Sep 19 2022

ISO 27001 Internal Audit

Category: Information Security,ISO 27kDISC @ 12:40 pm

DISC LLC presents a phase approach to deliver ISO 27001 Internal Audit services to SaaS businesses. 

ISO27001 Internal Audit Service - iTGRC security and compliance advisory group

The Engagement:

We understand that your core business is your SaaS application and you desire an audit.  The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify if the program is ready to pass the certification audit for ISO 27001:2013 certification, and provide strategic guidance for achieving the certification.  Our focus will be your application which is hosted at AWS/Azure and you have xxx employees who create, maintain, and manage the application.

The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews.  We will complete your standard audit process documentation according to the ISO 27001 standard. 

The Plan:

Below is our high-level audit plan for your ISO 27001internal audit.  We propose a staged and flexible approach so we may progressively tune our audit process to deliver maximum business value to you.

Phase 1: This phase starts within a week one of signing of an engagement contract.  First step is a kickoff meeting to discuss the overall audit engagement, to finalize the formal audit plan, and to establish access to documents to be reviewed. We will review the available documents based on the ISO27001 standard. At the end of this phase we will present our findings in a briefing session.

Phase2: Phase 2 kickoff will be based on the document review and coordinate scheduling interviews that focus on critical processes to establishing the degree that the various control procedures have been activated. This is a critical part of the audit process. We will measure the maturity of required controls that has been implemented and present the findings for review within another review session (schedule subject to availability for interviews). 

Phase 3: Recommendations will be the focus of this phase.  This will also start with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass (to-be state) the certification audit.  This final step can save you a lot of effort as we can help you navigate to the end goal of passing the audit and also create the precise measures that have maximum business value.  The closing meeting of this phase will present our collective recommendations.

All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add.  These audit records will likely be a primary target of the certification audit so they need to be well executed.  Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure.  We can help you do both.  Missing the secure part would be devastating to you and to all of your customers. This is our value-add. 

If you have a question about ISO 27001 internal audit:

LIST OF Materials for ISO Internal Audit

Checkout our latest articles on ISO 27001/2

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

email: Info@DeuraInfoSec.com

Tags: Internal audit, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27001 Internal Audit

Nov 12 2021

Implementing and auditing an Information Security Management System in small and medium-sized businesses

Category: Information Security,ISO 27kDISC @ 11:02 pm

ISO 27001 Handbook

If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?

This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.

This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.

ISO 27001 Certification

ISO 27001 Gap Assessment

DISC InfoSec vCISO as a Service

Tags: iso 27001, ISO 27001 2013, ISO 27001 2013 Gap Assessment, iso 27001 certification

Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security,ISO 27kDISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27001:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;.
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001

Jan 27 2021

ISO Self Assessment Tools

Category: ISO 27k,Security ToolsDISC @ 3:49 pm

ISO Self assessment tools list includes but not limited to Privacy, ISO 27001, ISO 9001 and ISO 14001 & ISO/IEC 27701 2019 Standard and Toolkit

Tags: CPRA, Gap assessment tool, Information Privacy, ISO 14001, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27701 Gap Analysis Tool, iso 9001, iso assessment, Security Risk Assessment

Jul 11 2020

Ten Steps to Reduce Your Cyber Risk

Category: Information Security,ISO 27kDISC @ 4:19 pm

[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2020/07/Ten-Steps-to-Reduce-Your-Cyber-Risk.pdf” title=”Ten Steps to Reduce Your Cyber Risk”]



Reduce your cyber risk with ISO 27001

Contact DISC InfoSec if you have a question regarding ISO 27001 implementation.





Explore the subject of Cyber Attack

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment

Feb 11 2018

Pinpoint your current cyber security gaps

Category: ISO 27kDISC @ 9:07 pm

A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:

 

  • A high-level review of the efficacy of your policies, procedures, processes and controls
  • Interviews with key managers
  • Assistance defining the scope of a proposed information security management system (ISMS)
  • A detailed compliance status report against the clauses and controls described in ISO 27001

 

Description

Our ISO27001 Gap Analysis will provide you with an informed assessment of:

  • Your compliance gaps against ISO 27001
  • The proposed scope of your information security management system (ISMS)
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.

 

What to expect:

An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

 

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
  • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.

 

Please contact us for further information or to speak to an infosec expert.





Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment

Aug 28 2017

ISO27001 Gap Analysis

Category: ISO 27kDISC @ 10:41 pm

 

A specialist, in-person review of your current information security posture against the requirements of ISO/IEC 27001:2013.

Get the true picture of your ISO 27001 compliance gap, and receive expert advice on how to scope your project and establish your project resource requirements.

