Does your organization comply with the ISO 27001/27002 security standards?
The ISO 27002 GAP analysis audit, proposed by DOREA-Consulting is a set of hundreds of control points, all in line with the ISO 27001 controls.
ISO 27002 gap analysis
- Interviews on site
- Final reporting and GAP reporting
- PENETRATION TEST
- Internal: Automatic scans and manual investigations
- External: Scans and hack"attempts" to services exposed to the internet
- Kick off
- Preparation
- ISO 27002 & Pentests & Analysis
- Final Reporting & Presentation
Audit organization and logistics
DOREA-Consulting provides a detailed reporting and schedule during the complete duration of the audit. For each meeting, off site or on site, DOREA will provide a minute of meeting protocol which summarizes all important subjects discussed during the meeting.
The ISO 27002 gap analysis audit
The ISO 27002 audit provided by DOREA-Consulting GMBH can be divided in several phases. All of these phases are depicted in the description below.
The interviewers
The duration of a typical interview will be about one day per person, depending on the responsibilities and competences of each interviewed person.
DOREA-Consulting will provide for each individual interview 2 senior consultants. The consultants are experienced in one or several fields related to IT security and at least one of them possesses a valid ISO 27001 certification.
The interview
DOREA-Consulting assumes that each person interviewed is in charge of a specific part of the IT organization and within its field of activity can provide adequate responses on all potential sites, concerned by the audit.
Each person of your IT-staff typically responds to one or several of the following criteria below.
- The person is sufficiently trained to understand and respond to the specific questions of each field of activity or responsibility
- All answers are given in a cooperative mode and can be considered as truthful
- DOREA will not double-check each answer and will trust any statement made by the interviewed person.
- However in case of blatant contradictions between one or several questions, DOREA will reformulate the questions again and attempt to clarify possible misunderstandings.
- DOREA is not responsible if the interviewed person cannot provide answers due to a lack of availability or knowledge or any other reason.
Procedure of delivery
Following 10 days after the last interview has been completed, DOREA-Consulting GMBH will provide a detailed audit report to its customer.
Since the audit report is confidential, DOREA-Consulting will provide an encrypted electronic version of the report and it’s attachments in 2 separate e-mails to a single person from your organization.
Structure of the report and content
As part of the ISO 27002 audit report analysis, DOREA will provide several documents.
The interviews are usually done by 2 senior consultants. For each question, the given answer will be summarized in a protocol type style and a scoring for each section or subsection of the question-set will be made available also
All of the interviews will be consolidated into a single “database” or Excel sheet which allows extracting details of each single interview through metrics. The scoring described below is one of the metrics which are used during the complete interview and is left to the discretion of the interviewer. Nonetheless both interviewers will adjust the metrics whenever they should have a different perception of the implied risk identified through a given answer.
Once DOREA has provided its customer with all documents described below, an onsite presentation can be scheduled to highlight some specific sections of the audit report.
Each document provided by DOREA-Consulting can be described as follows:
Interview transcript
- Individual transcript of each interview in Excel format.
- The Excel sheet will contain at least the following information for each question.
- ISO 27001 control reference
- Questions asked by DOREA
- Answers provided by the interviewed person
- Synthetic
- Certainty factor (value 1…5)
- Some questions may not be answered with a 100% certainty. This can have several reasons. Either the interviewed person doesn’t know for sure, in this case DOREA will check the answer as uncertain and will wait for a final confirmation
- which must be provided within 2 days following the onsite interview.
- Scoring (max 100%)
- Estimated scoring towards the ISO 27001 recommendation and good practice. The scoring depends highly on the context as well as on the risk exposure.
- Weighted scoring (max 500%)
- Equals to the importance value multiplied by the estimated scoring. (optional)
- DOREA comments and recommendations on potential gaps
Consolidated interview transcript
- Excel sheet with all interview transcripts
- This sheet will use Pivot tables to represent the different field of activities, categories and controls of the ISO 27001
Final Audit report
- This document is the synthetic report of the ISO 27002 security audit and includes the following chapters:
- Introduction and context of the audit
- A list of all questions related to the ISO 27001 control points
- Radar diagrams for each group of questions, comments, summary of important gaps detected.
- Recommendations for improvements to close gaps if possible
- Final summary per section.
- Identification of major threats if any found
Methodology for internal/external penetration test
The penetration service tests provided by DOREA-Consulting in cooperation with its Swiss partner is a sequence of tests and actions based on a proven methodology which relies partly on specific tools, presented at the end of this document but also on the individual experience of the consultants.
Each “Pentest” starts with a detailed scan of the network to identify potential resources and “hacking-vulnerabilities” which could allow taking control of a portion of the strategic resources.
In this context none of the potential harmful attacks will be executed to the end. We inform hereby that any attempt, even a harmless port scan can in some cases a machine crash and DOREA-Consulting and/or its partner is not taking any responsibility which results from such a “standard-action” which is not related to any voluntary attack on the system or its resources itself.
The consultants provided by DOREA-Consulting for the external penetration test have been participating on a regular basis on several contests worldwide in order to maintain and improve their hacking skills. Any personnel acting on your organizations network has been cleared by our Swiss partner and DOREA-Consulting and can be considered as trustworthy. Before the beginning of any intervention DOREA will provide detailed personal information on each “hacker”, their CV’s as well as a time-frame/schedule in which the attack-attempt will be performed. Our personnel is committed in following specific ethical rules and is trained to avoid any harmful action to our customers information system.
Vulnerability scan - preparation
- Any information provided by customer about infrastructure, network, etc.
- Configuration of scanning tool
Vulnerability scan first result
- List of discovered items and exposed services
Validation
- customer can add or remove IP address
Vulnerability scan - discovery
- Identifies open ports
- Applications and versions
- Potential threat based on information from vulnerability scan
Intermediate test result presentation (while on-site)
- specific analysis if required on targeted items if possible.
Example of contests and events attended by our consultants
The following is an example of events, our personnel attended in the past for training or “challenge” purposes.
- Fortinet - certified eng.
- Secure computing - Sidewinder G2 accreditation
- Secure computing - Sidewinder G2 accreditation
- CCNA - Cisco certified eng.
- Blackhat Europe 2009, SAP security
- Defcon XVI, Las Vegas Contest[/block]