
Doc 36 Issue: 1

Document 36 Information Security Management Systems

Scheme Document

ISMS Scheme Document

Doc 36 / 2 Page 1 of 22

Table of Contents

1 Introduction .................................................................................... 2

2 Definitions ...................................................................................... 2

3 Related External Standard Documents .......................................... 3

4 Conflicts of Interest ........................................................................ 4

5 Governing Board Representation ................................................... 4

6 Competence Requirements ........................................................... 5
6.1 Auditor Competence .............................................................. 5
6.2 Audit Team Selection ............................................................ 6
6.3 Auditor Grade Requirements ...................................................... 7
6.4 On-Going Evaluation / Monitoring of Auditor Competence .......................... 8
6.5 Specific Role Competence ........................................................ 8
6.5.1 Lead Auditor .................................................................. 8
6.5.2 Auditors ...................................................................... 8
6.5.3 Certification Officer ......................................................... 8

7 Assessment and Certification Process ........................................... 9
7.1 ISMS General Process Flow ...................................................... 10
7.2 Contract Review and Issue of Quote ............................................. 11
7.3 Determination of Complexity .................................................... 13
7.4 Sector Specific Categories of Information Security Risk ........................ 15

8 ISMS Assessment Process .......................................................... 15
8.1 Initial Audit Preparations ..................................................... 16
8.2 Stage 1 Assessment ............................................................. 17
8.3 Stage 2 Assessment ............................................................. 17
8.4 Surveillance Assessments ....................................................... 18
8.5 Reassessments .................................................................. 19
8.6 Special Audits ................................................................. 19

9 Certification Decision/Review ....................................................... 19

10 Combined/Integrated Assessments ............................................. 19

11 Multiple Sites ............................................................................... 20

12 Complaints ................................................................................... 20

13 Control of Certification Marks ....................................... 21
Audit Plans ....................................................................

15 Document Revision History .......................................................... 21


1 Introduction This document gives an overview of the assessment and certification arrangements of IMS International for ISO 27006 accreditation, and makes reference to associated procedures and documents. The Quality System of IMS International has been developed to meet the requirements of ISO 17021, and is described in the Quality Manual (Doc 01). This document complements the Quality Manual by addressing the additional requirements specific to the assessment and certification of Information Security Management Systems. In order to provide certification services to ISO 27001, IMS are accredited to ISO 27006; this document has incorporated those specific requirements.

2 Definitions

Certificate: certification issued by IMS in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement.

Certification Body: third party that assesses and certifies the ISMS of a client organisation with respect to published ISMS standards and any supplementary documentation required under the system.

Certification Document: document indicating that a client organisation's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system.

Control: means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of an administrative, technical, management or legal nature. (Control is also used as a synonym for safeguard or countermeasure.)

Control Objective: statement describing what is to be achieved as a result of implementing controls.

Information Security: preservation of confidentiality, integrity and availability of information.

Mark: legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated, or that relevant products or individuals conform to the requirements of a specified standard.

Organisation: company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised.

Statement of Applicability: documented statement describing the control objectives and controls that are relevant and applicable to the organisation's ISMS.

Risk: combination of the probability of an event and its consequence.


3 Related External Standard Documents

ISO/IEC 27000    Overview and vocabulary
ISO/IEC 27001    Information security management systems – Requirements
ISO/IEC 27002    Code of practice for information security management
ISO/IEC 27003    Information security management system implementation guidance
ISO/IEC 27004    Information security management – Measurement
ISO/IEC 27005    Information security risk management
ISO/IEC 27006    Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007    Guidelines for information security management systems auditing
ISO/IEC 27008    Guidelines for auditors on information security controls
ISO/IEC 27010    Guidelines for inter-sector communications
ISO/IEC 27011    Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27031    ICT readiness for business continuity
ISO/IEC 27032    Guidelines for cybersecurity
ISO/IEC 27033-1  Guidelines for network security (NS)
ISO/IEC 27033-2  Guidelines for design and implementation of NS


ISO/IEC 27033-3  Reference networking scenarios
ISO/IEC 27034-1  Guidelines for application security
ISO/IEC 27035    Information security incident management
ISO/IEC 27799    Information security management in health using ISO/IEC 27002

4 Conflicts of Interest IMS International does not provide consultancy services and does not have any direct links to any consultancy body. Within the ISO 27006 (ISMS) scheme, IMS is permitted to be involved with certain activities without them being considered as consultancy or as a potential conflict of interest. These activities include:

Planning and being present at information meetings, examination of documents, auditing and follow up of non-conformities

Arranging and participating as a lecturer in training courses, provided that, where the courses relate to information security management, related management systems or auditing, IMS' involvement does not provide client-specific information and remains generic in content that is freely available in the public domain.

