Category Archives: iso 27001

How to conduct an ISO 27001 internal audit

To maintain compliance with ISO/IEC 27001 (ISO 27001), you need to conduct regular internal audits.

An ISO 27001 internal audit will check that your ISMS (information security management system) still meets the requirements of the ISO 27001 standard.

Regular audits can be beneficial, since they enable continual improvement of your framework.

The ISMS audit process can pose a challenge, though. This is because unlike ISO 27001 implementation, there is no formal internal audit methodology to follow.


Get started with your ISO 27001 audit plan

To help you achieve ISMS internal audit success, we have developed a five-step checklist that organisations of any size can follow.


1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS.

This is because the audit’s scope should match the scope your organisation defined for its ISMS.

Reviewing that documentation therefore sets clear limits on what needs to be audited.

You should also identify the main stakeholders in the ISMS.

This will allow you to easily request any documentation that might be required during the audit.


2) Management review

This is where the audit really begins to take shape.

Before creating a detailed audit plan, you should liaise with management to agree on timing and resourcing for the audit.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.


3) Field review

This is what you might think of as the ‘audit proper’. It is at this stage that the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff members.
  • Perform audit tests to validate evidence as it is gathered.
  • Complete audit reports to document the results of each test.
  • Review ISMS documents, printouts and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.

Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.


5) Report

You will need to present the audit’s findings to management. Your report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, a high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings.
  • Conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed, because the final report typically involves management committing to an action plan.


Need help with your ISO 27001 audit?

At IT Governance, we’re serious about security.

Our unique combination of technology, methodology and expertise will give you the peace of mind that your organisation is secure and compliant.

You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners, it contains a customisable scope statement as well as templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.

The ISO 27001 ISMS Documentation toolkit includes a template of the internal audit procedure.


A version of this blog was originally published on 18 July 2018.

The post How to conduct an ISO 27001 internal audit appeared first on IT Governance Blog.

5 ways to improve your information security in 2019

This blog has been updated to reflect industry developments. Originally published Mar 19, 2018.

Protecting your organisation against cyber crime can sometimes feel like a never-ending game of security whack-a-mole.

Just as soon as you’ve secured one weakness, it seems as though another vulnerability rears its head.

But if you take a step back, you’ll notice that as much as the cyber criminals’ tactics evolve, they tend to follow the same basic methodology.

By implementing defences that tackle the trends rather than the specific weaknesses, you can mitigate the risk of any kind of attack.

In this post, we outline five essential ways of keeping your organisation secure.


1) Support cyber security staff

Cyber security staff often cite a lack of organisational support as their biggest concern.

They often feel that they’re not given a sufficient budget or that senior staff don’t listen to their requests.

These problems are inextricably linked.

Senior leadership generally lacks technical know-how and tends to view cyber security as a cost rather than a benefit.

However, cyber security affects every part of an organisation, from its staff to its physical premises.

It is therefore essential that organisations’ board rooms acknowledge the value of cyber security, and give staff appropriate budgets.



2) Conduct annual staff awareness training

Two of the biggest threats organisations face are phishing and ransomware, both of which exploit human error.

If employees who receive phishing emails (which often contain ransomware) are unable to spot them, the whole organisation is at risk.

Similarly, accidental breaches, privilege misuse and data loss are all the result of employees not understanding their information security obligations.

Educating staff on the ways they could put data at risk helps organisations turn one of their biggest vulnerabilities into an area of strength.

Training courses should be given to employees during their induction and then repeated annually.



3) Prioritise risk assessments

A risk assessment is one of the first tasks an organisation should complete when preparing its cyber security programme.

It’s the only way to make sure that the controls you choose are appropriate to the risks your organisation faces.

Without a risk assessment, you could overlook genuine threats or waste time and effort addressing events that are unlikely to occur or won’t cause significant damage.

There is, after all, little point implementing measures against events that pose no material risk to your organisation.



4) Regularly review policies and procedures

Policies and procedures are the documents that establish an organisation’s rules for handling data.

Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done.

The evolving cyber threat landscape makes it imperative that organisations regularly review their policies and procedures.

If a procedure isn’t working, it needs to be rewritten.


5) Assess and improve

Each of the steps listed here references the need to conduct regular reviews, but the assessment and improvement process is so important that it merits particular attention.

Every part of an organisation’s cyber security framework benefits from reviews of its effectiveness, but the process will inevitably take time and effort, meaning the frequency of reviews will depend on the resources you have.


