As far as I understand is we have to select few areas (of our choice and appropriate to bank's business) like BCP, Incident Management, Document review, etc. Then we need to assign some statistical parameters to evaluate the efficiency (in terms of success/failure %). Finally periodically analyze the results to get a trend or efficiency of implementation.
However, I wanted an expert's advice on all points of "Clause 9.1 Monitoring, measurement, analysis and evaluation" so that nothing is missed during external audit. If you can explain me in detail and help me with any working paper, I would be grateful to you.
Answer: If you are certified, all the ISMS processes should be monitored and measured (and continually improved), along with the most important controls (the ones that counters the highest risks) or that are required by your national bank) regulatory entity. The ones you propose are possible candidates, if they meet these conditions. If not, youre wasting your time and money.
Until now, ISO hasnt provided much usable input for this. It is expected that it will rapidly change. The objective of (future) ISO27004 will be to help organisations to a) monitor and measure information security, b) to monitor and measure the effectiveness of the management system and its processes, c) analysing and evaluating the results. Current draft could become CD in October and be published by end of 2015 or begin 2016.
I'm not sure what this external email service provider is doing for you, but I assume they are sending emails to certain email lists on your behalf.
The risks I see are the following:
1) They could sell your email list to someone else
2) They could send your emails to wrong people
3) They could delay sending emails or not send emails at all
I'm not sure what would be the impact of these risks for your company, this is something you would have to assess on your own.
This might also help you: A catalogue of threats and vulnerabilities: https://www.infosecpedia.in**************************
Should all applicable controls from Annex A to be fully implemented by the time
Answer: Ideal situation would be to implement all the controls marked as applicable in the Statement of Applicability prior to certification audit.
You could leave less significant controls to be implemented after the certification, under the following conditions: (1) to plan their implementation in the Risk treatment plan, and (2) to accept all the residual risks that were not decreased. There is no magic number on the proportion of how many controls must be implemented, and it is in the certification auditor's discretion to raise a non-conformity in su ch cases. Therefore, to be safe you should implement majority of controls prior to certification audit and make sure you implement all the most important ones.
ISO 27001:2013
The process you have set in place seems pretty systematic, but the auditor will look at the results, not the process itself. So for example, the auditor will check if risk owners are nominated for each risk (this is something that is new in 2013 revision), he won't care how you made this transition.
To be honest, I'm not sure how the certification body will react in this case, but basically I agree with your consultant - certification bodies should not issue certificates according to 2005 revision after September 2014. The best course of action here would be to contact your certification body and ask them about their approach.
Minimum of three months for records for certification audit
It is true that ISO 27001 does not require the minimum period of records (i.e. minimum period of the ISMS operation before the certification), however some certification bodies do have such requirements and some don't. Therefore, you should speak to the certification body you have chosen and see what criteria do they have.
You have to assess the impact of risks to confidentiality, integrity and availability of your information - this is part of the risk assessment process. As part of this process you can identify also the assets, but this is not mandatory.
Answer: In section A.12.1 of ISO 27001 you'll find the following objective: "To ensure correct and secure operations of information processing facilities."; further, when you read each control in A.12 you'll see they are very IT oriented.
Question about ISO 27002
You don't have to use ISO 27002. ISO 27002 are only the guidelines that are not mandatory; you only have to comply with what is written in ISO 27001. You'll find a more detailed explanation here: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Which assets to assess during the risk assessment
If all of these 500 applications are within the ISMS scope, they have to assess all of them. However, if you have similar applications then you do not have to perform risk assessment for each of them separately - you can treat all similar applications as a single asset during the risk assessment process.