ISO 27002 Checklist

ISO/IEC 27002 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security controls. The 2005 edition lists 133 controls divided over 11 chapters.

Several people have asked for an IT Audit Program Template for an audit based on the ISO/IEC 27002:2005(E) security standard. This template, which can be found here

[download]

will help you in your assessment of an organization’s information security program for CobiT Maturity Level 4.

CobiT Maturity Level 4, Managed and Measurable, describes the status of the Internal Control Environment as follows: “There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.”

For the Establishment of Internal Controls, CobiT Maturity Level 4 states: “IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.”

As an example, one of the questions in the section on “Allocation of information security responsibilities” is written as follows:

Are the assets and security processes associated with each particular system identified and clearly defined?

While this is a straightforward “yes” or “no” question, to answer it the IT auditor would need to examine the organization’s Business Impact Analysis and verify that the assets and security processes were indeed identified and clearly defined.

You will also notice that I have cross-referenced each of the steps to the appropriate sections within CobiT.

I hope the template ISO27002 Security Framework will be of assistance to you.

Kenneth