Internal Audit Report

Project Name:
Date of Submission:
Created By:
Version Number: 1.0
Confidentiality Level: Confidential
Customer Name:

1 Introduction

1.1 General

1. Information management is an essential part of good IT governance, which in turn is a cornerstone of corporate governance. An integral part of IT governance is information security, in particular as it pertains to sensitive information and other critical assets.
2. Information and information systems are extremely valuable and important assets that require protection against risks that would threaten their confidentiality, integrity and/or availability. Suitable information security controls must therefore be selected and implemented.
3. performed an Internal Audit to measure the maturity level of the existing Information Security Management System (ISMS) implementation and of the relevant security controls required by ISO 27001 (Information Security) within the company.
4. This report details the results of the Internal Audit, which assessed the current level of compliance with ISO 27001 (Information Security).
5. The review was carried out through discussions with key employees, by validating the existence of working processes and documented procedures, and by using the TITANS SECURITY methodology, designed and built to help identify gaps and concerns in ISO 27001 compliance arrangements.

1.2 ISO 27001 Standard Overview

1. ISO 27001 is the formal international security standard against which organizations may seek independent certification of their information security management system (ISMS). It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS.

2. The ISO 27001 standard contains two main parts:

2.1 ISMS Activities;

2.2 Annex A - Controls;

3. The ISMS main activities include:

3.1 Internal Audits;

3.2 Management Review;

3.3 Risk Assessment and Risk Treatment Plan (RTP);

3.4 Documents and Records Controls;

3.5 Management Commitment (resources and responsibilities);

3.6 Corrective Actions;

3.7 Statement of Applicability (SOA);

4. Annex A comprises 14 chapters covering 114 controls and 35 control objectives, as follows:

4.1 Information Security Policies;

4.2 Organization of Information Security;

4.3 Human Resource Security;

4.4 Asset Management;

4.5 Access Control;

4.6 Cryptography;

4.7 Physical and Environmental Security;

4.8 Operations Security;

4.9 Communications Security;

4.10 System Acquisition, Development and Maintenance;

4.11 Supplier Relationships;

4.12 Information Security Incident Management;

4.13 Information Security Aspects of Business Continuity Management;

4.14 Compliance;

2 Internal Audit Plan

2.1 Internal Audit Objectives

1. The internal audit was designed to assess and determine the current level of compliance with the ISO 27001:2013 standard requirements within .
2. The internal audit was also intended to estimate the effort required for both maintenance of and improvement against the ISO 27001 standard.

2.2 Internal Audit Process

1. Review of internal documentation (Policies, Procedures, Standards, Baselines, Records, etc.);
2. Review of existing security controls;
3. Interviews with key principals or relevant employees to validate the adequacy of the ISMS implementation and management within ;
4. Assessment of gaps against the system requirements and control objectives;
5. Completion of Corrective Action Forms/Reports and follow-up to validate closure.

2.3 Internal Audit Frequency

1. The Internal Audit at is scheduled for once a year.
2. This Internal Audit has been performed between and .
3. The next Internal Audit is scheduled for .

2.4 Criteria For Audit

1. The audit was performed against the ISO 27001/2 standard requirements (for Information Security);
2. Regulatory and legal requirements (as applicable for );
3. The Risk Assessment and Risk Management process.

2.5 Internal Audit Responsibility

1. The CISO is in charge of supervising the Internal Audits (including the mitigation of all Non-Conformities).
2. The Internal Audit is performed by either the Security Team or a third party (to provide objectivity for the testing plan).

2.6 Internal Audit Scope For

1. The audit scope was based on the activities of .
2. This compliance assessment (Internal Audit) evaluated most of the requirements of the standard against the ISMS scope (as defined in the section below); these requirements are designed to achieve the 35 objectives of the standard within its 14 key areas, as applicable.

3. The detailed findings of the Internal Audit work undertaken are provided within this document, which shows that the work covered the following 14 key areas of the ISO 27001 standard:

3.1 Information Security Policies;

3.1.1 Audit Area: Policies Implementation and Enforcement.

3.2 Organization of Information Security;

3.2.1 Audit Area: Involvement of Security in Project Management; Mobile Device Policy, Teleworking Policy.

3.3 Human Resource Security;

3.3.1 Audit Area: Screening Process; Training and Awareness, Termination and Change of Employment.

3.4 Asset Management;

3.4.1 Audit Area: Return of Assets, Data Classification process, Disposal of media process.

3.5 Access Control;

3.5.1 Audit Area: User Registration, Access Provisioning, Access Removal, Periodical Access Rights Review.

3.6 Cryptography;

3.6.1 Audit Area: The use of encryption within PT.

3.7 Physical and Environmental Security;

3.7.1 Audit Area: Clear Desk and Clear Screen.

3.8 Operations Security;

3.8.1 Audit Area: Change Management, Backup and Restore, Hardening and Configuration Management, Vulnerability Assessment and Management; Capacity Management; Logging and Monitoring.

3.9 Communications Security;

3.9.1 Audit Area: Network Security Controls.

3.10 Systems Acquisition, Development and Maintenance;

3.10.1 Audit Area: SDLC Framework, Security Guidelines, Developers Competence (training), and Change Management.

3.11 Supplier Relationships;

3.11.1 Audit Area: 3rd Party Risk Analysis.

3.12 Information Security Incident Management;

3.12.1 Audit Area: Incident Management, SIEM implementation.

3.13 Information Security Aspects of Business Continuity Management;

3.13.1 Audit Area: DRP, Drill/Testing.

3.14 Compliance;

3.14.1 Audit Area: Configuration Management, Compliance to Company Policies.

2.7 Limitations

1. The Internal Audit process was based on interviews with the key principals and on the review of the existing documents/records provided by the company.
2. The Internal Audit process did not assess the effectiveness of the existing controls, including whether all existing documentation (policies, procedures, standards, etc.) has actually been implemented.

Findings Table

Topic | Finding | Remediation Plan