Information Security Training
ISMS Auditor/Lead Auditor Training Course
ISO 27001
Instructor Guide
Version 4.3.1

Copyright © 2011, ITpreneurs Nederland B.V. All rights reserved. ITpreneurs Nederland B.V. is affiliated to Veridion.

The information contained in this classroom material is subject to change without notice. This material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

© Copyright 2011 by ITpreneurs Nederland B.V. All rights reserved.

This training material is sold subject to the condition that it, or any part of it, shall not by way of trade or otherwise, be sold, lent, re-sold, displayed, advertised or otherwise circulated, without the publisher's prior written consent, in any form of binding, cover or title other than that in which it is published and without a similar condition including this condition being imposed on the subsequent purchaser(s).

Version 4.3.1

Training materials are based on PECB's Training Provider and Examiner Certification Scheme. Documents provided to participants are strictly reserved for training purposes and are copyrighted by ITpreneurs. ITpreneurs Nederland B.V. is affiliated to Veridion. Unless otherwise specified, no part of this publication may be, without ITpreneurs' written permission, reproduced or used in any way or format or by any means whether it be electronic or mechanical including photocopy and microfilm.

Contents

MODULE 1: INTRODUCTION TO INFORMATION SECURITY AND ISO/IEC 27001:2005 1
Course Agenda 3
Section 1: Course Objective and Structure 4
1. Meet and greet 5
2. General points 6
3. Training objectives and structure 7
4. Instructional approach 9
5. What is PECB? 14
Section 2: Standard and Regulatory Framework 21
1. ISO structure 22
2. Fundamental ISO principles 23
3. Information Security Standards 27
4. ISO 27000 family 32
5. ISO 27001 Advantages 42
6. Legal and regulatory conformity 44
7. Conformity framework - United States 45
8. Conformity framework - Europe 47
Section 3: Certification Process 52
1. Certification process 53
2. Certification schema 55
3. Accreditation authority 56
4. Certification body 58
5. Personnel Certification body 60
Section 4: Fundamental Principles in Information Security 62
1. Asset 63
2. Information security 64
3. Vulnerability 68
4. Threat 70
5. Risk 71
6. Confidentiality, integrity and availability 72
7. Security objectives and controls 77
8. Control environment 80
Section 5: Information Security Management System (ISMS) 91
1. Definition of an ISMS 92
2. Process approach 94
3. ISMS implementation 104
4. Overview – Clauses 4 to 8 111
5. Mandatory controls 122

MODULE 2: AUDIT RULES, PREPARATION AND LAUNCHING OF AN AUDIT 129
Course Agenda 131
Section 6: Fundamental Audit Concepts and Principles 134
1. What is an audit? 135
2. The actors 141
3. Audit criteria 142
4. Audit types 144
5. Audit objectives 145
7. Responsibility of auditors 164
8. Ways to reinforce ethics 165
Section 7: The approach based on evidence and risk 170
1. Evidence Based Approach 171
2. Type of audit evidence 173
3. Quality of an audit evidence 181
4. Risk Based Audit Approach 186
5. Materiality dimension of an information system 187
6. Reasonable assurance 191
Section 8: Preparation of the audit 193
1. The audit team 194
2. Defining the audit objectives 196
3. Defining the scope 197
4. Determining the feasibility of the audit 201
5. Engagement letter 207
6. Initial contact 209
7. Auditing a small organization 210
Section 9: Stage 1 Audit 213
1. Objectives of stage 1 audit 214
2. Stage 1 audit steps 216
3. Audit activities of stage 1 217
4. Documents review 218
5. Evaluation criteria of documents 219
6. Type of documents 224
7. Documents mandatory to be audited 225
8. Stage 1 audit report 229
Section 10: Preparing and initiating stage 2 audit (on-site audit) 233
1. Stage 2 audit objectives 234
2. Preparing the audit plan 236
3. Assigning the auditors 238
4. Using technical experts 239
5. Preparing the work documents 240
6. Using a control list 241
7. Conducting the opening meeting 244