Publishing on request, information describing our interpretation of the requirements

Activities prior to the audit solely aimed at determining readiness for the certification audit (sometimes known as a gap analysis). These activities shall not result in any certification recommendations or advice that would threaten impartiality, and shall not be used as justification to reduce the eventual certification audit duration.

Performing second and third party audits to standards or regulations which are not part of the scope of accreditation.

Identifying and making recommendations for improvement as long as they are not specific

Should any of these activities be performed by any person involved within the ISMS scheme or specific client organisation, these shall be declared within the Auditor Appointment Acknowledgement before each auditing activity takes place. This process is controlled via procedure 7.

5 Governing Board Representation To ensure the impartiality of the assessment and certification process, decisions on certification and the Strategic and Policy direction of IMS, appropriate representation will be required on the Governing Board (otherwise known as the impartiality committee). As a minimum, the requirements for the representative should include:


Have a good knowledge of Information Security issues, and in particular as related to security risks and techniques for their mitigation and control;

Have an up-to-date working knowledge of Information Security legislation and regulations, and access to more detailed information where required;

Have an understanding of the principles of Information Security Management System and their application;

Have an understanding of the requirements of ISO 27001 & 27006;

Have some knowledge of the Information Security issues relating to a range of industry sectors, and/or access to more detailed information where required.

6 Competence Requirements

6.1 Auditor Competence All auditors used to carry out ISO 27001 assessments will be assessed and approved by IMS International to ensure that they meet the scheme requirements. The procedure for recruitment, training and monitoring of auditors is set out in Proc 11; sector-specific information is given within this document. A list of approved ISO 27001 auditors, along with the areas they are approved to assess, is given in the IMS Skills Matrix (Doc 10). The Scope Review Forms relevant to the EA code define the minimum requirements for ISO 27001 auditors in terms of qualifications, skills and experience. IMS has divided its competence assessments into sector-specific categories depending on the complexity, risk level and general processes likely to be performed by client organisations. During the contract review stage, the relevant code shall be assigned to the client as set out below. The code shall be reviewed and confirmed by the Lead Auditor as part of the Stage 1 assessment. Where a client's processes or services overlap more than one sector, the highest risk level always applies; multiple scope sectors may also be applicable to a single client organisation.

Table 1

Code A (risk level: LOW)
  ISMS scope sectors: General IT systems; low-risk / low-complexity sectors, i.e. all categories other than those defined as high risk and complexity below.
  ISMS scope experience or qualifications required: experience and competency measured within the IMS Mandatory ISMS Auditor Approval Form.

Codes B to H (risk level: HIGH)
  ISMS scope sectors: financial service providers; telecommunications providers; IT asset disposal and recycling services; contact / call centre providers; government, public and private sector organisations which process and store large quantities of personally identifiable data or sensitive information; national infrastructure such as utilities, transportation and nuclear facilities; web-based service and retail companies (e-commerce retailers and software developers); healthcare providers; aerospace. (The code assigned to each sector is listed in section 7.4.)
  ISMS scope experience or qualifications required: additional experience and knowledge (i.e. additional to that required for low complexity) of key aspects gained in each technical area in the last 3 years, from at least two of the following:
    Previous employment experience: employer, dates, duration, position held
    ISMS auditing experience: client, dates, number of days etc.
    Consultancy: client, dates, number of days etc.
    Education (degree, diploma or certificate issued by a university, college or professional body): institution / training provider, course and relevant units, any qualifications gained
    Training, including on-the-job training: training provider, course and relevant units, any qualifications gained
    Other relevant experience, supported by suitable evidence (specific details required)
    Self study
  Details to be recorded on the ISMS Sector Code Qualification Forms (A to H). Approval required by IMS Management.

6.2 Audit Team Selection The audit team shall have appropriate work experience and practical application of the below items. Each auditor within the team does not need to know the entire range of applications below in relation to Information Security, but the audit team as a whole shall have enough appreciation and experience to cover the ISMS scope being audited.

