Towards standardization of audit procedures for the new version of ISO/IEC 27002

The integration of information technology as a fundamental part of the operational core of organizations has increased their exposure to information security risks and, consequently, has introduced the need for adequate security measures. The implementation of an Information Security Management System is covered by several international standards belonging to the ISO/IEC 27000 family, some of which can be used for certification purposes. This process requires that an accredited certification body reviews the entire documentation and verifies the related controls' implementation by carrying out the audit. Since it is a complex activity with a remarkable subjectivity margin, a guidance such as ISO/IEC 27008 (Guidelines for the assessment of information security controls) is essential. However, this document does not provide a detailed procedure for each security control to be verified so this could lead to different evaluations' accuracy. The purpose of this thesis work is devoted to solving the gap between what should be verified and how this verification is performed by defining procedures used during audits for testing the actual implementation of information security controls. To achieve this objective, first of all, the guidance of ISO/IEC 27002 (Information security controls) and the procedures of PCI-DSS standard have been analysed in order to understand how each control should operate and how its verification should be performed. Hence, a suitable structure of the audit procedure has been defined and an initial version of audit procedures for all controls has been developed accordingly. In the following step, it has been reviewed by aggregating some of the procedures in order to improve and optimize their applicability. As a final result, a table of audit procedures has been generated, ready to be sent over as contribution for the guidance of ISO/IEC 27008 standard. The thesis presents the analysis of the reference standards, the design choices and their motivation, and further considerations over the developed audit procedures and their future utilization.