A Comprehensive Guide to Information Security Management and Audit

The text is written to provide readers with a comprehensive study of information security and management system, audit planning and preparation, audit techniques and collecting evidence, international information security (ISO) standard 27001, and asset management. It further discusses important topics such as security mechanisms, security standards, audit principles, audit competence and evaluation methods, and the principles of asset management. It will serve as an ideal reference text for senior undergraduate, graduate students, and researchers in fields including electrical engineering, electronics and communications engineering, computer engineering, and information technology. The book explores information security concepts and applications from an organizational information perspective and explains the process of audit planning and preparation. It further demonstrates audit techniques and collecting evidence to write important documentation by following the ISO 27001 standards. The book: Elaborates on the application of confidentiality, integrity, and availability (CIA) in the area of audit planning and preparation Covers topics such as managing business assets, agreements on how to deal with business assets, and media handling Demonstrates audit techniques and collects evidence to write the important documentation by following the ISO 27001 standards Explains how the organization’s assets are managed by asset management, and access control policies Presents seven case studies

Table of Contents:
Chapter 1: Information Security & Management System 1. Information Security Overview 1.1 The OSI Security Architecture 1.2 Information Security 1.3 Security Services 1.4 Security Mechanisms 1.5 The CIA and DAD Triads 1.6 ISMS Purpose and Objectives 1.7 Frameworks 1.8 Security Standards 1.9 Standard 1.10 Security Procedures 1.11 Security Guidelines 1.12 Compliance vs. Conformance Chapter: 2 Audit Planning and Preparation 2.1 Reasons for Auditing 2.2 Audit Principles 2.2.1 Planning 2.2.2 Honesty 2.2.3 Secrecy 2.2.4 Audit Evidence 2.2.5 Internal Control System 2.2.6 Skill and Competence 2.2.7 Work Done by Others 2.2.8 Working Papers 2.2.9 Legal Framework 2.2.10 Audit Report 2.3 Process of Audit Program Management 2.3.1 Preparing for an Audit 2.3.2 Audit Process 2.4 Audit Competence and Evaluation Methods 2.4.1 Audit of Individuals 2.4.2 Audit of Sole-Trader’s Books of Accounts 2.4.3 Audit of Partnership Firm 2.4.4 Government Audit 2.4.5 Statutory Audit 2.4.6 Audit of Companies 2.4.7 Audit of Trust 2.4.8 Audit of Co-operative Societies 2.4.9 Audit of other Institutions 2.4.10 Tax Audit 2.4.11 Balance Sheet Audit 2.4.12 Partial Audit 2.4.13 Internal Audit 2.4.14 Management Audit 2.4.15 Post & Vouch Audit 2.4.16 Audit in Depth 2.4.17 Interim Audit 2.5 Audit Responsibilities 2.5.1 Reporting on the Financial Statements 2.5.2 Unmodified Opinions 2.5.3 Modified Opinions 2.5.4 Emphasizing Certain Matters without Modifying the Opinion 2.5.5 Communicating "Other Matters" 2.5.6 Other Information Included in the Annual Report 2.5.7 Other Legal and Regulatory Requirements 2.5.8 Reporting on the Financial Statements 2.6 Audit Time and Process Flow 2.6.1 What is a Process? 2.6.2 Process Description 2.6.3 Control of Processes 2.6.4 Advanced Process and System Modelling 2.7 ISMS Audit Check List 2.7.1 Why ISO 27001 Checklist is Required? What is the Importance of ISO 27001 Checklists? 2.7.2 Who all can use ISO 27001 Audit Checklist? 2.7.3 How many ISO 27001 Checklists are Available? 