Does your organization comply with the ISO 27001/27002 security standards?

The ISO 27002 gap analysis audit proposed by DOREA-Consulting is a set of hundreds of control points, all in line with the ISO 27001 controls.

Audit organization and logistics

DOREA-Consulting provides detailed reporting and a schedule for the complete duration of the audit. For each meeting, off site or on site, DOREA will provide minutes of meeting which summarize all important subjects discussed during the meeting.

The ISO 27002 gap analysis audit

The ISO 27002 audit provided by DOREA-Consulting GMBH can be divided into several phases. All of these phases are depicted in the description below.

The interviewers

DOREA-Consulting will provide 2 senior consultants for each individual interview. The consultants are experienced in one or several fields related to IT security, and at least one of them holds a valid ISO 27001 certification.

The interview

The duration of a typical interview will be about one day per person, depending on the responsibilities and competences of the interviewed person. DOREA-Consulting assumes that each person interviewed is in charge of a specific part of the IT organization and, within their field of activity, can provide adequate responses for all potential sites concerned by the audit. Each member of your IT staff typically matches one or several of the criteria below.

The interviews are usually conducted by 2 senior consultants. For each question, the given answer is summarized in protocol style, and a score for each section or subsection of the question set is made available as well.

Procedure of delivery

10 days after the last interview has been completed, DOREA-Consulting GMBH will provide a detailed audit report to its customer. Since the audit report is confidential, DOREA-Consulting will deliver an encrypted electronic version of the report and its attachments in 2 separate e-mails to a single person from your organization.

Structure of the report and content

As part of the ISO 27002 audit report analysis, DOREA will provide several documents. All of the interviews are consolidated into a single “database” or Excel sheet which allows the details of each single interview to be extracted through metrics. The scoring described below is one of the metrics used throughout the interview and is left to the discretion of the interviewer. Nonetheless, both interviewers will adjust the metrics whenever they have a different perception of the risk implied by a given answer.

Once DOREA has provided its customer with all documents described below, an onsite presentation can be scheduled to highlight specific sections of the audit report.

Each document provided by DOREA-Consulting can be described as follows:
- Consolidated interview transcript
- Final audit report

Methodology for internal/external penetration test

The penetration test service provided by DOREA-Consulting in cooperation with its Swiss partner is a sequence of tests and actions based on a proven methodology which relies partly on specific tools, presented at the end of this document, but also on the individual experience of the consultants. Each “pentest” starts with a detailed scan of the network to identify potential resources and “hacking vulnerabilities” which could allow taking control of a portion of the strategic resources. In this context, none of the potentially harmful attacks will be executed to the end. We hereby inform you that any attempt, even a harmless port scan, can in some cases crash a machine; DOREA-Consulting and/or its partner takes no responsibility for the consequences of such a “standard action”, which is not related to any deliberate attack on the system or its resources.

Phases of the penetration test:
- Vulnerability scan - discovery
- Vulnerability scan first result
- Validation
- Intermediate test result presentation (while on-site)

The consultants provided by DOREA-Consulting for the external penetration test participate on a regular basis in several contests worldwide in order to maintain and improve their hacking skills. Any personnel acting on your organization’s network has been cleared by our Swiss partner and DOREA-Consulting and can be considered trustworthy. Before the beginning of any intervention, DOREA will provide detailed personal information on each “hacker”, their CVs, as well as a time frame/schedule in which the attack attempt will be performed. Our personnel is committed to following specific ethical rules and is trained to avoid any harmful action to our customer’s information system.

Example of contests and events attended by our consultants

The following is an example of events our personnel attended in the past for training or “challenge” purposes.