General information
Today an audit of the ISMS (information security management system) is a necessary and widely requested service. Organizations whose business depends heavily on information technology, for example banks and oil, gas, energy and telecommunications companies, have become more active in commissioning ISMS audits.
An ISMS audit can be initiated by the management of the bank or company (an internal ISMS audit), by counterparties (for example, where an ISMS audit is a client requirement or a clause in a contract), or by a third party such as a supervisory body (the NBU), in which case the audit is conducted by an independent company.
An external ISMS audit establishes whether an ISMS has been created, implemented, controlled and is functioning in the audited bank or company, and whether it meets not only the requirements of the ISO standards but also the regulatory documents of the National Bank of Ukraine and other regulatory bodies. An external ISMS audit makes it possible to assess the quality of the ISMS on the following points:
– whether the set of assets has been identified and asset management is implemented within the ISMS, and whether the risk assessment is correct,
– an evaluation of the effectiveness, monitoring and analysis of the functioning of the ISMS,
– support and continual improvement.
In addition, the external ISMS audit provides an opinion on the extent to which management has demonstrated support for the processes and efforts related to the planning, implementation, operation, control, maintenance and modernization of the ISMS in accordance with the requirements of the standards and regulations.
Normative documents and decisions of the NBU
The Board of the National Bank of Ukraine adopted Resolution No. 474 of October 28, 2010, "On the entry into force of standards on information security management in the banking system of Ukraine".
Following the publication of this Resolution, the NBU standards, which are based on the following ISO standards, came into force:
Composition of the ISO series
ISO/IEC 27001:2013 Information security management systems. Requirements.
ISO/IEC 27000:2016 Information security management systems. Overview and vocabulary.
ISO/IEC 27002:2013 Code of practice for information security management.
ISO/IEC 27003:2010 Information security management systems implementation guidance.
ISO/IEC 27004:2009 Information security management. Measurement.
ISO/IEC 27005:2011 Information security risk management.
ISO/IEC 27006:2015 Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27007:2011 Guidelines for information security management systems auditing (FCD).
ISO/IEC 27008:2011 Guidance for auditors on ISMS controls (DRAFT).
ISO/IEC 27011:2008 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.
ISO/IEC 27799:2008 Information security management in health using ISO/IEC 27002.
03038, Ukraine, Kyiv
Nikolay Grinchenko str., 4
+380 44-521-40-07