
ISO-IEC-27001-Lead-Auditor-EN-v12.1-Day-1

Published by Lim Yoo Jin, 2023-10-16 21:44:15


Licensed to Kim Lyxen Ong ([email protected]) ©Copyrighted material PECB®. Single user license only, copying and networking prohibited. Downloaded: 2023-04-05 1/144

© Professional Evaluation and Certification Board, 2022. All rights reserved.
Version 12.1
Document number: ISMSLAD1V12.1

Documents provided to participants are strictly reserved for training purposes. No part of these documents may be published, distributed, posted on the internet or an intranet, extracted, or reproduced in any form or by any means, electronic or mechanical, including photocopying, without prior written permission from PECB.


Day 1: Introduction to the information security management system (ISMS) and ISO/IEC 27001
Section 1: Training course objectives and structure
Section 2: Standards and regulatory frameworks
Section 3: Certification process
Section 4: Fundamental concepts and principles of information security
Section 5: Information security management system (ISMS)

Day 2: Audit principles, preparation, and initiation of an audit
Section 6: Fundamental audit concepts and principles
Section 7: Audit approach based on evidence and risk
Section 8: Initiating the audit
Section 9: Stage 1 audit
Section 10: Preparing for stage 2 audit (on-site audit)
Section 11: Stage 2 audit (Part 1)

Day 3: On-site audit activities
Section 12: Preparing for stage 2 audit (review)
Section 13: Stage 2 audit (Part 2)
Section 14: Communication during the audit
Section 15: Audit procedures
Section 16: Creating audit test plans


Day 4: Certification exam

In order to optimize the learning experience, PECB recommends scheduling two short breaks (15 minutes) and a lunch break (one hour) per training day. The timing of the breaks can be adjusted accordingly.


Other references cited in this training course:
- ISO/IEC 27006:2015, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
- ISO/IEC TS 27008:2019, Information technology — Security techniques — Guidelines for the assessment of information security controls
- ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary
- ISO 19011:2018, Guidelines for auditing management systems
- ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
- ISO/IEC 17024:2012, Conformity assessment — General requirements for bodies operating certification of persons
- ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes and services
- ISO/IEC Directives, Part 1:2019, Procedures for the technical work
- ISO 31000:2018, Risk management — Guidelines
- ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
- ISO 55000:2014, Asset management — Overview, principles and terminology


Other acronyms used throughout this training course:
- AGI: Artificial General Intelligence
- AI: Artificial Intelligence
- BS: British Standard
- COBIT: Control Objectives for Information and Related Technology
- CPD: Continuing Professional Development
- CRAMM: CCTA Risk Analysis and Management Method
- EA: European co-operation for Accreditation
- FISMA: Federal Information Security Management Act
- GAAS: Generally Accepted Auditing Standards
- HIPAA: Health Insurance Portability and Accountability Act
- IaaS: Infrastructure as a Service
- IAF: International Accreditation Forum
- IAS: International Accreditation Service
- ICT: Information and Communications Technology
- IMS2: Integrated Implementation Methodology for Management Systems and Standards
- NC: Nonconformity
- NIST: National Institute of Standards and Technology


- OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation
- OECD: Organization for Economic Co-operation and Development
- OED: Oxford English Dictionary
- PaaS: Platform as a Service
- PCI DSS: Payment Card Industry Data Security Standard
- SaaS: Software as a Service
- SoA: Statement of Applicability
- SOX: Sarbanes-Oxley Act
- SQL: Structured Query Language
- STE: Security Testing and Evaluation


Note on Terminology Used

The terminology used throughout this training course is based on the following standards: ISO 19011:2018, ISO/IEC 17021-1:2015, ISO/IEC 27000:2018, ISO/IEC 27001:2022, ISO/IEC 27005:2022, ISO 9000:2015, and so on.

In this training course, we have strived to bring together best practices from several international standards. Practitioners of this field sometimes use different terminology or can use the same or similar terminology to mean different things. The meaning of a word or specific term depends upon context. Therefore, please pay attention to the specific context in which that specific term is being used, along with its standard reference.

For example: “Documented information” is the term that replaced the terms “documents” and “records” in the revised management system standards which are based on the High-Level Structure (HLS) of the Annex L format. This term is defined as “information required to be controlled and maintained by an organization and the medium on which it is contained.” Therefore, based on ISO (https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf), there are two types of documented information:
1. Documented information that should be maintained, such as policies, procedures, etc.
2. Documented information that should be retained, such as records.

Throughout this training course, we refer at times to records without referring to them as “documented information.” The presentation of the ISO clauses is an example of such an approach:

ISO/IEC 27001, Annex A 5.33 Protection of records
Control
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

This is done solely to clarify understanding.


This section presents the objectives of the training course and its structure, including the examination and certification process and the importance of being a certified auditor.


To break the ice, trainer(s) and participants introduce themselves by stating their:
- Name
- Current position
- Knowledge and experience regarding information security management
- Knowledge and experience regarding ISO/IEC 27001 and other related standards (ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27005, etc.)
- Knowledge and experience regarding auditing practices
- Training course expectations


PECB helps professionals show commitment and competence by providing them with valuable education, evaluation, and certification against internationally recognized standards. Our principal objectives and activities are:
1. Establishing the minimum requirements necessary to certify professionals
2. Reviewing and verifying the qualifications of applicants for eligibility to be considered for the certification evaluation
3. Developing and maintaining reliable, valid, and current certification evaluations
4. Granting certificates to qualified candidates, maintaining records, and publishing a directory of the holders of valid certificates
5. Establishing requirements for the periodic renewal of certification and determining compliance with those requirements
6. Ascertaining that our clients meet ethical standards in their professional practice
7. Representing its members, where appropriate, in matters of common interest


- All should be aware of the exit doors in the facility in case any emergency arises.
- All should agree on the training course schedule.
- All should arrive on time.
- All should set their smartphones on silent or vibrate mode (if you need to take a call, please do so outside the classroom).
- Recording devices are prohibited because they restrict free discussions.
- All sessions are designed to encourage participants to interact and take the most out of the training course.

Customer Service

To ensure customer satisfaction and continual improvement, PECB Customer Service has established a support ticket system for handling complaints. In case of inconvenience, we invite you to discuss the situation with the trainer first. If necessary, do not hesitate to contact the head of the training organization where you are registered. In all cases, we remain at your disposal to arbitrate any dispute that may arise between you and the training organization.

To send comments, questions, or complaints, please open a support ticket on the PECB website, at the PECB Help Center (https://pecb.com/help). In case of dissatisfaction with the training (trainer, training room, equipment, etc.), the examination, or the certification processes, please open a ticket under the Make a complaint category on the PECB Help Center (https://pecb.com/help).

If you have suggestions for improving PECB’s training course materials, we are willing to read and evaluate your feedback. You can do so directly from our KATE application or you can open a ticket directed to the Training Development Department on the PECB Help Center (https://pecb.com/help).


This training course is intended to help participants strengthen their knowledge and skills, which will help them in auditing an information security management system. From an educational perspective, competence consists of the following three elements:
1. Knowledge
2. Skill
3. Behavior (attitude)

Several exercises will allow participants to strengthen their personal skills which are necessary to conduct audit activities, such as decision-making, teamwork, presentation, and report-writing skills. The case study and discussions simulate real-life situations.

Important note: The PECB Certified ISO/IEC 27001 Lead Auditor training course is intended for both internal and external auditors. The audit techniques and the competence of auditors are common to all types of audits. The characteristics of the different types of audits will be explained during this training course. Internal audits will be discussed in a dedicated section of Day 4.

The objective of this training course is to help participants acquire knowledge on audit techniques, not acquire expertise in information security management. However, basic knowledge of information security management concepts is necessary for the successful completion of this training course. If participants wish to obtain in-depth knowledge on the implementation and the management of an ISMS, we recommend them to take the PECB Certified ISO/IEC 27001 Lead Implementer training course.


To complete this training course successfully, these two factors are crucial:
- Trainer’s instructions
- Participants’ involvement

Interaction by means of questions and suggestions is highly encouraged. Participants can best contribute to the training by partaking in exercises, case studies, and discussions. Participants are also advised to take personal notes. Quizzes, in particular, are important since they help in preparing for the certification exam.

At the end of each day, there is a slide with a set of exercises given as homework. Completing the homework may help you better understand this training course; however, it is not mandatory.

Remember: This training course is yours; you are the main contributor to its success.

In addition to the training course materials, PECB also offers free content to help trainees get additional information and stay updated. Such free materials include:
- Articles
- Whitepapers
- InfoKits
- Magazine
- Webinars


ISO 19011 provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. It applies to all organizations that wish to conduct internal and external audits.
Source: www.iso.org

International Federation of Accountants (IFAC) is a global organization for accounting. It operates in more than 130 countries with over 175 members and associates to protect public interest by encouraging the use of the best practices in accounting. Standards developed by the IFAC provide guidance in the following fields: audit, insurance, control, and services related to quality, training, ethics, and accounting.
Source: www.ifac.org

The Institute of Internal Auditors (IIA) is a global organization that advocates, educates, and connects internal auditors worldwide. It also develops international guidance almost exclusively for internal audits. This guidance is based on careful analysis, consultations, and the fundamental principles concerning the performance of internal audit services by members of the IIA.
Source: www.theiia.org

Generally Accepted Auditing Standards (GAAS) are audit standards developed by the AICPA (American Institute of Certified Public Accountants), including general standards, standards by activity sector, and report standards with interpretations.
Source: www.aicpa.org


The purpose of the certification exam is to evaluate whether candidates have grasped the audit concepts and techniques so that they are able to plan and manage an audit program and lead a team of auditors. The PECB Examination Committee ensures that the exam questions are adequate and based on professional practice. All competency domains are covered in the exam. To read a detailed description of each competency domain, please visit the PECB website.


Individuals who do not meet all the prerequisites for certification cannot claim to be PECB ISO/IEC 27001 Lead Auditor-certified. A less experienced candidate can apply for the “PECB Certified ISO/IEC 27001 Auditor” credential or the “PECB Certified ISO/IEC 27001 Provisional Auditor” credential.

PECB certifications are valid for three years. In order to maintain and renew a certification, PECB certified professionals must comply with certain requirements. The certification process, including its maintenance and renewal, will be explained in detail on the last day of this training course.


After passing the exam, candidates have a maximum period of three years to apply for the respective credential.


Certification is a formal recognition of your professional competence to perform job-related responsibilities. An internationally recognized certification can help you maximize your career potential and reach your professional goals. Research shows that certified auditors earn considerably higher salaries than noncertified auditors.



This section introduces the International Organization for Standardization (ISO) and the ISO/IEC 27001 standard. The advantages of having an ISMS in place are also discussed.


ISO applies the following principles when developing international standards:
1. ISO standards respond to a need in the market. ISO only develops standards for which a market demand exists, as a response to formal requests from industry sectors or stakeholders (e.g., consumer groups). Typically, the request for a standard is communicated to national members who then contact ISO.
2. ISO standards are based on global expert opinion. ISO standards are developed by various technical committees (TCs) with experts from all over the world. These experts negotiate all aspects of the standard, including its scope, key definitions, and content.
3. ISO standards are developed through a multi-stakeholder process. The technical committees consist of experts from relevant industries, but also from consumer associations, academia, NGOs, and governments.
4. ISO standards are based on consensus. The development of ISO standards is based on a consensus approach, and comments from all stakeholders are taken into account. All ISO country members, regardless of the size or strength of the economy, are on the same footing in terms of their influence in standard development.

For more information, please visit: https://www.iso.org.


The ISO/IEC 27000 family of standards is a series of information security standards. It includes the following:
- ISO/IEC 27000: Presents the basic concepts and the vocabulary that applies when establishing an information security management system (a free copy of this standard can be downloaded from the ISO website)
- ISO/IEC 27001: Defines the requirements for an information security management system (ISMS) and provides a reference set of information security controls in its Annex A
- ISO/IEC 27701: Specifies the requirements and provides guidance for establishing, maintaining, and continually improving a privacy information management system (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management (as a result of the processing of PII)
- ISO/IEC 27002: Provides generic information security controls and their implementation guidance
- ISO/IEC 27003: Guidance on implementing or setting up an ISMS
- ISO/IEC 27004: Guidance on monitoring and measuring information security performance and ISMS effectiveness
- ISO/IEC 27005: Guidance on managing information security risks, in accordance with ISO/IEC 27001 requirements
- ISO/IEC 27006: Requirements for organizations auditing and certifying an ISMS
- ISO/IEC 27007: Guidance for information security management systems auditing
- ISO/IEC TS 27008: Guidance for auditors on information security controls
- ISO/IEC 27011: Guidance on the implementation of information security controls in the telecommunications industry
- ISO 27799: Guidance on the use of ISO/IEC 27002 in health informatics


The history and reasoning behind the development of the standards pertaining to the ISO/IEC 27000 family:

A need for better practices and controls to support trade and governments in the implementation and improvement of information security was expressed. The United Kingdom’s Department of Trade and Industry formed a working group consisting of information security specialists. A “Code of practice,” essentially a set of controls (BS 7799), was published. Many of these are recognizable in today’s ISO/IEC 27002. This was followed up with an “Information security specification” (BS 7799-2; the original BS 7799 then became BS 7799-1).

These documents were eventually adopted as ISO standards, BS 7799-2 becoming ISO/IEC 27001, and BS 7799-1 becoming ISO/IEC 27002; this logically puts the requirements first and the code of practice (guidance) second. They were later supplemented by ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, and various sector-specific interpretive guidance standards.

ISO standards undergo revision every five years so as to keep up with the developments in various industries. ISO/IEC 27001 was reviewed in 2019, and the version of 2013 remained in use until 2022. Both ISO/IEC 27001 and ISO/IEC 27002 were revised in 2022. The third edition of ISO/IEC 27002 was published in February 2022, followed by the publication of the third edition of ISO/IEC 27001 in October 2022.


ISO/IEC 27001 is:
- A set of normative requirements for the establishment, implementation, operation, monitoring, and review of an information security management system (ISMS)
- A set of requirements for selecting security controls tailored to the needs of each organization based on industry best practices
- An internationally recognized process, defined and structured to manage information security
- An international standard that fits all types of organizations, regardless of their size or the sector in which they operate (e.g., commercial enterprises, government agencies, nonprofit organizations)

ISO/IEC 27001, clause 0.1 General
This document has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This document can be used by internal and external parties to assess the organization's ability to meet the organization’s own information security requirements.


ISO/IEC 27002:
ISO/IEC 27002 provides guidelines for the implementation of information security controls necessary to treat the information security risks of an ISMS based on ISO/IEC 27001. It provides a list of information security controls generally practiced in the information security industry, their purpose, and implementation guidance. Clauses 5 to 8, in particular, provide detailed guidance to support the controls specified in Annex A of ISO/IEC 27001:2022.

ISO/IEC 27002, clause 1 Scope
This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a. within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b. for implementing information security controls based on internationally recognized best practices;
c. for developing organization-specific information security management guidelines.


ISO/IEC 27701:
- A set of requirements for the establishment, implementation, maintenance, and improvement of a privacy information management system (PIMS)
- A standard that provides guidance for PII controllers and PII processors
- An international standard that fits all types of organizations, regardless of their size or the sector in which they operate

ISO/IEC 27701, clause 1 Scope
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.


Some of the standards in this family that are already published or under development:
- ISO/IEC 27010: Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011: Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
- ISO/IEC 27013: Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014: Governance of information security
- ISO/IEC TR 27015: Information security management guidelines for the financial services
- ISO/IEC TR 27016: Organizational economics
- ISO/IEC 27017: Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27031: Guidelines for information and communication technology readiness for business continuity
- ISO/IEC 27032: Guidelines for cybersecurity
- ISO/IEC 27033: Network security
- ISO/IEC 27034: Application security
- ISO/IEC 27035: Information security incident management
- ISO/IEC 27036: Information security for supplier relationships
- ISO/IEC 27037: Guidelines for identification, collection, or acquisition and preservation of digital evidence
- ISO/IEC 27038: Specification for digital redaction
- ISO/IEC 27039: Selection, deployment, and operations of intrusion detection systems (IDPS)
- ISO/IEC 27040: Storage security
- ISO/IEC 27041: Guidance on assuring suitability and adequacy of investigative methods
- ISO/IEC 27042: Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043: Incident investigation principles and processes
- ISO/IEC 29100: Privacy framework


1. Improvement of security:
   - General improvement of information security effectiveness
   - Better management of information security controls
2. Good governance:
   - Awareness and empowerment of personnel regarding information security
   - Increase of the top management accountability for information security
3. Increased international recognition:
   - Conformity to industry standards
   - Conformity to national and international laws
4. Improved customer satisfaction:
   - Increase of customer loyalty
   - Increase of customer confidence
5. Competitive advantage:
   - Fulfillment of the requirements and expectations of customers and interested parties
   - Consolidating the confidence of the organization’s customers, suppliers, and partners


ISO/IEC 27002, clause 5.31 Legal, statutory, regulatory and contractual requirements

Control
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

Purpose
To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

Guidance
Legislation and regulations
The organization should:
a. identify all legislation and regulations relevant to the organization’s information security in order to be aware of the requirements for their type of business;
b. take into consideration compliance in all relevant countries, if the organization:
   - conducts business in other countries;
   - uses products and services from other countries where laws and regulations can affect the organization;
   - transfers information across jurisdictional borders where laws and regulations can affect the organization;
c. review the identified legislation and regulation regularly in order to keep up to date with the changes and identify new legislation;
d. define and document the specific processes and individual responsibilities to meet these requirements.


1. Data protection
Many countries have established data protection laws that aim at safeguarding data confidentiality and integrity. As such, personal information is subject to management and adequate recording. Therefore, organizations must implement appropriate measures to ensure the protection of privacy and personal data.

2. Privacy
In order to comply with certain laws, many organizations are obliged to establish a policy for the protection of privacy, often designed to achieve the following objectives:
- Increase awareness of regulatory, legal, and business requirements regarding the treatment and protection of personal information
- Establish a clear and comprehensive organizational policy for the treatment of personal information
- Establish the responsibility of all persons processing personal information
- Enable the organization to meet its commercial liability, legal, and regulatory obligations with respect to personal information

3. Cyber crimes
Cyber crimes encompass crimes that target an organization’s computer networks. The damage of such crimes can be devastating: financial losses, reputation damage, etc. The organization must be aware of such crimes and implement adequate countermeasures (that comply with the applicable laws) in order to cope with them. Protective measures must not themselves constitute crimes (e.g., responding to spam with countermeasures such as a buffer overflow attack).


4. Digital signature
Nowadays, the law recognizes the validity of digital signatures as a technological tool that allows verifying who the author of a document is and that its content has not been modified. As a result, an electronic document that is digitally signed has the same legal validity as a hard copy document signed by hand, as long as there are regulations that give it full legal value. In some countries, electronic records must ensure the preservation of “traces” as evidence of integrity and of safety procedures developed on the basis of recognized standards for electronic records (e.g., in France, AFNOR NF Z 42-013, or, more internationally, the standard ISO 14721 “Space data and information transfer systems — Open archival information system (OAIS) — Reference Model”).

5. Intellectual property
The aim of laws that govern intellectual property rights is to protect certain intangible assets. Intellectual property rights provide legal protection and competitive advantage to small and medium enterprises.

6. Commerce and electronic payments
From a legal standpoint, in most countries it is essential to be able to prove in court that a customer bought the product or service sold by the organization. It should also be possible to satisfy the tax authority by demonstrating in which period the individual transactions took place. The big difference between electronic commerce and paper-based trade is the medium in which transactions are stored: it is much more difficult to make changes to hard copy files than to electronic files. Another aspect is the possibility that a competitor may offer the same products from a server located in a tax haven. Finally, when a consumer buys a product on a website, it is not always easy to determine which national law applies.

7. Records management
Some national laws require organizations to maintain and regularly review their records. Similar requirements exist at a governmental level. In some countries, organizations are legally obliged to issue reports or to provide records for legal purposes.
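The two properties attributed to a digital signature under item 4 (the author is identified and any modification of the content is detected) come from a single verification step. The following Go program is an added example, not part of the course material; it uses Ed25519 from Go's standard library and a constructed sample document, and the binding of a public key to a legal identity (the part the text says depends on national regulation) is assumed to be handled outside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument bundles the three things a verifier needs: the content,
// the public key of the claimed author, and the signature over the content.
type SignedDocument struct {
	Content   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign produces a SignedDocument for content using the author's private key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, content),
	}
}

// Verify reports whether doc was signed by trustedSigner and is unmodified.
// Authorship and integrity are checked together: a different key or a single
// changed byte in the content both make the signature check fail. How the
// verifier knows trustedSigner belongs to a given person (certificate, trust
// service, contract) is assumed to be settled outside this function.
func Verify(doc SignedDocument, trustedSigner ed25519.PublicKey) bool {
	if !trustedSigner.Equal(doc.Signer) {
		return false // the document claims an author we did not ask about
	}
	return ed25519.Verify(trustedSigner, doc.Content, doc.Signature)
}

func main() {
	// Constructed sample: an author key pair and a short contract text.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := Sign(priv, []byte("Supplier agrees to the information security obligations in Annex 2."))
	fmt.Println("original document, author's key:   ", Verify(doc, pub))

	// Integrity: flip one bit of the content and keep the original signature.
	tampered := doc
	tampered.Content = append([]byte(nil), doc.Content...)
	tampered.Content[len(tampered.Content)-1] ^= 0x01
	fmt.Println("modified document, author's key:   ", Verify(tampered, pub))

	// Authorship: verify the untouched document against somebody else's key.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("original document, different key:  ", Verify(doc, otherPub))
}
```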


ISO/IEC 27001 and Regulatory Frameworks: Examples

United States:
   - Federal Information Security Management Act (2002): FISMA (legislation on information security management) imposes a series of processes that must be followed for any information system used by the American Federal Government, its contractors, or suppliers.
   - NIST 800-53 (2006): NIST 800-53 (National Institute of Standards and Technology) provides guidelines to secure information systems within the federal government by choosing and specifying security controls. These guidelines apply to every part of an information system that processes, stores, or transmits federal information. It is issued by the U.S. Department of Commerce.

Europe:
   - General Data Protection Regulation (GDPR): This regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
   - Regulation (EC) n°45/2001: This is a regulation concerning the protection of individuals with regard to the processing of personal data by the community institutions and bodies and on the free movement of such data. The text includes provisions which guarantee a high level of protection of personal data. It also provides for the establishment of an independent supervisory body to monitor the application of these provisions.

International and industry repositories:
   - OECD Principles (2002): The OECD (Organization for Economic Cooperation and Development) has developed guidelines regulating the security of information systems and networks based on nine principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment.
   - COBIT (1994+): Developed by ISACA and the ITGI, COBIT (Control Objectives for Information and Related Technology) is a reference framework for managing the governance of information systems. COBIT provides information technology managers, auditors, and users with indicators, processes, and best practices to help them maximize the benefits derived from the use of information technology and to develop the governance and control of an organization.


1. What does the ISO/IEC 27001 standard provide?
   A. Requirements for organizations certifying an information security management system
   B. Requirements for an information security management system
   C. Guidance for auditing an information security management system

2. Organizations can obtain certification against the ISO/IEC 27002 standard if they implement all of its information security controls.
   A. True
   B. False

3. The implementation of ISO/IEC 27001 is a legal requirement in most countries.
   A. True
   B. False

4. What is the aim of laws with regard to intellectual property rights?
   A. Protecting certain intangible assets
   B. Ensuring that certain assets are regularly reviewed
   C. Providing asset management reports for legal purposes

5. Which of the following is one of the objectives of the privacy protection policy?
   A. To increase awareness regarding the legal requirements for protecting personal information
   B. To increase awareness regarding cybercrimes that target an organization’s computer network
   C. To increase awareness regarding the validity of digital signatures in electronic documents




This section presents the steps of obtaining a certification, describes briefly the main parties involved in the certification scheme, and provides information on the accreditation and certification bodies, respectively.


Note: Continual improvement refers to the ongoing process that an organization undergoes in order to improve its procedures, processes, and products or services. Surveillance audit refers to the activity that is performed once a year (sometimes more often, depending on the organization’s needs) to ensure that the management system remains in conformity with the respective management system standard.


As displayed on the slide, the following parties are involved in the certification scheme:
   - Accreditation bodies are organizations responsible for the assessment and accreditation of certification bodies
   - Management system certification bodies are organizations which perform audits on their clients’ management systems and grant certifications
   - Personnel certification bodies are organizations which certify individuals (not only auditors but also trainers, implementers, etc.)
   - Auditees are organizations whose management system is subject to audit

Important note: The accreditation and certification activities are not performed by ISO but by specialized and independent accreditation and certification bodies. The mission of ISO is to develop international standards, not to verify whether ISO standards are implemented in accordance with the requirements defined in those standards.


ISO/IEC 17011 provides general requirements for accreditation bodies in assessing and accrediting certification bodies. Compliance with the requirements of ISO/IEC 17011 demonstrates that an accreditation body is competent and reliable in offering accreditation services.

Commonly, there is only one accreditation authority in each country. However, in the United States, there are several accreditation bodies: IAS and ANAB. The International Accreditation Service (IAS) accredits certification programs for persons, products, and management systems according to ISO/IEC 17024, ISO/IEC 17065, and ISO/IEC 17021-1. The ANSI National Accreditation Board (ANAB) supervises the certification bodies accredited against ISO/IEC 17021-1.

Accreditation authority groups:
   - European co-operation for Accreditation (EA) is the European network of accreditation organizations based in Europe. The members include UKAS, COFRAC, BNAC, ENAC, etc. Source: https://european-accreditation.org
   - International Accreditation Forum (IAF) is the international association of accreditation organizations for management systems, products, services, individuals, and other programs. The objective of IAF is to ensure that the member organizations only certify competent organizations and to establish agreements of mutual recognition among its members. Source: https://www.iaf.nu


The following is a list of accreditation authorities for several countries (see the complete list on the IAF website: www.iaf.nu):
   - Argentina: Organismo Argentino de Acreditación (OAA), https://www.oaa.org.ar
   - Australia and New Zealand: Joint Accreditation System of Australia and New Zealand (JAS-ANZ), https://www.jas-anz.org/
   - Austria: Federal Ministry for Digital and Economic Affairs (BMDW), https://www.bmdw.gv.at
   - Belgium: Belgian Accreditation Body (BELAC), https://economie.fgov.be/belac
   - Brazil: General Coordination for Accreditation (CGCRE), https://www.gov.br/inmetro/pt-br
   - Canada: Standards Council of Canada (SCC), https://www.scc.ca/
   - Chile: Instituto Nacional de Normalización (INN), https://www.inn.cl/
   - China: China National Accreditation Service for Conformity Assessment (CNAS), http://www.cnas.org.cn
   - Egypt: Egyptian Accreditation Council (EGAC), https://www.egac.gov.eg/
   - Finland: Finnish Accreditation Service (FINAS), https://www.finas.fi/Sivut/default.aspx
   - France: Comité Français d’Accréditation (COFRAC), https://www.cofrac.fr/
   - Germany: Deutsche Akkreditierungsstelle GmbH (DAkkS), https://www.dakks.de/en/home-en.html
   - Hong Kong, China: Hong Kong Accreditation Service (HKAS), https://www.itc.gov.hk
   - India: National Accreditation Board for Certification Bodies (NABCB), http://nabcb.qci.org.in/
   - Iran: National Accreditation Center of Iran (NACI), http://isiri.gov.ir/en
   - Ireland: Irish National Accreditation Board (INAB), https://www.inab.ie/


   - Japan: International Accreditation Japan (IAJapan), https://www.nite.go.jp/en/iajapan/
   - Korea: Korea Accreditation System (KAS), http://web.kats.go.kr/kas/english/
   - Malaysia: Standards Malaysia (DSM), https://www.jsm.gov.my/
   - Mexico: Entidad Mexicana de Acreditación (EMA), https://www.ema.org.mx/portal_v3/
   - Netherlands: Dutch Accreditation Council (Raad Voor Accreditatie) (RvA), https://www.rva.nl/
   - Norway: Norwegian Accreditation (NA), https://www.akkreditert.no//
   - Pakistan: Pakistan National Accreditation Council (PNAC), http://www.pnac.org.pk
   - Philippines: Philippine Accreditation Office (PAB), https://www.dti.gov.ph/pab/
   - Portugal: Instituto Português de Acreditação (IPAC), http://www.ipac.pt
   - Romania: Romanian Accreditation Association (RENAR), https://www.renar.ro/
   - Russian Federation: Scientific Technical Center on Industrial Safety (STC-IS), http://www.oaontc.ru
   - Singapore: Singapore Accreditation Council (SAC), https://www.sac-accreditation.gov.sg/
   - Slovenia: Slovenska Akreditacija (SA), https://www.slo-akreditacija.si/
   - South Africa: South African National Accreditation System (SANAS), https://www.sanas.co.za
   - Spain: Entidad Nacional de Acreditación (ENAC), https://www.enac.es/
   - Sweden: Swedish Board for Accreditation and Conformity Assessment (SWEDAC), https://www.swedac.se
   - Switzerland: Swiss Accreditation Service (SAS), https://www.sas.admin.ch/sas/de/home.html
   - Thailand: National Standardization Council of Thailand (NSC), https://www.tisi.go.th/
   - Tunisia: Tunisian Accreditation Council (TUNAC), http://www.tunac.tn
   - Turkey: Turkish Accreditation Agency (TURKAK), https://www.turkak.org.tr/
   - United Arab Emirates: Emirates International Accreditation Center (EIAC), https://eiac.gov.ae/
   - United Kingdom: United Kingdom Accreditation Service (UKAS), https://www.ukas.com/
   - United States: ANSI-ASQ National Accreditation Board (ANAB), https://anab.ansi.org/
   - United States: International Accreditation Service (IAS), https://www.iasonline.org/
   - Uruguay: Organismo Uruguayo de Acreditación (OUA), https://www.organismouruguayodeacreditacion.org
   - Vietnam: Bureau of Accreditation (BoA), http://www.boa.gov.vn/en

NOTE: The URLs that begin with “HTTP” use the basic hypertext transfer protocol, which carries data unencrypted and is therefore not secure in terms of information security. The URLs that begin with “HTTPS” use a standard security technology that establishes an encrypted connection, which is much more secure.


ISO/IEC 17021-1, Introduction
Certification of a management system provides independent demonstration that the management system of the organization:
a. conforms to specified requirements;
b. is capable of consistently achieving its stated policy and objectives;
c. is effectively implemented.

ISO/IEC 17024, Introduction
This International Standard has been developed with the objective of achieving and promoting a globally accepted benchmark for organizations operating certification of persons. Certification for persons is one means of providing assurance that the certified person meets the requirements of the certification scheme. In either case, this International Standard can serve as the basis for the recognition of the certification bodies for persons and the certification schemes under which persons are certified, in order to facilitate their acceptance at the national and international levels.

ISO/IEC 17065, Introduction
The overall aim of certifying products, processes or services is to give confidence to all interested parties that a product, process or service fulfils specified requirements. Parties that have an interest in certification include, but are not limited to:
a. the clients of the certification bodies;
b. the customers of the organizations whose products, processes or services are certified;
c. governmental authorities;
d. non-governmental organizations; and
e. consumers and other members of the public.


Apart from the aforementioned requirements, ISO/IEC 17021-1 acknowledges the fact that varying competences are needed for auditing different management systems. This acknowledgement is reflected in the fact that ISO has developed a series of parts of the main ISO/IEC 17021 standard that deal with auditor competence for different types of management systems. The following standards specify competence requirements for auditing and certification in the following areas:
   - ISO/IEC 17021-2: Environmental management systems
   - ISO/IEC 17021-3: Quality management systems
   - ISO/IEC TS 17021-4: Event sustainability management systems
   - ISO/IEC TS 17021-5: Asset management systems
   - ISO/IEC TS 17021-6: Business continuity management systems
   - ISO/IEC TS 17021-7: Road traffic safety management systems
   - ISO/IEC TS 17021-8: Management systems for sustainable development in communities
   - ISO/IEC TS 17021-9: Anti-bribery management systems
   - ISO/IEC TS 17021-10: Occupational health and safety management systems
   - ISO/IEC TS 17021-11: Facility management systems
   - ISO/IEC TS 17021-12: Collaborative business relationship management systems


1. When does the surveillance audit take place?
   A. After conducting stage 2 audit
   B. After conducting the audit follow-up
   C. After obtaining certification

2. ISO performs accreditation and certification activities.
   A. True
   B. False

3. Which of the statements holds true?
   A. Certification bodies are accredited by accreditation bodies
   B. Certification bodies are certified by accreditation bodies
   C. Certification bodies are hired by accreditation bodies

4. A third party that performs the assessment of conformity of management systems is:
   A. An international standard
   B. An accreditation body
   C. A certification body

5. Your Market is a market research company which helps its customers determine which products and services are in demand. The company is currently evaluating the effectiveness of its information security controls through an ISMS audit. What is Your Market in this case?
   A. An accreditation body
   B. A certification body
   C. An auditee




This section provides information that will help the participant gain knowledge on the fundamental principles and concepts of information security, such as confidentiality, integrity, availability, vulnerability, threat, impact, information security risk, and controls.


ISO/IEC 27000, clause 3.35 Information system
Set of applications, services, information technology assets, or other information-handling components

ISO/IEC 27001, Annex A controls 5.9 to 5.11 specify the information security controls linked to asset management.

ISO/IEC 27001, Annex A 5.9 Inventory of information and other associated assets
An inventory of information and other associated assets, including owners, shall be developed and maintained.

ISO/IEC 27001, Annex A 5.10 Acceptable use of information and other associated assets
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

ISO/IEC 27001, Annex A 5.11 Return of assets
Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.


ISO 9000, clause 3.8.5 Document (cont’d)
EXAMPLE Record, specification, procedure document, drawing, report, standard.
Note 1 to entry: The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or combination thereof.
Note 2 to entry: A set of documents, for example specifications and records, is frequently called “documentation”.

It is important to be able to differentiate between documents and records. In dictionaries, a record is a type of document, but in ISO terminology, these are distinct concepts. A record is the output of a process or control. As an example:
1. An audit procedure is a document. The implementation of this procedure (i.e., the performance of an audit) generates an audit report, and these audit reports become records.
2. A documented process for management reviews is a document. This process generates records, such as management review minutes.
3. A documented procedure for continual improvement is a document. A filled corrective action form is a record.


ISO/IEC 27001 applies to the protection of information, regardless of its type and form, be it numeric, paper, electronic, or verbal communication.

ISO/IEC 27002, clause 0.2 Information security requirements
It is essential that an organization determines its information security requirements. There are three main sources of information security requirements:
a. the assessment of risks to the organization, taking into account the organization’s overall business strategy and objectives. This can be facilitated or supported through an information security specific risk assessment. This should result in the determination of the controls necessary to ensure that the residual risk to the organization meets its risk acceptance criteria;
b. the legal, statutory, regulatory and contractual requirements that an organization and its interested parties (trading partners, service providers, etc.) have to comply with and their sociocultural environment;
c. the set of principles, objectives and business requirements for all the steps of the life cycle of information that an organization has developed to support its operations.