2.7.4 How to find out which ISO 27001 Checklists are Suitable for me? 2.7.5 Important Information on ISO 27001 Checklist File 2.7.6 Who has Prepared and Who has Validated ISO 27001 Checklists? 2.7.7 What is the Basis of the ISO 27001 Checklists? 2.7.8 How to use ISO 27001 Checklist? Chapter 3: Audit Techniques and Collecting Evidence 3.1 Auditor Quality and Selection 3.2 Audit Script 3.3 Audit Stages 3.4 Audit Techniques 3.5 Collecting Evidence Through Questions 3.6 Observation 3.7 Reporting to Audit Finding 3.8 Audit Team Meeting 3.9 Nonconformities and Observation 3.10 Corrective and Preventive Actions. Chapter 4: ISO 27001 Overview of An Information Security and Management System (CIA And DAD Triads) 4.1 Purchase A Copy of the ISO/IEC Standards 4.2 Obtain Management Support 4.3 Determine the Scope of The ISMS 4.4 Identify Applicable Legislation 4.5 Define A Method of Risk Assessment 4.6 Create an Inventory of Information Assets to Protect 4.7 Identify Risks 4.8 Assess the Risks 4.9 Identify Applicable Objectives and Controls 4.10 Set Up Pol Icy, Procedures and Documented Information to Control Risks 4.11 Allocate Resources and Train the Staff 4.12 Monitor the Implementation of The Isms 4.13 Prepare for The Certification Audit Chapter 5: Asset Management Introduction 5.1 What Are Assets According to ISO 27001? 5.2 Why Are Assets Important for Information Security Management? 5.3 How to Build an Asset Inventory? 5.4 Who Should Be the Asset Owner? 5.5 ISO 27001/ISO 27005 Risk Assessment & Treatment – 6 Basic Steps 5.6 The Basic Steps Will Shed Light on What One Have to Do 5.6.1 ISO 27001 Risk Assessment Methodology 5.6.2 Risk Assessment Implementation 5.6.3 Risk Treatment Implementation 5.6.4 ISMS Risk Assessment Report 5.6.5 Statement of Applicability 5.6.6 Risk Treatment Plan 5.7 ISO 27001 Controls from Annex A 5.7.1 How many domains are there in ISO 27001? 5.7.2 What are the 14 domains of ISO 27001? 5.8 The Importance of Statement of Applicability for ISO 27001 5.8.1 Why it is needed 5.9 ISO 27001: A.8 Asset Management 5.9.1 Introduction 5.9.2 Level of Assets 5.9.3 Asset Management 5.9.4 The Principles of Asset Management 5.9.5 Asset Life Cycle 5.9.6 Seven steps to implement Asset Management 5.10 Responsibility for Assets 5.11 Information Classification 5.12 Media Handling 5.13 BYOD 5.13.1 What are the types of BYOD? 5.13.2 Why is BYOD important? 5.13.3 Benefits of BYOD 5.13.4 Risks of BYOD 5.13.5 Keys to effective BYOD 5.13.6 Guidelines to help plan and implement effective BYOD

About the Author :
Banoth Rajkumar, B.Tech, M.Tech & Ph.D, Associate Professor, Marwadi University, Rajkot, India. IEEE senior members, Cyber Security Operations Certified Trainer, Published six text books comprising domains Networking, Computer Organization and Architecture and Computer Forensic, Published eighteen Hi-indexed SCI and Scopus Journals and Presented nine Conference papers. Along with having membership in “The Institution of Engineers (India)” and so on. Gugulothu Narsimha, B.Tech, M.Tech, PhD, Currently working as a Vice Principal & Professor in Department of Computer Science and Engineering at JNTUH College of Engineering Sultanpur, Telangana, India. An applauded academician and researcher possessing 22 years of experience in teaching, research and administration in well-reputed educational institutions majorly in state universities JNTU-Kakinada and JNTU-Hyderabad alongside private institutions. Godishala Arunakranthi, B.Tech, M.Tech, Research Scholar, Brunei University Darussalam, Brunei.Pursued Bachelor of Technology in Computer Science and Engineering and Master of Technology in Software Engineering from Jawaharlal Nehru Technological University, Hyderabad.