Managing a Team;

Management Systems and processes applicable to ISMS;

Knowledge of legislation and regulations in the particular Information Security field;

Identifying Information Security related threats and incident trends;

Identifying the vulnerabilities of the client organisation and understanding the likelihood of their exploitation, their impact and their mitigation and control;

Knowledge of ISMS controls and their implementation;

Knowledge of ISMS effectiveness review and measurement of controls;

Related and/or relevant ISMS standards, industry best practices, security policies and procedures;

Knowledge of incident handling methods and business continuity;

Knowledge about tangible and intangible information assets and impact analysis;


Knowledge of the current technology where security might be relevant or an issue;

Knowledge of Risk Management processes and methods

Competence to trace indications of security incidents in the client organisation’s ISMS back to the appropriate elements of the ISMS

All members of the audit team shall be qualified for ISO 27001:2013 by completing the General Scope Review (Form 31 ISMS General). The audit team shall include at least one person at Lead Auditor Grade who has the approved relevant ISMS Sector Competence Code (recorded in the IMS Competency Records on an ISMS Sector Code Form 31 (A-G)) appropriate to the scope of the audit. Sector Code A is the general classification for Low Risk and Low Complexity Sector Clients. Auditor Grade ISMS auditors can undertake surveillance audits only or act as team members on Initial Stage 1, Stage 2 and Recertification audits to gather further experience necessary for Lead Auditor status. To enable the gathering of approved sector codes for higher risk and complexity audits, auditors at both levels may act as team members under the guidance of Lead Auditors that have achieved approval in the relevant Higher Risk / Higher Complexity sector codes B to G.

6.3 Auditor Grade Requirements These are set out within the IMS 27001 ISMS Auditor Prerequisites Form (Form 31B). At the discretion of the General Manager, in conjunction with an already approved Lead Auditor, the audit experience required for qualification of an auditor can be reduced (excluding the need for participation in Stage 1 and Stage 2 audits) if a candidate can provide verifiable evidence of holding one of the following professional qualifications:

Computerised systems and computer network experience

CCNP (Cisco Certified Network Professional)

Other relevant professional qualification in computer network engineering, such as MCP (Microsoft Certified Professional) in server and/or workstation technologies, or TCNA (Tenable Nessus Certified Auditor).

Information security

CISSP (Certified Information Systems Security Professional)

CISM (Certified Information Security Manager)

CCSP (Cisco Certified Security Professional)

Other relevant professional qualification directly related to information security

Auditor qualifications

CISA (Certified Information Systems Auditor)

CIA (Certified Internal Auditor, awarded by the Institute of Internal Auditors)

Registered national ISMS auditor or lead auditor (e.g. IRCA, JRCA, etc.)

Other relevant professional qualification in terms of auditor qualification


Successful completion of a witnessed audit is required to qualify as an auditor. The assessment audit must be performed by an approved ISMS Lead Auditor, and recorded on the relevant Form 14. An ISMS Scheme Auditor Assessment Sign-Off Report must be completed as a record of candidate competency to demonstrate the specific competency requirements.

6.4 On-Going Evaluation / Monitoring of Auditor Competence Auditors shall be under review for each audit where the audit report is processed for Certification Decision. Each auditor shall also receive an observed audit every three years as per Procedure 11.

6.5 Specific Role Competence

6.5.1 Lead Auditor These requirements are set out within the IMS 27001 ISMS Auditor Prerequisites Form. Successful completion of a witnessed audit is required to qualify as a Lead Auditor, following the process defined in that form. The Lead Auditor under assessment shall conduct the entire audit, including review of all ISO 27001 requirements and all applicable Annex A controls. The requirements and controls reviewed must be recorded on the ISMS Scheme Auditor Assessment Sign-Off Report.

6.5.2 Auditors At the discretion of the IMS Management, the audit experience and approval for qualification of a lead auditor or auditor may be reduced if a candidate can provide verifiable evidence of approval as a lead auditor or auditor by another accredited Certification Body or provides evidence that they are certified as an ISMS Auditor or Lead Auditor through IRCA. Acceptable evidence includes previous audit logs, letter of auditor approval, the front page of previous audit reports, or IRCA auditor registration numbers, etc. In such circumstances, only the successful completion of a single witnessed full (Stage 1 and Stage 2) audit is required to qualify the lead auditor or auditor.

6.5.3 Certification Officer The Certification Officer/Decision Maker is responsible for making the decision for or against certification, and as such must have relevant working knowledge of Information Security issues, ISO 27001, and the Sector Code for which the Certification Review is taking place. In addition to this, Certification Officers must have working knowledge of IMS procedures and processes for certification. These requirements are specified within the Certification Officer Scope Review, and approved Certification Officers identified on the ISO 27001 Skills Matrix (Doc 10).


6.5.4 Auditor Competence Reviewer Auditor competence shall be reviewed and authorised by a Lead Auditor who is already deemed competent by IMS through experience and qualifications. This person shall review all completed scope reviews submitted by auditors and determine their competence. When satisfied, they shall add the auditor to the Skills Matrix (Doc 10), making them available for audits under the EA code(s) for which they have been approved. Office personnel are trained to assign auditors to audits against the EA code assigned to each client; as long as the auditor has been approved for that EA code, they are suitable for selection. Should there be any query regarding competence, the Lead Auditor who granted the initial competence approval shall be consulted.

6.5.5 Technical Expert From time to time it may be necessary to use the resources of an external Technical Expert. A Technical Expert may have the relevant experience within the field but not necessarily auditing experience. Any Technical Expert will be required to complete the Scope Review (Form 31) relevant to the sector against which they are being utilised. The specific sector knowledge is to be demonstrated, but not necessarily the auditing or consultancy areas.

6.6 Briefing of Auditors The General Manager or their delegate shall brief all auditors for the planned audits and will deliver training on the certification and auditing process. Should the General Manager not have the technical experience for some of the training needs, an external organisation shall be used to deliver this training in consultation with the Impartiality Committee ISMS experts.

7 Assessment and Certification Process The process for planning and carrying out assessments, and for certifying clients is shown in the Audit Cycle Management Procedure (Proc 16), and in various procedures including Proc 3 (issuing quotes and contract review), Proc 4 (Assessment Scheduling). The flow chart below gives an overview of this process, and details additional requirements for undertaking ISMS audits.


7.1 ISMS General Process Flow

[Flow chart. The steps recoverable from the chart, in order, are:]

1. Application forms received (Form 1 and Form 1C)
2. Contract review; quote accepted and client file set up
3. Assign audit team
4. Undertake document review if required
5. Stage 1 planned and performed
6. Client ready for Stage 2? If no: agree actions with the client and request evidence; review and close out actions, then re-check readiness. If yes: continue.
7. Stage 2 planned and performed
8. Certification review
9. Update certificate log (certificate file)

Responsibilities shown on the chart: all employees (receipt of application forms), Administration, Operations Manager and Auditor; those assigned to the audit must be competent as per the Skills Matrix. Additional inputs shown on the chart: Procedure 3 (contract review), Procedure 4 and section 6 of this document (audit team assignment), the contract review requirement (document review), Procedure 16 (Stage 1, Stage 2 and close-out of actions) and Procedure 6 (certification review).


7.2 Contract Review and Issue of Quote Proc 03 sets out the procedure for contract review and issuing of quotes. Additional requirements for these activities relevant to ISO 27001 assessments are set out below.

All applications will be reviewed to ensure that IMS International has the capability and competence to carry out the assessment. Competence requirements for undertaking contract review are detailed on the ISO 27001 Skills Matrix (Doc 10). Quotes will be prepared by the General Manager or the Business Development Director.

In addition to completing Form 1 (Audit Questionnaire), applicants for ISO 27001 assessment will also be required to complete an ISMS Supplemental Questionnaire (Form 1D). This form will be used to assess the complexity associated with the client's activities, which will be classified according to the categories in Table 1 and Table 3. The sector codes in Table 1 do not necessarily describe the sector the client operates in; they describe the type of information processed by the client. The relevant sector code shall be identified and documented within the contract review.

In deciding the complexity of the ISMS, the person undertaking the contract review will seek out technical expertise where required. This could include identified technical experts (see 6.5.5), relevant websites and documentation, etc. Based on the classification, the person undertaking the contract review will determine the number of on-site auditor days required. This will be based on the guidance number of days given in the table below, taking into account the additive and subtractive factors described in Proc 3 and the level of complexity.

Table 2: ISMS auditor time for the initial audit (auditor days), by number of effective employees and complexity

No. of effective employees | Low complexity | Medium complexity | High complexity
1-10                       | 3.5            | 5                 | 6
11-25                      | 5              | 7                 | 9
26-45                      | 6              | 8.5               | 11
46-65                      | 7              | 10                | 13
66-85                      | 8              | 11                | 14
86-125                     | 8.5            | 12                | 15
126-175                    | 9              | 13                | 17
176-275                    | 10             | 14                | 18
276-425                    | 10.5           | 15                | 19
426-625                    | 11.5           | 16.5              | 21
626-875                    | 12.5           | 17.5              | 22
876-1175                   | 13             | 18.5              | 24
1176-1550                  | 13.5           | 19.5              | 25
1551-2025                  | 14.5           | 21                | 27
2026-2675                  | 15.5           | 22                | 28
2676-3450                  | 16             | 23                | 30
3451-4350                  | 17             | 24                | 31
4351-5450                  | 17.5           | 25                | 31.5
5451-6800                  | 18.5           | 26                | 33
6801-8500                  | 19             | 27                | 35
8501-10700                 | 19.5           | 28                | 37.5
Above 10700                | follow progression

"Employees" as referenced above refers to all individuals whose work activities relate to the scope of the ISMS. The total number of employees for all shifts is the starting point for determination of audit time. Unlike QMS and EMS assessments, the total reductions applied shall not reduce the on-site auditor time to below 70% of the time shown in the table.