MODULE 3: ON-SITE AUDIT ACTIVITIES 253
Course Agenda 255
Section 11: Communication during the audit 258
1. Behaviour during on-site visits 259
2. Communication during the audit 260
3. Team meetings 263
4. Observer and guide roles 264
5. Conflict management 266
6. Cultural aspects of the audit 269
7. Communication with management 271
Section 12: Audit procedures 278
1. Information gathering 279
2. Observation 284
3. Documentation review 287
4. Interview 288
5. Analysis 301
6. Technical verification 314
7. Audit Procedure 318
Section 13: Audit test plan creation 322
1. Creating audit test plans 323
2. Audit test plan examples 326
Section 14: Writing conclusions and nonconformity reports 335
1. Drafting audit findings 336
2. Nonconformity definition 338
3. Major nonconformity 339
4. Minor nonconformity 342
5. Anomaly 345
6. Observation 346
7. Documenting a nonconformity 347
8. Benefit of the doubt 349

MODULE 4: CLOSING THE AUDIT 355
Course Agenda 357
Section 15: Documentation of audit and quality review 361
1. Work documents 362
2. Audit records 365
3. Quality review 366
4. Documentation of quality review 370
5. Review of findings and preparation of audit conclusions 372
Section 16: Closing an audit 374
1. Certification recommendation 375
2. Discussion with management 381
3. Closing meeting 383
4. Audit report 388
5. Drafting recommendations for improvement 390
6. Certification decision 393
7. Content of the certificate 396
Section 17: Follow-up audit 399
1. Follow-up audit 400
2. Submission of action plans 401
3. Content of action plans 402
4. Evaluation of action plans 403
5. Alternatives to follow-up audits 405
Section 18: Follow-ups to Initial audit 409
1. Surveillance activities 410
2. Surveillance audit 413
3. Recertification audit 415
4. Extending the scope 417
5. Transferring a certificate 418
6. Suspending a certificate 419
7. Using the ISO trademark 421
Section 19: Managing an audit program 424
1. Audit program 425
2. Audit resources 426
3. Creating audit tools 427
4. Audit procedures 428
5. Records of the audit program 429
6. Follow-up and review 438
7. Managing combined audits 439
Section 20: The competence and evaluation of auditors 442
1. Competencies of auditors 443
2. Career Path 454
3. Audit register 455
4. Continuous improvement of competencies 457
5. Evaluation of auditors 458
Section 21: Closing the training 461
1. Evaluation of training 462
2. Preparing for the examination 463
APPENDIX A: CASE STUDY 465
APPENDIX B: EXERCISES LIST N/A
APPENDIX C: CORRECTION KEY 487
APPENDIX D: RELEASE NOTE 501
INSTRUCTOR FEEDBACK FORM 505

Instructor | Introduction to Information Security and ISO/IEC 27001:2005

Course Agenda

Day 1 - Module 1: Introduction to Information Security and ISO/IEC 27001:2005

Section | Name                                                      | Start | End   | Total Time (in hours)
1       | Course Objectives and Structure                           | 8:30  | 9:00  | 0:30
2       | Standard and Regulatory Framework                         | 9:00  | 10:30 | 1:30
3       | Certification Process                                     | 10:30 | 11:00 | 0:30
4       | Fundamental Principles of Information Security            | 11:00 | 12:00 | 1:00
        | Lunch                                                     | 12:00 | 1:00  | 1:00
4       | Fundamental Principles of Information Security (Contd.)   | 1:00  | 2:30  | 1:30
5       | Information Security Management System (ISMS)             | 2:30  | 5:30  | 3:00
        | Total Time                                                |       |       | 9:00

ISO 27001 | Lead Auditor

Section 1: Course Objective and Structure
1. Meet and greet
2. General points
3. Training objectives and structure
4. Instructional approach
5. What is PECB?

Slide: Meet and greet

1. Meet and greet

To break the ice, participants introduce themselves stating:
• Name
• Current position
• Previous positions
• Knowledge of and experience with ISO/IEC 27001:2005
• Knowledge and experience with audit
• Objectives to be reached by participating in this course

Duration of activity: 20 minutes

Slide: General Information (pictograms: Smoking, Meals, Timetable and breaks, Mobiles, Absences)

2. General points

For simplification, only the masculine is used throughout this training.
Description: