ISO - Training - Day - 2

Corrective Action

Corrective action refers to the steps taken to fix a problem or nonconformity that has been identified during an audit in an Information Security Management System (ISMS).

1. Corrective Action

• Definition: Steps taken to fix a problem after it has been identified.

• Goal: To eliminate the causes of nonconformities (issues or problems) so that they don’t happen again.

• Example: If an unauthorized person accesses sensitive data, a corrective action might be to strengthen the access control policy and train staff on the updated policy.

2. Preventive Action

• Definition: Steps taken to prevent potential problems before they happen.

• Goal: To address possible risks and issues before they occur, based on past experiences or identified risks.

• Example: Installing additional security software to prevent future data breaches.

3. Root Cause Analysis

• Definition: The process of finding the real reason why a problem occurred.

• Goal: To identify the underlying causes of an issue, not just the symptoms.

• Method: Common techniques include the "5 Whys" (asking "Why?" five times) or a fishbone diagram.

• Example: If a data breach happens, root cause analysis might reveal that the issue was poor staff training on data handling, not the security software itself.

Key Differences:

• Corrective Action fixes existing problems.

• Preventive Action prevents future problems.

• Root Cause Analysis finds out why a problem happened in the first place.

Processes

Processes are work practices or workflows, the steps or activities needed to accomplish business objectives.

• Processes are described in procedures.

• Virtually all business processes involve and/or depend on information making information a critical business asset.

Information security policies and procedures define how we secure information appropriately and repeatedly.

4 Context of the organization

4.1 Understanding the organization and its context: The organization must identify external and internal issues that are relevant to its purpose and impact its ability to achieve the desired outcomes of its ISMS. This involves understanding the broader context, as outlined in ISO 31000:2018, to effectively address potential risks and opportunities. Works on the organization nature

4.2 Understanding the needs and expectations of interested parties: The organization must identify interested parties relevant to the ISMS, determine their requirements, and decide which of these requirements will be addressed through the ISMS. This ensures the system aligns with the expectations of key stakeholders.

Interested parties is person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a decision or activity (2.41 point)

4.3 Determining the scope of the information security management system: The organization must define the boundaries and applicability of its ISMS, considering internal and external issues, stakeholder requirements, and interactions with other organizations. The scope must be documented and clearly available for reference.

Determining the scope (locication and function) for org. The scope shall be available as documented information.

Documented Information: information required to be controlled and maintained by an organization

4.4 Information security management system: The organization must establish, implement, maintain, and continually improve an ISMS, including the necessary processes and their interactions, to meet the requirements of ISO/IEC 27001. This ensures ongoing effectiveness and adaptation to changing security needs.

5 Leadership

5.1 Leadership and commitment: Top management must demonstrate leadership in the ISMS by ensuring alignment with the organization's strategic goals, providing necessary resources, and integrating ISMS requirements into business processes. They should communicate the importance of information security, ensure the system achieves its intended outcomes, promote continual improvement, and support other management roles in fulfilling their responsibilities for ISMS effectiveness.

5.2 Policy: Top management must establish an information security policy that aligns with the organization’s purpose, sets security objectives, commits to meeting relevant requirements, and supports continual improvement. The policy must be documented, communicated within the organization, and made available to interested parties as appropriate.

5.3 Organizational roles, responsibilities and authorities: Top management must ensure that roles, responsibilities, and authorities related to information security are clearly assigned and communicated. This includes assigning responsibility for ensuring the ISMS meets the requirements and reporting its performance to top management, with the option to delegate reporting within the organization.

7. Support

7.1 Resources: The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence: The organization must determine the required competence for individuals affecting information security, ensure they are competent through education, training, or experience, and take actions to fill any competence gaps. It must also evaluate the effectiveness of these actions and retain documented evidence of competence.

7.3 Awareness: All personnel must be aware of the organization's information security policy, understand their role in the effectiveness of the ISMS, including the benefits of improved security, and recognize the consequences of not complying with ISMS requirements.

7.4 Communication: The organization must determine the need for both internal and external communications related to the ISMS, including what information to communicate, when to communicate it, with whom to communicate, and how to communicate it.

7.5 Documented information: The organization’s ISMS must include documented information required by the standard and any additional information deemed necessary for the system's effectiveness. The extent of documented information may vary based on the organization's size, complexity, processes, and the competence of its personnel.

• 7.5.1 General

• 7.5.2 Creating and updating

• 7.5.3 Control of documented information

6 Planning

6.1 Actions to address risks and opportunities

• 6.1.1 General (Planning): The organization must consider internal and external issues (Clause 4.1) and stakeholder requirements (Clause 4.2) to identify risks and opportunities. Actions should be planned to address these risks, ensuring the ISMS can achieve its goals, prevent undesired effects, and promote continual improvement. The actions should be integrated into ISMS processes and evaluated for effectiveness.