The effective number of employees includes non-permanent (seasonal, temporary and sub-contracted) staff that will be present at the time of the audit. It is calculated as the number of direct employees (directly involved with the ISMS) plus a weighting of 0.1 applied to the indirect employees (not directly involved with the ISMS). The organisation's application questionnaire and any supporting information shall be used to determine the number of direct and indirect employees, and the calculation shall be shown on the contract review form (Form 2). For example: 5 direct employees and 100 indirect employees have been identified for a given organisation; 100 (indirect) x 0.1 = 10, and 10 + 5 (direct) = 15. The effective number of employees is therefore 15. The complexity category is determined from Table 3 (section 7.3), and Table 2 is then used with the effective number of employees and the complexity category to obtain the auditor time.

Through the audit planning stage, IMS shall agree with the client the timing of the audit which will best demonstrate the full scope of the organisation. Consideration shall be given to season, month, day/night and shift. Part-time employees should be treated as full-time-equivalent employees; this determination will depend upon the number of hours worked as compared with full-time employees.

Remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the organisation's processes may be used to interface with the organisation. Should such processes be identified during the contract review and/or Stage 1 assessment, they shall be clearly documented within the contract review form (Form 2). This information shall be passed on to the relevant auditor, who shall plan the audit accordingly; the time allocated for off-site processes shall be built into the audit programme.


Should the contract review determine that more than 30% of time can be allocated to remote auditing activities, justification shall be clearly documented within the contract review form (Form 2) and communicated to UKAS for approval prior to implementation. Factors that can influence the audit time in terms of complexity can include:

Factors related to the size of the ISMS scope (e.g. number of information systems used, volume of information processes, number of users, number of privileged users, number of IT platforms, number of networks, and their size);

Factors related to the complexity of the ISMS (e.g. criticality of information systems, risk situation of the ISMS, volumes and types of sensitive and critical information handled and processed, number and types of electronic transactions, number and size of any development projects, extent of remote working taking place, extent of the ISMS documents);

The type(s) of business performed within the scope of the ISMS, and the security, legal, regulatory, contractual and business requirements related to these types of business;

Extent and diversity of technology utilised in the implementation of the various components of the ISMS (such as the implemented controls, documentation and/or process control, corrective/preventive action, information systems, IT systems, networks, e.g. whether these are fixed, mobile, wireless, external, internal);

Number of sites within the ISMS scope, how similar or different these sites are, and whether all of the sites or a sample will be audited;

Previously demonstrated performance of the ISMS;

Extent of outsourcing and third-party arrangements used within the scope of the ISMS, and dependency on these services;

The standards, legislation and regulations which apply to the certification, and any sector-specific requirements that might apply.

7.3 Determination of Complexity The complexity of the ISMS scope needs to be considered when deciding audit time and auditor competence. The complexity category assigned to an ISMS scope is used to decide:

The auditor competence requirements for the ISMS audit

The audit time requirements for the ISMS audit

Using Table 3 below, the aspects of an ISMS scope's complexity are classified into three categories (high, medium and low) against a number of different factors. The overall effective category of complexity is taken as the average of the categories assigned to all the factors considered. The complexity shall be reviewed each year during the assessments, and Head Office informed of any significant changes that could impact future audits.


Table 3

The Annex A references in the "Significance" entries below follow the ISO/IEC 27001:2005 numbering (A.9 Physical and environmental security, A.10 Communications and operations management, A.11 Access control, A.12 Information systems acquisition, development and maintenance, A.15 Compliance); the 2013 edition of the standard renumbered these control groups. A "Medium" threshold is read as "at or above the medium value and below the high value".

Complexity factor: Number of employees + contractor staff
  High: ≥ 1000   Medium: ≥ 200   Low: < 200
  Significance: scale of ISMS implementation; management information systems; production management-related systems; sales / distribution / general service-related systems; information technology / information services and related systems; construction / ship-building / plant engineering-related systems

Complexity factor: Number of users
  High: ≥ 1 million   Medium: ≥ 200,000   Low: < 200,000
  Significance: financial systems; government, school, medical / hospital systems

Complexity factor: Number of sites
  High: ≥ 5   Medium: ≥ 2   Low: 1
  Significance: scale of ISMS implementation; physical and environmental security (Control Objectives and Controls Guide A.9)

Complexity factor: Number of servers
  High: ≥ 100   Medium: ≥ 10   Low: < 10
  Significance: scale of ISMS implementation; physical and environmental security (A.9); access control (A.11); communications and operations management (A.10)

