SSR2-ICANNSecurity-workplan-draft
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
 
 
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
IDKey Action StepActionExpected OutcomeData Source / Evaluation MethodologySkillResponsibleTimelineReferenceComment
2
1.0Gap Analysis Information Security Management System ISO 27001Planning and performing a gap-analysis based on ISO 27001Report with recommendations how to comply with ISO 27001* Interview
* Documentation Review
* Site visit
AUD, ISM, RM
3
1.1ScopingRead all relevant documentation of the organizational structure and talk with stakeholders to identify boundaries, external groups, etc. to define the scope of the audit.Agreed ISMS audit scope.* Interview
* Documentation Review
AUD, ISM
4
1.2Pre-AuditRead all relevant documentation of the ISMS in order to become acquainted with the processes in the management system and to find out if there are non-conformities in the (mandatory) documentation with regard to ISO 27001Base for creating a (customized) audit workplan/checklist in consideration of the Statement of Applicability.* Interview
* Documentation Review
AUD, ISM
5
1.3Preparing for main auditCollect and study previous audit findings and
possible outstanding issues.
* Prepare all relevant documents that will be needed for the realization of the audit.
* Create a audit checklist (must be in-depth and based on ISO 27001, following a predefined path and checking for compliance with controls).
(Customized) audit workplan/checklist and an audit plan agreed with management.* Interview
* Documentation Review
AUD, ISM
6
1.4Planning the main audit* Plan which departments and/or locations to visit and which ressources are needed.
* Ensure the availability of all the resources needed and other logistics that may be required by the auditor.
Detailed workplan with committited ressources.* Interview
* Documentation Review
AUD, ISM, RM
7
1.5Performing the auditPerform the audit and try to find adequate evidence to ascertain that:
* The ISMS is compliant with ISO 27001 (further information in the following sheets - ref. checklist 27001, Annex A)
* The information security policy is still an accurate reflection of the business requirements.
* An appropriate risk assessment methodology is being used.
* The documented procedures are being followed (i.e. within the scope of the ISMS) and are meeting their desired objectives.
* Technical controls (e.g. firewalls, physical access controls) are in place, are correctly configured and working as intended.
* The residual risks have been assessed correctly and are still acceptable to the management of the company.
Documented audit findings* Interview
* Documentation Review
* Site visit
AUD, ISM, LG, RM
8
1.6ReportingSummarize all the (non)conformities and write an audit report ReportAUD
9
10
2.0Gap Analysis Business Continuity Management System ISO 22301Planning and performing a gap-analysis based on ISO 22301Report with recommendations how to comply with ISO 22301* Interview
* Documentation Review
* Site visit
AUD, BCM, RM
11
2.1ScopingRead all relevant documentation of the organizational structure and talk with stakeholders to identify boundaries, external groups, etc. to define the scope of the audit.Agreed BCMS audit scope.* Interview
* Documentation Review
AUD, BCM
12
2.2Pre-AuditRead all relevant documentation of the BCMS in order to become acquainted with the processes in the management system and to find out if there are non-conformities in the (mandatory) documentation with regard to ISO 22301.Base for creating a (customized) audit workplan/checklist in consideration of the Statement of Applicability.* Interview
* Documentation Review
AUD, BCM
13
2.3Preparing for main auditCollect and study previous audit findings and
possible outstanding issues.
* Prepare all relevant documents that will be needed for the realization of the audit.
* Create a audit checklist (must be in-depth and based on ISO 22301, following a predefined path and checking for compliance with controls).
(Customized) audit workplan/checklist and an audit plan agreed with management.* Interview
* Documentation Review
AUD, BCM
14
2.4Planning the main audit* Plan which departments and/or locations to visit and which ressources are needed.
* Ensure the availability of all the resources needed and other logistics that may be required by the auditor.
Detailed workplan with committited ressources.* Interview
* Documentation Review
AUD, BCM
15
2.5Performing the auditPerform the audit and try to find adequate evidence to ascertain that the BCMS is compliant with ISO 22301 (further information in the following sheets - ref. check list)
* The business continuity policy is still an accurate reflection of the business requirements.
* An appropriate risk assessment methodology is being used.
* The documented procedures are being followed (i.e. within the scope of the BCMS) and are meeting their desired objectives.
* Technical controls are in place, are correctly configured and working as intended.
* The residual risks have been assessed correctly and are still acceptable to the management of the company.
Documented audit findings* Interview
* Documentation Review
* Site visit
AUD, BCM, LG, RM
16
2.6ReportingSummarize all the (non)conformities and write an audit report ReportAUD
17
18
3.0Scope of ICANN’s SSR responsibilitiesReview and analyze ICANN's Scope of SSR resonsibilitiesReport with recommendations
19
3.1ICANN action zoneReview and analyze the documentation and produce recommendations.Report * Interview
* Documentation Review
AUD, ISM
20
3.2ICANN influence zoneReview and analyze the documentation and produce recommendations.Report * Interview
* Documentation Review
AUD, ISM
21
3.3ICANN coordination zoneReview and analyze the documentation and produce recommendations.Report * Interview
* Documentation Review
AUD, ISM
22
23
4.0ICANN Compliance
24
4.1RegistrarsReview and analyze the level of compliance requirements for registrar agreements.Report with recommendations* Interview
* Documentation Review
AUD, LG
25
4.2RegistriesReview and analyze the level of compliance requirements for registry agreements.Report with recommendations* Interview
* Documentation Review
AUD, LG
26
4.3Vetting ROReview and analyze ICANN's processes around vetting registry operators .Report with recommendations* Interview
* Documentation Review
AUD, BCM, LG
27
4.4Vetting EBEROReview and analyze ICANN's processes around vetting (emergency backend) registry operators.Report with recommendations* Interview
* Documentation Review
AUD, BCM, LG
28
4.5Data Escrow ProviderReview and analye ICANN's processes around vetting data escrow provider.Report with recommendations* Interview
* Documentation Review
AUD, BCM, LG
29
30
5.0TBD
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
Loading...
Main menu