What to expect:

An ISO 27001 specialist will interview key stakeholders  and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • ISO 27001 2013 requirements
  • ISO 27002 2013 controls, categories and domains
  • Compliance report by ISO 27001 requirements
  • Compliance report by control ISO 27002 2013
  • Compliance report by category ISO 27002 2013
  • Compliance report by domain ISO 27002 2013

DISC gap assessment includes three or six level rating (CMMI) matrix of your choice for each control, category and domain.

Start your ISMS project with ISO27001 2013 Documentation Toolkit

ISO/IEC 27001 2005 to 2013 Gap Analysis Tool (Download)

Download ISO27000 family of information security standards today!

‱ ISO27001 2013 ISMS Requirement (Download now)

‱ ISO27002 2013 Code of Practice for ISM (Download now)

Contact us for further information or visit DISC site for our ISO27k services





Tags: ISO 27001 2013 Gap Assessment

Dec 04 2013

ISO27001 2013 high level review for making the transition

Category: ISO 27kDISC @ 3:06 pm

ISO 27001 2013

ISO 27001 2013 high level review for making the transition from ISO 27001 2005

The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

It’s been several months now that highly anticipated release of the latest information security standard ISO 27001 2013 for the organization who have vested interest due to previous compliance or certification in ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains) collectively containing a total of 35 main security categories and introductory clauses including introduction, scope, normative references.

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The new standard no longer require organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leave it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

The scope in new standard requires every organization to make sure the external and internal issues, (vendor assessment) and information security requirements of these parties are addressed in the contract. This clause will ensure that an ISMS is relevant to the organization’s activity which include external partners and provides an assurance that appropriate controls are in place for external parties as well. In risk assessment area, risks are treated and residual risk accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.

There is another important requirements relating to the setting of information security objectives (strategy), which include the evaluation of the information security performance and measuring the effectiveness of the ISMS.

Annex A has also been restructured into fewer controls (114) and three new domains
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management

The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the description of ‘documented information’.

There is no longer a summary of the mandated documents required by the Standard in this section, relying on the organization to identify the requirements for what is now referred to as ‘documented information’ for itself. They are listed below

The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Summary of new controls in ISO 27001 2013 Annex A

A.6.1.5 – Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 – Secure development policy
Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to 14.1.1 and 14.1.3, which relate to controlling the data and applications developed under this control.
14.2.6 – Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
14.2.8 – System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
15.1.3 – Information and communication technology supply chain
This control requires agreements with suppliers to address information security risks associated with information and communications technology services and products supply chain.
16.1.4 – Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control applies an additional step in the incident management process.

Contact DISC for a Free Gap Assessment for any domain of your choice based on location

Start your ISMS project with ISO27001 2013 Documentation Toolkit

Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99  

  

 Download ISO27000 family of information security standards!
‱ ISO 27001 2013 ISMS Requirement (Download now)
‱ ISO 27002 2013 Code of Practice for ISM (Download now)

 

Related articles




Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer

Dec 01 2013

ISO27001 2013 ISMS Standalone Documentation Toolkit

Category: ISO 27kDISC @ 9:53 pm

ISO27001 2013

Start your ISMS project with ISO27001: 2013

With the publication of the new version of the ISO27001 standard, there has never been a better time to start an ISMS implementation project to look after your information security.

 

ITGP toolkits – ISO27001: 2013 ISMS Documentation Toolkit

This new Toolkit provides you with a comprehensive set of pre-written ISMS documents compliant with the newly released ISO27001: 2013 Standard, built from the necessary policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed, including:

* Information Security Manual

* Visio Documentation Map and Structure

* Information Security Policy

* vsRisk risk assessment tool Integration Templates (not vsRisk itself)

* Business Continuity Management for information security

* Gap analysis ISO27001: 2013 and ISO27002: 2013 Audit tool

* Asset Management documentation templates such as, Asset Inventory, Information Hardware Assets, Software log, etc.

* Supplier Relationships documentation templates such as, External Parties Information Security Procedure and Third Party Service Contracts

* Operations and Communications Security document templates dealing with, Anti-Virus Software, Vulnerability Management, Systems Auditing, System Planning & Acceptance, etc.

 

Benefits of the ISO27001: 2013 ISMS Documentation Toolkit:

  • Fully customisable and editable templates inclusive of:
    7 Policies, 55 Procedures, 23 Work Instructions, 25 Records, guidance documents as well as Blank Templates that will enable you to bring in your exisitng documentation in-line with a consistent management system
  • Pre-written to be compliant with the standard
  • Saves you time on research
  • Saves you time on writing
  • Provides document guidance as you go
  • Cheaper than one day of consultancy
  • After sales support service
  • 12 months of automatic updates

 

Related articles




Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit