ISO27001:2013 Assessments Without Tears

STEVE G WATKINS
Copyright Date: 2013
Edition: 2
Published by: IT Governance Publishing
Pages: 29
https://www.jstor.org/stable/j.ctt5hh5dk
    Book Description:

    The audit process can be a daunting one as an auditor can direct questions at any employee within your organisation. Written in a clear plain style, this pocket guide offers a tried and tested briefing, and should be issued to staff in advance of the audit to help them prepare for the experience and be well equipped to answer questions when asked. This pocket book explains what an ISO 27001 assessment is, why organisations bother with them, and what individual staff should do and, perhaps as importantly, not do if an auditor chooses to question them.

    eISBN: 978-1-84928-535-3
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. ABOUT THE AUTHOR
    (pp. 5-6)
  3. Table of Contents
    (pp. 7-7)
  4. INTRODUCTION
    (pp. 8-8)

    This pocket guide explains what an assessment is, why organisations bother with them, and what individual staff should do and, perhaps as importantly, not do if an auditor chooses to talk to them.

    The fact that your organisation has made this available to you suggests you are seeking, or have, ISO27001 certification. It is therefore worth reading through this short introduction to understand:

    • What an assessment, or audit, is
    • Why information security is important
    • What happens during an assessment/audit
    • What to consider when answering an auditor’s questions
    • What happens when an auditor finds something wrong
    • Your policies and how to...

  5. CHAPTER 1: WHAT ARE ASSESSMENTS?
    (pp. 9-11)

    Assessments are a way of finding out whether an organisation’s internal management policies and processes match up to the requirements laid down in certain management standards. It is the same as an audit. If an assessment finds the specification is being met then the organisation being assessed can be certificated or registered as conforming to that standard. This means that the organisation is awarded a certificate to demonstrate compliance with the requirements of the standard against which the assessment was conducted.

    Each standard addresses one discipline, and has a document defining the requirements that have to be met for certification...

  6. CHAPTER 2: WHY INFORMATION SECURITY?
    (pp. 12-13)

    The specification for information security management, ISO27001, defines information security as:

    Information Security: the “preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved”¹

    where:

    Confidentiality: the “property that information is not made available or disclosed to unauthorised individuals, entities, or processes”

    Integrity: the “property of safeguarding the accuracy and completeness of assets”

    Availability: the “property of being accessible and usable upon demand by an authorised entity”

    A rapidly increasing number of organisations are pursuing certification to ISO27001 to demonstrate their security stance.

    Many organisations need assessments...

  7. CHAPTER 3: WHAT ACTUALLY HAPPENS DURING AN ASSESSMENT?
    (pp. 14-15)

    With respect to each standard your organisation is assessed against, the auditors from the third party accreditation body are ‘assessing’ three things:

    • That your policy, manual and procedures satisfy the requirements of ISO27001 (this is the responsibility of the senior management);
    • That you meet the aims of the relevant policy (more on this later);
    • That you do what your procedures say you do – this is verified by asking anyone questions.

    Before the assessment the auditor agrees with your organisation the scope (area of assessment), timing and size of the assessment, taking a sample of things to look at across...

  8. CHAPTER 4: ANSWERING AUDITORS’ QUESTIONS
    (pp. 16-18)

    In a third party accredited certification audit to any management system standard the auditor can ask anyone questions, although this is even more likely in the case of the Information Security Management System Standard, ISO27001, so you are advised to pay particular attention to this section.

    There are some basic ‘ground rules’:

    First and foremost, remember that you are not ‘on trial’, under examination or on oath. This is not an inquisition! The auditor is testing the system, not your knowledge. You must, however, know the location of procedures and use the correct forms, at the correct issue level.

    Remember...

  9. CHAPTER 5: WHAT HAPPENS WHEN THE AUDITOR FINDS SOMETHING WRONG?
    (pp. 19-20)

    If the auditor discovers something which (s)he thinks shows that your organisation is not meeting one or more aspects of ISO27001, (s)he will record the facts which (s)he has seen, and later ask the guide to sign and confirm that the facts are correct. If this is a difference between the requirements in ISO27001 and what is observed it is described as a non-conformance. Similarly, if the working practice does not conform with the internally defined requirements in your organisation’s policies or procedures, it is deemed a non-conformance.

    This does not mean that everything the auditor writes down is a...

  10. CHAPTER 6: POLICIES
    (pp. 21-21)

    ISO27001 requires an organisation to have an information security policy. If interviewed you are likely to be asked if you are aware of the existence of the policy and how you help fulfil the aims set out in it. Make sure you know where you can access your organisation’s information security policy and read it now. Think about how you contribute towards achieving the aims stated in the policy.

    Another requirement with which you need to be familiar is that relating to reporting security incidents, such as what do you do if you think your PC has a virus, or...

  11. CHAPTER 7: FURTHER ADVICE AND ASSISTANCE
    (pp. 22-22)

    Should you have any questions relating to the assessment process you can ask your manager, or contact the person responsible for the information security management system within your organisation.

    For access to a comprehensive set of all things relating to information security, and an impressive set of links to other sites, check out:

    www.itgovernance.co.uk.

    For general advice that is as applicable to the home as well as to the office take a look at:

    www.banksafeonline.org.uk.

    www.identitytheft.org.uk.

    www.getsafeonline.org....

  12. APPENDIX 1: DEFINITIONS OF TERMS
    (pp. 23-25)
  13. ITG RESOURCES
    (pp. 26-29)