
CIMSNex User Guides


To assess compliance with A.5.36 "Compliance with Policies, Rules, and Standards for Information Security," an information security auditor would need to review a variety of evidence and documentation to ensure that an organization is effectively adhering to its established policies, rules, and standards for information security. Here is a list of evidence that an auditor may require:

  1. Information Security Policies: Copies of documented information security policies, rules, and standards that the organization has established. These documents should outline the requirements, expectations, and guidelines for information security practices.

  2. Policy Review and Approval: Documentation showing the approval process for information security policies and procedures, including signatures from senior management or relevant stakeholders.

  3. Communication of Policies: Records of how information security policies are communicated to employees and other stakeholders within the organization.

  4. Employee Training Records: Evidence of employee training and awareness programs related to information security policies and standards.

  5. Policy Acknowledgment: Documents or logs showing that employees have acknowledged and understood the organization's information security policies.

  6. Policy Implementation: Records demonstrating how the organization has translated information security policies into actionable controls and practices.

  7. Documented Procedures: Detailed procedures, guidelines, or work instructions that provide step-by-step instructions for implementing specific security controls based on the established policies.

  8. Conformance Monitoring: Documentation detailing how the organization monitors adherence to its information security policies, rules, and standards.

  9. Exception Handling: Records of any exceptions or deviations from established policies, along with explanations and justifications for such exceptions.

  10. Incident Reports: Records of any incidents or breaches related to non-compliance with information security policies, along with actions taken to address them.

  11. Audit Findings: Reports from internal or external audits, assessments, or reviews that highlight areas of non-compliance or potential gaps with established policies.

  12. Corrective Actions: Documentation of corrective actions taken in response to identified policy violations or non-compliance issues.

  13. Policy Updates: Proof of how the organization updates its information security policies, rules, and standards to reflect changes in technology, regulations, or business operations.

  14. Evidence of Monitoring: Logs, reports, or tools that show ongoing monitoring of systems, processes, and user activities to ensure compliance with established policies.

  15. Third-Party Assessments: Documentation from third-party assessments or certifications that validate the organization's compliance with specific standards or frameworks.

  16. Management Reporting: Records demonstrating how compliance with information security policies is reported to senior management or the board of directors.

  17. Review of Access Controls: Evidence of regular reviews of user access rights and permissions to systems and data, ensuring that they align with established policies.

  18. Configuration Management: Documentation showing how configuration management processes align with information security policies and standards.

  19. Change Management: Records demonstrating how changes to systems, applications, and configurations are reviewed against established policies before implementation.

  20. Performance Metrics: Data indicating key performance indicators (KPIs) related to compliance with information security policies, rules, and standards.

  21. Documentation Retention: Proof of how records related to compliance with policies are retained and managed over time.

By examining these types of evidence, an auditor can determine the extent to which an organization complies with its information security policies, rules, and standards and whether there are any areas of non-compliance that need to be addressed.

Managers, service, product or information owners should identify how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.

If any non-compliance is found as a result of the review, managers should:

  • identify the causes of the non-compliance;
  • evaluate the need for corrective actions to achieve compliance;
  • implement appropriate corrective actions;
  • review the corrective actions taken to verify their effectiveness and identify any deficiencies or weaknesses.

Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews when an independent review takes place in the area of their responsibility.

Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review.

 

Technical compliance should be reviewed, either by IT or as part of an independent review, preferably with the assistance of automated tools that generate technical reports for subsequent interpretation by a technical specialist. Many organizations already perform such technical compliance reviews. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information life cycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some organizations to use third parties for these purposes. However, these examinations are only a 'snapshot' at a point in time and must be repeated at recurring intervals in order to become an effective method or process.

 


Evidence an auditor would review to assess compliance with A.5.35 "Independent Review of Information Security" would include:

  1. Audit Reports: Copies of audit reports conducted by independent auditors or internal audit teams, assessing the organization's information security controls, policies, and practices.

  2. Scope and Objectives: Documentation outlining the scope, objectives, and criteria of the independent review, indicating what aspects of information security were assessed.

  3. Audit Plan: Evidence of a structured audit plan, including methodologies, sampling techniques, and timelines used to conduct the review.

  4. Findings and Recommendations: Detailed findings from the independent review, including any identified weaknesses, vulnerabilities, and non-compliance issues. Corresponding recommendations for improvements should also be provided.

  5. Corrective Actions: Documentation of corrective actions taken in response to identified findings and recommendations, along with evidence of their implementation and effectiveness.

  6. Follow-Up: Records of follow-up audits or assessments conducted to verify the implementation and effectiveness of corrective actions.

  7. Auditor Qualifications: Proof of qualifications and certifications of the independent auditors involved in the review, demonstrating their competence and expertise in information security.

  8. Risk Assessment: Documentation indicating how the organization's risk assessment process influenced the scope and focus of the independent review.

  9. Documentation Review: Evidence of the auditors' examination of relevant documentation, policies, procedures, and controls related to information security.

  10. Interviews: Notes or transcripts from interviews conducted with key personnel responsible for information security practices and controls.

  11. Testing Methods: Documentation of testing methods employed to assess the effectiveness of information security controls, such as vulnerability assessments, penetration testing, or security scanning.

  12. Compliance Assessment: Proof of compliance with relevant information security standards, frameworks, or regulations, as evaluated through the independent review.

  13. Third-Party Verification: Records of any third-party certifications or attestations obtained to validate the organization's information security practices.

  14. Executive Summary: A summary report outlining the key findings, strengths, weaknesses, and overall effectiveness of the organization's information security controls.

  15. Continuous Improvement: Documentation demonstrating how the organization utilizes the results of independent reviews to drive continuous improvement in its information security posture.

  16. Audit Program Management: Evidence of how the organization manages its independent review program, including planning, scheduling, and reporting processes.

  17. Board and Management Reporting: Documentation of how the findings and recommendations from independent reviews are reported to the organization's board of directors and senior management.

  18. Evidence of Follow-Up Actions: Proof that recommendations from previous independent reviews were addressed and resolved in subsequent audits.

  19. Non-Disclosure Agreements: If applicable, copies of non-disclosure agreements (NDAs) or confidentiality agreements signed between the organization and independent auditors.

  20. Stakeholder Communication: Documentation of how the results of independent reviews are communicated to relevant stakeholders, such as employees, customers, or regulatory bodies.

  21. Lessons Learned: Records of lessons learned from previous independent reviews and how they contributed to enhancing the audit process and information security practices.

By examining these types of evidence, an auditor can assess whether the organization has conducted independent reviews of its information security controls and practices, identified areas for improvement, and implemented corrective actions to enhance its overall security posture.

In addition to the periodic independent reviews, the organization should consider conducting independent reviews when:

  • laws and regulations which affect the organization change;
  • significant incidents occur;
  • the organization starts a new business or changes a current business;
  • the organization starts to use a new product or service, or changes the use of a current product or service;
  • the organization changes the information security controls and procedures significantly.

The outcome of the independent review and the actions taken would also be discussed in the subsequent management review. Alongside periodic reviews, it may be necessary to initiate ad-hoc reviews. These reviews can be justified across 5 key areas:

  • Any laws, guidelines or regulations are amended which affect the organisation's information security operation.
  • Major incidents occur that have an impact on information security (data loss, intrusion etc.).
  • A new business is created, or major changes are enacted to the current business.
  • The organisation adopts a new product or service that has information security implications, or makes underlying changes to a current product or service.
  • Major changes are made to the organisation's bank of information security controls, policies and procedures.

Independent reviews may take the form of internal audits, external assessments by consultants or certified auditors, regulator assessments, and monthly, quarterly or annual management reviews.

 
