Security controls to mitigate cybersecurity threats
We have received this question:
Which control clause(s) in ISO 27001:2013 correspond to each of the following areas to mitigate cyber security threats:
1. Home and mobile working: Information security regardless of how/where employees access the company's information assets
2. User Education and Awareness: All interested parties should be aware of key risks and how to report incidents.
3. Incident Management: Ability of the company to contain incidents and return to business as usual quickly.
4. Information Risk Management Regime: Tone from the top
5. Managing User Privileges: Role-based security on a need-to-know/need-to-have basis
6. Removable Media Controls: Safe use and disposal of media
7. Monitoring: Preventive, reactive and corrective measures to curb unexpected activity
8. Secure Configuration: Configuration and change management to maintain integrity and availability
9. Malware Protection: Effective patch management to reduce exploitation of known vulnerabilities
10. Network Security: Knowing and controlling who accesses the network
First let me say that ISO 27001 is not for a specific sector such as cybersecurity; ISO 27001 is a global standard that you can use to establish an Information Security Management System to protect information in any type of environment (including cybersecurity, but not only that). Anyway, I will show you the clauses of ISO 27001:2013 that are most related to each point:
1.- A.6.2.1 Mobile device policy and A.6.2.2 Teleworking
2.- Clause 7.3 Awareness and A.7.2.2 Information security awareness, education and training
3.- Entire domain A.16 Information security incident management
4.- I suppose that you mean risk management; if so, the clauses related to this in ISO 27001:2013 are 6.1.2 Information security risk assessment, 6.1.3 Information security risk treatment, 8.2 Information security risk assessment and 8.3 Information security risk treatment
5.- A.9.2.3 Management of privileged access rights
6.- A.8.3.2 Disposal of media
7.- Clauses 9.1 Monitoring, measurement, analysis and evaluation and 10.1 Nonconformity and corrective action
8.- A.12.1.2 Change management (there is no control in this standard to manage specifically the configuration of CIs (Configuration Items))
9.- A.12.2.1 Controls against malware, and regarding vulnerabilities you also have A.12.6.1 Management of technical vulnerabilities and A.12.6.2 Restrictions on software installation
10.- A.13.1.1 Network controls, A.13.1.2 Security of network services, A.13.1.3 Segregation in networks, and A.9.1.2 Access to networks and network services
Finally, these articles related to cybersecurity may be interesting for you:
Which one to go with Cybersecurity Framework or ISO 27001? : https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
What is cybersecurity and how can ISO 27001 help? : https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
ISO 27001 vs. ISO 27032 cybersecurity standard : https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
And this free eBook may also be interesting for you, 9 Steps to Cybersecurity : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
Could you help me with the following question, please?
Is it necessary or mandatory to perform a Gap Analysis before beginning the ISMS implementation? Is the Gap Analysis about the ISO 27002 controls, or about the requirements of ISO 27001?
Which is the best way to perform this activity? Based on the CMMI?
Thanks so much.
Hi community, I have the following doubt:
How do you assess the value of an asset regarding Confidentiality, Integrity and Availability? Do you take an average of these values?
For example, if in my asset's qualitative analysis I assign 5 to confidentiality, 3 to integrity and 1 to availability, what would the asset value be?
(5+3+1)/3 = 3
5 because it is the highest value??
Or which way do you recommend for compliance with the ISO?
Thanks so much.