Complexity factor: Number of workstations + PCs + laptops
  High: ≥ 300   Medium: ≥ 50   Low: < 50
  Significance: access control (A.11)

Complexity factor: Number of application development and maintenance staff
  High: ≥ 100   Medium: ≥ 20   Low: < 20
  Significance: information systems acquisition, development and maintenance (A.12)

Complexity factor: Network and encryption technology
  High: external / internet connection with encryption, digital signature or PKI requirements
  Medium: external / internet connection using the encryption built into standard facilities, without digital signature or PKI requirements
  Low: external / internet connection without encryption, digital signature or PKI requirements
  Significance: access control (A.11); communications and operations management (A.10)

Complexity factor: Significance in legal compliance
  High: non-compliance leads to possible prosecution
  Medium: non-compliance leads to significant financial penalty or goodwill damage
  Low: non-compliance leads to insignificant financial penalty or goodwill damage
  Significance: laws and guidelines (A.15)

Complexity factor: Applicability of sector-specific risk (see 7.4 for examples of sector-specific risk)
  High: sector-specific law and regulation applies
  Medium: no applicable sector-specific law and regulation, but significant sector-specific risk applies
  Low: no applicable sector-specific law and regulation and no applicable sector-specific risk
  Significance: scale of ISMS implementation; laws and guidelines (A.15)

7.4 Sector Specific Categories of Information Security Risk

Risks to information may be specific to the type of information considered or the sector in which an organisation operates. The following examples illustrate different categories of risk and reflect the competence assessments (Scope Reviews, Form 31s) developed by IMS:

Code A-General IT Systems (Low Risk)

Code B-Financial Service Providers (High Risk)

Code C-Telecommunications Providers (High Risk)

Code D-IT Asset Disposal & Recycling Services (High Risk)

Code E-Government, Public and Private Sector Organisations which process and store large quantities of Personally Identifiable Data or Sensitive Information (High Risk)

Code F-National Infrastructure such as utilities, transportation, nuclear facilities (High Risk)

Code G-Web-based Services & Retail Organisations (High Risk)

Code H-Aerospace (High Risk)

8 ISMS Assessment Process

Proc 4 details the procedure for planning assessments, whilst the IMS Auditor Handbook (Doc 32) sets out the procedures and requirements for carrying out assessments. Additional requirements for planning and undertaking ISO 27001 assessments are set out within this scheme document. ISO 27001 initial assessments will be undertaken in two stages; the aims and areas to be covered for each stage of the assessment are detailed in Procedure 16. For each audit, the auditor shall complete the relevant audit report form as detailed within each audit section and the ISMS Compliance Matrix (Form 73); this form highlights the areas that the audit has covered, to ensure full coverage over the cycle. The auditor also has available the Auditor Control Objectives and Control Guide (Form 75). This is a mandatory document that must be completed for the initial and reassessment visits but not for surveillance visits; during surveillance visits, however, the document should be used as an audit guide. The auditor can choose to make their own notes in another format as long as the information shows full coverage of the audit scope.

8.1 Initial Audit Preparations

Prior to the onsite audit, the client is required to submit a copy of their Documented Management System and any associated documentation. The documentation shall include:

Documented statements of the ISMS Policy and objectives;

The Scope of the ISMS;

Procedures and controls in support of the ISMS;

A Description of the Risk Assessment methodology;

The risk assessment report;

The risk treatment plan;

Documented procedures;

Internal Audit Programme and Evidence;

The Statement of Applicability.

After acceptance of the quotation to proceed with ISO 27001 certification, a welcoming letter shall be issued to the client highlighting the required documentation to be received before the stage 1 assessment is planned. This process shall be performed as identified within Procedure 04 (Assessment Scheduling and Audit Team Appointment). The stage 1 assessment shall not be planned until this information has been received.

8.2 Audit Planning

Procedure 4 is to be followed, which highlights the audit planning and audit team appointment process. In addition to the requirements within Procedure 4, the ISMS Audit Programme and Compliance Matrix (Form 73) is used to help plan and control the ISMS audit programme. Form 73 shall be started during the stage 1 assessment and shall be used to plan out the stage 2 and subsequent surveillance visits from that point; the plan shall, however, be reviewed upon every assessment and adjusted as necessary. The form is also used after each assessment to highlight the findings generated as part of that assessment. The individual audit plans shall be completed as per Procedure 4 using the standard IMS plan templates (Form 12s). Time for remote working shall be clearly shown within the audit plan and shall include a detailed description of the type of remote working (teleconferencing, web meeting, interactive web-based communications, and remote electronic access to the ISMS documentation and/or ISMS processes). Remote auditing of remote client sites (multiple sites) shall be considered as remote auditing even if the activity is performed whilst on the client's premises.


