ISO 27001 & 22301 - Expert Advice Community

Position Description Question

I wanted to touch base with you about a quick question. This is about ISO27001 control regarding stipulating Information Security obligations in Position Descriptions.

We are an ISO-27001:2013 compliant company and we have generic Info Sec roles and responsibilities articulated in our Position Description.

I wanted to know if there is a need to articulate role-specific Info Sec roles and responsibilities as well in PD’s. For example, a Backup Engineer’s Info Sec roles and responsibilities would be different than that of a Network Engineer. Some views in our company are that it would be overkill as ISO doesn’t mandate going into such details.

Necessity to include specific user

Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation or not with regard to the ISO27001 standard or not?

HR as asset and risk owner of SA

Could you elaborate a little bit more on this one?

How HR is asset and risk owner of SA, and the threat is social engineering.

Asset inventory

A question arose about the item “asset inventory”: in control A.8.1.1, should the table contain all assets individually or by group as in the risk analysis table?

Example: In the risk analysis, we identified a group of professionals as “specialist employees” and did the risk analysis on this asset, then in the asset inventory table do we need to define each of these people? Another example: we also defined in the risk analysis worksheet “employees' computers” as an asset, in the inventory table do we need to specify one by one?

Career in GRC domain.

Apart from your foundation what cybersecurity certification I should be looking for as a starter in GRC domain.

ISO 27001 Management Review : Fulfillment of the security objectives

Greetings all.

I have a question about one the topic to be addressed during the ISO 27001 Management Review. The Fulfillment of the security objectives.I have some challenges to present this topic.

To fulfill this requirement I was thinking of addressing the ISO 27001 6.2 requirements (6.2. f what will be done, 6.2.g, what resources will be required, 6.2.h who will be responsible, 6.2.i when it will be complete, 6.2.j how the results will be evaluated) through a table that would contain columns for these different topics:

 
Recommendation (from the risks assessment)
Risks (covered by the recommendation)
Roadmap Project (which contain all the details of the resources, the deadline, the responsible)
Related Security Objective
Related KPI with target
Progress Status of the project.

Is it something that you think can help address this ?

Thanks for your valuable recommendations.

Doubts about the package of documents to buy

Hello, I would like your advice on what package of documents is useful for me to work on some rules and policies of ISO 27,000.

I have to comply with these points:

1. Secure management of electronic and paper information (secure means of printing, storage, transfer).

2. Timely management of critical and security updates of the operating systems of any equipment and corporate applications that receive, process and/or protect CLIENT information.

3. Correct administration of the antivirus systems that protect the equipment that receives, processes and/or protects the CLIENT's information.

4. Appropriate controls to protect against unauthorized access to IMR's corporate networks (protection of wired and wireless networks, intrusion detection, etc.).

5. Adequate controls over the privileges/profiles of all users, as well as administrative permissions exclusively to prevent the installation of unauthorized software, blocking of portable applications, games, unauthorized programs and any other code or executable files that could put at risk the information that is processed in the equipment with access to CLIENT information.

6. Appropriate controls for good use of internet connectivity, taking care that CLIENT information cannot be exposed in services such as public email, instant messaging, social networks, discussion forums, file sharing sites, among others. .

7. Appropriate procedures for the correct administration of Security Incidents (information theft, misuse of information, damage to equipment with CLIENT information, among others).

8. Appropriate controls for access to equipment containing CUSTOMER information, procedures for managing users due to employee termination or role changes, etc.

9. Correct controls to guarantee the integrity of the equipment when it is unattended (automatic locks with screen protection, physical locks to secure equipment, etc.).

10. Correct and complete documentation to ensure that the personnel who access the CLIENT's information have complied with a formal hiring process, signature of confidentiality agreements, among others.

11. Appropriate procedures to control confidentiality agreements with third parties, indicating the prohibition of contracting/sharing/accessing CLIENT information with unauthorized third parties, without having previously documented the CLIENT's authorization.

Query on ISMS Scope

I had a small query on the outlined ISMS scope in the organisational units. 

Can you check the attached image if it is correct for the organisational unit highlighted scope? 

• I have added myself (IT security admin) and the Internal Audit Team. 
  • I will be leading the ISMS implementation while the Audit team will perform the internal audit of the ISMS implementation. 
• With the location and network in scope and out of scope, 
  • Can we include all offices in scope as listed in the previous document as the outsourcing team will be working across Nepal offices?

As we cannot segregate office locations specifically for the outsourcing division, we will assess and implement ISO controls accordingly for the outsourcing team.

Questions related to ISO 27001 Controls

I am curious to know about the coverage of all controls during the external audit. To one of my question, you said that only the controls which are applicable can be considered.

So, my next question is I am working for an IT Software company and Can I skip any or all the following controls:

A 6.2 Mobile devices and teleworking
A 7: Human resources security
A 8: Asset Management
A9 : Access control
A 10 : Cryptography
A 11. Physical and environment security
Please advise. I would like to know:

a. What are the criteria for selecting a control?

b. What all are the mandatory controls (a must control) which the external auditor would like to see for certifying the company?

My understanding is that all the controls are applicable to all the industries, companies etc.  Hence the question.

Different companies in scope ISO 27001

1 - I have some questions regarding ISO 27001- ISMS scope and organizational units. We are implementing the documentation in two of our companies (same corporate group). The whole Company X is within the scope but only the compliance office in Company Y. We include them both in the scope. Is this correct or do we have two sets of documentation? We are using the same equipment and facility at the moment.

2 - I also have a question regarding Risk assessment table. To be compliant with the ISO standard- should we change the risks in the risk assessment after the risk treatment? For example, if risk X has been reduced due to implementation of a policy, should we change the risk from e.g., 3 to 2 in the risk assessment? Or should we not change the risks after treatment at all?