled was in accordance with the relevant requirements and criteria

2. Opportunity for Improvement

In the auditor’s opinion, an improvement can be applied to the matter, and the organisation may or may not choose to take this opportunity

3. Nonconformity

The process sampled was not in accordance with the requirements and audit criteria
On-Site Auditing
Direct Interaction with Auditees
✓ Face-to-face interviews
✓ Collect samples with auditee participation
✓ Review documents with auditee participation
✓ Complete checklists with auditee assistance
✓ Fill out questionnaires with auditee assistance

Direct Examination of Auditee Systems
✓ Review documents without auditee assistance
✓ Conduct on-site visits without auditee participation
✓ Complete checklists without auditee assistance
✓ Analyse information without auditee assistance
✓ Collect samples without auditee participation
✓ Observe work without auditee assistance
Remote Auditing Methods
Direct Interaction with Auditees
✓ Long-distance interviews (e.g. Skype)
✓ Complete checklists with auditee help
✓ Fill out questionnaires with auditee help
✓ Review documents with auditee participation

Remote Examination of Auditee Systems
✓ Review documents without auditee assistance
✓ Analyse information without auditee assistance
✓ Observe work without auditee assistance

Module 25: Tasks of an Auditor

✓ Classifying Audit Findings
✓ On-Site Auditing
✓ Remote Auditing Methods

Opening Meetings
The following topics on the agenda should be considered where relevant:

1 Participants of a Meeting
2 Introduction of Roles of Auditor, Auditee, Guide, and Observer
3 Objective of Audit
4 List of Attendance
5 Scope of Audit
6 Criteria of Audit
7 Documentation Status
8 Agenda Plan
9 Audit Methods
10 Risk Management
11 Communications
12 Confidentiality
13 Confirmation of Resources and Facilities
14 Safety, Security, and Emergency Considerations
15 Language and Acknowledgements
16 Reporting Method
17 Closing Meeting
18 Complaints or Appeals
Daily Discussion Meetings
✓ The daily discussion meetings during a multiple-day audit are usually held at the end of the day with management and the individuals audited during the day

✓ These meetings are usually brief and informal

✓ During these meetings, the auditee produces additional evidence of conformity relating to a certain finding, which the auditor may not have had a chance to discover earlier

The following is the agenda of daily discussion meetings:

✓ Discuss the functional area that was audited during the day
✓ Provide the information gathered from the audited individuals
✓ Discuss all the observations, including non-conformances
✓ Ask whether there is additional material the auditee might have skipped during the audit
✓ Encourage questions from the attendees
✓ At the end of the meeting, confirm the identified non-conformances that will be shared again in the closing meeting
✓ Express gratitude and discuss the next day’s audit agenda
Closing Meeting
✓ The first formal reporting that occurs during an audit is the closing meeting
✓ This meeting is led by the Lead Auditor, who presents a verbal summary of the audit including any positive and negative outcomes
✓ Depending on the size of the audit and its duration, the closing meeting can last anywhere from fifteen minutes to over an hour
✓ The Lead Auditor confirms that the audit is complete with respect to the audit scope and its objectives, then expresses thanks to the company members
✓ The Lead Auditor discusses the scope of the audit as well as giving an overview of the audit
✓ They highlight the areas that need to be audited and discuss the best practice observations
✓ When an audit finishes, the audit team presents its findings to the auditees during the closing meeting
✓ The audit report must be issued as soon as possible once the audit has been officially completed
Monitoring and Logging
✓ Administrator and Operator Logs

o Privileges of administrators and operators of systems are different from those of normal users, meaning that they can perform more actions.
o Systems should register information on all users, regardless of privileges.

✓ Clock Synchronisation

o All systems should be configured with the same time and date. If an incident occurs and a traceability test is required, difficulties arise when each system has a different configuration.
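The two points above, administrator/operator logging and clock synchronisation, are things an auditor verifies from evidence rather than from assertion. The following Python script is an added example and is not part of the training pack: it reads a few constructed, centrally collected log lines (the five-field format, the privileged account names and the 30-second tolerance are all assumptions made for the example), reports hosts on which no administrator or operator activity was recorded at all, estimates each host's clock offset from the collector, and shows that events from different hosts only line up in one timeline once that offset is corrected.

```python
"""Added audit helper (not from the training pack): checks two pieces of
evidence an auditor looks for under Monitoring and Logging, namely that
administrator/operator activity is actually recorded on every system and that
system clocks agree closely enough for cross-system traceability.

Log format is constructed for this example:
    <collector_received_utc> <host> <host_reported_utc> <user> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, NamedTuple

# Assumption: these account names denote administrators/operators.
PRIVILEGED_USERS = {"root", "admin", "operator"}
# Assumption: tolerated drift between a host clock and the log collector.
MAX_SKEW = timedelta(seconds=30)

# Constructed sample: db01's clock runs about six minutes slow, and app01
# shows no administrator activity at all.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z web01 2024-03-01T10:00:04Z alice login
2024-03-01T10:00:09Z web01 2024-03-01T10:00:08Z root sudo_service_restart
2024-03-01T10:00:12Z db01 2024-03-01T09:54:11Z bob query
2024-03-01T10:00:20Z db01 2024-03-01T09:54:19Z root schema_change
2024-03-01T10:00:25Z app01 2024-03-01T10:00:25Z carol deploy
2024-03-01T10:00:31Z app01 2024-03-01T10:00:31Z dave login
"""


class LogEntry(NamedTuple):
    received: datetime   # when the central collector got the line
    host: str
    reported: datetime   # timestamp the host itself put on the line
    user: str
    action: str


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> List[LogEntry]:
    """Split each non-empty line into its five fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        received, host, reported, user, action = line.split()
        entries.append(LogEntry(_ts(received), host, _ts(reported), user, action))
    return entries


def clock_skew(entries: List[LogEntry]) -> Dict[str, timedelta]:
    """Median (collector time - host time) per host; positive means the host is slow."""
    diffs = defaultdict(list)
    for e in entries:
        diffs[e.host].append((e.received - e.reported).total_seconds())
    return {host: timedelta(seconds=median(v)) for host, v in diffs.items()}


def hosts_out_of_sync(entries: List[LogEntry], tolerance: timedelta = MAX_SKEW) -> List[str]:
    """Hosts whose clock drift exceeds the tolerance: a traceability finding."""
    return sorted(h for h, d in clock_skew(entries).items() if abs(d) > tolerance)


def hosts_without_privileged_logs(entries: List[LogEntry]) -> List[str]:
    """Hosts with no administrator/operator entries at all: a possible logging gap."""
    seen = defaultdict(bool)
    for e in entries:
        seen[e.host] = seen[e.host] or e.user in PRIVILEGED_USERS
    return sorted(h for h, ok in seen.items() if not ok)


def timeline(entries: List[LogEntry], correct_skew: bool = True) -> List[LogEntry]:
    """Events ordered for investigation. With correct_skew the per-host
    drift is added back so events from different hosts line up."""
    skew = clock_skew(entries) if correct_skew else {}
    fixed = [e._replace(reported=e.reported + skew.get(e.host, timedelta())) for e in entries]
    return sorted(fixed, key=lambda e: e.reported)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("out of sync:", hosts_out_of_sync(log))
    print("no admin logs:", hosts_without_privileged_logs(log))
    for e in timeline(log):
        print(e.reported.isoformat(), e.host, e.user, e.action)
```

Run as a script it prints the two findings and the corrected timeline. In the constructed sample the database host's clock is six minutes slow, so without the correction its `root` `schema_change` appears to precede the web server's privileged restart; with it, the order is restored, which is exactly the traceability problem the clock synchronisation point describes.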
Monitoring and Logging
Benefits to Monitoring and Logging

1 Providing baselines, test results, and general IT insight.
2 The needs of stakeholders in an audit are met.
3 The tools are on hand to resolve a complete range of IT issues.
4 Business risk is ultimately reduced through managers being able to detect and react to events.
5 Managers are also able to respond to process exceptions.
6 Compliance, risk management, and governance are all at the core of the information that monitoring and logging provide.
7 Performance indicators can be put in place.
8 The needs of stakeholders in an audit are met.
9 Log information can assist with security breaches by being used as evidence.
Handling Stressful Situations
✓ Auditors must have the strength of mind, stability, and patience to be able to cope with and react to stressful situations effectively
✓ An auditor requires a high degree of maturity, a good sense of humour, and understanding
✓ The auditor must be aware that the outcome of the audit may result in angry/insulting outbursts from auditee personnel

Types of Stress
1. Episodic Acute Stress
o The frequent occurrence of acute stress
o A commonly negative attitude
o Daily or almost constant stress is a normality

2. Chronic Stress
o Constant stress with little to no gaps or relief
o Difficult factors that are a part of daily life; unhappy home life, stressful work life, finance or debt issues
Handling Stressful Situations
Techniques of Stress Management
The flowchart represents techniques of Stress Management:

✓ Time management
✓ Personal responsibility
✓ Stay healthy
✓ Think positively, have faith
✓ Solve problems
✓ Effective communication
✓ Set goals

The following are some ways used to incorporate clear communication and humour in times of high stress:

✓ Ensure that all of the information used has a clear purpose
✓ Practise your delivery
✓ Avoid sarcasm or slapstick humour that may cause offence
✓ Try to practise inclusive humour – “we are all in this together” type humour
✓ Observational humour (surroundings/objects)
Intrusion and Penetration Testing
Intrusion Detection
✓ Intrusion detection often does not automatically identify an imminent attack
✓ The level of capability in intrusion detection is typically examined in a security audit

Penetration Testing
✓ Penetration testing is often used in security audits
✓ Testing of this type is the deciding factor in a company or organisation's success in the prevention of intrusion
✓ A penetration test, also called a Pen Test, is an authorised cyber-attack that identifies exploitable susceptibilities in computer systems. Penetration tests imitate real attacks in order to produce accurate results
✓ They are generally used to enhance a web application firewall in the context of web application security
Intrusion and Penetration Testing
✓ They can involve the attempted breaching of any number of application systems, like frontend/backend servers and application programming interfaces (APIs), to uncover susceptibilities
✓ Automated or manual technologies are used to carry out penetration tests in order to methodically weaken servers
✓ Testers may endeavour to use the compromised system to launch successive exploits at other internal resources once susceptibilities have been effectively exploited on a system
✓ The objective of penetration testing is to measure the probability of a system’s compromise and assess any associated consequences
Intrusion and Penetration Testing
Benefits of Penetration Testing
✓ A penetration test involves simulation of intrusions
✓ Manual and automatic tools will be used in penetration testing
✓ Manual tools are very useful, as they can uncover weaknesses that automatic tools fail to find
✓ The intrusions will consist of a variety of attack scenarios
Intrusion and Penetration Testing
Why Perform Penetration Testing?
The following are the reasons for penetration testing:

1. High costs following security infringements and other service disruptions
✓ Security infringements and other service disruptions often mean the vulnerability of the business's information
✓ This leads to financial costs, a threatened reputation, in turn losing customers due to low protection of their information, destructive press and even charges and penalties

2. Impossible to continuously protect all the data of a company
✓ Businesses are known to create layers and layers of security mechanisms to protect all their systems
✓ However, with the continued implementation of new technological systems, it is almost impossible to keep up security and locate the business's vulnerable areas

3. Helps identify and highlight the major risks in the system
✓ It is important to assess the business’ capability to prevent attacks on their networks, applications, and users
✓ Assessing them both externally and internally is important, as attacks can come from anywhere

Types of Penetration Testing
1. Grey Box
2. Black Box
3. White Box
Reporting Audits
✓ Audit Reporting includes:
o Review and analysis of findings
o Consolidation of all findings, including grouping and tabulation
o Classification of findings
o Preparation of recommendations

✓ Audit Reports serve to:
o Facilitate corrective action and promote standardisation
o Garner higher management support
o Offer managers insight into operations
o Give an objective evaluation of performance
o Act as a source of objective information on the current state
Follow-up Actions
✓ Follow-up actions will be documented as an Observation or Opportunity for Improvement statement
✓ Recommendations that the auditor may provide an organisation with post-audit are not compulsory
✓ Recommendations are advised, and management can either follow them up or not
✓ The actions to follow up on any advice must be decided upon by management
The World’s Largest Global Training Provider
theknowledgeacademy.com

/The.Knowledge.Academy.Ltd
/TKA_Training
/the-knowledge-academy
/TheKnowledgeAcademy

Congratulations