Remote auditing techniques shall not constitute more than 30% of the total audit time. Where more than 30% is required, the audit plan shall be justified and approved by UKAS prior to the activity taking place.

8.2 Stage 1 Assessment

The main requirements for stage 1 assessments are defined within the Management Audit Cycle (Proc 16) and Auditor Handbook (Doc 32). With regards to the ISMS stage 1 assessment, the audit team shall obtain documentation on the design of the ISMS, which includes the documented information required by ISO 27001 and any additional documentation determined by the client as being necessary for the effectiveness of the ISMS. The Auditor Handbook (Doc 32) and Audit Report (Form 9E) highlight the specific documentation and requirements for the stage 1 assessment. An audit report (Form 9E) shall be prepared and provided to the organisation. The Auditor Control Objectives and Control Guide (Form 75) shall be started during the stage 1 assessment and completed during stage 2. The completed report shall be returned to IMS for review prior to proceeding with the stage 2 assessment preparations; this review shall be documented on Form 11B. The audit team shall be reviewed to ensure that the team members have the necessary competencies for the organisation. If, as a result of the review, further types of information and records will be required for examination during the stage 2 audit, these shall be communicated to the organisation through the stage 2 scheduling letter. The review shall be performed by a competent Certification Officer as defined within the Skills Matrix (Doc 10).

8.3 Stage 2 Assessment

The main requirements for stage 2 assessments are defined within the Management Audit Cycle (Proc 16) and Auditor Handbook (Doc 32). The ISMS stage 2 audits shall focus on the areas below:

Assessment of information security related risks, and that the assessments produce comparable and reproducible results;

Documentation requirements;

Control objectives and controls based on the risk assessment and risk treatment processes;

Reviews of the effectiveness of the ISMS and measurements of the effectiveness of the information security controls, reporting and reviewing against the ISMS objectives;

Internal ISMS audits and management reviews;

Management responsibility for the information security policy;


Correspondence between the selected and implemented controls, the Statement of Applicability, the results of the risk assessment and risk treatment process, and the ISMS policy and objectives;

Implementation of controls, taking into account the organisation's measurements of the effectiveness of controls, to determine whether controls are implemented and effective in achieving the stated objectives;

Programmes, processes, procedures, records, internal audits, and reviews of the ISMS effectiveness, to ensure that these are traceable to management decisions and the ISMS policy and objectives.

An audit report (Form 9F) shall be prepared and provided to the organisation. The completed report shall be returned to IMS for the Certification Decision to be made and for any additional activities to be performed, such as chasing the client for corrective actions. This is performed during the normal certification cycle as per Procedure 16. The Auditor Control Objectives and Control Guide (Form 75) shall be completed during stage 2 and submitted as part of the auditor's audit report.

8.4 Surveillance Assessments

The main requirements for surveillance visits are defined within the Management Audit Cycle (Proc 16) and Auditor Handbook (Doc 32). ISMS surveillance audits shall focus on the areas below:

The system maintenance elements, which are internal ISMS audits, management reviews, and corrective and preventive actions;

Communications from external parties as required;

Changes to the Documented Management System;

Areas subject to change;

Selection of ISO 27001 elements as per the audit programme;

Any additional areas highlighted from pre-audit planning, such as appeals, complaints, industry changes etc.;

The effectiveness of the ISMS with regard to achieving the objectives of the organisation's information security policy;

The functioning of procedures for the periodic evaluation and review of compliance with relevant information security legislation and regulations;

Actions taken on non-conformities identified during the last audit.

An audit report (Form 9G) shall be prepared and provided to the organisation. Completion of the Auditor Control Objectives and Control Guide (Form 75) is not mandatory during surveillance visits, but it is to be used as an audit aid (evidence does not need to be recorded within the document); the auditor may complete the document should they wish. Should there be any changes within the organisation that would require an internal review, or should a recommendation for suspension or withdrawal be made by the auditor, this shall be identified within the audit report summary section. Where a report indicates this, the administration department shall issue it for Certification Decision/Review as per Procedure 6.


8.5 Reassessments

Reassessment audits shall follow the main requirements as defined within the Management Audit Cycle (Proc 16) and Auditor Handbook. An audit report (Form 9H) shall be prepared and provided to the organisation. The Auditor Control Objectives and Control Guide (Form 75) shall be completed as part of the audit evidence during reassessments.

8.6 Special Audits

There are a number of reasons that a special audit may be required, mainly major modifications to the Management System. Within the Terms and Conditions agreed with clients, the organisation is required to inform IMS of any significant changes to their system, including location changes and management changes. Upon receipt of notification of any changes, the organisation will be required to complete another audit questionnaire (Form 1E); the completed form shall go through the contract review process (Proc 3) to determine whether any additional audits are required. The Surveillance assessment audit report (Form 9G) shall be used to record the audit performed. A special audit may also be required to close out any major non-conformances which cannot be verified off-site. In this case the CAP form shall be used to record the evidence of closure. Additional notes may be taken by the auditor if required. The completed CAP form and any supporting notes shall be presented for Certification Review.

9 Certification Decision/Review

All reports from the stage 1 and stage 2 or reassessment assessments shall be presented to the Certification Review Officer. The reports shall also include the auditor notes and any additional evidence gathered during the assessments, the Audit Reports (Form 9s) and the Auditor Control Objectives and Control Guide (Form 75). The Certification Review Officer shall be appointed from the Skills Matrix (Doc 10). Procedure 6 defines the full certification review process; Form 11B shall be used to record the review of the stage 1 report. The same form shall be used again after the stage 2 assessment and signed off when the certification decision has been made.

10 Combined/Integrated Assessments

Combining assessments with other management standards is permitted within the ISMS scheme providing that all the elements related to the ISMS scheme are clearly reported. We would therefore follow the general integrated management system audit requirements as defined within Procedure 3, but would ensure that the audit reports themselves are produced independently of the other management system standards. Any audit notes produced by the auditor shall highlight the standard and clause numbers related to each of the management standards, to enable the Decision Maker/Certification Reviewer to identify all requirements that have been audited. Where a client is applying for an integrated assessment for ISO 9001 and ISO 27001, the guidance number of audit days will be calculated by adding together the guidance numbers for ISO 9001 assessments and ISO 27001 assessments. However, integrating the two standards in a single assessment may be considered as a subtractive factor when assigning the actual audit days required. This will be justified on the Contract Review form (Form 02). Procedure 3 details this process.

11 Multiple Sites

Procedure 3 defines the requirements for controlling multiple site organisations, providing they meet the requirements of a multiple site organisation within Procedure 3 and below:

All sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;

All sites are included within the client's internal ISMS audit programme;

All sites are included within the client's ISMS management review programme.

The sample shall be taken from all sites based upon judgemental choice to reflect factors such as complexity, variations, critical information systems, legal requirements etc. Any site within the client's organisation where significant risks have been identified will be audited during the initial stage 2 audit. The three year programme shall consider the high risk activities and sites and be planned accordingly. The head office shall be audited during the stage 2 assessment, annually during surveillance visits, and during the reassessments.

12 Complaints

Procedure 10 sets out the general procedure for dealing with complaints received about IMS and also regarding IMS' clients. Should a complaint be received regarding one of IMS' clients, Procedure 10 shall be followed by the General Manager. When reviewing the corrective actions received from the organisation, the General Manager shall ensure that containment action includes:

Notification to appropriate authorities if required by regulations or other requirements;

Restoring conformity;

Preventing re-occurrence;

Evaluating and mitigating any adverse security incidents and their associated impacts;

Ensuring satisfactory interaction with other components of the ISMS;

Assessing the effectiveness of the containment and corrective action taken.

During the review of the complaint, the General Manager may request the services of a person competent in information security; this may include the Governing Board Representative or another auditor (as per the Skills Matrix, Doc 10).


Clients shall make available any complaint investigations and records to IMS when requested; to control this process, the Terms and Conditions (Doc 7) stipulate this requirement.

13 Appeals

The appeals process shall be managed as per Procedure 8 (Appeals and Disputes). The General Manager is responsible for this process but will utilise Technical Experts, such as the members of the Impartiality Committee, from a technical standpoint. Other technically competent personnel, such as Lead ISMS Auditors, will also be utilised as needed.

14 Control of Certification Marks

When an organisation has been granted ISMS certification, they shall be issued with the IMS logos relevant to the scheme. The logos shall be emailed to the certified client and issued with Doc 34 (Rules Governing the Use of Logos). During each subsequent assessment, the auditor shall verify the use of the logos and make specific comments within the audit report summary, highlighting any misuse issues. Any misuse issues shall be identified as a non-conformance and corrective actions requested, along with any supporting evidence of completion.

15 Document Revision History

Revision 1 (date not stated): Initial Release of Document.

Revision 2 (6th October 2014): Revised from internal audit findings:
- Verified and clarified the sector codes
- Included Aerospace Sector Code
- Gave some additional information relating to how the complexity score is reached
- Included the appeals process
- Expanded the specific competence areas to include audit assignment and briefing
- Section 6.3 referred to Form 32B instead of 31B
- Included information regarding the Technical Expert competence