Thursday, August 7, 2008

(ISO) Using the ISO/IEC 17799 and ISO/IEC 27001 Standards as an Audit Checklist for IT Auditors

Course Introduction

Auditing is crucial to the success of any management system, and it therefore carries heavy responsibilities, tough challenges and complex problems. This three-day course gives delegates the knowledge they need of ISO/IEC 27001 and trains them to audit an ISMS against the standard's requirements. It also equips them to give practical help and information to those who are working towards compliance and certification. Effective auditing is the only way to ensure that the measures you put in place to protect your organization and your customers are properly managed and achieve the desired result.

Recent high-profile information security breaches, and the value of the information involved, highlight the ever-increasing need for organizations to protect their information.

The objective and the result of the course is the construction of an effective ISMS under expert tutelage and guidance. Take the knowledge and skills imparted during this exercise and use them to improve and protect your business.

Course Objectives

The objective of this course is to provide delegates with the skills needed to implement an ISMS that complies with the requirements of ISO/IEC 27001. The course uses a dynamic methodology that gives delegates a framework for implementation.

Course Prerequisite

The course is designed for people who have a basic knowledge of information security management systems (ISMS) and of the ISO/IEC 27001 international standard.

Target Group

Those wishing to implement a formal Information Security Management System (ISMS) in accordance with ISO/IEC 27001.
Existing security auditors who wish to expand their auditing skills.
Consultants who wish to provide advice on ISO/IEC 27001 certification.
IT and Quality Professionals.
Staff tasked with the implementation and management of an ISO/IEC 27001 information security management system.
Information security consultants.

Learning Level

Intermediate

Course Duration

3 Days


Course Outline
Thai laws relevant to ISO/IEC 27001
ISO/IEC 27001 – Information Security Management Systems requirements
ISO/IEC 27002 – Code of practice for information security management
Security Policy
Organization of information security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
How to develop a gap analysis questionnaire for assessing the standard's requirements
What a Statement of Applicability (SoA) is
Understanding audit terminology
Understanding the certification process
Understanding the audit life cycle
Demonstration of how to use a checklist and gap analysis
Real World Practices: ISO/IEC 27001 Gap Analysis Workshop
Real World Practices: How to develop Acceptable Use Policy (AUP)
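The outline above lists gap analysis, the audit checklist and the Statement of Applicability without showing what an auditor actually produces from them. The following is an added example, not course material or anything from the standard itself: it reads a control checklist in the shape an auditor would fill in during a gap analysis (control identifier, control clause, applicable or not, implementation status, justification), computes implementation coverage per clause, lists the applicable-but-unimplemented controls that become findings, and flags SoA rows with no justification. Control identifiers follow the Annex A numbering of ISO/IEC 27001:2005 for the clauses named in the outline; the statuses, justifications and the `CHECKLIST_CSV` sample are constructed for illustration, and the function names are this example's own.

```python
"""Gap-analysis checklist and Statement of Applicability (SoA) consistency check.

Added example (not from the course or the standard). ISO/IEC 27001:2005 clause
4.2.1 j) requires the SoA to record the controls selected, the reasons for
selecting them, and the justification for every exclusion, so a missing
justification is itself an audit finding, whether the control is in or out.
"""
import csv
import io
from collections import OrderedDict

# Constructed sample checklist (assumption: this is the format the auditor fills in).
# Columns: control id, clause (domain), applicable in scope, status, justification.
CHECKLIST_CSV = """control,domain,applicable,status,justification
A.5.1.1,Security Policy,yes,implemented,Policy approved by management in May
A.6.1.3,Organization of information security,yes,partial,Responsibilities defined for IT staff only
A.7.1.1,Asset Management,yes,not implemented,
A.8.3.3,Human Resources Security,yes,implemented,Access removed through HR leaver process
A.9.1.1,Physical and Environmental Security,yes,implemented,Badge-controlled server room
A.10.4.1,Communications and Operations Management,yes,planned,Anti-malware rollout scheduled
A.11.2.1,Access Control,yes,partial,Registration done by e-mail without approval records
A.11.5.1,Access Control,yes,implemented,Logon banner on all domain hosts
"A.12.3.1","Information Systems Acquisition, Development and Maintenance",no,,
A.13.1.1,Information Security Incident Management,yes,partial,Helpdesk logs events but has no escalation path
A.14.1.1,Business Continuity Management,yes,not implemented,
"""

VALID_STATUS = {"implemented", "partial", "planned", "not implemented"}


def parse_checklist(text):
    """Parse the CSV checklist into normalised rows; excluded controls get status 'excluded'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        applicable = rec["applicable"].strip().lower() == "yes"
        status = rec["status"].strip().lower()
        if applicable and status not in VALID_STATUS:
            raise ValueError(f"{rec['control']}: unknown status {status!r}")
        rows.append({
            "control": rec["control"].strip(),
            "domain": rec["domain"].strip(),
            "applicable": applicable,
            "status": status if applicable else "excluded",
            "justification": rec["justification"].strip(),
        })
    return rows


def domain_coverage(rows):
    """Per clause: (applicable controls, fully implemented controls, percent implemented).

    Percent is None for a clause with no applicable controls (all excluded)."""
    counts = OrderedDict()
    for r in rows:
        applicable, implemented = counts.get(r["domain"], (0, 0))
        if r["applicable"]:
            applicable += 1
            if r["status"] == "implemented":
                implemented += 1
        counts[r["domain"]] = (applicable, implemented)
    return {
        d: (a, i, round(100.0 * i / a, 1) if a else None)
        for d, (a, i) in counts.items()
    }


def find_gaps(rows):
    """Applicable controls that are not fully implemented: the gap-analysis findings."""
    return {r["control"]: r["status"]
            for r in rows if r["applicable"] and r["status"] != "implemented"}


def soa_issues(rows):
    """Controls whose SoA entry has no justification (selected or excluded alike)."""
    return [r["control"] for r in rows if not r["justification"]]


def build_soa(rows):
    """Render one SoA line per control, marking missing justifications."""
    lines = []
    for r in rows:
        selected = "Yes" if r["applicable"] else "No"
        just = r["justification"] or "(MISSING)"
        lines.append(f"{r['control']:<9} selected={selected:<3} "
                     f"status={r['status']:<15} justification={just}")
    return lines


if __name__ == "__main__":
    rows = parse_checklist(CHECKLIST_CSV)
    for domain, (a, i, pct) in domain_coverage(rows).items():
        print(f"{domain:<60} {i}/{a} implemented ({pct}%)")
    print("Gaps:", find_gaps(rows))
    print("SoA entries lacking justification:", soa_issues(rows))
    print("\n".join(build_soa(rows)))
```

Run as a script to see the coverage table, the findings and the SoA; in practice the CSV would be exported from the audit workbook rather than embedded. The `soa_issues` check is the one auditors most often miss: a control marked "not applicable" with an empty justification column is a nonconformity against clause 4.2.1 j), not a neutral exclusion.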

Date: November 30, 2006
Location: Metro Toronto Convention Centre, North Building, Meeting Room 202 A and B
Description: Speakers will be discussing the role of standards in the Health, Retail and Tourism industries.

Agenda:

8:00 TO 8:45
Conference Registration and Continental Breakfast

8:45 TO 8:55
Conference Opening Note
MR. PREDRAG ZIVIC, ISO17799-27001 USER GROUP CHAIR CSO & CTO SCIENTON

8:55 TO 9:15
Introductory presentation: Identity abuse, privacy and security
DR GORDON ATHERLEY, PRINCIPAL, GREYHEAD ASSOCIATES. CONFERENCE CHAIR

9:15 TO 10:00
Cobit and ISO17799-ISO27001 Myths & Secrets
MR. ANTON AYLWARD, INTEGRITY INC.

10:00 TO 10:15
Coffee Break, Networking and Phone Calls

10:15 TO 11:00
PHIPA Implications and the Use of ISO17799-ISO27001 Safeguards
MR. BOBBY SINGH, SENIOR DIRECTOR SMART SYSTEMS FOR HEALTH AGENCY (SSHA)

11:00 TO 11:45
Security Convergence: Physical and Digital Security Protect LCBO Infrastructure
MR. CHARLIE MACMILLAN, MANAGER SECURITY INFRASTRUCTURE, LCBO

11:45 TO 13:00
Lunch

13:00 TO 13:45
SSE-CMM, ISO17799, ISO27001 Mappings and Misconceptions
MR. PREDRAG ZIVIC, COO, SCIENTON TECHNOLOGIES INC.

13:45 TO 14:30
The ISO Standards: The Hospital Perspective
JEFF CURTIS, CLINICAL ANALYST, SUNNYBROOK HEALTH SCIENCES CENTRE

14:30 TO 14:45
Coffee Break

14:45 TO 15:30
Aligning ISO17799/ISO27001 with Regulatory Compliance
SAM RAMPADO and MARC MACKINNON , DELOITTE CONSULTING

15:30 TO 16:15
Wrap-Up & Tutorial Summary
DR GORDON ATHERLEY, PRINCIPAL, GREYHEAD ASSOCIATES, CONFERENCE CHAIR

Registration Fee: Register by November 20th and save on your registration fee: $300.00 + 6% GST ($318.00). All registrations after November 20th are $350.00 + 6% GST ($371.00).

Registration was accepted by fax form or online.


The conference attendees will earn 7 (seven) CPEs

Cancellations: Cancellations must be received in writing by November 16th. You will be eligible for a prompt refund less a $50.00 administrative fee. If you are unable to attend, delegate substitution is permitted up to, and including, the day of the conference.



Speakers' Bios:

Anton Aylward was pioneering security long before information was recognized as an asset by regulatory requirements. This has given him a perspective, developed over 20 years, on the psychological (sociological? cultural?) transitions necessary within organizations to make security an effective and integral element of business procedures and policies. It has also given him the experiential knowledge to provide the contextual insight necessary to make sense of the regulatory frameworks, the business drivers, the product vendors, and how they inter-relate in the security landscape today. He graduated in Electronics from the University of Kent, with subsequent management training from Marconi Electronics. His professional designations include the CISSP and CISA certifications. He has done extensive work implementing COBIT and other leading information security frameworks in organizations including Bank of Montreal, Rogers, Government of Ontario, McDonald's Canada, ING Direct and others.

Mr. Bobby Singh has 12+ years of experience in IT security, with extensive experience in risk management, business operations, public relations, consulting and auditing. As Director of Information Security for the Smart Systems for Health Agency, Mr. Singh's role involves ensuring that security is built in both at the enterprise level and into SSHA product and service offerings. He provides leadership in the development and promotion of security standards and practices within the Agency, and in the establishment and maintenance of security standards and practices that enhance credibility and engender trust. He has extensive experience developing and implementing security programs for public and private sector organizations. Prior to joining SSHA, Mr. Singh held positions at Bank of America and Deloitte, where he focused on delivering security services to clients and developing the security practice. Mr. Singh received his MBA from the University of Pittsburgh and holds the CISSP, CISM, CISA and CPA designations.

Gordon Atherley is Principal of Greyhead Associates, which provides research and related services on difficult and sensitive topics in healthcare IT. He holds the UK equivalents of the Canadian MD and PhD degrees, and an LLD (hc) from Canada's Simon Fraser University.

Mr. Predrag Zivic, with over 19 years of information technology experience, is in charge of defining the strategy of Scienton's development and services. His vision enabled Scienton to work closely with its clients to implement information risk, operational risk and security management solutions using the Information Security Model, Risk Cube and Trust Model Router. As the management and technical leader for the Scienton, GE Capital and Platinum Technologies groups, Mr. Zivic provided growth and leading risk and security solutions to Fortune 1000 clients.
In an effort to learn and contribute, Mr. Zivic holds the CISSP, CISM and CISA designations, was one of the first 100 ISO 17799/BS 7799 certified practitioners in the world, and has written papers on risk and security metrics and management.

Price Includes

Computer, 1 set per person
CD-ROM, 1 disk (if provided)
Master Text Book
Class Material 1 set/person
Lunch / Morning & Afternoon Coffee Break


Instructor

CISSP, SSCP, CISA, CISM, SANS GIAC GCFW, CompTIA Security+, CCSA 2000,
CCNA, MCSE, MCDBA, MCP+Internet, Master CNE, CNI, CNA, ITIL,
(ISC)2 Asian Advisory Board Member, ISACA Bangkok Chapter Board Member
President & Founder, ACIS Professional Center


Why do we need an international standard on information security management?
To implement information security controls that meet an organization's own requirements, as well as a set of controls for business relationships with other organizations. The most effective way to do this is to have a common standard of best practice for information security management, such as BS ISO/IEC 17799:2005. Organizations can then benefit from common best practice at a truly international level, ensuring that they can protect their business processes and activities to satisfy business needs.

Does BS ISO/IEC 17799 contain requirements specific to the UK legal system?
No. The first version of BS 7799, published in 1995, did make reference to a number of UK legislative requirements; recent revisions, however, no longer contain these references, as the text has been made more general to suit an international readership.

BS ISO/IEC 17799:2005 is consistent with the OECD (Organisation for Economic Co-operation and Development) guidelines on privacy, information security and cryptography. The best-practice controls in BS ISO/IEC 17799:2005 are described in a way that can be implemented in a variety of legal and cultural environments. For example, BS ISO/IEC 17799 does not prescribe particular solutions for protecting intellectual property or personal data privacy. It does, however, specify the security objectives that need to be achieved whatever the implementation circumstances.

Does BS ISO/IEC 17799:2005 imply mandatory international certification?
No, it does NOT imply a mandatory international certification scheme. As organizations interconnect electronically there is a clear benefit in having a common framework for information security management. The standard can help build trust between trading partners and provides a common benchmark for assessing an organization's information security management system (ISMS).

Those organizations that require their management system to be certified should use BS ISO/IEC 27001:2005 (BS 7799-2:2005). Going for certification is a business decision and not something based on or mandated by an international standard.

Doesn't GMITS overlap with BS ISO/IEC 17799:2005?
There is NO overlap between GMITS (ISO/IEC TR 13335, Guidelines for the Management of IT Security) and BS ISO/IEC 17799:2005; the two documents are complementary. GMITS provides a framework for thinking about managing IT security, whereas BS ISO/IEC 17799:2005 specifies a set of controls to implement the ideas given in GMITS. GMITS discusses high-level concepts of IT security management, whereas BS ISO/IEC 17799:2005 specifies a comprehensive range of controls for the development of an information security management system.

GMITS also introduces general requirements and techniques for risk analysis and management. BS ISO/IEC 17799:2005 applies these techniques to select the controls most appropriate for the business needs. In fact the process defined in parts of GMITS requires that suitable controls be selected and suggests seeking specific controls from standards such as BS ISO/IEC 17799:2005. This illustrates the important complementary relationship between GMITS and BS ISO/IEC 17799:2005.

How does the Common Criteria relate to BS ISO/IEC 17799:2005?
The scope and purpose of the Common Criteria (CC) and of BS ISO/IEC 17799:2005 neither conflict with nor contradict each other. BS ISO/IEC 17799:2005 specifies controls that can be used to establish an information security management system. Some of these controls may be implemented using evaluated products. The CC addresses the evaluation of security products and of systems made up of products.

Therefore organizations using BS ISO/IEC 17799:2005 might well choose to use a control based on a firewall that has been evaluated against the CC as a means of increasing assurance that the firewall control will really work as claimed. Thus BS ISO/IEC 17799:2005 and the CC are complementary and do not overlap.

Is BS ISO/IEC 17799:2005 technology independent?
YES, it is technology independent. BS ISO/IEC 17799:2005 concentrates on the management aspects of information security, defining the controls in enough detail to make them applicable across many different applications, systems and technology platforms without losing any of the benefits provided by standardization.

Does BS ISO/IEC 17799:2005 imply the need to use UK standards and methods for risk assessment?
Although BS ISO/IEC 17799:2005 takes a risk-based approach to establishing effective information security, it does not imply or mandate any UK standards or methods for risk assessment or risk management. Risk assessment is now also covered in BS ISO/IEC 27001:2005 (BS 7799-2:2005).

What does accredited mean?
In the UK, the United Kingdom Accreditation Service (UKAS) operates under a Memorandum of Understanding with the Department of Trade and Industry. UKAS accredits the competence of certification bodies to perform services in the areas of product and management system approval.
Similar organizations exist in other countries, with responsibility for accreditation within their own national boundaries. You should always look for an accredited certification body when seeking ISO/IEC 27001:2005 certification for your organization, or when reviewing another organization's claims, so that you can be certain the certificate can be relied upon.

What is BS ISO/IEC 27001:2005 (BS 7799-2:2005)?
This new international standard specifies requirements for establishing, implementing and documenting information security management systems (ISMS). It specifies security controls to be implemented by an organization following a risk assessment that identifies the control objectives and controls most appropriate to its own needs. The standard forms the basis for assessing the ISMS of the whole or part of an organization, and is the basis for ISO/IEC 27001:2005 certification.

How long does a certificate last?
A certificate will normally be valid for three years, subject to satisfactory maintenance of the system, which will be checked during surveillance visits at least annually. Thereafter, certificates will typically be renewed for a further three years.

