Before you learn about information security and see how important it is, you
first need to understand terms like information and security. When you see
these two words, information and security, you might wonder what type of
information is being discussed and why you would need to secure it.


Data
Data can be any raw fact used to make decisions.

Information

Information is data that can be processed to provide meaning.


Here are some characteristics of information:

• Availability
• Accuracy
• Authenticity
• Confidentiality


ISO 27001: Information Security Management System

Imagine you are responsible for securing confidential data. What if this
information was stolen? What if your competitor accessed this
information?

In the wrong hands, personal information can be used against you.

An ISMS is a framework of policies and procedures for ameliorating risk.

• An information security policy
• The scope of the ISMS
• Conduct a risk assessment
• Manage identified risks
• Select the control objectives and controls to be implemented
• Prepare a statement of applicability

An ISMS is a systematic approach to managing sensitive company
information so that it remains secure.

ISMSs stand on three main pillars, referred to as the CIA triad:

• Confidentiality
• Integrity
• Availability


Confidentiality
Confidentiality refers to protecting information from being accessed by
unauthorized parties.

Integrity
Integrity refers to the consistency, accuracy, and trustworthiness of data
over its entire lifecycle.

Availability
The availability of data is also very important. If the data is stored in a
database, it is very important that the business or authorized user can
access it when needed.


Safeguarding information is essential to protecting yourself and your
organization against malicious or misguided attacks.

These examples will help you understand the following:

• What the motive was and what kind of information was stolen
• What the impact was
• How the security breach happened


Yahoo

Yahoo announced that a state-sponsored actor pulled off a big data
breach in 2014. This breach included the real names, email addresses,
dates of birth, and telephone numbers of 500 million users.



Marriott International

In November 2018, Marriott International announced that cybercriminals had stolen
500 million customers' data. Marriott had acquired the Starwood hotel in 2016, and the
cyberthieves had attacked and entered their system.


eBay

In May 2014, eBay reported a cyberattack in which all of its 145 million users' personal
details were stolen. That included their names, addresses, dates of birth, and
encrypted passwords.


NHS Cyberattack
WannaCry crippled 200,000 computers with a
message demanding cryptocurrency in bitcoin.
This attack resulted in about $112 million in
losses.

Hackers broadcast ransomware called WannaCry, also called WanaCrypt, through
emails that tricked the recipients into opening the attachments and releasing
malware onto their systems.


After reading these real-life scenarios, you can see where information security may
apply to you and your organization.

Scenario 1: Banking

Banking transactions are part of our day-to-day activities and most people have one
or more savings accounts. According to the Global Findex World Bank report, 69
percent of adults have an account, up from 62 percent in 2014 and 51 percent in 2011.

The numbers clearly show that banking is integral to our daily life and hence securing
that data is a continuous challenge.


Cosmos Bank Cyberattack


ATM switch compromise, SWIFT environment compromise, and malware infection.
According to cyber experts, the attacker hacked the ATM switch of the Cosmos Bank to
access the firewall server.

[Figure: compromised switch diagram showing Retail Banking, Automated Teller Machine,
Acquiring Switch, Point of Sale, and Issuing Switch]

Scenario 2: Trade Secrets

We all are aware of Apple and the iPhone. Imagine if you are an Apple employee and
are working in the product design department.

Management may feel mistrustful of the employees, thinking that they are the origin of
this breach. The outside world may be concerned that the company cannot protect its
confidential data.

Once the business need is clear, you can implement a robust ISMS
(Information Security Management System) that covers the needs of the
interested parties and customers.

As per ISO 31000 Clause 5.3.1, these issues can be of two types:

• Internal issues: Factors that are under the control of the organization.
• External issues: Factors that the organization cannot control.

Let's look at a few examples of internal issues:

• Organizational structure
• Organizational culture
• Available resources

Now let's look at some external issues:

• Legal and regulatory requirements
• Political and economic environment
• Technological trends

If the business context is not clear, workers won't be able to meet the
organization's set objectives. To understand this in a more holistic manner,
let's look at this from different industry angles:

• IT/hardware/software organization
• Banking organization

These are just a few examples to show you why it's worth it to invest your
time and money in implementing ISO 27001 security practices.

Once you are clear about the business need, the next big step is to assess
the scope of the implementation within the organization.

There are numerous factors involved in identifying the scope. You need to
consider the organization's entities, locations, geographies, business units,
departments, and any products or services that are offered.

You can take three main steps to identify the scope of implementation for
your organization's ISMS:

• Identify the areas/systems/locations where all the information is or will
be stored.
• Identify what is out of scope, i.e., what your organization doesn't have
control over, such as outsourced products or services.

By taking these steps, you can prepare the following documents:

• Scope document
• Statement of applicability

A well-defined scope provides assurance that all the important areas of
your organization have been covered in terms of implementing security
controls.

The CISO has the authority to form a team to work on the implementation
of ISO 27001. In general, the team includes the following members:

• Steering committee members
• Information security department members

What's Covered in the Scope Document?

This section lists a sample table of contents for a scope document. It is for reference
purposes only.

This content may be modified or deleted based on the organization's
requirements/knowledge/experience.

• Purpose of the document
• Company/organization description
• Scope statement

What Is the Statement of Applicability (SOA)?

The Statement of Applicability (SOA) goes hand in hand with the scope identification
exercise. It is an important document that helps you look for the areas to be included
in your ISMS.


Responsibility

The information security team is responsible for checking and maintaining
compliance with respect to all applicable controls.


Once the ISMS scope is defined and you have a clear understanding of what is needed
to implement it, you need to create a timeframe to achieve the objectives.

Consider these real-life examples of dependencies and constraints:

• Commitment from the management and employees
• Budget issues and tool availability
• Current compliance/gap levels
• Geographies/locations


Senior Management Support

You can increase the chances of having a successful implementation by bringing in
top management. Without the support of management, your project will probably fail.


Top management's commitment and involvement can make the expected benefits of
the ISMS program achievable, as follows:

• Meet the organization's strategic objectives
• Create a risk-management program to effectively manage risks
• Manage resources efficiently
• Create value-added initiatives


In the previous chapter, you learned about setting the scope and timeline
of your implementation.
This chapter also talks about how to get stakeholder and team
commitment on the project and how to set the timeline and create the
project taskforce.

This chapter covers:

• Presenting the high-level plan
• Setting up the project taskforce

Presenting a High-Level Plan

When you're implementing a high-level plan, it is advisable to invite all the
stakeholders and to set up high-level policies for information security.
This involves:

• Setting up roles and responsibilities
• Defining rules for continual improvement
• Raising awareness of the team by providing them with regular training
and communication

[Figure: Sample High Level Plan]

Setting Up the Project Taskforce

We all know that without team members' support, projects aren't successful.
The project team can be selected based on the scope of the ISMS.

Setting up the taskforce early in the planning and implementation stages will
lead to better success.

Administration Department

The administration department can be represented as a SPOC (single
point of contact) for managing and implementing the physical,
operational, and facility-related aspects of the ISMS framework.

Chief Information Security Officer (CISO)

The Chief Information Security Officer is primarily responsible for
preparing, maintaining, and communicating the information security
policies and procedures within the organization.

This is one of the most important roles in the ISMS implementation. This
person is responsible for maintaining the security of the organization's
network and other information-processing facilities.

Information Security Management (ISM) Team

This team may have members from each department or function
included in the information security scope. The ISM team is primarily
responsible for incident reporting and response.

Human Resources Management

The human resources team is responsible for managing and enabling the
acknowledgment of HR guidelines, procedures, and policies inside the
organization in adherence with ISO 27001 requirements.
This important step involves getting commitment from the team.

Commitment to achieve something new mostly comes from the top. Once
you get management-level commitment, it's easier to get commitment
from the people doing the work.


To get the commitment and support of team members, it is best to have
clearly defined roles and responsibilities for every team member, and
these must be approved by top management.

Commitment to information security must be driven from the top to the
bottom. It is also very important to have a balance of commitment levels
from management and the other stakeholders.

[Figure: ISO 27001 - Agreement 1, a form with Project Name, CISO Name, and signature fields]
To plan the meeting or risk assessment sessions,
first meet with the individual teams one by one.
That way, you can focus on the areas that each
team is responsible for, and it will reduce the
chances of missing a key security area.

Meeting all the teams at the same time in a group
might not be easy to handle because the security
controls for each team may vary.

Annex 5: Information Security Policies

Check whether the company has done the following:

• Defined information security policies.
• Communicated these policies to employees and other relevant
stakeholders.
• Reviewed the policies at regular intervals.

Annex 14: Security Requirements of Information Systems

In any organization that has an IT department, this security control is
applicable, as it emphasizes the security needed when building a software
product or application.

The service delivery team is made up of the program managers, project
managers, business analysts, and QA managers.

Here are some examples of security requirements:

• Level of access provided to the users
• Encryption of sensitive data
• Session management

There may be different security requirements based on the application or
the software product you are working on. The standard makes it
mandatory to collect those requirements and to comply with the
regulations.

Security in Development and Support Processes

The objective of Clause 14.2 is to ensure that when the development team
works, the development lifecycle will remain secure throughout the
development or the product's/application's life.

Define a Secure Development Policy

The secure development policy should guide the development team, and
all must adhere to this security policy. The security policy should cover at
least these issues:

• Securing the coding environment
• Secure coding guidelines
• Secure repositories
• System change control
• Technical review
• Restriction of changes to software packages

Test Data

The objective of Clause 14.3 is to ensure that the test data is selected
carefully, protected, and controlled.

The main point to remember while performing testing is to avoid using
personally identifiable information and confidential information.

Annex 15: Supplier Relationships

Supplier relationships need to protect the business information that is
shared between the suppliers.

Annex 17: Information Security Aspects of Business Continuity Management

Business continuity during crises or adverse conditions like disasters can
be lifesaving. Assessing the risk associated with business continuity is essential.

Annex 18: Compliance

This control emphasizes the need to maintain compliance requirements
to prevent breaches of legal, statutory, regulatory, or contractual
requirements.

So far, you have done the risk assessment exercise by meeting all the
teams. Now it is time to prepare the report based on the identified gaps.

The report acts as a picture of every department based on the
international standard practices.

[Figure: SAMPLE GAP ANALYSIS REPORT, a table of Annex A.7 controls (A.7.1.1 to A.7.3.1)
with their control descriptions and compliance status]

Presenting the Report to Management/Teams

Once the report is ready, you must plan a session and present the report
to the steering committee.

Once management sees this report, it will also act as an action tracker
with target dates.

[Figure: SAMPLE REPORT, stacked bar chart of Non Compliant, Partly Compliant and
Compliant percentages (0-100) for Annex controls A-5 through A-18]

When you initiate the risk assessment, it is important to identify the
framework to be followed to manage risk. This method can help the teams
provide a guideline to conduct a risk analysis on assets based on the
defined scope.

[Figure: risk framework diagram relating Security Policy, Vulnerabilities, Risk,
Assets, Tolerance, Impacts, Incidents, and Consequence]

Risk Components

The risk assessment process consists of the following components:

• Assets
• Threats
• Vulnerabilities
• Impact
• Probability of occurrence
• Consequences

What Are Threats?

Risk assessment is based on threat identification, which means if there is a
potential scenario of a threat, you need to do risk analysis or assessment
and treatment. There are different types of threats, and each threat could
lead to unique problems.

Some examples are:

• Asset may malfunction or be damaged
• Asset may be corrupted or modified
• Asset may be stolen or lost
• Asset may be disclosed to unauthorized people
• Any other interruption of services

What Are Vulnerabilities?

A "vulnerability" is a weakness in an asset or system that makes it
susceptible to threats.

When you come across a condition or set of conditions that occurs
frequently in your business operations and exploits an asset, you need to
identify the vulnerability and avoid the conditions.

What Is a Security Risk?

When you get input by analyzing a threat to an asset and determine the
associated vulnerabilities, you will arrive at a conclusion. If the identified
threat has the potential to exploit any vulnerabilities and negatively
impact an asset or group of assets, that constitutes a security risk.

Risk Value = Asset Value × Likelihood × Impact

Likelihood Level   Rating   Description
Rare               1        Very low probability of occurrence
Moderate           2        Has a noticeable impact
Likely             3        Has a significant impact
Almost Certain     4        Has a very high impact

Impact Scale   Rating   Description
Minor          1        Service or business downtime of less than a few hours
Moderate       2        Service or business downtime of more than a few hours that
                        could last for one calendar day
Major          3        Service or business downtime of more than a day that could
                        affect delivery of services
Catastrophic   4        Service or business downtime caused by severe damage to the office

The rank assigned to each risk is called its risk ranking. Risks are ranked into
four types, depending on the calculated risk value and the priority level of the
risk.

Risk Value   Rating      Description                                                Risk Priority
1-36         Low         Chance to exploit the vulnerability is low                 P4
37-72        Medium      There are chances to exploit the vulnerability             P3
73-108       High        There are high chances to exploit the vulnerability        P2
109-144      Very High   There are very high chances to exploit the vulnerability   P1

Risk Prioritization

The idea is to prioritize the risks and to allocate resources appropriately for risk
treatment.

Risk Priority   Action
P1              Risk is a showstopper or blocker
P2              Take actions mentioned in Table
P3              Take actions mentioned in Table
P4              No action required

Risk Owner Identification

It is the responsibility of each department head to take ownership of their
departmental risks. Then they can assign further risk ownership to their
team members.

Risk Treatment

Risk owners and teams need to analyze which risks are acceptable and which
risks require immediate attention.

Risk Acceptance

To decide whether to accept the risk or not, you should focus on
the following implementation constraints:

• Budget/financial
• Environmental
• Organizational
• Technological
• Cultural
• Time-based

Risk Mitigation

Mitigation in simple terms involves the planned and executed
actions you take to reduce the impact of any risk.

• Threat reduction
• Vulnerability reduction
• Impact reduction
• Detection of unwanted event
• Recovery from unwanted event

Risk Avoidance

Risk avoidance is possible when potential threats are eliminated. This is
often done by changing process ladders or execution methods.

Risk Transfer

This is often the best strategy, as organizations can share their risk
burdens with third parties on contractual terms.

Acceptable risk is the risk that remains or still exists after
implementing security controls.

Acceptable Risk          Description
Very High/High/Medium    Requires additional controls to bring the risk to an acceptable level
Low                      Risk is at an acceptable level

Risk Monitoring and Review

Risk monitoring and review is a continuous process.

Risk owners from their respective departments are also responsible for
monitoring and reviewing risks and reporting to management on a monthly
basis (or as needed).

Identifying Assets

An asset can be anything that has value to the organization. This can be
tangible or intangible value.

From an information security point of view, an asset can be any device,
data, or components of environments such as development, testing, and
production environments that support the information security activities
within the organization.

Asset Category

Information assets: files including details, image files, ...
Paper assets: HR records, contracts, ...
Software assets: system software, application software, ...
Hardware/physical assets: computer and communications equipment, magnetic media, ...
Extension services: communication services, air conditioning, ...
People assets: employees, contractors, ...

Asset Value
Each asset is assigned a value, called the asset value.

The asset value helps you identify and determine the appropriate protection for
the assets.

Rating   Information Asset Security Elements
         Confidentiality (C)   Integrity (I)   Availability (A)
1        Public                Low             Not Important
2        Internal              Medium          Important
3        Confidential          High            Very Important

Net Asset Value = Confidentiality + Integrity + Availability
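Scoring a departmental risk register with these scales, as an added example that is not part of the original text: it combines the Net Asset Value formula above with the earlier Likelihood and Impact scales, the Risk Value formula, the 1-144 ranking bands with priorities P4 to P1, and the rule that only Low risk is acceptable. The register columns follow the page's lists; the sample departments, assets, threats, vulnerabilities and controls are constructed assumptions.

```python
"""Added example: score a departmental risk register with this page's scales.
Asset value = C + I + A (each 1-3); Risk Value = Asset Value x Likelihood x Impact
(each 1-4); bands 1-36 Low/P4, 37-72 Medium/P3, 73-108 High/P2, 109-144 Very High/P1."""
from dataclasses import dataclass

# Rating scales copied from the page's tables.
LIKELIHOOD = {"Rare": 1, "Moderate": 2, "Likely": 3, "Almost Certain": 4}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3, "Catastrophic": 4}
CONFIDENTIALITY = {"Public": 1, "Internal": 2, "Confidential": 3}
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3}
AVAILABILITY = {"Not Important": 1, "Important": 2, "Very Important": 3}

# (upper bound, rating, priority). The maximum score 9 x 4 x 4 = 144 is exactly
# the top of the last band, so every valid score lands in one band.
RISK_BANDS = [(36, "Low", "P4"), (72, "Medium", "P3"),
              (108, "High", "P2"), (144, "Very High", "P1")]


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register; field names follow the page's column list."""
    department: str
    asset: str
    confidentiality: str
    integrity: str
    availability: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    risk_owner: str
    existing_controls: str


def asset_value(c: str, i: str, a: str) -> int:
    """Net Asset Value = Confidentiality + Integrity + Availability (3..9)."""
    return CONFIDENTIALITY[c] + INTEGRITY[i] + AVAILABILITY[a]


def risk_value(av: int, likelihood: str, impact: str) -> int:
    """Risk Value = Asset Value x Likelihood x Impact (3..144)."""
    return av * LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rank(value: int) -> tuple[str, str]:
    """Map a risk value to its (rating, priority) band; reject off-scale values."""
    if not 1 <= value <= 144:
        raise ValueError(f"risk value {value} is outside the 1-144 scale")
    return next((rating, prio) for upper, rating, prio in RISK_BANDS if value <= upper)


def assess(entry: RiskEntry) -> dict:
    """Fill in the computed columns: asset value, risk value, rank, priority."""
    av = asset_value(entry.confidentiality, entry.integrity, entry.availability)
    rv = risk_value(av, entry.likelihood, entry.impact)
    rating, priority = risk_rank(rv)
    return {"department": entry.department, "asset": entry.asset, "asset_value": av,
            "threat": entry.threat, "vulnerability": entry.vulnerability,
            "likelihood": entry.likelihood, "impact": entry.impact,
            "risk_value": rv, "risk_rank": rating, "risk_priority": priority,
            "risk_owner": entry.risk_owner, "existing_controls": entry.existing_controls,
            # Only Low is acceptable; Medium/High/Very High need additional controls.
            "acceptable": rating == "Low"}


def risk_register(entries: list[RiskEntry]) -> list[dict]:
    """Score every entry and order the register P1 first, highest risk value first."""
    rows = [assess(e) for e in entries]
    rows.sort(key=lambda r: (int(r["risk_priority"][1]), -r["risk_value"]))
    return rows


# Constructed sample rows (assumed departments, assets, threats and controls).
SAMPLE_ENTRIES = [
    RiskEntry("Software Development", "Source code repository", "Confidential", "High",
              "Important", "Asset may be disclosed to unauthorized people",
              "Shared repository credentials", "Almost Certain", "Catastrophic",
              "Head of Development", "None"),
    RiskEntry("Human Resources", "Employee records database", "Confidential", "High",
              "Very Important", "Asset may be stolen or lost",
              "No periodic access review", "Likely", "Major", "HR Manager",
              "Role-based access"),
    RiskEntry("IT Helpdesk", "Laptop fleet", "Internal", "Medium", "Important",
              "Asset may be stolen or lost", "Disk encryption not enforced",
              "Almost Certain", "Moderate", "Helpdesk Lead", "Asset tagging"),
    RiskEntry("IT Infrastructure", "Public website", "Public", "Medium",
              "Very Important", "Any other interruption of services",
              "Single web server, no failover", "Moderate", "Moderate",
              "Infrastructure Manager", "Daily backups"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ENTRIES):
        print(f"{row['risk_priority']} {row['risk_rank']:<9} {row['risk_value']:>3}  "
              f"{row['department']}: {row['asset']}")
```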



Asset Classification

An asset can be grouped into different categories based on similarities and
characteristics. The process of grouping similar assets is called asset
classification.

[Figure: Data Classifications]

Asset Labeling

Once you are done with the information asset classification process, the assets
must be labeled properly. Asset labeling is a small step toward achieving better
security, since organizations deal with lots of information assets in their daily
activities.

Some best practices for labeling assets include:

• By item ID
• Adding a color code
• Customized tagging

So far so good. These are just some of the benefits of asset labeling:

• Stock availability
• Tracking
• Better monitoring

Asset Register

An asset register is a list of assets owned by the organization. The main benefit
of having an asset register is that it gives you a list of assets along with their
owners. Every department needs to create an asset register.

[Figure: sample asset register grouped into Hardware/Physical Assets, Software,
Services, People, Information, and Paper]

Asset disposal is the act of obsoleting unwanted equipment or assets in a safe
manner.

A few key points that need to be covered in this asset disposal policy are the
following:

• Media sanitization procedures
• Destruction of electronic media
• Repairing hard drives under warranty
• Disposal of damaged media
• External party

Asset Register Examples

This section explains how to track and maintain asset information in your
department, with examples. The following sections discuss some examples of
departments.


Human Resources Department

In any organization, human resources is the first department that communicates
the company's information security controls and ensures that everybody follows
them.


IT Helpdesk Department

Whatever you call the IT support department, their functions and activities will
basically be the same. This department typically covers about 30-40% of the ISO
27001 security controls implementation.

IT Infrastructure Department

Whatever you call the IT infrastructure department, their functions and
activities will basically be the same. This department typically covers about
20-30% of the ISO 27001 security controls implementation.

Software Development Department

In any organization, the software development division is crucial, as throughout
the software development lifecycle, they handle the information related to their
client's product and software development.

In the previous chapter, you performed an initial risk assessment.

If you remember, each department risk owner analyzed key questions about the
information assets to determine the current/existing controls which are already
in place for the risks identified.

• Department
• Asset
• Category
• Asset value
• Threat
• Vulnerability
• Risk
• Likelihood
• Impact
• Risk value
• Risk rank
• Risk priority
• Risk owner
• Existing controls

Identifying Security Controls

Along with managing risks, you need to start identifying the appropriate security
controls.

The proposed mitigation plan should be implemented at the departmental or
organizational level. You can also add target dates for the mitigation plan to
this kind of tracker and track them.


Revisiting the Statement of Applicability (SoA)

You may wonder why you need to revisit the SoA, as you already did so in an
earlier exercise. Recall from an earlier chapter that you might have to revisit
the SoA: as you proceed with the implementation, you may find areas or scenarios
that were skipped.

Awareness of the ISO 27001 standard should be planned and conducted at the
organizational level.

In some organizations, contractors/vendors are also part of the workforce, so
they must also attend the awareness sessions. They need to be familiar with the
security policies and need to abide by them.

An Emphasis on Training Content

It is important to know what you are covering as part of the awareness content. It
should be easy for all employees to understand, and they must be able to remember
it as well.

Awareness Quiz

A quiz session makes the awareness training more interesting and attendees get
to play a game and learn at the same time. This is the best way to check whether
employees understood the awareness sessions.

The awareness session also helps implementation team members when writing
the policies and procedures.

Policies and Procedures

The most important step in the execution is defining the policy and operational
procedures. Without them, the implementation will be incomplete.

To avoid defining too many procedures in the ISO 27001 implementation, the
policies cover how security controls/practices should be implemented in the
organization or in one of the business units of the organization, as applicable.

Who Defines the Policies?

As mentioned, the applicable team members help define the policies that
affect their daily work routines. It is the combination of the information security
team and the members from the operational team who work together.


Who Reviews and Approves the Policies?

The best way to go about this is to form a team of seniors (such as team heads
and management) who will review and approve the policies, as they know the
business processes very well and have the authority to change or modify them as
needed.

The following policies are examples based on the ISO 27001 standard.
Organizations can prepare their policies as applicable.

• Access control policy
• Acceptable usage policy
• Asset management policy
• Antivirus policy
• Business continuity and data recovery policy
• Clear desk and clear screen policy
• Change management policy
• Data retention and disposal policy
• Email usage policy
• Encryption policy
• Information security policy
• Incident management policy
• Information classification policy
• Legal compliance policy
• Network security and information transfer policy
• Password creation policy
• Physical and environmental security policy
• Privacy and protection of personally identifiable information management
policy
• Remote access policy
• Supplier relationship management policy
• Technical vulnerabilities management policy

Access Control Policy

The main objective of the access control policy is to protect an organization's
resources from unauthorized access while facilitating seamless and legitimate
use of these resources. This policy document should cover both logical and
physical access control.

Acceptable Usage Policy

The main objective of the acceptable usage policy is to document and define
the practices that users must agree to in order to access the organizational
network or Internet.

Some organizations require employees to accept this usage policy before
they can access the network or Internet.

Asset Management Policy

This document describes the asset management policy for all IT and non-IT
assets of the organization. The policy covers all information assets, such as
hardware, software, and data.

Identification and inventory of all the assets and relevant information:

• Information assets
• Software assets
• Hardware assets
• Personnel assets

Antivirus Policy

The purpose of this policy is to help prevent the infection of computers by viruses
and other malicious code and to provide a virus-free environment.

The goal is to prevent the organization's data from damage due to a
virus/Trojan attack.

Business Continuity and Disaster Recovery Policy

This is one of the most important policies you'll create because it tells you how
to recover quickly from service interruption or disaster, whether natural or
man-made.

Clear Desk and Clear Screen Policy

This policy helps reduce the risk of unauthorized access, loss, or damage of
information during and outside working hours.

Change Management Policy

The purpose of this policy is to define how changes to information security are
managed and controlled, because when an organization undergoes changes
in terms of business processes, tools, and technologies, the security controls
may require revisions and there may be new controls to document.

Data Retention and Disposal Policy

This policy tells you how securely the data is retained and how you dispose of
data when it's no longer needed.

Email Usage Policy

The purpose of this policy is to ensure acceptable use of email services
provided by the organization to its users/employees to conduct business in an
ethical, legal, and lawful manner.

Encryption Policy

The objective of this policy is to provide direction about the use of encryption
to protect information resources that contain, process, or transmit confidential
and business-sensitive information.


Information Security Policy

The purpose of the information security policy is to provide complete security
from all ends and ensure the protection of the organization's information
assets from all threats, whether internal or external, planned or accidental.

Incident Management Policy

The purpose of this policy is to define how incidents are managed and
reported in the organization.

Information Classification Policy

The purpose of this policy is to classify the information appropriately and to
ensure that the information created, treated, and stored by the organization
will reach intended addressees only.

Legal Compliance Policy

The purpose of this policy is to address the legal, statutory, regulatory, and
contractual obligations arising from the security and privacy requirements of
an organization.

Network Security and Information Transfer Policy

The purpose of this policy document is to ensure the protection of information
in networks and software when they are exchanged outside the organization.

Password Creation Policy

The purpose of this policy is to secure password management by establishing
a set of standard procedures for the creation of strong passwords, the
protection of those passwords, and the frequency of change.

Physical and Environmental Security Policy

The purpose of this document is to secure the organization from physical and
environmental threats.

Privacy and Protection of Personally Identifiable Information Management Policy

The purpose of this policy is to establish the guidelines for protecting the
confidential information belonging to users/employees/clients.

Remote Access Policy

The purpose of this policy is to define and document procedures to protect
confidential data that can be compromised without this policy.

Supplier Relationship Management Policy

The purpose of this policy is to provide guidelines to manage the supplier
relationship and ensure that supplier management activities are carried out
securely.

Technical Vulnerabilities Management Policy

The purpose of this policy is to keep the components of the information
technology infrastructure available to the organization's end users.
To keep the infrastructure available all the time to users, it is important to keep
the hardware, software, and services up to date with the latest patches.

The motive is to help the implementation teams complete the implementation
in their areas in a smooth manner. If you implement these controls effectively,
it ensures that you are on the right path in securing the company's
information.

A.5 Information Security Policies

A.5.1 Management Direction for Information Security

Objective: To provide management direction and support for information
security in accordance with business requirements and relevant laws and
regulations.

Explanation: The focus is on management involvement, by giving direction to
form all the required policies based on the type of the organization's business
and applicable laws.

A.5.1.1: Policies for Information Security (ISO 27001 Control)

A set of policies for information security should be defined, approved by
management, published, and communicated to employees and relevant
external parties.

A.5.1.2: Review of the Policies for Information Security (ISO 27001 Control)

The information security policies should be reviewed at planned intervals or if
significant changes occur to ensure their continuing suitability, adequacy, and
effectiveness.

A.6 Organization of Information Security

A.6.1 Internal Organization

Objective: To establish a management framework to initiate and control the
implementation and operation of information security within the organization.

Explanation: Before you initiate the ISO 27001 implementation in your
organization, you need to build a framework to support the implementation
teams.

A.6.1.1: Information Security Roles and Responsibilities (ISO 27001 Control)

All information security responsibilities should be defined and allocated.

A.6.1.2: Segregation of Duties (ISO 27001 Control)

Conflicting duties and areas of responsibility should be segregated to reduce
opportunities for unauthorized or unintentional modification or misuse of the
organization's assets.

A.6.1.3: Contact with Authorities (ISO 27001 Control)

Appropriate contacts with relevant authorities should be maintained.

A.6.1.4: Contact with Special Interest Groups (ISO 27001 Control)

Appropriate contacts with special interest groups or other specialist security
forums and professional associations should be maintained.

A.6.1.5: Information Security in Project Management (ISO 27001 Control)

There must be information security in project management regardless of the
type of project.

Some examples that could help in identifying information security risks are as
follows:
• Analyze the project/product requirements risks
• Access control risks
• Business continuity risks
• Any legal/regulatory risks
• Contract risks

A.6.2.1: Mobile Device Policy (ISO 27001 Control)

A policy and supporting security measures should be adopted to manage the
risks introduced by mobile devices.

The following example controls could be implemented to safely use mobile
devices:

• Mobile devices given to employees/contractors must be registered.
• Employees should not be allowed to install software on these devices on
their own, as this could pose an information security risk.
• Ensure that security patches are updated on these devices on time.
• These devices must be automatically locked out when unattended for a
few minutes and must be password protected.
• Ensure that antivirus software is running on these devices so that a regular
scan can be performed on the device to detect any virus or malware.
• Regular backups are also performed so that information can be retrieved in
any unexpected incident.
• The policy must also explain what employees should do to report an
incident to the IT Helpdesk team and to their immediate supervisors.
• Users should sign an end-user agreement before they get access to a
mobile device.

A.6.2.2: Teleworking (ISO 27001 Control)

A policy and supporting security measures should be implemented to protect
the information accessed, processed, or stored at the teleworking sites.

A.8.1 Responsibility for Assets

Objective: To identify organizational assets and define appropriate protection
responsibilities.

Explanation: The objective is to identify all the assets associated with the
organization and then define security controls needed to safeguard those
assets.

A.8.1.1 Inventory of Assets (ISO 27001 Control)

Assets associated with information and information processing facilities
should be identified and an inventory of these assets should be drawn up and
maintained.

A.8.1.2 Ownership of Assets (ISO 27001 Control)

Assets maintained in the inventory should be owned.

The asset owner is responsible for:

• Ensuring that the asset register is correct and up to date.
• Ensuring that assets are classified into appropriate categories and
protected.
• Defining the asset management policy and reviewing it periodically.
• Properly handling assets while deleting or destroying them.

A.8.1.3 Acceptable Use of Assets (ISO 27001 Control)

Rules for the acceptable use of information and assets associated with
information and information processing facilities should be identified,
documented, and implemented.

A.8.1.4 Return of Assets (Control ISO 27001)

All employees and external party users should return all the organizational
assets in their possession upon termination of their employment, contract, or
agreement.

A.8.2 Information Classification

Objective: To ensure that information receives an appropriate level of
protection in accordance with its importance to the organization.

Explanation: This control helps classify information, which is very important for
the organization.

A.8.2.1 Classification of Information (Control ISO 27001)

Information should be classified in terms of legal requirements, value,
criticality, and sensitivity to unauthorized disclosure or modification.

A.8.2.2 Labeling of Information (Control ISO 27001)

An appropriate set of procedures for information labeling should be
developed and implemented in accordance with the information
classification scheme adopted by the organization.

A.8.2.3 Handling of Assets (Control ISO 27001)

Procedures for handling assets should be developed and implemented in
accordance with the information classification scheme adopted by the
organization.

A.8.3 Media Handling

Objective: To prevent unauthorized disclosure, modification, removal, or
destruction of information stored on media.

Explanation: The objective is to prevent any kind of unauthorized access on a
media device.

A.8.3.1 Management of Removable Media (Control ISO 27001)

Procedures should be implemented for the management of removable media in
accordance with the classification scheme adopted by the organization.

A.8.3.2 Disposal of Media (Control ISO 27001)

Media should be disposed of securely when it's no longer required, using
formal procedures.

A.8.3.3 Physical Media Transfer (Control ISO 27001)

Media containing valuable information should be protected against
unauthorized access, misuse, or corruption during transportation.

A.10.1 Cryptographic Controls

Objective: The objective of this control is to ensure proper and effective use of
cryptography to protect the confidentiality, authenticity, and/or integrity of
information.

Explanation: Today we all must deal with lots of information through different
mediums, such as emails, online transactions, hard drives, and others.

A.10.1.1 Policy on the Use of Cryptographic Controls (ISO 27001 Control)

A policy on the use of cryptographic controls for protection of information
should be developed and implemented.

A.10.1.2 Key Management (ISO 27001 Control)

This control covers the policy on the use and protection of cryptographic keys.
The important aspect is the management of keys throughout their lifecycle.

A.11 Physical and Environmental Security

Objective: To prevent unauthorized physical access, damage, and interference
to the organization's information and information processing facilities.

Explanation: The objective in this control is to restrict illegal physical and
environmental access. The term physical and environmental refers to steps
taken to protect the physical system and infrastructure against physical and
environmental threats.

A.11.1 Secure Areas

Objective: To prevent unauthorized physical access, damage, and interference
to the organization's information and information processing facilities.

Explanation: Prevent unauthorized physical access and prevent damage to the
organizational site and information.

A.11.1.1 Physical Security Perimeter

Security perimeters should be defined and used to protect areas that contain
either sensitive or critical information and information processing facilities.

A.11.1.2 Physical Entry Controls

Secure areas should be protected by appropriate entry controls to ensure that
only authorized personnel are allowed access.

A.11.2.4 Equipment Maintenance (Control ISO 27001)

Explanation/what is required: This control covers the maintenance of
equipment to ensure its availability and integrity.

Evidence to be prepared: Maintenance record for all equipment,
list of assets under maintenance.

Who prepares it: The IT or Admin team is responsible for the
regular maintenance of equipment.

For external audit: The external auditor conducting the ISO 27001
audit may ask for this evidence.

A.11.2.5 Removal of Assets (Control ISO 27001)

Equipment, information, or software should not be taken off-site without prior
authorization.

A.11.2.7 Secure Disposal or Reuse of Equipment (Control ISO 27001)

All items of equipment containing storage media should be verified to ensure
that any sensitive data and licensed software has been removed or securely
overwritten prior to disposal or re-use.

A.12.1 Operational Procedures and Responsibilities

A.12.1.1 Documented Operating Procedures (ISO 27001 Control)

Operating procedures should be documented and made available to all users
who need them.

A.12.1.2 Change Management (ISO 27001 Control)

Changes to the organization's business processes, information processing
facilities, and systems that affect information security should be controlled.

A.12.1.3 Capacity Management (ISO 27001 Control)

The use of resources should be monitored and tuned, and projections made of
future capacity requirements to ensure the required system performance.

A.12.1.4 Separation of Development, Testing, and Operational Environment
(ISO 27001 Control)

Development, testing, and operational environments should be separated to
reduce the risks of anybody having unauthorized access or changes to the
operational environment.

A.12.2 Protection from Malware

Objective: To ensure that information and information processing facilities are
protected against malware.

A.12.2.1 Controls Against Malware (ISO 27001 Control)

Detection, prevention, and recovery controls to protect against malware
should be implemented, combined with appropriate user awareness.

A.12.3.1 Information Backup (ISO 27001 Control)

Backup copies of information, software, and system images should be
taken and tested regularly in accordance with an agreed backup policy.

A.13.1.1 Network Controls (ISO 27001 Control)

Networks should be managed and controlled to protect information in
systems and applications.

A.13.1.2 Security of Network Services (ISO 27001 Control)

Security mechanisms, service levels, and management requirements of all
network services should be identified and included in network services
agreements, whether these services are provided in-house or outsourced.

A.13.1.3 Segregation in Networks (ISO 27001 Control)

Groups of information services, users, and information systems should be
segregated on networks.

A.13.2.1 Information Transfer Policies and Procedures (ISO 27001 Control)

Formal transfer policies, procedures, and controls should be in place to
protect the transfer of information using all types of communication facilities.

A.13.2.2 Agreements on Information Transfer (ISO 27001 Control)

Agreements should address the secure transfer of business information
between the organization and external parties.

A.13.2.3 Electronic Messaging (ISO 27001 Control)

Information involved in electronic messaging should be appropriately
protected.

A.13.2.4 Confidentiality or Non-Disclosure Agreements (ISO 27001 Control)

Requirements for confidentiality or non-disclosure agreements reflecting the
organization's needs for the protection of information should be identified,
regularly reviewed, and documented.

A.14.1.1 Information Security Requirements Analysis and Specification
(Control ISO 27001)

The information security-related requirements should be included in the
requirements for new information systems or enhancements to existing
information systems.

A.14.1.2 Securing Application Services on Public Networks (Control ISO 27001)

The information involved in application services passing over public networks
should be protected from fraudulent activity, contract dispute, and
unauthorized disclosure and modification.

A.14.1.3 Protecting Application Services Transactions (Control ISO 27001)

The information involved in application service transactions should be
protected to prevent incomplete transmission, misrouting, unauthorized
message alteration, unauthorized disclosure, and unauthorized message
duplication or replay.

A.14.2.1 Secure Development Policy (Control ISO 27001)

Rules for the development of software and systems should be established and
applied to developments within the organization.

A.14.2.2 System Change Control Procedures (Control ISO 27001)

Changes to systems within the development lifecycle should be controlled
using formal change control procedures.

A.15.1.1 Information Security Policy for Supplier
Relationships (ISO 27001 Control)

Information security requirements for mitigating the risks associated with
supplier's access to the organization's assets should be agreed with the
supplier and documented.

A.15.1.2 Addressing Security Within Supplier Agreements (ISO 27001 Control)

All relevant information security requirements should be established and
agreed with each supplier that may access, process, store, communicate, or
provide IT infrastructure components for the organization's information.

A.15.1.3 Information and Communication Technology Supply Chain (ISO 27001
Control)

Agreements with suppliers should include requirements to address the
information security risks associated with information and communications
technology services and product supply chain.

A.16.1.1 Responsibilities and Procedures (ISO 27001 Control)

Management responsibilities and procedures should be established to ensure
a quick, effective, and orderly response to information security incidents.

A.16.1.2 Reporting Information Security Events (ISO 27001 Control)

Information security events should be reported through appropriate
management channels as quickly as possible.

A.16.1.3 Reporting Information Security Weaknesses (ISO 27001 Control)

Employees and contractors using the organization's information systems and
services should be required to note and report any observed or suspected
information security weaknesses in systems or services.

A.16.1.4 Assessment of and Decision on Information Security Events (ISO 27001
Control)

Information security events should be assessed, and it should be decided if
they are to be classified as information security incidents.

A.16.1.5 Response to Information Security Incidents (ISO 27001 Control)

Information security events should be responded to in accordance with the
documented procedures.

A.16.1.6 Learning from Information Security Incidents (ISO 27001 Control)

Knowledge gained from analyzing and resolving information security incidents
should be used to reduce the likelihood or impact of future incidents.

A.17.1.1 Planning Information Security Continuity (ISO 27001 Control)

The organization should determine its requirements for information security
and the continuity of information security management in adverse
situations, e.g., during a crisis or disaster.

A.17.1.2 Implementing Information Security Continuity (ISO 27001 Control)

The organization should establish, document, implement, and maintain
processes, procedures, and controls to ensure the required level of continuity
for information security during an adverse situation.

A.17.1.3 Verify, Review, and Evaluate Information Security Continuity (ISO 27001
Control)

The organization should verify the established and implemented information
security continuity controls at regular intervals in order to ensure that they are
valid and effective during adverse situations.

A.17.2.1 Availability of Information Processing Facilities (ISO 27001 Control)

Information processing facilities should be implemented with redundancy
sufficient to meet availability requirements.

This chapter focuses on understanding the internal audit requirements,
conducting the audit, preparing the audit report, and closing the findings
before the external audit.
This chapter lays the foundation for the following:

• Preparing an internal audit team
• Conducting audits
• Closing findings/gaps
• Planning improvement
• Communicating

Preparing an Internal Audit Team

Once all the security control implementation is done, it's time to perform an
internal audit to verify the accuracy of the implementation and to ensure that
no more gaps exist.

The audit team should include people from different departments, such as the
IT department, software development, human resources, and the finance
department.

Here are a few of the types of internal auditor that an organization needs:

Full-time internal auditor: Organizations whose scope of work is very large and
that have more audit work prefer a full-time resource.

Part-time internal auditor: This is the most common case in small or mid-sized
organizations.

Internal auditor from outside the organization: Some companies prefer a person
from outside the organization to conduct the internal audit.

Some of the parameters that companies keep in mind when hiring a third-party
consultant or internal auditor are as follows:

• Experience of auditor
• Regional auditor
• Reputation

Conducting Audits

The ISO 27001 internal audit helps you examine whether your
organization-defined ISMS is compliant with the standard requirements. It also
helps the organization achieve its set business objectives and ensures that the
organizational policy and procedures

Whenever you do some important activity in your life, it's a good idea to plan
for it first. The following key items cover what you should take care of when
planning for an ISO 27001 internal audit:

• Objective and scope of audit plan
• Audit schedule
• Audit teams

Pre-Audit Meeting/Briefing

There can be one or more pre-audit meetings between the information security
team and the auditors. It should take place no later than one day before the
actual audit. The objectives of the meeting should include:

• Ensure the availability of all the resources needed
• Verify the scope of the audit

Audit's Finding Report

Once the audit is completed, the internal auditor must present the audit's
finding report to the auditees. The audit's finding report must clearly define
the weakness or risks identified.

Audit's Finding Report

After conducting the audit and sharing the report with the auditees, it is
important to close the findings. To close a finding, you need to revisit your
finding report and understand the weakness or non-compliance. By reading the
recommended strategy mentioned by the auditor, you can easily close them. By
following these generic steps for all the non-compliances or weaknesses, you
can close the gaps.

Planning Improvement

Once you complete the audit findings, it becomes important to assess where
your information security implementation is weak. For some organizations, this
can be their first implementation exercise or their first internal audit exercise.
Here are some examples of possible reasons for the gaps:

• Lack of awareness
• Half implementation only
• The wrong implementation

Eliminating Gaps

Now it's time to prepare an action plan for the identified improvements and
gaps. You need to list all the identified areas for improvement, in the order of
largest impact to least impact.

Once the improvement list is set, assign the owner and the timeline for each
improvement. It is important to give them enough time (realistically) for each
improvement.

Can You Eliminate All Gaps?

With the limited resources/facilities that most people work under these days, it
might not be feasible to eliminate all the gaps. Trying to eliminate all the gaps
might not be as effective, as the desired result may lack quality.

Communicating

One thing that most organizations lack is good communication within the
organization and with the employees. During the audit process, not every
employee gets audited. When many members are not involved, it becomes
important to communicate the status and findings noted during the audit to all
the employees in the organization.

Conducting the Review

When you implement large improvement initiatives in an organization, it is essential for management to know about them. This is also a requirement of the ISO 27001 standard. Organizations, at a minimum, should plan for semiannual management review meetings. The decisions made at such meetings are made for the future improvement of the organization, and their impacts/benefits can usually be analyzed in a six-month timeframe.

What Is Expected from Department Heads/Stakeholders?

The data that's collected are the information security objectives/KPIs from each department. The KPI/metric performance achieved in the past month, or on a monthly basis, shows whether you are achieving the information security objectives.

Scheduling the Management Review Meeting

You can schedule this meeting in two ways.

First Way

If an organization is trying to implement the ISMS for the first time, it is best to schedule the review meeting after all the policies and procedures are defined, the security controls are implemented, and one round of the internal audit exercise has been completed.

Second Way

In some organizations, the implementation has been complete for a year or two, but they never planned the management review meeting. Such organizations must plan for the review and, once the first management review is conducted, a second management review should be planned in six months.

Schedule the Meeting

Look for a suitable day to schedule the management review meeting, ensuring that all members can attend. Send the invite to all the participants/stakeholders at least two weeks in advance so that they can mark their calendars and have enough time to prepare.

Preparing the Presentation

The easiest way to present the data is to prepare a slideshow presentation. The information security team should prepare a common template, which will be helpful for all the participants to follow.

Items To Be Covered in the Presentation

• Information security policy
• Organization risks and opportunities
• Information security objectives
• Resource status
• Internal audit findings

On the day of the meeting, you can start the session with the information security team. The CISO or information security manager can review the agenda of the meeting and then continue to present the points, as mentioned in this chapter. After the information.

The meeting can be conducted either by inviting all participants/department heads or stakeholders together at the same time, or they can be given an individual timeslot.

After the meeting session, it is important to prepare the meeting minutes by covering the following:

• Participants' names
• Meeting agenda
• Points discussed
• Action items, with owners and target dates

If you refer to the meeting minutes that were prepared after the review meeting,
they should cover all the improvement initiatives. Each action item can be taken
as one improvement or broken into multiple improvements.

What Do You Improve?

You improve the following:

• Business processes and efficiency
• Security objectives/KPIs
• Awareness of the employees
• Overall effectiveness of the organization's ISMS

How Do You Know if You Have Improved?

This is an important question. Management needs to be able to see how the organization has improved. The information security team needs to track the status of each improvement initiative and collect the data to analyze the progress. You need to keep collecting data on a monthly basis. When the time comes for the next management review meeting,

Communicate

Here, the information security team and the other department heads must communicate with each other on a regular basis about the status of the improvement areas. If the information security team stops following up with the owners/department heads, the people in charge of the action items might not work on them. If no significant improvements are made, then, during the next management review meeting, management will take notice.

Audit Preparation

After spending several months on the ISMS implementation, your teams are progressing toward the final stage of the implementation, which is the certification audit.

Before you move to the external audit phase, it is important to be sure the team is prepared. Facing an audit without being prepared will lead to failure. Time spent on preparation is worth every second, as it will give your team confidence and make them audit-ready.

Stage 1 Audit

During a stage 1 audit, the auditor generally looks at the documentary evidence. This is sometimes called a tabletop audit or document review audit. Here, the auditor looks at the required process, policy, or procedure documents.

Stage 2 Audit

The stage 2 audit is detail-oriented, and this formal audit is sometimes called a compliance audit. During this audit, the auditor must visit the organization's onsite office.

Stage 3 Audit

The stage 3 audit is the follow-up review and is generally called the surveillance audit. This audit is conducted on an annual basis to validate that the organization is maintaining the ISMS effectively and focusing on continual improvement.

Step 1: Understand the Context

This step will help you understand the business context, which in turn helps you understand the internal and external factors that affect the organization.

Step 2: Ensure Leadership Commitment

This is a simple yet very important step during the external audit. You need to have commitment from management throughout the project.

Step 3: Plan the Audit

Planning is always important during the ISMS journey. Here, you can plan for your audit, control selection, manage risk, address the risk assessment results, and develop a risk treatment plan.

Step 6: Prepare Your Team

Now it's time to prepare your team for the audit. Discuss with the team and send an email, if required, about what they should expect to be asked and how to reply.

Step 7: Close the Gaps

During this step, you need to close all the gaps or issues shared by the auditor during the stage 1 audit. By this time, the team will have confidence and will understand the audit cycle, as they already went through a stage 1 audit.

Step 8: Schedule Stage 2 Audit

This is the final step before receiving the ISO 27001 certificate. Schedule your stage 2 audit and relax.

Step 9: Celebrate

This is an optional step, but your team has done well and earned this valuable certificate. Time to celebrate this achievement.

These external audit best practices help you address any compliance issues reported during the audit and help create more awareness for the team. Follow these best practices during the audit preparation stage:

• Clearly understand the scope
• Focus on critical areas
• Information security policy awareness
• Conduct mock audits
• Get approval on policy and procedure
• Check software/tool expiration
• Ensure traceability
• Keep manual execution to a minimum

Audit Closure

The audit was conducted to inspect your organization's security controls as per the defined policies and procedures. Hence, this audit helps you determine how well your business processes are helping to secure your organizational information/assets. In general, most of you know which document you will receive as part of this phase once an audit is completed.

Here are the key points that an auditor covers during the audit closure meeting:

• Reiterate audit scope and objective
• Preliminary findings
• Clarifications
• Acknowledgment
• Report

Executive Summary

Here's an example of the executive summary:

• The company has implemented ISMS in its software development, maintenance, and support department.
• The ISMS objectives, along with its policies
• Information Security Policy v1.0, ISMS-Roles

SWOT analysis

• Strengths
• Weaknesses
• Opportunities
• Threats

Scope Description Control by Control

The score descriptions are universal to all management systems and cannot be customized by the auditor. This ensures consistency of interpretation and standardization of audit results worldwide.

Finding Summary

In this section, the auditor will share a summary of the key findings that were issued during the stage 2 audit.

Evidence Summary

In this section, the management system evidence that the auditor audited can be summarized.

Lead Auditor Recommendation

Here is where the final recommendation part comes in. The auditor will write her recommendation about whether the company should be awarded a certificate or not.

This final chapter discusses continual improvement. Is continual improvement needed when you have implemented the ISO 27001 standard controls and have been audited/certified by an external certifying body? The fact is, your duty is not over once you are certified.

The plan, do, check, and act principle, mentioned in the previous chapter, states that your focus should always be on checking and acting.

Areas of Improvement

Many organizations struggle in this area, as they don't know how to identify the improvement areas or who will work on them. Once the external audit is completed, you receive the audit report.

Monthly KPIs/Reports

These monthly reports always have something to tell you about the health of the system/controls and whether there are areas of concern.

Employee Observations

Employees use the system daily and usually observe everything around them. They can share issues they observe, which you might never think about.

Periodic Internal Audits

As important as the external audit is, periodic internal audits are equally important in terms of identifying improvement areas. The external audit focuses on continual improvements only and not on finding faults with the people/system.

Management Review Meetings

During management review meetings, management/steering committee members will often share areas of improvement when they're reviewing the business objectives/goals.

Customers/Clients

Looking critically at your clients' processes, tools, and systems, you could come to understand any area that poses challenges in safeguarding client information.

New Tools/Technology

When a new, pertinent technology/tool is launched in the market, it becomes important to explore it. You need to determine whether it would be useful to the organizations you serve.

Regulatory/Governmental Laws

Any law mandated by the government must be adhered to; this cannot be avoided. You must consider not only the local laws but also any international laws or the laws of the countries where your clients are based.

Once you have identified your actionable improvement areas, it is time to go ahead and implement them. The main responsibility of the information security team is to collate all the gaps/improvement areas on the improvement tracker, in order of priority and target dates.

Once the improvement tracker is updated, it must be reviewed with management, as it's possible that more improvements could be added or removed, or the priorities could be changed.

Pilot the Improvement First

It's very important to test-pilot the improvement first, as you cannot safely implement an improvement before testing it, especially if it is related to tools or technology.

Once the test passes without incident, you can roll it out in a planned manner. It's still advisable to monitor it for a few more weeks or a month, to verify that everything is running smoothly.

Measure Success

The success of the implementation is also measured in terms of which benefits an organization has achieved, and this must be regularly communicated to the management/steering committee.

Performing Regular Audits/Reviews

After implementing the improvements on a regular basis, the audit becomes an important exercise, as it will also help you assess whether improvements have helped the organization and will continue to do so in the long run.
