ISO 27001 & 22301 - Expert Advice Community


  • Toolkit content

    In the meantime, here is a bit of context on what we are looking for, so that you can please address some questions for us through this channel. In our organization we carried out a cybersecurity assessment based on the NIST CSF, which among other things revealed the need to structure our security governance by drafting and formalizing a number of documents (policies, procedures, standards, etc.), which to a large extent match the documents you offer through the "ISO 27001+22301 Premium Package".

    However, we note that there is a group of documents we need to develop that are not among your packs; what we would like to know is whether they are perhaps named differently, or are even included as part of other documents:

    • Threat management policy and/or process
    • Monitoring policy and/or strategy
    • Vulnerability management policy and/or process
    • Data management policy (at rest, in transit, and held by third parties)
    • Obsolescence and patch management policy
    • Capacity management policy
    • Policy for the adoption of new technologies
    • Policies and/or standards for managing security baselines (servers, OSs, databases, telco equipment, etc.)
    • Audit log policy
    • Corporate communication plan for cyber incidents
    • Risk Impact Analysis (RIA)
    • Crisis plan

  • Implementing and verifying items

    How is each item implemented, and how is compliance with each item verified?

  • 27001 ISMS Scope Question

    Hi,

    Are you able to help clarify our ISMS scope please? We have just started this process and I want to make sure I understand properly.

    Question 1 Scope - Processes and Services

    We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

    We also use multiple other cloud based services that contain our customer data including ***, ***, ***, ***, etc.

    Am I right in saying that these third party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

    Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?

    Question 2 - IT Networks and Infrastructure

    Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list. That is: The organization uses a third-party platform (public PaaS). 

    2.1 - So in scope would be our two applications and the data within them but all Networks and Infrastructure are out of scope?

    2.2. - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

    2.3 - Thanks for your help. Please also confirm which email address we should address our questions to.

  • Starting with SOA

    One item that came up on a gap analysis which has me confused:

    *** has space in colocation data centers in the *** and ***.

    We have 1 product (very low demand) running in *** and 1 product (also low demand) running in ***. We will be shifting more of our VM capacity to *** in the latter part of 2021, and the 2 products running in *** and *** will be in ***.

    A) we do not host customer data (customers are required to use test data)

    B) from a processing perspective, overwhelmingly, it’s on-prem (in colocation data centers) instead of Public Cloud

    I am trying to figure out how to get started with the SoA so that I don't do this 2x.

    Any advice would be appreciated.

  • Implementation of ISO controls

    After reviewing what we've done so far for the ISO 27001 implementation, there has been a bit of uncertainty about the implementation of ISO controls.

    Before starting with ISO 27001 we had already done a lot of things as securely as possible.

    This has resulted in not many risks in our risk assessment and not many controls marked applicable in the Statement of Applicability.

    I read on various articles that the SoA should probably have 80 – 90% of the controls stated applicable, whereas we only have a handful at most.

    My question is whether we’re doing this right or might be misinterpreting something. Or perhaps our approach has been inadequate.

    So far we’ve identified a few risks, decided which controls we should implement, and implemented those with help from the toolkit and videos. Hopefully you could give us a new perspective and help us find hidden risks.

  • ISMS responsible and CISM

    Is there a difference between ISMS responsible and CISM?

  • Can we be GDPR and ISO 27001 compliant with 1 employee?

    Can we be GDPR and ISO 27001 compliant with 1 employee? 2 employees? And while working with freelancers/consultants?

  • Including SOC 2 controls in SoA

    I hope you're doing well. I watched the ISO 27001 Lead Auditor Exam training videos and found them to be very useful! Thank you for offering this free training. I am leading the ISO 27001 internal audit efforts at my company for the first time this year and wanted to seek your guidance. Our company's ISMS is ISO 27001 certified and we also have a SOC 2 Type 1 certification.

    1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

    2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.

  • ISO 27001 confidentiality

    Which section of ISO 27001 mentions confidentiality?

  • Documenting Statement of Applicability

    1. How to start documenting Statement of Applicability.

    2. What approach to follow?

    3. Who all should one interact with?