ISO27001 audit in real-time....
1) opening meeting
1) opening meeting
Introductions
Blah blah blah
Auditer w domain experience
Key person unavailable (not a problem - business continuity)
Changes since Covid-19?
Emergency test of home-working for all staff: no major issues
Acquired another company
Sharepoint migration
Integration of previous acquisition
2) asset management
Review policy
Responsibility for mobile phones
Hardware inventory
Is Excel adequate? You must have assets everywhere 😳
This is workstations and laptops
Review last starter / joiner
Review leaver process - ticketed 👍
Returned equipment re-imaged and securely stored
Secure disposal policy
Searching for record of disposal
How do you ensure WEEE if you give old kit to staff 🤷♂️
Last WEEE certificate?
Need to maintain inventory of disposed equipment - WEEE certified
Opportunity for improvement
Information classification policy
USB controls
Tea time 🍵
Who actually does this 🤷♂️
Who can provide traceability for all their equipment through lifecycle 🤷♂️
Who still maintains equipment inventory in Excel? What else do you use?
3) access control
Access control policy
New starters process (again)
New starter form -> ticketed
Another worksheet
Includes apps and networks 👍
Review ticket
How are creds communicated?
Password policy
Enforced via GPO
Can we look at GPO?
Outsourced to MSP
Let’s review local policy
Local policy doesn’t match GPO 😳
Attempt to change password against policy fails 👍
Regular review of access rights
Process for non-ad accounts
Not IT responsibility -> application owner/admin
Control of domain admins
Logging and MFA
Review of domain admins
Generic MSP acct being replaced with named individuals
Leavers form
Compare w AD
Disabled 😅
Break for lunch 😋
This audit is better than most - the auditor has some knowledge of IT 😬
NB. We didn’t review network assets or cloud services!
4) operations security
Provide overview of infrastructure
(I won’t go into detail)
Various technologies for management and monitoring
Vulnerability management
MSP
Reporting
Patch management reports?
Defer to MSP
Outsources SOC
Review of network monitor dashboard
Lots of false positives
Behavioral monitoring and tuning
SOC is 24x7 but we’re 9x5
Reviewing antivirus tools
Checking client version (slightly out of date)
Still in support, no critical updates
Back to patch mgmt
Security updates immediately
Feature updates monthly
Feature updates monthly
Capacity monitoring (RMM)
Backup processes
Evidence?
Segue - home working
Physical controls 🤷♂️
Physical controls 🤷♂️
MFA enabled for users
Endpoint monitoring
Application version control biggest issue
Restrict local admin rights
Application whitelist (RMM)
Back to backups...
Dashboard report acceptable 🤨
No question of validating backups via restore 🤷♂️
Clock synchronisation
NTP.... telephones 🤷♂️
(I’d focus on cctv)
Password GPO revisited
One opportunity for improvement
5) supplier management
Please provide overview
Cross-functional approach ->
Commercial and Operational
Commercial and Operational
Eg contractual and service management
How do we track all this?
List of suppliers?
List of suppliers?
Another worksheet (Microsoft rules!)
A balanced scorecard
Based on commercials, tickets, sla, training...
Who manages access controls for suppliers?
And compliance / onboarding?
Reviewing contracts, etc
Onboarding worksheet ->
Financials
Services
Certifications
Financials
Services
Certifications
Do we ask for SOA for 27001 certs?
Due diligence is mainly commercial
Tiered categories for security assurance based on risk
5) closing
No significant issues; one opportunity for improvement
Recommendation for continued certification 👍
6) post-facto
Controls per group:
Assets management (10)
Access control (14)
Operations security (14)
Supplier relationships (5)
Assets management (10)
Access control (14)
Operations security (14)
Supplier relationships (5)
One hour for each only scratches the surface
This was a six monthly surveillance audit. The certification cycle is three years.
Certification and renewal covers all controls and management framework
But there is limited time and limited knowledge, so can only be sampled
You really have to rely on your internal audit process to identify issues
It’s easy to be compliant AND insecure 😟
If you depend on MSPs, make sure they’re doing what you expect of them. Make sure you clarify your expectations.
To rely on the MSP to demonstrate how they do eg patch mgmt, means you probably aren’t managing them adequately
How do you know they are doing backups
How do you know they are patching systems?
How do you know who has access to what?
Hod do you know if they’re monitoring the network?
Who they gonna call out of hours?
How do you know they configured systems securely?
What firewall rules are enabled?
And why 🤷♂️
• • •
Missing some Tweet in this thread? You can try to
force a refresh
