Presentation on iso 27001-2013, Internal Auditing and BCM
1. July 2014
Summer Internship Presentation
“Know-how of ISO 27001:2013, Internal Auditing and Business Continuity Management”
Company – Ltd.
Submitted By – Shantanu Rai
PRN – 13030241177
Division – D
MBA–ITBM, 2013 – 2015 batch
2. Agenda
Introduction to the Project
Analysis of Work Done
Project 1 – Roadmap for Transition to ISO 27001:2013
Project 2 – Process Map for Internal Auditing
Project 3 – Specific Scenario Business Continuity Management Preparedness
Learning and Experience on Business and Technology
Conclusion
3. Introduction
• Ltd., a part of the Mahindra group conglomerate, is an Indian multinational firm that provides information technology, network technology solutions and business support services to the telecom industry. The firm works across fifty-one countries and serves six hundred thirty customers
• The vision of the firm is “We will Rise” and be among the top three leaders in each of the chosen markets and segments while fostering innovation and inclusion
• They are into various services like communication, consulting, enterprise architecture, infrastructure, networks, product life cycle management, testing and information security. They have an internal information security group to implement well-articulated and meticulous information security
• During my internship I worked with the Information Security group of the organization, which is a support function, on three projects.
• The first one was the roadmap for transition to ISO 27001:2013, the second one was to understand the process map of Internal Auditing and the third one was a specific case scenario on Business Continuity Management preparedness.
Slide No. 1 July 2014
4. Analysis of Work Done: Project 1 – Roadmap for Transition to ISO 27001:2013
• Currently the organization is ISO 27001:2005 compliant and aims to go for the upgraded version, ISO 27001:2013
• This is done by performing a gap analysis and checking the status of the controls, adding applicable new controls and removing the redundant controls
• It is part of the harmonization change effort from ISO and is better aligned with the business
• The reasons for shifting to ISO 27001:2013 are market assurance and governance
5.
• The roadmap for transition includes preparation of a list of documents, which are shown in the Excel sheet:
• There are sheets for mapping of controls and requirements, along with deleted and added controls and requirements
• The Statement of Applicability, which tells the status of each control and the reason the control is selected (legal, business, contractual or risk related)
• The Gap Assessment sheet, which gives an idea of the gaps existing in the controls implemented in the organization, to which level they are optimized and what needs to be fulfilled
6. Project 2 – Process Map for Internal Auditing
Process flow (Information Security Monitoring and Compliance): Scheduling of Audit → Preparing of Audit → Conducting Audit → Preparing Audit Report → Follow Up Action
Scheduling of Audit
• Auditing is done in house with the help of a tool which schedules the audit automatically
• Frequency of the audit depends upon the client’s requirement and project criticality
• Thus the audit cycle and audit plan are fixed between the auditor and the project manager
Preparing of Audit
• Audit preparation includes making the checklist for the audit
• The auditor prepares a questionnaire including all the relevant points and the areas which are to be covered while conducting the audit
Conducting Audit
• The audit is conducted by the primary and the secondary auditor, who put the questions to the project manager or the SPOC responsible for the project
• The questions are asked keeping the current information security policy as a benchmark
Preparing Audit Report
• After the audit is conducted, the evidence is collected, based on which an audit report is prepared
• The audit report includes strengths observed and non-conformities, along with the corrective and preventive actions which must be taken to avoid any deviation from the standard
Follow Up Action
• Follow-up actions are taken by the auditor to make sure that the non-conformity is cleared by the project manager within the given span of time
• The report is escalated to higher management in case of repeated non-conformities and appropriate action is taken accordingly
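The follow-up and escalation stages of the process map above can be tracked mechanically once findings are recorded with an agreed closure date. The following is an added example, not code from the presentation or from the organization it describes: it keeps non-conformities per project and Annex A control across audit cycles, lists the ones the auditor must chase because they are overdue, and flags controls raised in two or more cycles for escalation to management. Project names, dates, descriptions and the choice of control references are constructed sample data.

```python
"""Tracking non-conformities across internal audit cycles (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    project: str           # audited project (constructed sample name)
    control: str           # Annex A control reference the NC is raised against
    description: str
    raised_on: date        # audit date on which the NC was recorded
    due_on: date           # agreed closure date for the corrective action
    closed_on: Optional[date] = None


@dataclass
class AuditReport:
    project: str
    audit_date: date
    strengths: List[str]
    nonconformities: List[Finding]
    corrective_actions: Dict[str, str] = field(default_factory=dict)  # control -> action


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Findings without a closure date are still open against the project manager."""
    return [f for f in findings if f.closed_on is None]


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings past their agreed closure date: the auditor follows these up."""
    return [f for f in open_findings(findings) if today > f.due_on]


def repeated_nonconformities(history: List[Finding], threshold: int = 2) -> Dict[str, int]:
    """Count audit cycles in which the same control was raised for the same project.

    A control raised in `threshold` or more cycles is a repeated non-conformity
    and, per the process map, is escalated to higher management.
    """
    counts: Dict[str, int] = {}
    for f in history:
        key = f"{f.project}:{f.control}"
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


def needs_escalation(history: List[Finding]) -> bool:
    return bool(repeated_nonconformities(history))


def build_report(project: str, audit_date: date, history: List[Finding],
                 strengths: List[str]) -> AuditReport:
    """Assemble the report for one cycle: strengths, NCs raised that day, CAPA entries."""
    ncs = [f for f in history if f.project == project and f.raised_on == audit_date]
    capa = {f.control: f"Corrective action agreed, due {f.due_on.isoformat()}" for f in ncs}
    return AuditReport(project, audit_date, strengths, ncs, capa)


# Constructed sample data: two audit cycles of one project (Jan and Apr 2014).
SAMPLE_HISTORY = [
    Finding("Project-X", "A.9.2.1", "Joiner accounts created without approval",
            date(2014, 1, 15), date(2014, 2, 15), closed_on=date(2014, 2, 10)),
    Finding("Project-X", "A.12.4.1", "Event logs not reviewed weekly",
            date(2014, 1, 15), date(2014, 2, 15), closed_on=date(2014, 3, 1)),
    Finding("Project-X", "A.12.4.1", "Event logs still not reviewed weekly",
            date(2014, 4, 15), date(2014, 5, 15)),
    Finding("Project-X", "A.11.2.9", "Clear desk policy not followed",
            date(2014, 4, 15), date(2014, 5, 15)),
]

if __name__ == "__main__":
    today = date(2014, 6, 1)
    report = build_report("Project-X", date(2014, 4, 15), SAMPLE_HISTORY,
                          ["Access reviews evidenced", "Backup restores tested"])
    print(f"{len(report.nonconformities)} NCs raised on {report.audit_date}")
    for f in overdue_findings(SAMPLE_HISTORY, today):
        print("OVERDUE:", f.project, f.control, f.description)
    for key, n in repeated_nonconformities(SAMPLE_HISTORY).items():
        print(f"ESCALATE to management: {key} raised in {n} audit cycles")
```

The key for repetition is project plus control rather than the free-text description, so a reworded finding against the same control in the next cycle still counts as a repeat; the threshold of two cycles is an assumption, since the presentation only says "repeated".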
7. Project 3 – Specific Scenario Business Continuity Management Preparedness
• Business Continuity describes the processes and procedures an organization puts in place to ensure that essential functions can continue during and after a business interruption such as a disaster or system downtime
• BCM seeks to prevent interruption of mission-critical services during a business interruption up to the point where full services and operations are fully re-established
• BCM enables critical services or products to be continually delivered in the event of a business interruption
The BCP lays out a process to ensure that critical operations continue to be available during the interruption. There are five main ways to invoke BCM. Drills are conducted at regular intervals in order to test the resumption of operations at the time of a disaster, and also to make sure that the BCM plan is reviewed and updated to reflect the current operating environment. Five types of drills were conducted:
1. Call Tree Drill
2. Table Top Drill
3. Project Rehearsal
4. Environment Rebuild Drill
5. Data Restoration Drill
8. Business Continuity Plan for a given scenario
Step 1 – Resource Distribution
• It is for backup of different locations or different resources
• If site A, the main location, is down then one can shift to site B, which would be in a different city, and if site B is down one can shift to site C, which might be in a different nation, thus continuing the business without any interruption
Step 2 – Critical Process Priority
• It is done to identify the most critical process of the project or the organization; utmost priority is given to it for response time and resolution time
• Response and resolution time are set as per the SLA
Step 3 – Calculation of BCM variables
• The calculation of variables like RTO, MAO and MBCO will give an estimate of how much time it will take to respond to and resolve a ticket
Step 4 – Setting up of Infrastructure
• It tells that all the hardware and software must be uniquely identified
• All the critical infrastructure items must have a backup and redundant item in case of breakdown
Step 5 – Incident Response Activities
• There must be an incident response team in order to report the incident that happened
• Incidents are classified on the basis of severity
• It defines the key responsibilities of the people involved at the time of the incident. It also tells whom to communicate the incident to and how
Step 6 – Business Resumption Plan / Post Disaster Activities
• Plan to bring the business back to normal
• Establish a damage assessment team
• Calculation of the impact of the disaster
• Submission of the disaster report in documented form
• Establish a team to work on restoration of all the loss
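Steps 1 to 3 above (site failover, critical process priority and the BCM variables) can be checked for consistency before a drill rather than discovered during one. The following is an added example, not part of the presentation or the organization's plan: it records RTO (Recovery Time Objective), MAO (Maximum Acceptable Outage) and MBCO (Minimum Business Continuity Objective) per critical process, applies the standard BCM rule that the RTO must not exceed the MAO, checks that the SLA resolution time for the process's severity fits inside its RTO, and picks the next site in the failover order when a site is down. The process names, site names, SLA table, priority-to-severity mapping and all numbers are constructed assumptions.

```python
"""BCM variable consistency checks for critical processes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class CriticalProcess:
    name: str
    priority: int            # 1 = most critical (Step 2 of the plan)
    rto_hours: float         # Recovery Time Objective: target time to restore the process
    mao_hours: float         # Maximum Acceptable Outage: longest tolerable downtime
    mbco_percent: float      # Minimum Business Continuity Objective: minimum service level
    sites: Tuple[str, ...]   # failover order, e.g. ("Site A", "Site B", "Site C")


# Constructed SLA table (assumption): severity -> (respond hours, resolve hours)
SLA: Dict[str, Tuple[float, float]] = {
    "Sev1": (0.5, 4.0),
    "Sev2": (1.0, 8.0),
    "Sev3": (4.0, 24.0),
}


def validate(p: CriticalProcess) -> List[str]:
    """Return the BCM gaps for one process; an empty list means the variables are consistent."""
    gaps: List[str] = []
    if p.rto_hours > p.mao_hours:          # recovery target must fit inside the tolerable outage
        gaps.append(f"{p.name}: RTO {p.rto_hours}h exceeds MAO {p.mao_hours}h")
    if not 0 < p.mbco_percent <= 100:      # MBCO is a share of normal capacity
        gaps.append(f"{p.name}: MBCO {p.mbco_percent}% is not a valid capacity level")
    if len(p.sites) < 2:                   # Step 1 requires at least one backup location
        gaps.append(f"{p.name}: no backup site for resource distribution")
    return gaps


def severity_for(p: CriticalProcess) -> str:
    """Map process priority to the incident severity used for SLA timing (assumed mapping)."""
    return {1: "Sev1", 2: "Sev2"}.get(p.priority, "Sev3")


def sla_fits_rto(p: CriticalProcess) -> bool:
    """The resolution SLA for the process's severity must complete within its RTO."""
    _, resolve_hours = SLA[severity_for(p)]
    return resolve_hours <= p.rto_hours


def failover_target(p: CriticalProcess, down_sites: Set[str]) -> str:
    """First site in the failover order that is not down, or 'NONE' if every site is down."""
    for site in p.sites:
        if site not in down_sites:
            return site
    return "NONE"


def plan_summary(processes: List[CriticalProcess], down_sites: Set[str]) -> List[dict]:
    """Order processes by priority and report target site, SLA fit and gaps for each."""
    rows = []
    for p in sorted(processes, key=lambda x: x.priority):
        rows.append({
            "process": p.name,
            "severity": severity_for(p),
            "target_site": failover_target(p, down_sites),
            "sla_fits_rto": sla_fits_rto(p),
            "gaps": validate(p),
        })
    return rows


# Constructed sample processes: one consistent, one with RTO > MAO, one with no backup site.
SAMPLE_PROCESSES = [
    CriticalProcess("Billing mediation", 1, 4.0, 8.0, 60.0, ("Site A", "Site B", "Site C")),
    CriticalProcess("Customer portal", 2, 12.0, 8.0, 50.0, ("Site A", "Site B")),
    CriticalProcess("Internal reporting", 3, 48.0, 72.0, 20.0, ("Site A",)),
]

if __name__ == "__main__":
    for row in plan_summary(SAMPLE_PROCESSES, down_sites={"Site A"}):
        print(row)
```

Running it with Site A down shows the billing process failing over to Site B with no gaps, the customer portal flagged because its 12-hour RTO cannot satisfy an 8-hour MAO, and the reporting process with nowhere to fail over; those are exactly the findings a table-top drill is meant to surface.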
9. Learnings and Experience on Business and Technology
Road Map for transition to ISO 27001:2013
• Understanding the key differences between the two policies
• By doing the gap assessment analysis one could trace the gaps in the existing policy
• By preparing the statement of applicability one can see the status of all controls and at which level they are optimized in the organization
• They can add the controls which are not documented and managed in the organization and remove the ones which are not needed in the organization
• It encompasses all the activities going on in the organization
Process Map for Internal Auditing
• One gets the idea of preparation of the audit checklist, methodology of conducting the audit, putting up the questionnaires, collecting evidence and observations and report writing. It also tells about the corrective and preventive actions given by the auditor to the auditee
• It gives a clear idea of the risks which could breach security if the audits are not conducted in the respective manner
Specific scenario BCM preparedness
• The case scenario related to business continuity management gave an idea about the resilience of the firm
• The calculation of RTO, MBCO, MAO and other BCM variables gives an idea of how to lay out the BCM plan according to the SLA and other agreements which have been set by the supplier
• By framing the business continuity plan one can get an idea of how the resources are distributed as part of backup at different locations, setting up infrastructure, incident reporting, how to resume the business after the disaster has happened, estimation of the losses and other post-disaster activities which must be taken
10. Conclusion
• Preparation of mapping sheets, gap assessment sheet, control monitoring matrix and statement of applicability gave an idea of how to go for the upgraded ISO/IEC 27001:2013 version
• By conducting IT internal auditing we learnt the process to scrutinize the live projects in the organization, write the audit report and give corrective and preventive actions to the auditee
• The case scenario related to Business Continuity Management gave an idea about the resilience of the firm. It gave an idea of the various ways through which one can conduct the business continuity drills and invoke the continuity plan in case of any disaster
THANK YOU