Management, compliance & auditing

ISO27002 Security Framework – Audit Program Template

June 15, 2011 by Kenneth Magee

Several people have asked for an IT Audit Program Template for an audit based on the ISO/IEC 27002:2005(E) security standard.  This template, which can be found here

[download]

will help you in your assessment of an organization’s information security program for CobiT Maturity Level 4.

CobiT Maturity Level 4 Managed and Measurable, states that the status of the Internal Control Environment is “There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.”

CobiT Maturity Level 4 Managed and Measurable, states that for the Establishment of Internal Controls; “IT process criticality is regularly defined with full support and agreement from the relevant business process owners.  Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored.  External control reviews are organized occasionally.”

As an example, one of the questions in the section on “Allocation of information security responsibilities” is written as follows:

Are the assets and security processes associated with each particular system identified and clearly defined?

While this is a straightforward “yes” or “no” question, in order to answer that question the IT auditor would need to look at an organization’s Business Impact Analysis and verify that the assets and security processes were indeed identified and clearly defined.

You will also notice that I have cross-referenced each of the steps to the appropriate sections within CobiT.

I hope the template ISO27002 Security Framework will be of assistance to you.

Kenneth

Posted: June 15, 2011
Articles Author
Kenneth Magee
View Profile

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.

Website LinkedIn
In this Series
Related Bootcamps
Incident Response

12 responses to “ISO27002 Security Framework – Audit Program Template”

  1. valdez ladd says:
    June 16, 2011 at 2:34 am

    Thank you, Thank you, & blessingsfor the ISO 27002

    Reply
  2. Ankita says:
    June 28, 2011 at 5:46 am

    This piece of article is really very informative … Thank you so much!

    Reply
  3. Benson Dana says:
    June 29, 2011 at 12:16 pm

    This is outstanding. Very generous of you. Thanks!

    Reply
  4. Donna Hulteng says:
    July 5, 2011 at 3:50 pm

    Thanks Ken!! This is EXCELLENT!

    Reply
    • Kenneth Magee says:
      July 5, 2011 at 6:51 pm

      Donna,

      You’re welcome. Please let me know if it is applicable to the banking industry or if there should be some “tweaks.”

      Ken

      Reply
  5. John says:
    November 3, 2011 at 5:01 pm

    Thanks Ken, this will be very useful with our ISO alignment initiative.

    Reply
  6. Vikas Srivastava says:
    December 5, 2011 at 1:26 pm

    Thanks a lot Kenneth, this is indeed a very useful resource.

    Reply
  7. Sandeep Jopat says:
    September 27, 2012 at 1:34 pm

    very useful resource,

    Reply
  8. Iqbal says:
    October 22, 2012 at 4:37 am

    Hey Kenneth,
    This stuff is really helpful and informative. I am wondering if you have ever written something on IT audit in relation to compliance with SOX 404 and other sections.

    Regards,

    iqbal

    Reply
  9. James Rike says:
    April 23, 2013 at 11:51 pm

    Thank you for the audit tool which is extremely helpful.

    Reply
  10. Isaias says:
    January 10, 2014 at 12:28 am

    Hey Ken,

    Thanks a lot for the share. Very helpful.

    Cheers!,

    Reply
  11. Amy Cadena says:
    March 30, 2014 at 5:24 pm

    Hi Kenneth,
    I am working on my Phd in Information Security and I’m interested in talking with you about your expertise in the cyber security and risk management field. Please call me or email me at 2102741479.

    Thank you,
    Amy Cadena

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *