
Auditing Security Management Systems Compliance & ISO 27001


G2
Anischa Leakat
Bruno Asai
Sindia Razafintsalama
Xavier Le Corre
Agenda

1. Introduction;
2. Concepts;
3. Operations & Practice;
4. Conclusion;
1. Introduction

Information Security Management

● Management Direction
● Management Oversight and Execution
● Management of Information Security Technology
2. Concepts

Information Security

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The information or data may take any form, e.g. electronic or physical. Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad). The three definitions below follow the wording used in NIST publications such as FIPS 199.

● Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.

● Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

● Availability means ensuring timely and reliable access to and use of information.
ISO/IEC 27001

What is ISO/IEC 27001? What are its advantages? Why is it important?

ISO/IEC 27001 is an information security standard and part of the ISO/IEC 27000 family of standards. At the time of this presentation the current edition was ISO/IEC 27001:2013, with technical corrigenda issued since; the standard has since been revised as ISO/IEC 27001:2022. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO/IEC subcommittee ISO/IEC JTC 1/SC 27.
What exactly is ISO 27001?

The international standard ISO 27001 specifies the requirements for an Information Security Management System (ISMS). The ISMS is structured in four complementary, recurring steps (planning, implementation, verification, improvement) that follow the Deming PDCA (Plan, Do, Check, Act) cycle from the quality management world. The 2005 edition referenced PDCA explicitly; the 2013 edition adopts the common high-level structure shared by other ISO management system standards, which remains compatible with PDCA. This shared structure makes it possible to draw a parallel with, and integrate, the standards for quality management systems (ISO 9001) and environmental management (ISO 14001).

[Figure: the PDCA wheel, with the four quadrants Plan, Do, Check and Act]
Advantages

1°) Use the ISO/IEC 27001 standard, an internationally recognized model that incorporates the best practices of information security experts.

2°) Identify and control information security risks (a 2006 DTI study estimated the annual damage to British companies' information systems at £10 billion).

3°) Systematize a continuous improvement process in line with the company's overall management system.

4°) Comply with legal and regulatory requirements concerning the protection of information and the assurance of business continuity.

5°) Demonstrate the security of shared data to clients and third parties through ISO/IEC 27001 certification.

6°) Support the company's long-term viability by controlling the risk of IT failures.

LRQA (certification body) qualifications for an ISO/IEC 27001 audit

1°) The LRQA ISO 27001 audit is carried out by LRQA employees who meet demanding IT skills requirements, so the expertise of the audit team is assured.

2°) Auditors are operationally pragmatic, which maximizes the added value of the audits.

3°) An ISO/IEC 27001 certificate issued by LRQA is duly accredited and registered, giving it international recognition (www.iso27001certificates.com).

4°) LRQA is an active participant in information systems management and a partner of itSMF and other IT expert organizations.
The ISO 27001 standard includes 6 process areas

1. Define an information security policy,

2. Define the scope of the Information Security Management System,

3. Conduct a security risk assessment,

4. Manage the identified risks,

5. Select and implement controls,

6. Prepare a Statement of Applicability (SoA): the list of controls from Annex A of the standard, stating for each whether it applies, why, and whether it is implemented.
COBIT

Effective information security requires a comprehensive, integrated set of security, management and governance processes to plan, organize and counter the organization's information security risks. COBIT, the IT governance framework published by ISACA, provides an integrated governance, management and process framework with which to implement and execute information security.

COBIT describes processes, practices and control objectives for managing and operating IT systems, including their security state. Organizations using the framework report an increased ability to deliver high-quality service to their customers, which includes being able to measure and satisfy confidentiality, integrity and availability requirements.
Compliance

What is compliance? Why is it important?

Quoted from the Wikipedia article on regulatory compliance (listed in the bibliography):

"In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations."

"Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources."
3. Operations & Practice
8 steps to implement the ISO 27001 standard

1°) Project mandate

The implementation project should begin with the appointment of a project leader, who will work with other staff members. The mandate is essentially a set of answers to the following questions:

● What do we hope to achieve?
● How long will it take?
● What will it cost?
● Do we have the support of the management teams?

2°) Initiation of the ISMS (Information Security Management System)

The next step is to adopt a methodology for setting up the ISMS. The ISO 27001 standard recognizes a continuous-improvement, process-based approach as the most effective model for information security management. However, it does not prescribe a specific methodology: organizations may use the method of their choice or continue with a model already in place.

3°) Management framework

At this stage the ISMS needs a broader management framework. This includes defining the scope of the system, which depends on the organization's context; the scope must also take into account mobile devices and teleworkers.
4°) Security requirements

Organizations must identify their key security needs: the requirements, and the measures or controls needed to meet them, that are necessary to run the business.

5°) Risk management

The ISO 27001 standard leaves organizations free to define their own risk management process. The most common methods focus either on risks to specific assets or on risks presented by specific scenarios. Each has advantages and drawbacks, and some organizations will be better suited to one or the other.

The ISO 27001 risk analysis includes five important points:

● Establish a risk analysis framework (scales, methodology and risk acceptance criteria)
● Identify risks
● Analyze the risks
● Evaluate the risks against the acceptance criteria
● Select risk treatment options
6°) Risk treatment plan

This is the process of building the security controls that protect the organization's information. For these controls to be effective, employees must be able to operate and interact with them and must be aware of their information security obligations.

You will also need a process to identify, review and maintain the skills necessary to achieve the ISMS objectives. This includes performing a training-needs analysis and defining the required level of competence.
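The risk management steps (5°) and the risk treatment plan (6°) above are easier to reason about with a concrete register in front of you. The following Python script is an added example, not material from the presentation or from the ISO standard: it walks the five risk analysis points (framework, identify, analyze, evaluate, select treatment) over a constructed register and then derives the skeleton of a Statement of Applicability from the treatment decisions. The likelihood and impact scales, the acceptance threshold, the control catalogue (the "A.8.x" identifiers are made up and do not correspond to real Annex A numbering) and the assets and threats are all assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Step 1: risk analysis framework. The ordinal scales and the acceptance
# criterion are assumptions for this example, not values from the deck.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # a risk scoring <= 6 may be retained without treatment

# A small hypothetical control catalogue standing in for Annex A.
# The identifiers are invented for the example.
CONTROLS = {
    "A.8.1": "Multi-factor authentication for remote access",
    "A.8.2": "Encrypted, off-site backups tested quarterly",
    "A.8.3": "Full-disk encryption on laptops",
    "A.8.4": "Physical access control to server rooms",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str                    # inherent likelihood (key of LIKELIHOOD)
    impact: str                        # inherent impact (key of IMPACT)
    option: str = "retain"             # retain | modify | share | avoid
    control: Optional[str] = None      # control applied when option == "modify"
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        # Step 3: analyze. Level = likelihood x impact on the ordinal scales.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Level that remains once the chosen treatment is in place.
        if self.option == "avoid":
            return 0  # the activity is stopped, so the risk no longer exists
        lik = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lik] * IMPACT[imp]


def evaluate(risk: Risk) -> str:
    """Steps 4 and 5: compare the risk with the acceptance criterion and check
    that the chosen treatment option is defensible. Returns a status string."""
    if risk.inherent_score() <= ACCEPTANCE_THRESHOLD:
        return "accepted"  # within tolerance, no treatment needed
    if risk.option == "retain":
        return "retained above tolerance: needs documented management sign-off"
    if risk.option == "modify":
        if risk.control not in CONTROLS:
            return "modify chosen but no catalogued control assigned"
        if risk.residual_score() > ACCEPTANCE_THRESHOLD:
            return "treated, residual still above tolerance: add controls or escalate"
        return "treated"
    if risk.option == "share":
        return "shared: record the contract or insurance that transfers it"
    if risk.option == "avoid":
        return "avoided"
    raise ValueError(f"unknown treatment option {risk.option!r}")


def build_soa(risks: list[Risk]) -> dict[str, dict]:
    """Derive a Statement of Applicability skeleton: for each catalogued
    control, whether it is applicable and which risks justify it. Controls
    no risk relies on are flagged so an exclusion justification gets written."""
    soa = {cid: {"name": name, "applicable": False, "justification": []}
           for cid, name in CONTROLS.items()}
    for r in risks:
        if r.option == "modify" and r.control in soa:
            soa[r.control]["applicable"] = True
            soa[r.control]["justification"].append(f"{r.asset}: {r.threat}")
    for entry in soa.values():
        if not entry["applicable"]:
            entry["justification"].append("excluded: no identified risk requires it (justify)")
    return soa


# Step 2: identify risks. Constructed register for the example.
REGISTER = [
    Risk("VPN gateway", "credential stuffing", "likely", "major",
         option="modify", control="A.8.1", residual_likelihood="unlikely"),
    Risk("file server", "ransomware", "possible", "severe",
         option="modify", control="A.8.2", residual_impact="minor"),
    Risk("sales laptops", "theft of device", "possible", "moderate",
         option="modify", control="A.8.3", residual_impact="minor"),
    Risk("intranet wiki", "defacement", "unlikely", "minor"),
    Risk("legacy FTP", "plaintext credential capture", "likely", "moderate",
         option="avoid"),
]


def assess(register: list[Risk]) -> dict[str, str]:
    """Evaluate every register entry; keys are 'asset/threat'."""
    return {f"{r.asset}/{r.threat}": evaluate(r) for r in register}


if __name__ == "__main__":
    for key, status in assess(REGISTER).items():
        print(f"{key:45} {status}")
    for cid, entry in build_soa(REGISTER).items():
        print(cid, entry["applicable"], entry["justification"])
```

Two things the register makes visible that the prose does not: the VPN risk is "treated" in the sense that a control is assigned, yet its residual score (2 x 4 = 8) still exceeds the acceptance threshold, which is exactly the case an auditor will ask management to sign off or escalate; and the SoA falls out of the treatment decisions rather than being written separately, so a control nobody's risk treatment relies on (A.8.4 here) is surfaced for an explicit exclusion justification instead of silently disappearing.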

7°) Measure, monitor and review

For an ISMS to be useful, it must meet its information security objectives, so organizations must measure, monitor and review the performance of the system. This involves defining metrics or other methods to judge the effectiveness and implementation of the controls.

8°) Certification

Once the ISMS is in place, organizations should seek a certificate from an accredited certification body. This demonstrates to stakeholders that the ISMS is effective and that the organization takes information security seriously.

The certification process involves a review of the organization's management system documentation to ensure that appropriate controls have been put in place, followed by an on-site audit in which the certification body tests the procedures in operation (commonly called the stage 1 and stage 2 audits).
4. Conclusion
Bibliography

1. Information Security Management System auditors welcome ISO/IEC 27007 publication <https://www.iso.org/news/ref2232.html>

2. ISO/IEC 27001 <https://en.wikipedia.org/wiki/ISO/IEC_27001>

3. Exemplar Global Information Security Management System (ISMS) Auditor <https://exemplarglobal.org/certification/security-professionals/information-security-management-system-isms-auditor/>

4. ISACA Information Security Management Audit/Assurance Program <https://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Management-Audit-Assurance-Program.aspx>

5. GDPR <https://eugdpr.org/>

6. Regulatory Compliance <https://en.wikipedia.org/wiki/Regulatory_compliance>

7. ISO 27001 - Vista Infosec <https://www.vistainfosec.com/iso27001.php>

8. ISMS by Ecci <http://www.eccinternational.com/consulting/it-process-excellence/iso-27001-information-security-management-system>

9. ISO 27001 Compliance <https://www.huntsmansecurity.com/solutions/cyber-security-compliance/iso27001/>

10. Information Security <https://en.wikipedia.org/wiki/Information_security>


THANK YOU.