Procedure for document and record control
Answer: You have to identify the existing controls in the Statement of Applicability even if, in the Risk Assessment, they are associated with risks identified as acceptable (after all, they are implemented and may be the main reason why the risk is low).
2- I'm also a little confused about this:
Documents of external origin:
"Each external document which is necessary for the planning and operation of the ISMS/compliance with GDPR must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.
The person who receives mail and courier parcels must forward them to the Information security officer, who must make a record in the incoming mail register; the person who receives electronic mail must forward such a document to [job title], who must also record it in the incoming mail register. The information security officer then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded."
This surely needs only to apply to documents from third parties, i.e. suppliers who are sending us information about the GDPR/ISO 27001 project; however, I don't really see how this would apply to us. We'll email these suppliers asking for clarification, they'll reply and we can log the information, but under what circumstance would they send us mail/physical post? Is this paragraph in here just to cover the case where someone sends physical paperwork? Why would it be confidential anyway? It may be that this just doesn't apply to us as a business and therefore I don't see its purpose.
Answer: First, it is important to note that by third parties you must consider not only suppliers, but also other players such as partners, customers, governments, regulatory bodies, etc.
Second, even as a SaaS provider, it is extremely rare that an organization can work without documents of external origin being sent through physical media (e.g., official documents from government agencies), and the obligation to track all relevant external documents applies to both paper and electronic documents.
Therefore, you do not need an incoming mail register as a separate document.
Regarding confidentiality, the media on which the information is stored does not define its confidentiality level; rather, the evaluation of the information owner does. So you can have confidential information on physical media if the information owner classifies the information as confidential, regardless of the media where it is stored.
For more information regarding information classification, I suggest this article:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Mar 08, 2018