ISO - Training - Day - 1
Information Security refers to the practices, policies, and technologies used to protect sensitive data from unauthorized access, use, disclosure, modification, or destruction, ensuring its confidentiality, integrity, and availability.
Confidentiality - ensuring data is accessible only to authorized users
Integrity - ensuring data is accurate and unaltered
Availability - ensuring data is accessible when needed
Information is anything that holds meaning or value. It can be facts, data, knowledge, or details that are useful and relevant for decision-making, operations, or communication.
Information = Meaningful Data
Access Control: Need to Do and Need to Know
Need to Do:
Meaning: Access to data is granted based on the task or job that a person needs to perform.
Example: A finance team member gets access to financial data because their job requires it, but they can't access HR data, as it's not part of their duties.
Need to Know:
Meaning: Access to information is granted only if it's necessary for the individual to complete their task.
Example: Even if someone works in the IT department, they might not be allowed to view sensitive project data unless their job requires it.
Access Control: Determining who can access data based on their job responsibilities and the need to know.
Data Protection: Ensuring data is safe, secure, and only accessible to authorized individuals.
The Information Security Management System (ISMS) is a framework designed to manage and protect sensitive information within an organization. It focuses on three key elements:
People: This includes the individuals within the organization who are responsible for implementing and maintaining security policies, training staff, and ensuring adherence to security protocols.
Process: Refers to the procedures and practices put in place to safeguard information, such as risk assessments, incident response, and compliance with security standards.
Technology: Involves the tools, systems, and software used to protect data, such as encryption, firewalls, access control systems, and monitoring solutions.
These three components—People, Process, and Technology—work together to ensure a holistic approach to information security, addressing the human, procedural, and technical aspects of securing sensitive data.
ISMS provides a systematic approach to managing sensitive company information. By implementing effective policies, processes, and technologies, organizations can reduce risks and protect their critical information assets. Regular monitoring, auditing, and improvement are essential for ensuring the system's effectiveness and compliance with global standards like ISO/IEC 27001.
Compliance vs Non-Confirmative
1. Compliance
Definition: Compliance refers to meeting and adhering to required laws, standards, regulations, or policies set by governing bodies, industry standards, or internal rules.
Example: A company that follows all legal and industry regulations, such as data protection laws (e.g., GDPR) or workplace safety standards.
2. Non-Confirmative
Definition: Non-confirmative means failing to meet or conform to the required standards or regulations. It indicates that a process or entity has not confirmed or does not comply with the expected guidelines.
Example: A company that does not meet certain ISO standards or fails to provide necessary documentation to confirm adherence to a rule.
3. Non-Compliance
Definition: Non-compliance refers to the failure or refusal to follow established rules, regulations, laws, or standards that are required by external authorities or internal policies.
Example: A company not following data protection laws like GDPR, or failing to meet safety standards set by the government.
Key Differences:

| Aspect | Compliance | Non-Confirmative |
|---|---|---|
| Meaning | Adhering to rules, regulations, or standards. | Failing to confirm or meet required standards. |
| Outcome | Ensures legal, regulatory, and industry requirements are met. | Indicates a lack of confirmation or non-adherence to required standards. |
| Example | A business following safety or security regulations. | A business failing to provide evidence of meeting compliance standards. |

| Aspect | Non-Compliance | Non-Confirmative |
|---|---|---|
| Meaning | Failure to follow rules, laws, or standards. | Lack of proof or confirmation that rules or standards are being met. |
| Outcome | Results in penalties, fines, or legal issues. | Can lead to confusion or questioning due to missing documentation or verification. |
| Example | Not adhering to GDPR or ISO standards. | Not providing evidence during an audit to confirm compliance with regulations. |
What is an Audit?
An audit is a systematic and independent examination or review of processes, systems, or financial records within an organization to ensure compliance with regulations, standards, or internal policies. The goal is to assess performance, identify areas for improvement, and ensure transparency and accountability.
General Audit Flow
Plan
Purpose: Develop an audit plan to outline the scope, objectives, and methodology of the audit.
Key Points:
Identify the area or process being audited (e.g., financial records, safety standards, data security).
Decide whether the audit will be online (using digital tools and remote access) or offline (physical on-site audit).
Set timelines, resources, and audit team roles.
Do
Purpose: Execute the audit according to the plan.
Key Points:
Collect data through observation, interviews, and document review.
Perform tests or evaluations of the systems or processes.
Identify non-compliance, gaps, or areas of risk.
Check
Purpose: Analyze the audit findings.
Key Points:
Compare the findings with the relevant standards, regulations, or internal policies.
Verify if the organization’s processes meet compliance or if improvements are needed.
Assess the effectiveness of current controls and practices.
Submit the Report
Purpose: Document the audit results and present them to management or stakeholders.
Key Points:
The audit report should include findings, evidence, and recommendations for improvement.
Clear, actionable steps for addressing any non-compliance or risks should be outlined.
Follow-Up Audit
Purpose: Ensure that corrective actions have been implemented after the audit.
Key Points:
Conduct a follow-up audit to verify if issues have been resolved and improvements have been made.
Review if the corrective actions were effective and sustained over time.
Provide feedback to ensure continuous improvement.
Summary of General Audit Flow:
Plan: Set up the audit scope, methods, and resources (online or offline).
Do: Conduct the audit, collecting data and identifying issues.
Check: Analyze findings against standards and assess effectiveness.
Submit the Report: Document results and make recommendations.
Follow-Up Audit: Verify corrective actions and ensure improvements.
Skills for Asking Questions in an Audit
Asking the right questions during an audit is crucial for gathering accurate information, identifying risks, and ensuring compliance.
Evidence in Auditing & Importance of Oral Communication
What is Evidence in Auditing?
Definition: Evidence in an audit refers to the information, data, or documentation that is collected and analyzed during the audit process to support findings, conclusions, and recommendations.
Importance: Evidence helps auditors verify that processes, systems, and controls are functioning as intended. It serves as the basis for evaluating compliance, assessing risks, and making decisions.
Types of Audit Evidence
Documents: Contracts, reports, financial statements, policies, and procedures.
Records: Logs, system data, transaction records, inventory counts, etc.
Physical Evidence: Actual samples, items, or physical inspections of equipment, systems, or sites.
Observation: Watching processes being performed and recording findings.
Test Results: Results from testing systems, controls, or processes.
What is RISK?
Risk is the possibility of an event or situation occurring that can negatively impact the achievement of goals or objectives.
It refers to the uncertainty about the outcome of a situation and the potential for harm or loss.
What is Control from the Perspective of Risk?
Control in the context of risk management refers to the actions, measures, or systems put in place to mitigate, reduce, or eliminate the impact or likelihood of a risk event occurring.
It is a strategy to ensure that risks are managed effectively to prevent adverse outcomes or minimize their consequences if they occur.
Types of Controls in Risk Management:
Preventive Controls:
Purpose: Aim to prevent risks from occurring in the first place.
Examples:
Security protocols to prevent unauthorized access to sensitive information.
Regular employee training to prevent operational errors.
Detective Controls:
Purpose: Designed to detect risks or issues as soon as they occur.
Examples:
Intrusion detection systems in cybersecurity to identify security breaches.
Audit trails or logs to detect fraud or unauthorized transactions.
Corrective Controls:
Purpose: Focus on correcting or addressing the consequences of a risk after it has occurred.
Examples:
Backup and disaster recovery plans to restore systems after a failure.
Incident response plans to manage and mitigate the effects of a security breach.
Deterring Controls:
Purpose: To discourage undesirable behavior by highlighting the negative consequences for non-compliance or misconduct.
Examples:
Surveillance Cameras: To deter theft by making individuals aware that they are being watched.
Legal Penalties: Heavy fines or legal actions to discourage non-compliance with regulations.
Zero-Tolerance Policies: Strict rules with immediate consequences for violations (e.g., workplace harassment).
Public Disciplinary Actions: Displaying consequences of violations to deter others from similar behavior.
PPT (People, Process, Technology) - Short Notes
1. People:
Definition: Refers to the individuals who work within an organization and interact with systems, data, and processes.
Role: People are crucial in implementing and adhering to policies, managing risks, and ensuring the system functions effectively.
Example: Employees, managers, IT staff, auditors.
2. Process:
Definition: The set of procedures and workflows that guide how tasks and activities are completed within an organization.
Role: Processes help ensure consistency, efficiency, and compliance with standards and regulations.
Example: Approval workflows, risk management processes, security protocols.
3. Technology:
Definition: The tools and systems used to support and enable the organization’s operations.
Role: Technology helps automate tasks, store data securely, and improve efficiency in decision-making and communication.
Example: Software applications, security systems, databases, cloud storage.
People manage and execute tasks, Processes provide structured workflows, and Technology supports and enhances operations. Together, they ensure the success and security of an organization.
What are Assets?
Assets are valuable resources owned by an organization that are used to achieve its objectives, ensure operations, or provide benefits.
Examples: Physical assets (e.g., computers, buildings), data, intellectual property, software, human resources, and financial resources.
What is Asset Value?
Asset value refers to the importance or worth of an asset, considering its contribution to the organization and the impact it has if lost or compromised.
The value of an asset is based on its criticality to the organization’s operations, its sensitivity, and the risk associated with it.
How to Calculate Asset Value Based on CIA?
The asset value is assessed by evaluating each CIA component and the impact it would have if compromised:
Confidentiality: Is the asset’s data sensitive? What would happen if it was exposed or leaked?
Integrity: How important is the accuracy of the asset's data? What are the consequences of data being altered?
Availability: How critical is the asset’s availability? What would be the impact if it became unavailable?
Summary:
Assets are resources that help an organization achieve its goals.
Asset value is determined by the importance of the asset, particularly how confidential, accurate, and available it is.
Using the CIA model, organizations can calculate asset value by evaluating the risks and impacts to Confidentiality, Integrity, and Availability.
Risk Management Process: Overview
The Risk Management Process helps organizations identify, assess, prioritize, and manage risks to minimize their impact and ensure business continuity. It consists of the following key steps:
Collect an inventory of the organization's assets before proceeding with risk management.
1. Risk Identification
Definition: The first step is to identify potential risks that could affect the organization’s objectives, operations, or resources.
Methods:
Brainstorming: Discussing possible risks with team members.
Risk Checklists: Using predefined lists of common risks.
Historical Data: Looking at past incidents or risks.
Expert Opinions: Consulting experts or stakeholders.
Examples of Risks:
Cybersecurity threats
Natural disasters
Financial instability
Operational errors
2. Risk Evaluation (Risk Assessment)
Risk Evaluation Matrix
Definition: A tool used to evaluate and prioritize risks based on their likelihood and impact.
Purpose: To help understand the severity of risks and decide which risks need the most attention.
Steps:
Likelihood: Estimate the probability of the risk occurring (e.g., Low, Medium, High).
Impact: Assess the potential consequences if the risk occurs (e.g., Low, Medium, High).
Risk Score: Multiply the likelihood and impact to get the overall risk score (Higher score = higher priority).
Risk Matrix Example:
| Impact \ Likelihood | Low (1) | Medium (2) | High (3) |
|---|---|---|---|
| Low (1) | 1 (Low Risk) | 2 (Low Risk) | 3 (Medium Risk) |
| Medium (2) | 2 (Low Risk) | 4 (Medium Risk) | 6 (Medium Risk) |
| High (3) | 3 (Medium Risk) | 6 (Medium Risk) | 9 (High Risk) |
High-risk scores (7-9): Need immediate attention (e.g., cyberattacks, major financial risks).
Medium-risk scores (4-6): Monitor regularly and plan mitigation strategies.
Low-risk scores (1-3): Can be accepted or monitored with minimal intervention.
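The following Python script is an added worked example for two passages above: the CIA-based asset value (under "How to Calculate Asset Value Based on CIA?") and the likelihood x impact risk evaluation matrix just shown. It is not code from the training notes. The notes give no rule for combining the three CIA ratings into one value, so asset_value takes the highest of the three as a labelled assumption. The matrix cells label a score of 3 as Medium while the bands listed after it put 3 in Low; risk_level follows the cell labels by default and takes a medium_from parameter for the band reading. All assets, threats and ratings in REGISTER are constructed sample data.

```python
"""Worked example: CIA-based asset value and the 3x3 risk evaluation matrix.

Added illustration for the training notes, not code from the notes.
All assets, threats and ratings below are constructed sample data.
"""
from dataclasses import dataclass

# Ordinal scale shared by the CIA ratings, likelihood and impact: Low=1, Medium=2, High=3.
SCALE = {"Low": 1, "Medium": 2, "High": 3}
LABELS = {v: k for k, v in SCALE.items()}


def rating(name: str) -> int:
    """Convert a Low/Medium/High label to its number, rejecting anything else."""
    if name not in SCALE:
        raise ValueError(f"rating must be one of {list(SCALE)}, got {name!r}")
    return SCALE[name]


def asset_value(confidentiality: str, integrity: str, availability: str) -> str:
    """Rate an asset from its C, I and A impact ratings.

    ASSUMPTION: the notes do not give an aggregation rule; this takes the
    highest of the three ratings, so an asset whose loss of availability alone
    would be High is rated High overall.
    """
    return LABELS[max(rating(confidentiality), rating(integrity), rating(availability))]


def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood x impact (1..9)."""
    return rating(likelihood) * rating(impact)


def risk_level(score: int, medium_from: int = 3, high_from: int = 7) -> str:
    """Map a score to Low/Medium/High.

    Defaults follow the matrix cell labels (1-2 Low, 3-6 Medium, 9 High). The
    score bands listed after the matrix put 3 in the Low band instead; pass
    medium_from=4 to use that reading. 7 and 8 cannot occur on a 3x3 grid, so
    High is reached only at 9 either way.
    """
    if score >= high_from:
        return "High"
    if score >= medium_from:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    """One risk register entry: a threat against an asset with its two ratings."""
    asset: str
    threat: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed sample register (hypothetical assets and threats).
REGISTER = [
    Risk("Payment gateway", "Admin credentials stolen by phishing", "High", "High"),
    Risk("Customer database", "Ransomware encrypts production data", "Medium", "High"),
    Risk("Office printers", "Toner shortage delays printing", "High", "Low"),
    Risk("HR file share", "Records emailed to the wrong recipient", "Medium", "Medium"),
    Risk("Public website", "Single web server hardware failure", "Low", "Low"),
    Risk("Backup tapes", "Fire in archive room destroys all copies", "Low", "High"),
]


def prioritise(register):
    """Register sorted highest score first; ties broken by asset name."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def by_level(register):
    """Group asset names under High / Medium / Low for the treatment step."""
    groups = {"High": [], "Medium": [], "Low": []}
    for r in prioritise(register):
        groups[r.level].append(r.asset)
    return groups


if __name__ == "__main__":
    print("Asset value (C=Low, I=Medium, A=High):", asset_value("Low", "Medium", "High"))
    for r in prioritise(REGISTER):
        print(f"{r.score} {r.level:<6} {r.asset:<18} {r.threat}")
    print(by_level(REGISTER))
```

Running the script prints the register in priority order, with the single score-9 entry at the top and the score-1 entry at the bottom, and then the High/Medium/Low grouping that feeds the treatment step. Rejecting any rating outside Low/Medium/High keeps the register consistent with the matrix scale, which matters when scores from several teams are merged.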
3. Risk Treatment (Response & Mitigation)
Definition: After evaluating risks, the next step is to decide how to treat each risk based on its priority.
Select and implement applicable controls (e.g., preventive, detective, corrective, external) to manage risks.
Risk Treatment Strategies:
Risk Avoidance:
Eliminate the risk entirely by changing the project plan or business process.
Example: Avoid a risky business venture.
Risk Reduction/Mitigation:
Mitigate the risk by taking steps to reduce the likelihood or impact.
Example: Install stronger cybersecurity measures to reduce the chance of a data breach.
Risk Transfer:
Transfer the risk to a third party (e.g., insurance, outsourcing).
Example: Purchasing insurance to cover financial losses due to natural disasters.
Risk Acceptance:
Accept the risk when it’s within the organization’s risk tolerance or the cost of treatment outweighs the potential impact.
Example: Accepting minor operational risks with minimal impact.
Steps in Treatment:
Determine the Action: Choose one or more treatment options based on the evaluation.
Implement the Plan: Put the selected risk treatment actions into place (e.g., deploy new security measures, hire more staff, purchase insurance).
Monitor: Continuously monitor the risk to ensure the treatment is effective.
4. Monitoring and Review
Definition: Regularly monitor and review the risks and the effectiveness of the treatment strategies.
Purpose: To ensure that the risks are being properly managed and to adapt the strategies as necessary.
Steps:
Regularly check for new risks or changes in existing risks.
Assess the effectiveness of the treatment plan.
Update the risk management plan based on new data or changes in the organization.
Summary of the Risk Management Process:
Risk Identification: Identify all potential risks that could affect the organization.
Risk Evaluation: Use a Risk Evaluation Matrix to assess the likelihood and impact of identified risks.
Risk Treatment: Select and implement strategies to avoid, reduce, transfer, or accept risks.
Monitoring & Review: Continuously monitor the risks and update the treatment strategies as needed.
What is a Threat?
Threat is any potential event or action that could compromise the confidentiality, integrity, or availability (CIA) of information or information systems. It represents a potential cause of harm or damage to an organization’s assets, resources, or operations.
Examples of Threats:
Cyberattacks (e.g., hacking, phishing)
Natural disasters (e.g., floods, earthquakes)
Human error (e.g., accidental data deletion)
Theft (e.g., physical theft of devices or data)
Malicious insiders (e.g., employees deliberately misusing data)
What is the Difference Between Risk and Threat?
Threat:
Definition: A threat is a potential cause that may exploit a vulnerability and result in harm to the organization.
Focus: It focuses on the source or event that can cause damage.
Example: A cybercriminal trying to steal company data is a threat.
Risk:
Definition: Risk is the likelihood of a threat exploiting a vulnerability and the impact it will have on an organization's assets or operations.
Focus: It focuses on the probability of the threat occurring and the consequences of that event.
Example: The risk of a cyberattack causing a data breach, considering how likely the attack is and the potential damage it could cause (e.g., financial loss, reputational damage).
Key Differences:
| Aspect | Threat | Risk |
|---|---|---|
| Definition | A potential cause of harm or damage. | The probability and impact of that threat exploiting a vulnerability. |
| Focus | The source of the potential harm (e.g., hacker, natural disaster). | The likelihood and consequences of a threat exploiting a vulnerability. |
| Example | A hacker attempting to break into a system. | The likelihood of the hacker successfully breaching the system and the damage it could cause (e.g., data loss, reputational damage). |
Difference Between Threat, Risk, and Vulnerability
Threat:
Description: A potential cause of harm or damage that could exploit a vulnerability.
Example: A hacker attempting to breach a system.
Risk:
Description: The likelihood of a threat exploiting a vulnerability and the potential impact it would have.
Example: The risk of a hacker accessing sensitive data and causing financial damage.
Vulnerability:
Description: A weakness or flaw in a system that could be exploited by a threat.
Example: An outdated software system with a known security flaw.
Key Differences:
| Aspect | Threat | Risk | Vulnerability |
|---|---|---|---|
| Definition | A potential event or action that could cause harm. | The likelihood and impact of a threat exploiting a vulnerability. | A weakness in a system that can be exploited by a threat. |
| Focus | The source of harm (e.g., hacker, malware). | The probability of harm and its consequences. | A system's weakness or flaw that a threat can exploit. |
| Example | Cyberattack, natural disaster, human error. | Chance of data breach and its financial impact. | Outdated software with security flaws. |
Summary:
Threat: Potential cause of harm.
Risk: It refers to the uncertainty about the outcome of a situation and the potential for harm or loss.
Vulnerability: Weakness that allows threats to exploit the system.
What is information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Destroyed
CIA Category: Availability
Explanation: When information or a system is destroyed, it leads to the loss of access or availability. The data can no longer be accessed or used, affecting business continuity.
Example: A fire destroys all backup copies of critical data, making it inaccessible.
Corrupted
CIA Category: Integrity
Explanation: Corruption refers to data or systems being altered in an unintended or unauthorized manner, which affects its accuracy and reliability.
Example: A database is corrupted due to a malware infection, causing the data to become inaccurate or unreliable.
Lost
CIA Category: Confidentiality or Availability (depending on context)
Explanation:
If the data is lost permanently or accidentally without being accessed, it can affect Availability (it is no longer accessible).
If the data is lost in terms of being accessed by unauthorized parties, it affects Confidentiality (it is exposed to unauthorized individuals).
Example:
Availability: Losing access to a server due to a hardware failure.
Confidentiality: A sensitive document is lost and ends up in the hands of unauthorized individuals.
Summary:
Destroyed → Availability (loss of access or functionality)
Corrupted → Integrity (altered data affecting accuracy and reliability)
Lost → Confidentiality (unauthorized access) or Availability (inaccessibility of data)
By ensuring the CIA Triad is protected, organizations can minimize the risks associated with these issues.
Security Elements:

People:
People who use or have an interest in our information security include:
Shareholders / owners
Management & staff
Customers / clients, suppliers & business partners
Service providers, contractors, consultants & advisors
Authorities, regulators & judges
Our biggest threats arise from people (social engineers, unethical competitors, hackers, fraudsters, careless workers, bugs, flaws …), yet our biggest asset is our people (e.g. security-aware employees who spot trouble early)
Processes:
Processes are work practices or workflows, the steps or activities needed to accomplish business objectives.
Processes are described in procedures.
Virtually all business processes involve and/or depend on information, making information a critical business asset.
Information security policies and procedures define how we secure information appropriately and repeatedly.
What is Information Security?
Preservation of confidentiality, integrity and availability of information.
NOTE: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
What is an Information Security Management System?
An Information security management system is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
ISMS Sections Overview
1. Sections 0-3: Informational
Purpose: These sections provide contextual and foundational information related to the ISMS.
Content:
Overview of Information Security: Defines key concepts, goals, and objectives of the ISMS.
Scope of ISMS: Describes the boundaries of the information security management system, including the areas and departments it covers.
Key Roles and Responsibilities: Identifies the stakeholders responsible for implementing and maintaining ISMS, like the information security officer, management, and employees.
Importance: This part ensures everyone involved has a clear understanding of why the ISMS is in place, and how it aligns with the organization’s objectives.
2. Sections 4-10: Operational Requirements
Purpose: These sections lay out the specific requirements and processes needed for effective information security management.
Content:
Section 4: Context of the organization, considering internal and external issues affecting ISMS.
Section 5: Leadership and top management's role in setting the direction for ISMS.
Section 6: Planning, including risk assessment and addressing potential security risks.
Section 7: Support, including resources and training to support ISMS processes.
Section 8: Operational controls and procedures for handling information securely.
Section 9: Performance evaluation, including monitoring and reviewing the effectiveness of the ISMS.
Section 10: Continuous improvement, ensuring that the ISMS evolves and adapts to new risks and challenges.
Importance: These sections define how ISMS should operate within the organization to safeguard information effectively and meet security objectives.
3. Annexure A - Requirements and Statement of Applicability
Purpose: This section provides a detailed list of controls and their applicability based on the organization’s risk assessment and specific needs.
Content:
Statement of Applicability: A document that outlines the controls to be applied, their justification, and how they help mitigate identified risks.
The annex lists security controls from ISO/IEC 27001 standards, such as access control, incident management, and business continuity.
It specifies which controls are applicable, why they are needed, and how they will be implemented within the organization.
Importance: This section helps ensure transparency and accountability, showing which security measures are in place and ensuring they align with the organization’s identified risks and needs.
Summary:
Sections 0-3 (Informational): Provide foundational knowledge about ISMS, its purpose, scope, and roles.
Sections 4-10 (Operational Requirements): Outline the detailed processes and actions needed for implementing and maintaining ISMS.
Annexure A (Statement of Applicability): Lists and justifies the specific security controls that should be applied to address the organization's risks (see clause 6.1.3 d).
1. Shall
Meaning: Mandatory requirement – something that must be done.
Usage: When the word "shall" is used, it means that the organization must comply with the requirement or action.
Example: "The organization shall implement access controls for sensitive data."
2. Should
Meaning: Recommended action – something that ought to be done but is not mandatory.
Usage: "Should" suggests a best practice or a recommendation, but if not followed, it’s not considered a nonconformity.
Example: "The organization should conduct regular security training for employees."
3. May Be
Meaning: Optional – something that is possible but not required.
Usage: "May be" suggests flexibility, indicating that it's an option, not a requirement.
Example: "The organization may be able to implement additional encryption on mobile devices."
Key Takeaways:
"Shall" = Must do it (mandatory).
"Should" = Recommended (good practice, but not required).
"May be" = Optional (it’s a possibility, not an obligation).
Hacker's Mantra:
Everything is theoretically impossible, until it is done. -- Robert A. Heinlein