Scenario 8: EsBank provides banking and financial solutions to the Estonian banking sector since September 2010. The company has a network of 30 branches with over 100 ATMs across the country.
Operating in a highly regulated industry, EsBank must comply with many laws and regulations regarding the security and privacy of dat
a. They need to manage information security across their operations by implementing technical and nontechnical controls. EsBank decided to implement an ISMS based on ISO/IEC 27001 because it provided better security, more risk control, and compliance with key requirements of laws and regulations.
Nine months after the successful implementation of the ISMS, EsBank decided to pursue certification of their ISMS by an independent certification body against ISO/IEC 27001 .The certification audit included all of EsBank's systems, processes, and technologies.
The stage 1 and stage 2 audits were conducted jointly and several nonconformities were detected. The first nonconformity was related to EsBank's labeling of information. The company had an information classification scheme but there was no information labeling procedure. As a result, documents requiring the same level of protection would be labeled differently (sometimes as confidential, other times sensitive).
Considering that all the documents were also stored electronically, the nonconformity also impacted media handling. The audit team used sampling and concluded that 50 of 200 removable media stored sensitive information mistakenly classified as confidential. According to the information classification scheme, confidential information is allowed to be stored in removable media, whereas storing sensitive information is strictly prohibited. This marked the other nonconformity.
They drafted the nonconformity report and discussed the audit conclusions with EsBank's representatives, who agreed to submit an action plan for the detected nonconformities within two months.
EsBank accepted the audit team leader's proposed solution. They resolved the nonconformities by drafting a procedure for information labeling based on the classification scheme for both physical and electronic formats. The removable media procedure was also updated based on this procedure.
Two weeks after the audit completion, EsBank submitted a general action plan. There, they addressed the detected nonconformities and the corrective actions taken, but did not include any details on systems, controls, or operations impacted. The audit team evaluated the action plan and concluded that it would resolve the nonconformities. Yet, EsBank received an unfavorable recommendation for certification.
Based on the scenario above, answer the following question:
According to scenario 8, the audit team evaluated the action plan and concluded that it would resolve the detected nonconformities. Is this acceptable?
Yes, the audit team must evaluate the action plan and verify if it is appropriate for correcting the detected nonconformities. This is part of the auditor's responsibilities to ensure that the proposed actions adequately address the issues identified during the audit.
As an auditor, you have noticed that ABC Inc. has established a procedure to manage the removable storage medi
a. The procedure is based on the classification scheme adopted by ABC Inc. Thus, if the information stored is classified as "confidential," the procedure applies. On the other hand, the information that is classified as "public," does not have confidentiality requirements: thus, only a procedure for ensuring its integrity and availability applies. What type of audit finding is this?
This scenario represents a conformity because ABC Inc. has implemented procedures for managing removable storage media that align with the classification scheme of the information stored. When information is classified as 'confidential,' more stringent procedures apply, whereas for 'public' information, the procedures focus only on integrity and availability, following the organization's defined information classification policy.
To verify conformity to control 8.15 Logging of ISO/IEC 27001 Annex A, the audit team verified a sample of server logs to determine if they can be edited or deleted. Which audit procedure was used?
The audit procedure used here is 'analysis.' The audit team analyzed server logs to verify if they can be edited or deleted, focusing on evaluating the logs' properties and the controls over their manipulation to ensure they comply with ISO/IEC 27001 requirements.
The auditor discovered that two out of 15 employees of the IT Department have not received adequate information security training. What does this represent?
This scenario represents an 'audit finding.' An audit finding refers to results that indicate a deviation from the expected performance or standards. Discovering that two employees have not received the required training is an audit finding indicating noncompliance with the organization's training requirements.
After drafting the audit conclusions, the work documents of the audit team leader were reviewed by another auditor selected by the certification body. Is this acceptable?
Yes, it is acceptable for the work documents of the audit team leader to be reviewed by another auditor after reaching audit conclusions. This is part of the quality control and assurance processes within the audit to ensure the accuracy and reliability of the audit conclusions.
Barabara
3 days agoJaney
18 days agoRoselle
27 days agoZachary
1 months agoEmeline
1 months agoLisandra
2 months agoJulio
2 months agoMy
2 months agoVi
2 months agoGlynda
3 months agoStephen
3 months agoJody
4 months agoSusy
4 months agoOnita
4 months agoHarrison
5 months agoTori
5 months agoReuben
6 months ago