Compliance Audit: ISO/IEC 27001 ISMS Precertification Audit Performed by Experis U.S., Inc.

Amanda Noble, City Auditor
Stephanie Jackson, Deputy City Auditor
February 14, 2018

Audit Objective
• To assess whether the city is ready to meet ISMS (Information Security Management System) certification requirements
• ISO/IEC 27001:2013 is the internationally recognized information security management standard
• Compliance benefits include increased predictability, consistency and effectiveness of information security processes, which reduces risk

Methodology
• City Auditor’s Office contracted with Experis U.S., Inc. to perform a compliance audit to assess the city’s readiness to meet certification requirements

Findings
• AIM (Atlanta Information Management) and its OIS (Office of Information Security) have strengthened security by:
  o Monitoring and reporting on vulnerabilities
  o Deploying tools and controls to enhance security
  o Establishing the Information Security Governance Board, which provides a forum for stakeholder views and participation

Findings (cont.)
• Remaining gaps that prevent certification include:
  o Lack of formal processes to identify, assess, and mitigate risks
  o Lack of processes to manage risks associated with third-party service providers and suppliers
  o Unclear data classification policies
  o Incomplete measurement, reporting and communication related to risks

Recommendations for Certification
• Improve the level of clarity and understanding of the ISMS and its processes
• Provide sufficient evidence to demonstrate the effective operation of the ISMS
• Establish a documentation portfolio sufficient to meet the ISMS compliance requirements
• Establish sufficient degrees of rigor and formality around information security issues management

Recommendations for Certification (cont.)
• Establish security metrics that properly track issues, communicate progress and report ISMS performance based on stakeholder needs
• Incorporate and maintain an appropriate level of strategic focus in the ISMS
• Determine, deploy and maintain an appropriate level of ISMS program resourcing

Questions?