ISO 27001 & 22301 - Expert Advice Community




  • Security controls to mitigate cybersecurity threats

    We have received this question: Which control clause(s) in ISO 27001:2013 correspond to each of the following areas to mitigate cyber security threats?

    1. Home, mobile working: Info. security regardless of how/where employees access the company's info. assets
    2. User Education and Awareness: All interested parties should be aware of key risks and how to report incidents.
    3. Incident Management: Ability of the company to contain incidents and return to business as usual quickly.
    4. Info. risk Management Regime: Tone from the top
    5. Managing User Privileges: Role-based security on a need-to-know/need-to-have basis
    6. Removable Media Controls: Safe use and disposal of media
    7. Monitoring: Preventive, reactive and corrective measures to curb unexpected activity
    8. Secure configuration: Configuration and change management to maintain integrity and availability
    9. Malware Protection: Effective patch management to reduce exploitation of known vulnerabilities
    10. Network Security: Knowing and controlling who accesses the network

    Answer: First let me say that ISO 27001 is not for a specific sector, for example cybersecurity; ISO 27001 is a global standard that you can use to establish an Information Security Management System to protect information in any type of environment (including cybersecurity, but it is not only for this).

    Anyway, I will show you the clauses of ISO 27001:2013 that are more related to each point:

    1. A.6.2.1 Mobile device policy and A.6.2.2 Teleworking
    2. Clause 7.3 Awareness and A.7.2.2 Information security awareness, education and training
    3. Entire domain A.16 Information security incident management
    4. I suppose that you mean Risk management; if so, the clauses related to this in ISO 27001:2013 are 6.1.2 Information security risk assessment, 6.1.3 Information security risk treatment, 8.2 Information security risk assessment and 8.3 Information security risk treatment
    5. A.9.2.3 Management of privileged access rights
    6. A.8.3.2 Disposal of media
    7. Clauses 9.1 Monitoring, measurement, analysis and evaluation and 10.1 Nonconformity and corrective action
    8. A.12.1.2 Change management (there is no control in this standard to manage specifically the configuration of CIs – Configuration Items)
    9. A.12.2.1 Controls against malware, and regarding vulnerabilities you also have A.12.6.1 Management of technical vulnerabilities and A.12.6.2 Restrictions on software installation
    10. A.13.1.1 Network controls, A.13.1.2 Security of network services, A.13.1.3 Segregation in networks, and A.9.1.2 Access to networks and network services

    Finally, these articles related to cybersecurity can be interesting for you: “Which one to go with – Cybersecurity Framework or ISO 27001?”, “What is cybersecurity and how can ISO 27001 help?”, “ISO 27001 vs. ISO 27032 cybersecurity standard”. And this free eBook can also be interesting for you: “9 Steps to Cybersecurity”.
  • ISO 27001 and cybersecurity

  • Confidentiality levels

  • Supplier Security Policy

  • Gap Analysis ISO 27001, version 2015?

  • Capacity Management Procedure

  • Gap Analysis

    Hi friends, could you help me with the following question, please? Is it necessary or mandatory to perform a Gap Analysis before beginning the ISMS implementation? Is this Gap Analysis about the ISO 27002 controls, or about the requirements of ISO 27001? What is the best way to perform this activity? Based on CMMI? Thanks so much. Best regards.
  • Assets value

    Hi community, I have the following doubt: How do you assess the value of an asset regarding Confidentiality, Integrity and Availability? Do you take an average of these values? For example, if in my asset's qualitative analysis I assign 5 for confidentiality, 3 for integrity and 1 for availability, what would the asset value be? (5+3+1)/3 = 3, or 5 because it is the highest value? Or, which way do you recommend for compliance with the ISO? Thanks so much. Best regards
  • ISO 27001/ISO 27002 vs COBIT

  • Understanding the organization and its context