• 6.1.2 Risk Assessment: The organization must define a risk assessment process that includes establishing risk criteria (acceptance and assessment), identifying and analyzing risks related to the confidentiality, integrity, and availability of information, and evaluating risks based on the likelihood and consequences. The results must be documented, and risks should be prioritized for treatment.

• 6.1.3 Risk Treatment: The organization must define a risk treatment process to select appropriate options based on the risk assessment. This includes determining necessary controls, ensuring no essential controls are omitted (referencing Annex A), and producing a Statement of Applicability. A treatment plan should be formulated, and approval should be obtained from risk owners for the treatment plan and acceptance of residual risks. Documentation of the risk treatment process is required.

6.2 Information security objectives and planning to achieve them

The organization must set information security objectives that align with the security policy, are measurable, and consider risk assessments. These objectives must be monitored, communicated, and updated as necessary, with documented evidence retained. The organization should plan how to achieve these objectives by defining actions, required resources, responsibilities, timelines, and evaluation methods.

6.3 Planning of changes:

When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

8 Operation

8.1 Operational planning and control

The organization must plan, implement, and control processes to meet requirements and actions from Clause 6. This includes establishing criteria for processes and ensuring they are controlled according to these criteria. Documented information should be available to confirm that processes are carried out as planned. Additionally, the organization must manage planned changes and assess the impact of unintended changes, taking corrective actions as needed to address any negative effects.

8.2 Information Security Risk Assessment: The organization must perform information security risk assessments at planned intervals or when significant changes occur, using the criteria defined in Clause 6.1.2. Documented information of the risk assessment results must be retained.

8.3 Information Security Risk Treatment: The organization must implement the information security risk treatment plan and retain documented information of the treatment results to ensure risks are effectively managed.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization must determine what needs to be monitored and measured, including information security processes and controls, and establish methods to ensure valid, comparable results. It should define when and who will perform the monitoring and measurement, as well as when and by whom the results will be analyzed and evaluated. Documented information should be available as evidence. The organization must evaluate the performance of information security and the effectiveness of the ISMS.

9.2 Internal audit

• 9.2.1 General (Internal Audits): The organization must conduct internal audits at planned intervals to check whether the ISMS conforms to its own requirements, the ISO/IEC 27001 standards, and is effectively implemented and maintained.

• 9.2.2 Internal Audit Programme: The organization must establish, implement, and maintain an internal audit program, including the audit frequency, methods, responsibilities, planning, and reporting. The program should consider the importance of the processes and previous audit results. The organization must define audit criteria and scope, ensure auditors are objective and impartial, and report audit results to relevant management. Documented information should be retained as evidence of the audit program and results.

9.3 Management review

• 9.3.1 General: Top management must review the ISMS at planned intervals to ensure it remains suitable, adequate, and effective.

• 9.3.2 Management Review Inputs: The review should consider:

  • Status of actions from previous reviews.

  • Changes in external and internal issues affecting the ISMS.

  • Changes in the needs and expectations of interested parties.

  • Feedback on information security performance, including trends in nonconformities, corrective actions, monitoring results, audit results, and achievement of security objectives.

  • Feedback from interested parties.

  • Results of risk assessments and the status of the risk treatment plan.

  • Opportunities for continual improvement.

• 9.3.3 Management Review Results: The results of the management review should include decisions on opportunities for continual improvement and any necessary changes to the ISMS. Documented information must be retained as evidence of the management review results.

PDCA Cycle in ISMS (ISO 27001)

The PDCA cycle (Plan-Do-Check-Act) is a continuous improvement process used to implement and manage the Information Security Management System (ISMS). It helps ensure that the ISMS remains effective and aligned with the organization's information security goals.

1. Plan:

   • Define the information security objectives, policies, and processes.

   • Conduct risk assessments to identify threats, vulnerabilities, and potential impacts.

   • Establish controls and plans to mitigate risks.

2. Do:

   • Implement the processes, procedures, and controls as planned.

   • Ensure resources and responsibilities are in place.

   • Execute the risk treatment plan and monitor activities.

3. Check:

   • Monitor and measure the performance of the ISMS through audits, reviews, and assessments.

   • Evaluate if objectives are being met, and identify areas of non-conformance or improvement.

4. Act:

   • Take corrective and preventive actions to address issues identified during the "Check" phase.

   • Make adjustments and improvements to the ISMS processes based on the evaluation results.

   • Update policies and procedures to enhance effectiveness.

The PDCA cycle ensures continual improvement by iterating through these steps, making the ISMS more efficient and adaptive to changing risks and requirements.

10 Improvement

10.1 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

Hacker's Mantra: Software Engineering might be science; but that's not what I do. I'm a hacker, not an engineer. -- Jamie Zawinski