Describe details of the COSO internal control framework and processes in relation to Sarbanes-Oxley Act (SOX) compliance.
The ISO27001 audit
While some organizations might still debate the value of ISO27001 certification (arguing that what matters is the implementation of an effective ISMS rather than a badge), the market is moving against them, and a major objective of this book is to help those organizations that see the value in certification to be successful in achieving it. The first three chapters clearly explained all the benefits that accrue from a successful certification, and these will not be rehearsed here; a certification audit is a practical and cost-effective way of meeting the requirement in Control 18.2.1 for an independent review of information security, and provides a means of demonstrating compliance to ISO27001.
A certification audit will tend to use negative reporting (that is, it will identify inadequacies rather than adequacies) to assess an ISMS to ensure that its documented procedures and processes, the actual activities of the organization and the records of implementation meet the requirements of ISO27001 and the declared scope of the system. The outcome of the audit will be a written audit report (usually available soon after the completion of the audit) and a number of nonconformities and observations together with necessary corrective actions and agreed time-frames.
Selection of auditors
Chapter 3 touched on some of the issues that should be taken into account in selecting an ISO27001 certification body. Of course, any organization seeking certification will want to be sure that there is a cultural fit between itself and its supplier of certification services, and there will certainly be all the normal issues of ensuring that there is alignment between the desires of the buyer and the offering, including pricing and service, of the vendor.
IT GOVERNANCE 366
It is completely appropriate to treat the selection of a certification body with the same professionalism as the selection of any other supplier.
There are three key issues that need to be taken into account when making this selection. The first is a general issue, the second is relevant to organizations that already have one or more externally certified management systems in place and the third applies specifically to organizations tackling ISO27001.
The first key point is that you should only use an accredited certification body (CB, also sometimes called a Registrar), one that is formally accredited by a National Accreditation Body that is a signatory to the International Accreditation Forum (IAF). These CBs deliver internationally recognized certification services, and their certificates are recognized as valid by all other IAF members; in other words, a UKAS-accredited certificate will be recognized as equivalent to a locally issued certificate accredited by another national accreditation body elsewhere in the world. There are a small number of unaccredited certification bodies offering combined consultancy and certification services outside the recognized international scheme; as they operate outside of the internationally recognized framework it is impossible to determine their competence, or extent of independence and hence the value to put on their certificates in terms of both assurance and credibility. Avoid them.
Secondly, it is essential that your ISMS is fully integrated into your organization; it will not work effectively if it operates outside of the management and operation of the organization or exists outside of and parallel to any other management systems.
Logically, this means that the framework, processes and controls of the ISMS must, to the greatest extent possible, be integrated with, for instance, your ISO9001 quality system; you want one document control system, one set of processes for each part of the organization, etc. Clearly, therefore, the certification body assessment of your management system must also be integrated: you want only one audit, which deals with all the aspects of your management system. It is simply too disruptive of the organization, too costly and too destructive of good business practice to have anything else. You should take this into account when selecting your ISO27001 certification body, and ensure that whoever you choose can and does offer an integrated assessment service. However, the fact that a CB is accredited to offer ISO9001 certification does not automatically mean it is accredited for ISO27001; you will need to check with the CB. If you are currently using a CB that is not accredited for ISO27001, you will have to consider switching to one that is able to offer certification to both standards.
THE ISO27001 AUDIT 367
The third issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important therefore that each external assessment of an ISMS takes that difference into account so that the client gets an assessment that adds value to its business (which includes positive feedback as well as nonconformities), rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO27001. Inquiring how a potential provider of ISO27001 certification ensures its auditors are appropriately competent for your specific business is one means of helping ensure you receive a valuable service.
Once an accredited certification body has been selected and terms agreed (using the same basis of contracting as is applied to any other third-party supplier), the organization can turn to the actual process of certification. This process will be completely familiar to any organization that has already undergone certification to ISO9000 or any other management system standard. The certification body will want to go through an initial two-stage process. The first stage will be a Stage 1 audit, which enables the audit body to become acquainted with the organization, to carry out a document review, to assure themselves that the ISMS is sufficiently well developed to be capable of withstanding a formal audit and to obtain enough information about the organization and the intended scope of the certification to plan their Stage 2 audit effectively. This visit is usually relatively short and, depending on the size of the organization, may require only one or two days to carry out. The certification body will use this visit to ensure it has sufficient time and the appropriate competency profile in the audit team to successfully complete the Stage 2 audit, as well as to ensure that your organization is ready for that challenge.
Initial audit
The first formal audit, known as the initial audit, will usually take place over two stages. The audit process involves testing the organization’s documented processes (the ISMS) against the requirements of the standard (Stage 1, a readiness review), to confirm that the organization has set out to comply with the standard, and then testing actual compliance by the organization with its ISMS (Stage 2, the implementation audit). The entire two-stage audit will follow a pre-ordained plan, and the auditors will have communicated with whoever is their liaison point (usually the information security manager) about whom they will wish to interview and in what order they will want to do it. There is no defined maximum period between the Stage 1 and Stage 2 audits, although it is unusual for it to exceed three months. Some negotiation is possible here, but usually over timing and availability rather than subject matter.
Each audit will start and finish with a management meeting. The auditors, just like financial ones, will need a separate room for the duration of the audit and appropriate arrangements made for refreshments. Many audits will involve at least two auditors, who may have different areas of expertise. There will be a lead, or principal, auditor, who will be responsible for the overall progress of the audit. The organization being audited should ensure that its liaison is on hand to support the auditors throughout the process; this might include guiding auditors around the premises, introducing them to those staff next on their list to interview, and dealing with queries and issues arising.
