The scope of this audit report consists of establishing the rules and protocols for carrying out an effective audit of English & American plc, a company based in the Lloyds of London insurance market. The company has requested a partial ISO 27002 compliance audit, which is to be undertaken by our company, CyberSAFE. English & American plc is in the business of selling insurance and underwriting risk. The company’s compliance audit against ISO 27002 covers the physical and environmental security of its information and intellectual assets, comprising IT systems, scanners, PCs, cloud computing systems and other IT devices (Fenz and Neubauer, 2018). The following audit plan focuses on the specific requirements of Section 11.1 and Section 11.2 of ISO 27002 (2013) in the context of our client, English & American plc.
The business environment of English & American plc consists of selling insurance contracts and underwriting risks for a broad base of clients, including retail customers, corporate houses, government offices and others. The company underwrites a variety of risks, including financial, non-financial, speculative and fundamental risks.
The audit management system holds immense importance in an organization, and selecting the right audit system from the available options matters even more. This part of the study highlights the ISO27002 management system of auditing as guidance for the organization. ISO27002 is an information security, cyber security and privacy protection standard which provides guidance on administering audit programmes and is widely referred to as the ISMS audit programme (ISMS, 2022). The audit programme was initially introduced in November 2011 and was last updated on January 21, 2020; it is a standard that applies to those who are required to understand or perform internal or external audits of an ISMS, and the same understanding applies to administering the audit programme as well.
The guidance of ISO27007 is also a member of the ISO/IEC 27000 family of standards on information security management systems (ISMSs), which is widely regarded as the systematic method for protecting highly sensitive information. This protection is built into the system because it establishes principles for a strong approach to security management and for upgrading the resilience of information. This kind of audit system is important for the present business because it allows a business to manage huge amounts of data while continuing to offer its products and services. The destruction wrought by attacks on such data ranges from celebrities embarrassed by careless images, to the theft of personal information, to multimillion-dollar political demands aimed at even the most powerful corporations. Accordingly, businesses have a moral and legal obligation to protect such data from cybercriminals. The situation becomes more critical when the data contains information of financial or medical relevance.
To meet such protection needs, international standards like ISO27000 come into play, which provide the capabilities an organisation needs to secure its crucial data. This international standard has been well acknowledged by international business managers: Emmie Cooney, manager at the organization AMIGO, reported that the organisation was pleased to find this kind of solution because it made everything fit together more easily (ISO, 2022). The solution has also received appreciation from organizations such as METCloud, Beryl, boomerang and NHS Professionals. The audit management system defined by the standard is broad in scope, as it prescribes a range of audit criteria which are flexible enough to be used either individually or in combination for an information security management system audit. The system is not limited to a confined area: it also analyses and describes management system plans, which relate to the outputs of an ISMS. Moreover, in order to be relevant to all kinds of organizations, the standard also covers ISO audits of different scopes and scales, including those undertaken by the large audit teams generally associated with larger organizations.
Finally, it must be stated that ISO27007 is relevant to individuals who are required to understand or perform internal and external audits of an information security management system, along with those who administer an ISMS audit programme. It must also be stated that using such an audit management system through an online source has a lot of potential to save time and money, which can indirectly help an organisation increase its productivity and profitability by concentrating on these aspects.
This part of ISO 27002 is about protecting physical and environmental areas. The objective of this standard is to limit unauthorized access to the physical assets of the organization which are significant and critical to the objectives or operations of the business. If a business organization wants to achieve ISO 27002 certification, it is critically important that these controls form part of an information security management system (ISMS).
Section 11.1.1 of ISO 27002 refers to the security of the perimeters or boundaries of areas where sensitive or critical information or other information processing facilities are located. Appliances and devices holding sensitive information, such as laptops, PCs, desktops and cloud storage, have to be safely enclosed and protected by suitable means. A physical security boundary is any transition perimeter between two areas with differing security safeguard provisions.
Organizations must set up safe zones, accessible to authorized personnel only, to protect valuable information and other data and material assets. This is related to the risk assessment and risk appetite of the organisation. The most basic example is an office containing valuable information, which must be accessed only by employees granted permission to enter the premises (Kurniawan and Riadi, 2018). In the case of English & American plc, its physical intellectual assets such as desktops and cloud computing systems, and even physical documents like bonds and contracts, must be kept in a separate room with a suitable security perimeter and restricted entry.
This section of the ISO 27002 standard states that secure areas must be shielded by suitable entry mechanisms and controls so that only authorized personnel are granted entry or access. To use a simple example, only personnel who have been given the alarm access code and a key can enter the workplace. Organizations that are more risk-averse, as well as those with more sensitive data at risk, may go further with policies that incorporate biometrics and scanning technology. Entry limitations must be determined and implemented based on the nature and location of the area to be guarded, as well as the organization’s ability to implement such controls if, for example, the site is not within the organization’s control. Entry control measures must be strong, tested and monitored, and they may also need to be recorded and audited.
Controlling visits will be crucial, and the processes involved should be investigated. Access to locations where sensitive or classified information is processed or stored should be handled with caution, and areas holding important IT infrastructure equipment in particular must be adequately secured, with access restricted to those who have a genuine need to be there. The auditor will want to see appropriate controls in place, as well as frequent testing and monitoring.
It is critically important to evaluate the accessibility of rooms holding sensitive information: which persons or groups of persons may enter, when, how, and for how long. This is as significant and critical as the set-up of the restricted perimeter itself, as described under section 11.1.1 of ISO 27002. Section 11.1.3 further illustrates the extent to which entry must be granted, at what times, and by which mode or medium of entry. Every intricate detail has to be illustrated and briefly mentioned during the preparation of the audit report and its documents. These details include who can see, or even hear, the proceedings happening in these rooms. Such details are often left out in mismanaged or poorly managed firms or organizations, but for compliance with ISO 27001 and ISO 27002 it is mandatory to enlist and highlight them. Examples include whether a chronological record has been kept of the people granted access; whether the security system is updated when staff leave or no longer require access to sensitive information rooms; and whether staff or other personnel are vigilant enough to blow the whistle on non-compliance or on any access not authorized by the organization.
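The questions listed above (is the access record chronological, are credentials revoked when staff leave, is anyone entering areas they are not authorised for) are exactly the checks an auditor runs over the badge system's log against the HR roster. The following script is an added example, not part of the original audit report or of any real access-control product: the CSV log format, the roster fields and every event in the sample are constructed for illustration.

```python
"""Added example (not part of the original audit report): reconcile a badge
access log against the staff roster to surface the gaps the audit asks about.

The log format, the roster fields and all sample events are constructed
assumptions for illustration, not an export from any real access system.
"""
import csv
from datetime import date, datetime
from io import StringIO

# Constructed sample: badge reader export, one event per line, as CSV.
ACCESS_LOG = """\
timestamp,badge_id,door,result
2022-02-21T08:55:00,B1001,underwriting-room,GRANTED
2022-02-21T09:10:00,B1002,server-room,GRANTED
2022-02-22T18:40:00,B1003,underwriting-room,GRANTED
2022-02-23T07:30:00,B9999,server-room,GRANTED
2022-02-23T12:05:00,B1001,server-room,DENIED
2022-02-24T10:00:00,B1001,server-room,GRANTED
2022-02-23T09:00:00,B1002,server-room,GRANTED
"""

# Constructed sample: HR roster keyed by badge, with the areas each person is
# authorised to enter and a leaving date ("" means current staff).
ROSTER = {
    "B1001": {"name": "A. Underwriter", "areas": {"underwriting-room"}, "left": ""},
    "B1002": {"name": "B. Sysadmin", "areas": {"underwriting-room", "server-room"}, "left": ""},
    "B1003": {"name": "C. Leaver", "areas": {"underwriting-room"}, "left": "2022-02-18"},
}


def review_access_log(log_text, roster):
    """Return a list of findings, one dict per problem, in log order.

    Checks performed (each maps to a question in the audit section above):
      log-not-chronological: events are not recorded in time order
      unknown-badge:         a badge that is not on the roster was used
      not-revoked:           access granted after the holder's leaving date
      unauthorised-area:     access granted to an area outside the holder's authorisation
    Denied attempts stay in the log but are not flagged as findings here.
    """
    findings = []
    last_seen = None
    for row in csv.DictReader(StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        badge = row["badge_id"]

        # Chronology check runs on every row, including ones from unknown badges.
        if last_seen is not None and when < last_seen:
            findings.append({"issue": "log-not-chronological", "badge": badge, "timestamp": row["timestamp"]})
        if last_seen is None or when > last_seen:
            last_seen = when

        person = roster.get(badge)
        if person is None:
            findings.append({"issue": "unknown-badge", "badge": badge, "timestamp": row["timestamp"]})
            continue
        if row["result"] != "GRANTED":
            continue
        if person["left"] and when.date() > date.fromisoformat(person["left"]):
            findings.append({"issue": "not-revoked", "badge": badge, "timestamp": row["timestamp"]})
        if row["door"] not in person["areas"]:
            findings.append({"issue": "unauthorised-area", "badge": badge, "timestamp": row["timestamp"]})
    return findings


def summarise(findings):
    """Count findings by issue type, for the audit working papers."""
    counts = {}
    for finding in findings:
        counts[finding["issue"]] = counts.get(finding["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG, ROSTER)
    for finding in results:
        print(f"{finding['timestamp']}  {finding['badge']:6}  {finding['issue']}")
    print(summarise(results))
```

On the sample data the script reports four findings: the leaver's badge still working four days after the leaving date, an unregistered badge opening the server room, an underwriter admitted to an area outside their authorisation, and one event logged out of time order. Each of these is evidence the auditor would record against section 11.1.3; the denied attempt is deliberately not flagged, since a denial shows the control working.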
This is a control measure describing how physical safeguards are provided against disasters, accidents and malicious attacks. This section sheds light upon the control mechanisms which are in place, or could be utilized, for unfortunate circumstances like physical and natural disasters (Johansen, 2020). Further, this section also illustrates control mechanisms for man-made circumstances such as terrorist or intruder attacks that are tangible or physical in nature. Virtual intruder attacks in the form of a virus, malware or hacking are intangible in nature, and prevention mechanisms for such attacks are not discussed under this section.
Lloyds of London has been a pioneer and market leader in the insurance industry. It is an organization which operates in more than 200 territories, led by vigilant underwriters and brokers. The London premises of Lloyds are one of their premier head offices and hold data of a highly sensitive and critical nature.
Once the access controls for secure areas have been defined and implemented, it is critical that they be supplemented by procedural controls pertaining to hazards that may occur while inside the secure area. For example, there may be a requirement for:
After inspecting the secure area access controls, the auditor will examine whether they are backed, where necessary, by suitable policies and procedures, and whether documentation of their administration is kept.
Under this section of ISO 27002, access points are monitored to avoid unauthorised access: entry points such as delivery and loading areas, and other locations where unauthorised individuals might enter the premises, must be controlled and, if feasible, segregated from information processing facilities. Cloud-only or digital workrooms may not require a policy or control over delivery and loading zones; in that case, the organization would note this and explicitly exclude the control from its Statement of Applicability (SOA).
This section of the ISO 27002 standard focuses on the protection of equipment from unnecessary access and from physical risks like theft, fire, explosives, smoke, dust, vibration, chemicals, water and electrical radiation. Furthermore, this part of ISO 27002 also provides a framework for routine informal activities like eating, drinking and smoking. Environmental factors like humidity and temperature control are also part of this section of the standard. It also provides for lightning protection for office buildings, and for filters on all incoming communications and power cables, which should be safely kept in place and implemented.
11.2.2 Supporting Utilities: This section states that equipment must be safeguarded against power failures and other disruptions caused by failures of supporting infrastructure. To protect against such harms and inconveniences, electricity storage and other appliances like generators and power backups must be set up, and must be effective and efficient enough to generate power to carry on existing operations for the duration of the disruption. In the case of Lloyds of London, computer systems and other electronic devices must be backed up using power generators and other electricity backup equipment. For effective and smooth operations during power failures, it is a must for Lloyds to set up power generators with adequate capacity so that operations are not hindered.
Lloyds of London, as an insurance company, should ensure that its internet, telephone and broadband cables are safely secured, and that mitigation measures for risks such as interception and damage are properly in place and taken care of during unforeseen circumstances.
It is the responsibility of management to encrypt the data when any information-bearing equipment is being transported or moved to another location. While transporting such equipment, proper encryption mechanisms should be in place to ensure the privacy of the company’s data. The top-level management of the organization must be cautious during such events and give them the utmost attention and funding so that they are properly handled.
Unattended equipment is another risk for any organization; it arises when a system is left running unattended for a period of time. Such instances occur when employees are off duty or have left the premises or the rooms where the system is located. Unattended equipment can arise from situations like employees going to the restroom, employees leaving a sensitive-information area urgently, and many other such scenarios. For a company like Lloyds of London, an unattended user equipment scenario is very possible and could lead to significant loss of data through hacking or malware attacks by suspicious entities. To mitigate such risks, a central server or a highly advanced technological system must be set up which automatically cuts off or logs off sessions after a set period of inactivity. It is also recommended to raise awareness among employees about such issues at the workplace, especially while handling critical equipment like laptops, computers and cloud data systems.
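The automatic cut-off described above has two behaviours worth getting right: user activity must reset the idle clock, and a session that has already exceeded the timeout must be refused even if the periodic sweeper has not yet run, so that a returning user re-authenticates rather than silently resuming. The registry below is an added example, not part of the original audit report or of any real product; the 15-minute timeout and the simulated timeline are constructed assumptions, and time is passed in explicitly as seconds so the run is deterministic.

```python
"""Added example (not part of the original audit report): an idle-session
registry that terminates sessions after a set period of inactivity, the
control recommended above for unattended equipment.

The 15-minute timeout and the simulated timeline are constructed assumptions.
Time is passed in explicitly (seconds since an arbitrary epoch) so the
behaviour is deterministic; a real service would use the system clock.
"""

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value: terminate after 15 minutes idle


class SessionRegistry:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._last_activity = {}   # session_id -> time of last activity
        self.terminated = []       # audit trail of (session_id, time, reason)

    def login(self, session_id, now):
        """Start a session; the idle clock begins at login."""
        self._last_activity[session_id] = now

    def is_active(self, session_id, now):
        """A session is active while strictly less than the timeout has elapsed."""
        last = self._last_activity.get(session_id)
        return last is not None and (now - last) < self.idle_timeout

    def record_activity(self, session_id, now):
        """Reset the idle clock on user activity.

        Returns False when the session has already expired: the activity is
        refused and the user must authenticate again rather than resuming a
        session that should have been cut off.
        """
        if not self.is_active(session_id, now):
            self._expire(session_id, now, "activity-after-expiry")
            return False
        self._last_activity[session_id] = now
        return True

    def sweep(self, now):
        """Terminate every session idle for at least the timeout; return their ids."""
        expired = [sid for sid in list(self._last_activity) if not self.is_active(sid, now)]
        for sid in expired:
            self._expire(sid, now, "idle-timeout")
        return expired

    def _expire(self, session_id, now, reason):
        # Only record sessions that actually existed, so a stale id is not logged twice.
        if self._last_activity.pop(session_id, None) is not None:
            self.terminated.append((session_id, now, reason))


def simulate():
    """Constructed timeline: activity resets the clock, and expiry is enforced
    even when the sweeper has not yet run."""
    reg = SessionRegistry()
    reg.login("desk-17", 0)                 # underwriter logs in
    reg.login("desk-23", 0)                 # colleague logs in, then walks away
    reg.record_activity("desk-17", 600)     # activity at 10 min resets desk-17's clock
    first_sweep = reg.sweep(900)            # 15 min: desk-23 idle 900 s -> cut off; desk-17 idle 300 s -> kept
    resumed = reg.record_activity("desk-23", 950)      # returning user: refused, must log in again
    late_touch = reg.record_activity("desk-17", 1700)  # idle 1100 s and sweeper not yet run: still refused
    second_sweep = reg.sweep(1800)          # nothing left to terminate
    return {
        "first_sweep": first_sweep,
        "resumed": resumed,
        "late_touch": late_touch,
        "second_sweep": second_sweep,
        "terminated": reg.terminated,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The `terminated` list doubles as the evidence an auditor would ask for under this control: each entry records which session was cut off, when, and whether the sweeper caught it or the user tried to resume after expiry.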
According to this section of the standard, if a workplace has a vigorous level of physical access control but insignificant external footfall and visitor traffic, then such controls are deemed to be redundant. This section further states that screening policies and their implementation should be a function of the risk assessment and profile of the specified company or organization.
Audit Plan Conclusion
With every aspect of the audit procedure covered in this report, it can be concluded that English & American plc is an organization which must comply with the adequate ISO standards for its relevance, market stature and competitiveness in the London insurance marketplace. Further, it should be highlighted that English & American plc should implement secure areas and equipment security parameters to ensure compliance with the required sections 11.1 and 11.2 of ISO 27002. Very detailed and intricate specifications of ISO 27002 have been highlighted with the help of this audit report.
References
Fenz, S. and Neubauer, T., 2018. Ontology-based information security compliance determination and control selection on the example of ISO 27002. Information & Computer Security. [online] Available at: <https://www.emerald.com/insight/content/doi/10.1108/ICS-02-2018-0020/full/html>
ISMS, 2022. ISO/IEC 27007 management system auditing. [online] ISMS.online. Available at: <https://www.isms.online/iso-27007/#:~:text=What%20is%20ISO%2FIEC%2027007,the%20competence%20of%20ISMS%20auditors.> [Accessed 26 February 2022].
ISMS.online. 2022. ISO 27001 – Annex A.11: Physical & Environmental Security. [online] Available at: <https://www.isms.online/iso-27001/annex-a-11-physical-and-environmental-security/> [Accessed 28 February 2022].
ISO, 2022. ISO/IEC 27007:2020. [online] ISO. Available at: <https://www.iso.org/standard/77802.html> [Accessed 26 February 2022].
Johansen, K., 2020. Implementation of ISO 27002:2017 Cyber Security Risk Management guide. [online] Available at: <https://www.theseus.fi/bitstream/handle/10024/345405/Johansen_Krista.pdf?sequence=2>
Kurniawan, E. and Riadi, I., 2018. Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM. arXiv preprint arXiv:1802.03613. [online] Available at: <https://www.researchgate.net/profile/Imam-Riadi-2/publication/323029044_Security_level_analysis_of_academic_information_systems_based_on_standard_ISO_270022003_using_SSE-CMM/links/5a7d699c458515dea40f96f0/Security-level-analysis-of-academic-information-systems-based-on-standard-ISO-270022003-using-SSE-CMM.pdf>
Pcaobus.org, 2022. AS 2101: Audit Planning. [online] Available at: <https://pcaobus.org/oversight/standards/auditing-standards/details/AS2101> [Accessed 28 February 2022].