ISO27k ISMS 9.2 Audit Exercise 2021 - Crib Sheet - English
Crib sheet
These are model answers to the ISO27k audit exercise. You may not agree with these suggestions and you may well be right, not least
because the organizational context or situation markedly affects things (e.g. many of the information risks and hence controls needed
by a small law firm are quite different to, say, a large, mature defence contractor).
Remember: the primary objective of this exercise is to practice the process and refine your auditing skills, learning and improving.
There are explanatory notes beneath the table.
6. Finding: Marketing Department is working on new product launches in conjunction with a professional services supplier (an advertising agency) that has not signed a Non-Disclosure Agreement
   Clause: A.13.2.4
   Category: nc
   Impact: Sensitive business information is being released to the vendor without the appropriate controls in place; premature or inappropriate disclosure of the information is likely to cause reputational harm and loss of revenue
   Recommendation: In accordance with the security policy, external parties must formally commit to a suitable NDA before being given access to information classified ‘confidential’; further assurance controls may also be appropriate to ensure they comply with the obligations to protect, use and not disclose the information inappropriately; this audit finding relates to an incident that should be handled through the incident management process

8. Finding: Leavers’ network accounts are not promptly disabled as required in the leavers’ procedures and policies
   Clause: A.9.2.1
   Category: nc
   Impact: Leavers may retain and exploit their access to the network
   Recommendation: Measure and drive up compliance with the policies and procedures through better training, clear management direction, plaudits for compliance, penalties for non-compliance etc.

10. Finding: The document control in the Information Asset Register shows the last update was 5 years ago
    Clause: 6.1.2(b) + A.8.1.1
    Category: NC
    Impact: The current IAR is inaccurate and potentially missing important assets that should be identified, risk-assessed and treated
    Recommendation: Review information assets and the associated risks periodically (e.g. every 1-3 years depending on volatility) in accordance with the ISMS requirements, updating the relevant registers accordingly

12. Finding: No evidence of information risks being formally evaluated
    Clause: 8.2
    Category: NC
    Impact: Distinct possibility that some information risks are inadequately treated
    Recommendation: Revise the risk management process to evaluate all identified information risks and retain relevant supporting evidence (formalise the process)

16. Finding: When questioned, some workers were substantially ignorant of the organization’s information security policy
    Clause: 7.3 + A.7.2.1
    Category: NC/nc depending on materiality (significance)
    Impact: Employees and the organization are exposed to the security risk of losing the organization’s data and other valuable assets
    Recommendation: Through suitable assurance arrangements (e.g. surveys, tests, checks), management should ensure all workers are sufficiently aware of the policy and their obligations through awareness and training activities, clauses in employment contracts/service agreements etc.

17. Finding: The organization has little if any contact with industry peers and other local businesses on information security matters
    Clause: 4.1 + A.6.1.4
    Category: NC
    Impact: The organization is probably out of touch with recent/ongoing incidents and challenges in its industry and area
    Recommendation: Understanding the business context - both internal and external to the organization - is an essential part of information risk and security management … so establish social links, attend forums and generally engage with applicable communities of interest

18. Finding: At least one NC from previous audits remains unresolved
    Clause: 10.1 + A.18.2.2
    Category: NC
    Impact: The organization cannot be (re)certified with major noncompliances
    Recommendation: Top management should prioritise and resource the resolution of NCs appropriately, re-affirming the importance of and their support for the ISMS

19. Finding: Some privacy issues have not been reported promptly through the designated reporting mechanisms
    Clause: A.16.1.2
    Category: Obs
    Impact: Delayed responses to incidents and near-misses reduce efficiency and effectiveness, e.g. by limiting management’s choices of how to respond
    Recommendation: Whereas it would be unreasonable to insist that all incidents are instantly reported, prompt reporting of [potentially] serious incidents can markedly improve the speed and efficiency of the incident responses; this finding suggests an ISMS improvement opportunity
About category
• NC = a complete, blatant or serious failure to do whatever a main body clause of ISO/IEC 27001 requires. This MUST be resolved as a priority in order
for the organization to be certified, as it indicates that the ISMS is not designed and functioning as specified by the standard.
• nc = a relatively minor discrepancy between the organization and a ‘27001 main body clause, for example insufficient hard evidence that the proper
ISMS processes (as specified in the main body of ‘27001) have in fact been followed. This should be addressed and ideally resolved as soon as practicable,
but may not prevent certification.
• obs = not strictly a noncompliance so much as a helpful comment or improvement suggestion. Concerns about the organization’s analysis, decisions
and treatment of its information risks are generally observations. The auditor may have an opinion, and ‘27001 Annex A or other control catalogues
may suggest a different approach, but management has the right to decide what to do. Provided they followed their ISMS processes, and provided
those processes fulfil the ‘27001 main body requirements, differences of opinion or approach on the security controls etc. are not sound reasons to
withhold certification.
• irr = irrelevant to, and probably out of scope of, a typical ISO27k audit. Information security management is such a broad topic that almost anything
relating to the protection of information could be deemed relevant, but that’s not helpful if the central purpose of the audit is to review the ISMS for
compliance with ‘27001. Such issues can be distracting and may be handled informally, perhaps set aside to be picked up later in other audits, reviews
etc.
About impacts
Remember that the main objective of an ISMS is to help the organization manage the arrangements necessary to protect valuable information against various
risks, in ways that benefit the business. Compliance with ‘27001 is merely a means to that end, not an end in itself. Describing impacts in business terms
reinforces that distinction, especially if they are clearly of concern to management.
About recommendations
Ultimately management/the client (not the auditor!) decides how to address the findings … but if a certification auditor isn't happy with the response, he/she
may refuse to certify until/unless issues (NCs in particular) are resolved.
Copyright © 2021 ISO27k Forum