At the end of each day, there will usually be a brief wrap-up meeting at which (usually) any areas of nonconformity with either the standard or the ISMS are identified. This part of the process will again be completely familiar to any organization that has gone through an ISO9001 certification. Nonconformities can be either minor or major; minor ones tend to vary in usefulness but major ones could very easily mean that the organization is not (at this stage) capable of successful certification. Often, upon identification of a major nonconformity the auditors will suggest that the audit process be suspended and started afresh once the organization has had time enough to address this major issue. This can be expensive and time-consuming, and have a negative effect on morale and the commitment within the organization to achieving certification.
There are two components to carrying out successful certification audits. The first is the level of preparedness of the organization’s ISMS and the second is the way in which the employees of the organization are themselves prepared for the audit.
Preparation for audit
No audit can take place until sufficient time has passed for the organization to have in place a working internal audit and management review process and to demonstrate compliance with clause 10, the requirement for improvement. In other words, auditors will be looking for evidence that the ISMS is continuing to improve, not merely that it has been implemented. This means that a period of time will have to elapse between completion of the implementation and commencement of audit. How long will depend on the complexity of the organization and its ISMS, but one should assume that there will need to be good progress with the first cycle of internal audits for all of the key processes and arrangements. (It is for the certification body to determine exactly what it requires in order to be convinced of the establishment, effectiveness and ongoing arrangements for internal ISMS audit and management review, aspects it is required to confirm prior to issuing a certificate, and hence possibly something worth asking when selecting your certification body.)
The level of preparedness for an audit should then be assessed by carrying out a comprehensive review. The detailed work should be carried out by the information security adviser and by the quality function, and this should all be reviewed by the management information security forum. A comprehensive review could use this book, starting with Chapter 4, and question the extent to which adequate steps have been taken to implement the various recommendations.
The Statement of Applicability (SoA) needs particularly detailed review. It should be possible to identify the extent to which each of the controls identified as necessary has been implemented and, where implementation has been only partial, to determine what steps (and how long they will take) will be necessary to complete its implementation. In particular, all instances in which the organization has chosen not to implement a recommended control should be reviewed in detail to ensure that this decision was appropriate, and that the justification for exclusion that is included on the SoA is sufficient. Similarly, all instances in which a control has been implemented to a greater or lesser extent than indicated as necessary by a proper information security risk assessment should be reviewed, and if it is not possible (too difficult, expensive, etc) to improve the level to which the control has been implemented, managers should formally accept the highest level of residual risk.
Once a comprehensive review has been completed and the management steering group is satisfied that the ISMS is complete, complies with the standard and has been adequately implemented (and at least one cycle of internal audits of key areas of the ISMS as identified by the risk assessment also needs to have been completed), then the organization can safely move on to the Stage 1 visit by its external auditors.
Preparation of staff within the organization, prior to the audit, as to what they might expect and how to handle auditors is also a valuable step. Staff should be taught that auditors should be treated with complete honesty, and direct answers should always be given, even if this requires admitting to a lack of knowledge or error. Equally, staff should be trained to answer the question asked by the auditor and not to provide more, or less, information than is required. Auditors will usually ask for an explanation as to how a particular component of the ISMS works and will then want to be shown. This is normal and is how the audit is conducted.
ISO27001 Assessments Without Tears (available from https://www.itgovernance.co.uk/shop/product/iso27001-2013-assessments-without-tears-a-pocket-guide-second-edition) provides useful advice to those that are likely to be interviewed by an auditor. ISO27007 and ISO27008 set out guidelines for the ISO27001 auditor on how to conduct an audit. They are valuable both to the organization’s internal audit teams as part of their training and to the management information security forum so that they understand the approach that the auditors will take and can ensure that the organization is adequately prepared for the audit. The latter provides detailed guidance on auditing Annex A controls.
The outcome of the initial audit should, if the organization has diligently followed all the recommendations contained in this manual, be a positive recommendation for certification of the ISMS to ISO27001 and the issue of a certificate setting this out. The certificate should be appropriately displayed and the organization should start preparing for its first surveillance visit, which will take place about six to twelve months later. Any minor nonconformities should be capable of being closed out by mail, and any certificate issued will be dependent on this happening within an agreed timescale.
The certificate will refer to the latest version of the SoA and auditors will check for updates at their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders or other parties, the organization should be prepared to provide a copy of the most recent SoA (whether controlled or otherwise). While the SoA is a living document, updated as and when necessary, the organization should endeavour to keep such updates and alterations to a minimum.
It is possible that the issued accredited certificate mentions international and national standards from which information security controls in the SoA have been selected, such as ISO27017 and/or ISO27018.
Terminology
It is worth noting that different accredited certification bodies use different terms to describe what are, without wishing to imply a preference or endorsement of any one option, simply major and minor nonconformities. Some of the descriptors currently in use are shown in Table 27.1.
TABLE 27.1 Terms used by different accredited certification bodies for major and minor nonconformities
Major                        Minor
major nonconformity          minor nonconformity
category 1 nonconformity     category 2 nonconformity
nonconformity                issue
major nonconformity          nonconformity
Not all CBs will raise nonconformities at the Stage 1 audit; some will make ‘findings’, which should nevertheless be dealt with through your nonconformity and corrective action process like any nonconformity.
While variations in the use of terminology are obviously annoying, given that the accredited certification bodies work in the field of standardization, this inconsistency needs to be acknowledged for other reasons. With the increasing use of ISO27001-accredited certification in the supply chain, we will no doubt see these terms being used to specify reporting requirements, measure conformance and compare organizations. Obviously, unless the terminology is clearly defined for such applications, it could lead to meaningless comparisons.