How ISO 27001 can help

We recommend implementing ISO 27001, the international standard that describes best practice for an information security management system (ISMS).

The Standard’s framework covers everything listed here, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.

We know that implementing an ISO 27001-compliant ISMS can be an intimidating task, especially if you have no prior knowledge of the Standard and don’t know where to start.

That’s why we’ve compiled implementation tips from the ISO 27001 experts in this free green paper, Implementing an ISMS – The nine-step approach.

Download your copy today to:

  • Get to grips with the basics of an ISO 27001 ISMS;
  • Discover our tried-and-tested nine-step implementation approach that will save you time and money;
  • Establish important considerations for every step of your ISMS project; and
  • Identify the challenges you may face when creating your ISMS.


Documentation required by ISO 27001

Organisations seeking ISO 27001 compliance must prove their compliance with the Standard by completing appropriate documents.

List of documents required for ISO 27001 compliance




Organisations must also complete documents in Annex A, which details a list of controls that must be considered for inclusion in the Statement of Applicability.

Although only some of these are mandatory, any control that’s relevant must be documented. This will typically include:

  • A.7.1.2 and A.13.2.4 Definition of security roles and responsibilities
  • A.8.1.1 An inventory of assets
  • A.8.1.3 Rules for the acceptable use of assets
  • A.8.2.1 Information classification scheme
  • A.9.1.1 Access control policy
  • A.12.1.1 Operating procedures for IT management
  • A.12.4.1 and A.12.4.3 Logs of user activities, exceptions and security events
  • A.14.2.5 Secure system engineering principles
  • A.15.1.1 Supplier security policy
  • A.16.1.5 Incident management procedure
  • A.17.1.2 Business continuity procedures
  • A.18.1.1 Statutory, regulatory and contractual requirements

Where to start with ISO 27001 documentation

Given the number of documents you need to complete and the lack of guidance from the Standard, the documentation stage can be incredibly time-consuming and stressful. There is no right way to approach the process, but organisations usually commit to one of three methods.

The first is trial and error, which we wouldn’t recommend. The documentation process is simply too big to go into without a plan, and even though you’ll quickly learn from your mistakes, you’ll burn through a lot of money doing so.

The second method is to bring in consultants to guide you through what you need to know. This is the most expensive approach, but it’s also the safest, reducing the risk of costly mistakes.

This approach is also the fastest route to ISO 27001 compliance, but don’t expect overnight success: consultants will need to learn your systems and processes before they can begin.

The third method is to purchase a documentation toolkit. These are packages that contain template documents and tools to help you meet the Standard’s requirements.

Some toolkits, such as our ISO 27001 ISMS Documentation Toolkit, include direction and guidance from expert ISO 27001 practitioners.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.



A version of this blog was originally published on 27 October 2017.


Data security and the legal sector – ISO 27001 for law firms

With the legal sector reporting an increase in targeted attacks in 2018, information security management remains a serious issue for law firms. The confidential information and large volumes of client funds they hold are highly desirable to cyber criminals, so it’s not surprising that 60% of law firms reported that they suffered a security incident last year (PwC Law Firms’ Survey 2018).

With increased levels of cyber attacks, information security must be a priority. While a cyber criminal or terrorist organisation may be held off by firewalls and intrusion detection systems, these systems cannot manage the intricacies of business relationships or global trade. As such, a security regime focused solely on technology will fail.

Tackle cyber threats head on with ISO 27001

Leading law firms are implementing ISO/IEC 27001:2013 (ISO 27001), the international standard for information security, to tackle cyber threats head on. Management teams can safeguard their firm by employing a best-practice ISMS (information security management system) and certifying to ISO 27001.

ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put law firms in the running for these tenders and demonstrates that they are committed to protecting their clients’ confidential data, offering a powerful, visible assurance of their commitment to meeting obligations to clients and business partners.

In addition to severe fines, cyber security and data protection failures also risk seriously damaging a firm’s reputation. Having the correct measures in place will protect a firm’s credibility, minimise risk and maintain the level of trust that clients deserve.

Support with your ISO 27001 project

Whether you are just getting started, preparing a business case for ISO 27001, or your project is already underway, we encourage you to read our new green paper ISO 27001 for Law Firms. It outlines the benefits of ISO 27001 and stresses the importance of stringent data security in the legal sector.

For further support with your firm’s ISO 27001 project, complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s requirements.
