Expert Advice Community


Configuration Management Policy & Procedure

Guest
Guest user Created:   Mar 12, 2021 Last commented:   Jul 09, 2021


For our ISMS we need to have a "Configuration Management Policy & Procedure" to address the requirements of external parties (e.g., regulators). I do not see any template for this in the toolkit provided. Kindly assist on the Configuration Management Policy to help address the requirements below:

  • A configuration management policy and procedure including a baseline of the software configuration of individual assets (the baseline config is part of the asset register and standardized)
  • Documentation supporting a detection solution in place within the user systems (only the system admin has access to install)
  • The implementation of solutions to detect and prevent the installation or execution of unauthorized software (only the system admin has access to install)
  • Documented procedures for reporting and remediating the installation or execution of unauthorized software (only the system admin has access to install)

Expert
Rhand Leal Mar 12, 2021

Please note that guidelines related to a Configuration Management Policy are spread in the following templates:

  • Bring Your Own Device (BYOD) Policy, located in folder 08 Annex A Security Controls >> A.6 Organization of Information Security
  • Mobile Device and Teleworking Policy, located in folder 08 Annex A Security Controls >> A.6 Organization of Information Security
  • IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset management

Together, these policies define users' acceptable behavior when using software (e.g., only the system admin has access to install), refer to the need to document configurations, and support the use of detection solutions within users' systems.

The information about the software baseline can be included in the Inventory of Assets template, located in folder 08 Annex A Security Controls >> A.8 Asset management.

For general reporting and remediation of the installation or execution of unauthorized software, you can consider the Incident Management Procedure, located in folder 08 Annex A Security Controls >> A.16 Information security incident management.

Regarding procedures for the implementation of solutions, please note that these depend on the specific solution adopted, so in this case you need to develop the procedures using our blank template.

For further information, see:

Guest
Rohit Daniel Jun 29, 2021

For the Internal Audit Program, the Scope is defined as: ISMS Policies; the Audit Criteria as: ISO 27001 Annex A controls as per SoA and/or Regulatory requirements (since the regulatory requirement refers to ISMS standard compliance). Please validate whether this approach is right or wrong.

Guest
Atul Kamat Jun 29, 2021

Thanks for the feedback.

A follow-up question based on the above advice: so I trust we can keep the scope & criteria as follows for internal audit purposes.

Scope: ISMS Policies (e.g., HR Security Policy, Access Control Policy)

Criteria: ISO 27001 Annex A controls and/or Regulatory requirements (e.g., BS7858, ISO 27001)

Expert
Rhand Leal Jun 30, 2021

For the Internal Audit Program, the Scope is defined as: ISMS Policies; the Audit Criteria as: ISO 27001 Annex A controls as per SoA and/or Regulatory requirements (since the regulatory requirement refers to ISMS standard compliance). Please validate whether this approach is right or wrong.

You need to audit the ISMS policies considering the standard as a whole, not only the controls from Annex A, and the criteria must be clear (i.e., not "or", only "and"). Considering that, your text should be:

Scope: ISMS Policies
Audit Criteria: ISO 27001 Annex A controls as per SoA and applicable Legal requirements (laws, regulations, and contracts).

Expert
Rhand Leal Jun 30, 2021

Thanks for the feedback.

A follow-up question based on the above advice: so I trust we can keep the scope & criteria as follows for internal audit purposes.

Scope: ISMS Policies (e.g., HR Security Policy, Access Control Policy)

Criteria: ISO 27001 Annex A controls and/or Regulatory requirements (e.g., BS7858, ISO 27001)

The scope needs to be a closed one (i.e., you need to define the specific policies that will be audited, not provide examples). In case it is unfeasible to audit all policies in a single audit, you can plan two or more audits to cover all policies.

The criteria must be clear and defined (i.e., not “or”, only “and”).

Considering that, your text should be:

Scope for audit 1: ISMS Policies (HR Security Policy, Access Control Policy)
Criteria for audit 1: ISO 27001 and BS7858

Scope for audit 2: ISMS Policies (Secure development Policy, Supplier Security Policy)
Criteria for audit 2: ISO 27001 and applicable legal requirements (laws, regulations, and contracts) defined in the List of Regulatory, Contractual and Other Requirements.

Guest
Rohit Daniel Jul 08, 2021

Hi,

Hope you are doing well.

I just had a query related to the Training & Awareness Plan.

Is the Training & Awareness Plan mentioned in the ISO 27001 Toolkit for all the employees in the organization, or just for the Internal Audit Team training?

Thank you & regards

Expert
Rhand Leal Jul 09, 2021

The content of the Training & Awareness Plan needs to include the needed training and awareness activities for all personnel included in the ISMS scope, not only the Internal Audit Team.

For example, it can include basic training for regular end users and, at the same time, advanced security techniques for IT and SW development personnel.

This article will provide you with a further explanation about awareness and training:

This material will also help you regarding awareness and training:
