Information Security Audit

  • ISO 27K Series

ChoiceIT consultants have grown up with ISO/IEC 27002. The original Code of Practice for Information Security Management started as a structured collection of good practice advice and “key controls”, based largely on an internal security policy manual used by the Royal Dutch/Shell Group. We have tracked and (in small measure) contributed to the development of the standard through the British and New Zealand standards bodies, starting from before it was first published as British Standard BS 7799 in 1995.

The twelve main sections of ISO/IEC 27002 [numbered 4-15] are as follows:

  • Section 4: Risk assessment and treatment
    ISO/IEC 27002’s coverage in this area is a short 1½-page section just before the main body of the standard. Although better than previous versions, the coverage remains woefully inadequate for such a complex and important subject, since decisions on information security risks drive the selection of appropriate controls. We are hoping for great things from ISO/IEC 27005, the ISO27k information security risk management standard currently under development.

  • Section 5: Security policy
    Management should define a policy to clarify their direction of, and support for, information security.

  • Section 6: Organization of information security
    A suitable information security governance structure should be designed and implemented.

  • Section 7: Asset management
    The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.

  • Section 8: Human resources security
    The organization should manage system access rights etc. for ‘joiners, movers and leavers’, and should undertake suitable security awareness, training and educational activities.

  • Section 9: Physical and environmental security
    Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.

  • Section 10: Communications and operations management
    This lengthy section describes security controls relating to systems and network management operations.

  • Section 11: Access control
    Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.

  • Section 12: Information systems acquisition, development and maintenance
    Information security must be taken into account in the processes for specifying, building/acquiring, testing and implementing IT systems.

  • Section 13: Information security incident management
    Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

  • Section 14: Business continuity management
    This section describes the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

  • Section 15: Compliance
    The organization must comply with legal and regulatory obligations as well as comply with its own internal security policies.

Contact ChoiceIT for assistance with the planning and delivery of an ISO/IEC 27002-compliant Information Security Management System that is certifiable against ISO/IEC 27001. Applying our accumulated experience, our consultants will show you the most direct route to best practice, helping you to:

  • Undertake an independent audit of your current situation (“gap analysis”) to identify the key things your organization must do to be certified against ISO/IEC 27001;
  • Prepare a pragmatic project plan and help persuade management to fund and support it;
  • Write and implement formal information security policies, standards and procedures (a comprehensive information security policy manual based on ISO/IEC 27002 is available to purchase today);
  • Initiate an information security awareness program to accompany the formal documentation, create a security culture and leverage the investment in technical, procedural, physical and legal controls;
  • Prepare for and facilitate third-party assessment by an accredited ISO/IEC 27001 certification body (the certification body and implementation consultants must not be related: we do not do certification);
  • Optimise the business value obtained from the ISO27k standards.

There are clear parallels with ISO 9000 in the way ISO27k is developing: the quality assurance standard was created by an enthusiastic team of early adopters, became BS 5750, was taken up by governments, became an ISO standard, was specified as a requirement for government suppliers, and then spread almost universally over the next few years to the point that it is now a fundamental business requirement in many industries. Having started life as BS 7799, ISO27k is essentially heading the same way. See our further thoughts on the relationship between quality assurance, governance and ISO27k, and visit our information site on the ISO27k information security management standards.
Finally, if you are still not convinced about the value of implementing ISO27k, think of it as a tool to aid compliance with IT/information security-related laws, regulations and standards such as the various privacy acts, PCI DSS, HIPAA, PIPEDA, computer misuse, copyright, freedom of information and many more. ISO27k compliance will also help meet the recommendations of the OECD Information Security Guidelines of 2002 and the Basel Committee paper “Sound Practices for the Management and Supervision of Operational Risk.”

  • Audit process

IT auditing, also known as ICT, computer, network or systems auditing, is a professional discipline involving several different techniques for independently reviewing computer and network systems, IT departments and a company's use of IT. Here are some examples of IT audit reviews typically performed by ChoiceIT consultants:

  • Governance controls within IT departments and development projects e.g. management structures, financial planning, management information and reporting, post-implementation reviews, IT strategy reviews including the relationship to other business strategies
  • IT/network system security controls e.g. reviewing information security controls during the testing phase of systems development, or on operational systems and networks (technical, physical and/or procedural controls; preventive, detective and/or corrective controls)
  • Post-incident reviews to discover the root cause/s of information security incidents
  • IT disaster contingency planning including the IT elements of business continuity planning
  • IT installation reviews, focusing on physical security, uninterruptible power supplies, air conditioning, fire/flood protection etc. for the computer suite
  • Broad-based ISO/IEC 27002-based reviews, ranging from pre-certification ‘gap analysis’ to periodic assessment against a consistent standard (ask us about our special ISO/IEC 27002 benchmarking service)

Auditing necessarily involves us working independently of the function being audited, in order to be objective. However at ChoiceIT, we prefer the more consultative modern style of internal auditing involving close interaction with the auditees during the fieldwork phase, rather than the traditional ‘tick-and-bash’ style of compliance auditing typical of old-fashioned external (primarily financial) auditors. 

Although auditors form opinions on historical and current facts, we are keen to ensure that our audits are, as far as possible, forward-looking with a view to making long-term value improvements in the organization.
For more information, read our IT Audit FAQ or contact us.
