
ISO 27001 VS. GTAG

By Cathy Leung
ACC 626

Cathy Leung
cm2leung
ISO 27001 VS. GTAG

Overview
Organizations are increasingly dependent on their information assets to make important business decisions. New regulations and standards call for sensitive data to be secured and for management to demonstrate that an information security policy is in place. In particular, driven by MasterCard, Visa and others, the Payment Card Industry (PCI) recently developed a new security standard requiring organizations to maintain tight security over online credit card payments: firewalls must pass traffic only on authorized ports, databases must not be left with supplier defaults, and servers must run only essential services (Mohamed, Apr 24, 2007).
Additionally, in February of 2006, Nationwide Building Society was fined £980,000 by the Financial Services Authority (FSA) for failing to have effective systems and controls in place to manage its information security risk. Following the theft of a laptop from a Nationwide employee's home, the FSA carried out an investigation and discovered that the building society did not have adequate information security procedures and controls in place, which could potentially cause leakage of confidential information and increase the risk of financial crime (Mohamed, Apr 24, 2007).
As Margaret Cole, director of enforcement at the FSA, has noted, "Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be, and as technology evolves firms must keep their systems and controls up to date to prevent lapses in security" (Brenner B., ISO 27001 could bridge the regulatory divide, expert says, 2007).
Following the prominent accounting scandals of the early 21st century, such as that of the Enron Corporation, stakeholders of large organizations also demanded greater oversight of the key risks facing the enterprise, to ensure that stakeholder value would be preserved and enhanced (Sutton, 2006).
As technology becomes more integral to organizations, both external and internal auditors face new challenges in how to implement and integrate company-wide assessment of IT risks and controls into their overall audit and assurance plan. In particular, there is a rising demand for real-time integrity of the information generated from information assets. At the same time, the changing emphasis on using technology to conduct business has also altered the characteristics of sufficient and complete audit evidence. Businesses' adoption of more advanced technology has also driven the auditing profession to respond by issuing new guidance to assist auditors in their work, including (Brenner J., January 2007):

- SAS 80, Amendment to SAS 31, Evidential Matter
- Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment
- SAS 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
- SAS 106, Audit Evidence


However, to date, there appears to be no consistent way, whether inside or outside the company, to determine an appropriate level of security that will minimize the chance of damage, nor a concrete method of evaluating the security features of available products. As such, the International Organization for Standardization has published ISO 27001:2005, designed to provide guidance to companies in selecting security controls sufficient to protect their information assets and to give confidence to interested parties (International Organization for Standardization, 2008). On the other hand, the Institute of Internal Auditors (IIA) has published a series of eleven Global Technology Audit Guides (GTAG) that assist chief audit executives (CAEs) and audit supervisors by providing guidance on information-technology-related controls, management and risks.
Introduction of ISO 27001
ISO 27001, the requirements standard for an Information Security Management System (ISMS), is universally accepted and can be applied across any type of industry. The standard is in place to help organizations develop and maintain an ISMS in order to meet any information-related regulatory compliance requirements. ISO 27001 has 10 domain areas, 38 control objectives, and 133 controls. The following is the list of topics covered in ISO 27001 with a brief description of each (Myler, 2006):
1. Security policy: Companies must develop a security policy that is authorized by management and clearly communicated throughout the organization. Management commitment must be demonstrated, and the policy must be updated frequently to reflect recent legislation and regulations.
2. Organizational security: Management must show evidence of its effort by establishing the tone at the top and exercising due diligence in managing controls to prevent third-party access to financial systems. Companies must evaluate all outsourcing contracts and include security requirements in those contracts where appropriate.
3. Asset classification and control: An inventory of assets must be established by identifying all intangible (intellectual property) and physical assets, along with a system that properly distinguishes ownership, types and forms of assets. A mechanism for labeling these assets according to their classification should be established. Finally, countermeasures should be designed to prevent theft and misappropriation and to identify points of vulnerability.

4. Personnel security: Companies must establish a secure environment that encourages the honesty and integrity of employees, in particular those responsible for handling financial data and assets. Roles and responsibilities should be clearly defined in the pre-employment and screening process. Continuous training must be provided to ensure that employees are up to date with organizational standards. Finally, access rights must be removed and company assets returned upon termination of employment.
5. Physical and environmental security: The organization's premises and equipment must be properly controlled by having security guards or entry controls in place. Upon disposal of equipment, any confidential information held on that equipment must be deleted.
6. Communications and operations management: All policies and procedures of organizational programs must be formally documented and kept in a safe place. Backup procedures should also be in place to replicate these data in a timely manner. A retention policy should be established to ensure that critical documentation will be retained.
7. Access control: Access controls should be applied to equipment and network services. Passwords and touch pads could be used to restrict access.
8. Systems development and maintenance: Organizations must ensure that incorrect code and data are not introduced into the financial reporting system.
9. Business continuity management: Organizations should identify risky areas and possible occurrences, conduct business impact analysis and develop procedures to mitigate the impact of these occurrences. A business continuity plan must be compiled and tested frequently to ensure that the plan is effective and up to date.
10. Compliance: All regulatory requirements applicable to the organization must be identified and their retention periods documented. Security staff must regularly evaluate and determine whether the organization remains compliant with the standard.
Implementation Process
In adopting and achieving compliance with ISO 27001, Jason Bellone, head of the information security and assurance program at WHO, has developed an approach known as Six Degree that combines the conventional plan-do-check-act (PDCA) approach with technology (Bellone, Vol. 16, No. 1, 2008). Bellone pointed out that the PDCA approach has treated the ISMS more like a file cabinet than a system. PDCA begins with the usual documentation: drafting policies, performing gap analysis and diagnostic reviews, administering risk assessments, and building binders. However, the lack of

fluidity and the massive manual labor involved meant that documents were outdated as soon as they were printed, and that employees could not be clearly educated on the functionality of the ISMS and where their responsibilities lay.
Consequently, Bellone developed Six Degree, a process control system that draws on disciplines in information visualization, graph theory, social network analysis, genetics and physics. In essence, Six Degree comprises three core elements: a relational model, an analysis engine and a process intelligence interface, which together allow companies to collect, analyze and report on all interrelated ISMS processes.
In the relational model, the ISMS is visualized as a system of relations, with domains linked to controls, risks linked to assets, people linked to activities and budgets linked to gaps. The model helps to establish relationships among ISMS controls, processes and resources, enabling better coupling and understanding of the dependencies between policy and process, activities and their respective personnel, and finally, risks and assets.
The analysis engine generates a gap analysis and diagnostic review report by referencing guidelines from the COBIT governance framework to track any non-compliant standards. To further strengthen compliance tracking and ensure timely response to non-conformities, Six Degree incorporates the intelligence interface and generates a compliance dashboard similar to the heatmaps used to track stock market pricing. This interface alerts managers to non-conformities and ensures that they are dealt with immediately.
Six Degree has received wide acceptance from auditors and substantially reduced audit costs. Auditors no longer have to spend time asking managers about IT security procedures, as their questions can be answered simply by referring to the relational model, where the relationships are very well defined. In addition, by monitoring the dashboard, auditors can instantly check on the company's current level of compliance with industry standards.
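The three Six Degree elements just described (relational model, analysis engine, dashboard interface) can be sketched as a small stand-alone program. This is an added example, not Bellone's or WHO's code; every control id, domain, risk, asset, owner and colour threshold in it is constructed sample data.

```python
"""Toy version of the three Six Degree elements described above: a relational
ISMS model, a gap-analysis engine and a heatmap-style compliance dashboard.
Added illustration, not Bellone's or WHO's code; every control id, domain,
risk, asset, owner and colour threshold below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Control:
    cid: str            # constructed id, not an ISO 27001 clause number
    domain: str         # ISO 27001 domain area the control belongs to
    owner: str          # person accountable for the control's activities
    implemented: bool   # outcome of the last diagnostic review
    risks: list = field(default_factory=list)  # risks this control treats
    budget: int = 0     # funding linked to closing the gap, if any


# Relational model: domains -> controls -> risks -> assets, people -> activities.
RISK_TO_ASSETS = {  # constructed sample relations
    "laptop theft": ["customer records", "staff laptops"],
    "default db credentials": ["payment database"],
    "unauthorized port open": ["web servers"],
    "stale policy": ["security policy"],
}
CONTROLS = [  # constructed sample controls
    Control("C-01", "Security policy", "CISO", False, ["stale policy"]),
    Control("C-02", "Access control", "IT ops", True, ["default db credentials"]),
    Control("C-03", "Access control", "IT ops", False, ["unauthorized port open"], 5000),
    Control("C-04", "Physical and environmental security", "Facilities", True, ["laptop theft"]),
    Control("C-05", "Physical and environmental security", "Facilities", False, ["laptop theft"]),
    Control("C-06", "Compliance", "Legal", True),
]


def gap_analysis(controls=CONTROLS):
    """Analysis engine: per domain, count controls, count those that passed
    review, list the open (non-conformant) control ids and compute coverage."""
    report = {}
    for c in controls:
        d = report.setdefault(c.domain, {"total": 0, "implemented": 0, "open": []})
        d["total"] += 1
        if c.implemented:
            d["implemented"] += 1
        else:
            d["open"].append(c.cid)
    for d in report.values():
        d["coverage"] = round(d["implemented"] / d["total"], 2)
    return report


def heat_band(coverage):
    """Map coverage to a heatmap colour; the thresholds are an assumption."""
    if coverage >= 0.9:
        return "green"
    return "amber" if coverage >= 0.5 else "red"


def dashboard(controls=CONTROLS):
    """Process intelligence interface: one row per domain, lowest coverage
    first, so the worst domains sit at the top the way a heatmap is read."""
    rows = [(dom, r["coverage"], heat_band(r["coverage"]))
            for dom, r in gap_analysis(controls).items()]
    return sorted(rows, key=lambda row: row[1])


def alerts(controls=CONTROLS):
    """Non-conformity alerts: each open control with the assets its linked
    risks expose, the accountable owner and whether budget is linked to the gap."""
    out = []
    for c in controls:
        if not c.implemented:
            assets = sorted({a for r in c.risks for a in RISK_TO_ASSETS.get(r, [])})
            out.append({"control": c.cid, "domain": c.domain, "owner": c.owner,
                        "assets_at_risk": assets, "funded": c.budget > 0})
    return out


if __name__ == "__main__":
    for dom, cov, band in dashboard():
        print(f"{band:5s} {cov:4.0%}  {dom}")
    for a in alerts():
        print("ALERT", a)
```

An auditor reading the dashboard sees the red domain first and, from the alert, which assets the open control leaves exposed and who owns it, which is the question the paper says auditors otherwise have to put to managers.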
Benefits of certification
By obtaining ISO 27001 certification, companies are able to gain customer confidence and satisfy regulatory compliance. Certification signals to customers that the company treats information security as an important concern and has taken steps to mitigate the associated risks. It also shows that management is committed to protecting its information, which further provides the company with a marketing and competitive advantage over its competitors.
In addition, certification provides the company with a structured approach to risk management and ensures that the company has the right people, processes and technology in place

that suit its business model. More importantly, an ISO 27001 certified ISMS will ensure simultaneous compliance with other information-related legislation, including HIPAA, GLBA, SB 1386 and other state breach laws, PIPEDA, FISMA, the EU Safe Harbor regulations and SOX 404. A more detailed description of how ISO 27001 achieves regulatory compliance is given below. Karen Worstell, a former CISO at Microsoft and AT&T Wireless and currently a member of the advisory board of a European security risk management and awareness firm, has indicated that ISO 27001 can help satisfy the compliance requirements of a number of regulations, such as SOX, Safe Harbor and DSS, with just minor adjustments (Brenner B., ISO 27001 could bridge the regulatory divide, expert says, July 11, 2007).
ISO 27001 certified companies have demonstrated the desired reliability in their security systems. In particular, in the legal industry there is a rising demand from prospective clients for law firms to prove their information security credentials as part of the tendering process. To remain competitive in this industry, an increasing number of law firms are seeking certification to ISO 27001. Certification to this standard provides assurance that information security is effective, as it is audited every six months. Subsequent to its ISO 27001 certification, the law firm Irwin Mitchell successfully reduced the number of security incidents from 25 to 7 within a year.
Additionally, EZ Data, a provider of front-office systems for insurance companies, general agents, banks, investment dealers, agents and financial advisors, has demonstrated the success of its certification by obtaining customer acceptance and confidence. CPS, a large brokerage general agency and a client of EZ Data, stated that "it is assuring to know that the facility where we host our corporate agent and client data meets the rigorous information security standards and policies required for ISO 27001 certification."
Steps to achieve certification
Organizations must go through three necessary steps to achieve ISO 27001 certification (Freeman, Sept/Oct 2007):
1. Implement an ISMS and integrate it into the day-to-day operation of the business through staff training and the establishment of a continuous program of ISMS maintenance.
2. Request an audit of the ISMS by one of the accredited certification bodies. The certification, once obtained, is valid for three years, after which recertification is required.
3. Undergo a surveillance audit by the certification body every six to nine months to ensure continuous compliance with the standard.

Introduction of GTAG
The Global Technology Audit Guides (GTAG), prepared by the Institute of Internal Auditors (IIA), are written in non-technical language and serve to assist chief audit executives (CAEs) in dealing with technology-associated risks, as well as informing them of timely issues related to information technology. In preparing the guides, other professional associations are also involved to ensure that the content is technically accurate and appropriately addresses all timely issues (Auditors, 2008). To date, eleven guides have been released by the IIA:
1. Information Technology Controls (released: March 2005): The purpose of this guide is to communicate and raise CAE awareness of the need to strengthen IT controls. It provides an overview of the key elements of IT control assessment and places emphasis on the roles and responsibilities of the key personnel who drive the governance of IT resources. Information technology is pervasive throughout the organization; hence it is essential that CAEs understand the importance of IT controls and have the ability to manage IT risk through continuous monitoring and improvement. This guide identifies several frameworks used for assessing internal controls and assists executives in choosing the most suitable framework for their organization (IIA, 2005).
2. Change and Patch Management Controls: Critical for Organizational Success (released: June 2005): The purpose of this guide is to assist CAEs in effectively managing and governing IT changes, assessing the strengths and weaknesses of the organization's existing change management process and providing metrics that can foster a higher level of control performance. Change and patch management is defined as the set of processes executed within the organization's IT department to manage enhancements, updates, incremental fixes and patches to production systems, including application code revisions, system upgrades and infrastructure changes. With the increasing demand for regulatory compliance and the growing complexity of information technology systems, it is essential that CAEs are at the forefront in looking for the most effective way to manage these changes. This guide also helps identify symptoms and indicators of control weakness and provides recommendations to reduce IT change risks (IIA, 2005).
3. Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment (released: October 2005): This guide emphasizes the need to move from traditional retrospective and cyclical audit testing on a sampling basis to ongoing audit testing of 100% of transactions. The constantly changing regulatory environment and the globalization of

businesses drive the need for real-time performance of control and risk assessment, so that audit executives can ensure that controls are operating effectively and risks are being mitigated. This guide attempts to assist CAEs in making use of information technology to support continuous auditing and monitoring of controls. With the assistance of information technology, auditors will have easier access to the most relevant information and the ability to review a larger number of transactions in greater detail (IIA, 2005).
4. Management of IT Auditing (released: March 2006): The purpose of this guide is to assist CAEs in planning their IT audit. Organizations are becoming more dependent on information technology to carry on their business activities. With such high reliance, two emerging issues arise: 1) the majority of key internal controls are likely to be technology related, and 2) inefficient systems that have control deficiencies will have a larger impact on the organization's operations and competitive readiness. As such, it is important that CAEs plan and manage the IT audit function more effectively and efficiently. This guide is developed to assist CAEs in how to plan, perform and report on IT audits. It also helps to evaluate and manage IT-related risks as well as addressing emerging IT-related issues (IIA, 2006).
5. Managing and Auditing Privacy Risks (released: June 2006): This guide is intended to assist CAEs in managing and assessing privacy risks and in providing assurance that those risks are being controlled appropriately. In particular, privacy audits are beneficial in several ways, such as facilitating compliance with regulations, improving customer satisfaction and increasing the organization's awareness of the confidentiality of data. This guide provides several key frameworks that organizations may choose from to better understand the basic concepts and expectations of privacy in different environments (IIA, 2006).
6. Managing and Auditing IT Vulnerabilities (released: October 2006): This guide is developed to assist CAEs and IT staff in assessing the effectiveness of their vulnerability management process. Vulnerability management is the set of processes and technologies that an organization employs to identify, assess and remediate IT vulnerabilities: weaknesses or exposures in IT assets or processes that may lead to a business or security risk. According to the U.S. National Vulnerability Database, 40% of the vulnerabilities discovered in the year, such as worms or viruses, are of high severity, in that they could cause major disruption to the organization. It is therefore important that CAEs acknowledge the importance of an effective vulnerability management program and be able to integrate it into the overall IT process framework so that they will be able to detect, prevent and mitigate vulnerabilities (IIA, 2006).

7. Information Technology Outsourcing (released: March 2007): This guide is developed to assist internal auditors in performing a comprehensive review of the organization's IT outsourcing operations through the identification of risks and benefits, recommendations on ways to mitigate the risks, and a framework that can help evaluate the outsourcing company's compliance with industry standards and regulation (IIA, 2007).
8. Auditing Application Controls (released: July 2007): Any upgrade or installation of transactional or support applications can pose significant risk to the organization if it is not configured or used properly. The most cost-effective way to reduce this risk is the implementation of application controls that are embedded in the software itself. This guide is developed to assist CAEs in understanding the differences between IT general controls and application controls, and how to design application controls well so as to ensure that applications operate effectively. It illustrates a list of controls and recommended tests that organizations may apply to ensure that the controls are working appropriately (IIA, 2007).
9. Identity and Access Management (released: November 2007): IAM is the process of managing who has access to what information over time. This process permeates the entire organization, affecting every business unit. It is essential for executives, IT departments and business units to know who has access to company resources so that all inherent risks can be addressed. This guide provides CAEs with insights on how to evaluate, monitor and analyze their organization's IAM process (IIA, 2007).
10. Business Continuity Management (released: July 2008): BCM is an important risk management framework put in place to reduce the impact of natural or man-made disruptions and to restore critical business processes after them. Inadequate procedures for responding to these incidents will result in extended downtime and significant financial loss. Through a focus on how BCM is designed to enable business leaders to manage the risks caused by business disruption, this guide assists CAEs in communicating to corporate executives the risks, controls, costs and benefits of adopting BCM (IIA, 2008).
11. Developing the IT Audit Plan (released: July 2008): This guide helps CAEs and internal auditors understand and define the IT environment, identify the role of risk assessment and formalize the annual IT audit plan (IIA, 2008).
Regulatory Compliance: ISO 27001 and GTAG


In response to financial fraud such as that at Enron, the Congress of the United States passed the Sarbanes-Oxley Act of 2002 (SOX), requiring senior management to be actively involved with and accountable for the accuracy of the data used in financial reporting, and requiring external auditors to remain independent of their client firms. Of particular concern is Section 404, which requires all publicly traded organizations in the United States, as well as their foreign subsidiaries, to include in their annual report an assessment of their internal control structure and procedures for financial reporting, and requires their auditors to attest to these assessments. However, compliance with SOX has been impeded by the lack of implementation details. As a result, senior management officers turn to computer security officers to implement the necessary controls.
An ISO 27001 certified ISMS is sufficient to ensure that the company is in compliance with the SOX 404 reporting demands. Similarly, several GTAGs also have direct relevance to SOX compliance.
GTAG 1 Information Technology Controls: Although SOX does not explicitly address the need for effective IT controls, they are significant in ensuring the security, stability and reliability of the hardware, software and personnel involved in the financial reporting process. For instance, under Sections 103 and 802 of SOX, auditors are required to perform a thorough assessment of the IT controls that are essential to the system of internal control over financial reporting. As well, Sections 302 and 404 of SOX require the CEO and CFO, who are responsible for financial information, to evaluate and assess the system of internal controls, including all applicable IT controls, and to disclose any deficiencies (IIA, 2005).
GTAG 2 Change and Patch Management: Strong change management can assist the company in complying with new and increasing regulatory standards. In particular, SOX requires executives to understand and sign off on the controls over financial reporting. If IT changes are not controlled properly, errors will result and may greatly deteriorate the integrity of the financial statements. Therefore, effective change management is an essential element for public companies that are required to comply with SOX (IIA, 2005).
GTAG 3 Continuous Auditing: Continuous auditing can significantly reduce the cost of SOX compliance. A Financial Executives International survey performed in March 2005 indicated that the cost of SOX compliance was more than $4 million per organization, comprising mostly labor costs such as internal staff and external consultants. Another AMR Research study, performed in January 2005, found that technology can be used to reduce these costs by 25%. In addition, as SOX requires timely disclosure of control deficiencies, continuous auditing and monitoring can achieve this requirement by providing ongoing assessments of internal controls and risks (IIA, 2005).

GTAG 6 Managing and Auditing IT Vulnerabilities: An effective vulnerability management process is essential to ensure compliance with SOX, as IT controls are part of the internal control structure over financial reporting (IIA, 2006).
GTAG 7 Information Technology Outsourcing: To comply with SOX, it is important that the service level agreement includes a clause granting the organization the right to have the processes, controls and results associated with the outsourcing activities audited periodically by external auditors (IIA, 2006).
Conclusion
Overall, both ISO 27001 certification and the GTAGs can help organizations and auditors satisfy the rising public demand for better security of information systems, as well as comply with new regulation and industry standards. Organizations should seriously consider pursuing ISO 27001 certification, as it can help achieve competitive advantage, provide reassurance to internal and external users that their systems are running effectively, and help minimize both audit and compliance costs. On the other hand, the GTAGs are excellent sources for auditors to understand what an effective system entails and how best to communicate with and educate the board and managers regarding technology-associated risks and recommended practices.


Bibliography
Ashford, W. (Nov 27, 2007). Law firms get competitive with ISO 27001. Computer Weekly, 7.
Auditors, T. I. (2008). Institute of Internal Auditors. Retrieved from GTAG: www.theiia.org/guidance/technology/gtag
Bellone, J. (Vol. 16, No. 1, 2008). Reaching escape velocity. Information Management and Computer Security, 49-57.
Brenner, B. (July 11, 2007). ISO 27001 could bridge the regulatory divide, expert says. SearchSecurity.com, 1.
Brenner, B. (2007, July 1). ISO 27001 could bridge the regulatory divide, expert says. Retrieved from SearchSecurity.com: http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1263828,00.html
Brenner, J. (January 2007). ISO 27001. Risk Management Magazine, 25-29.
Fratto, M. (May 23, 2006). Users line up behind audit standard. Dark Reading.
Freeman, E. H. (Sept/Oct 2007). Holistic Information Security: ISO 27001 and Due Care. Information Systems Security, 291.
IIA. (2005). GTAG 1 Information Technology Controls. In IIA, GTAG 1. Chicago.
IIA. (2005). GTAG 2 Change and Patch Management Controls. In IIA, GTAG 2. Chicago.
IIA. (2005). GTAG 3 Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. In IIA, GTAG 3. Chicago.
IIA. (2006). GTAG 4 Management of IT Auditing. In IIA, GTAG 4. Chicago.
IIA. (2006). GTAG 5 Managing and Auditing Privacy Risks. In IIA, GTAG 5. Chicago.
IIA. (2006). GTAG 6 Managing and Auditing IT Vulnerabilities. In IIA, GTAG 6. Chicago.
IIA. (2007). GTAG 7 Information Technology Outsourcing. In IIA, GTAG 7. Chicago.
IIA. (2007). GTAG 8 Auditing Application Controls. In IIA, GTAG 8. Chicago.
IIA. (2007). GTAG 9 Identity and Access Management. In IIA, GTAG 9. Chicago.
IIA. (2008). GTAG 10 Business Continuity Management. In IIA, GTAG 10. Chicago.
IIA. (2008). GTAG 11 Developing the IT Audit Plan. In IIA, GTAG 11. Chicago.


International Organization for Standardization. (2008). ISO/IEC 27001:2005. Retrieved July 24, 2008, from http://www.iso.org/iso/catalogue_detail?csnumber=42103
Mohamed, A. (Apr 24, 2007). The Route to Compliance. Computer Weekly, 34-35.
Myler, E. (2006, November). ISO 17799: Standard for Security. Retrieved from Information Management Journal: http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=3&did=1167635041&SrchMode=2&sid=3&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1213577489&clientId=16746

