Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 27001 toolkit purchase
Limited-time offer – ends June 27, 2024

ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Metodología de Gestión de Riesgos

  • Audit trail

  • ISO 27007

  • Changes in ISO 27001

  • ITIL and ISO 27001

  • Requirements of interested parties

  • ROSI

  • Group assets

  • ISO 27001 - ¿Por dónde empezar?

  • Security controls to mitigate cybersecurity threats

    We have received this question: Which control clause(s) in ISO27001:2013 correspond to each of the following areas to mitigate cyber security threats: 1. Home, mobile working : Info. security regardless of how/where employees access company's info. assets 2. User Education and Awareness: All interested parties should be aware of key risk and how to report incidents. 3. Incident Management: Ability of the company to contain incidents and return to business as usual quickly. 4. Info. risk Management Regime: Tone from the top 5. Managing User Privileges: Role based security on a need to know/need to have basis 6. Removable Media Controls: Safe use and disposal of media 7. Monitoring: Preventive, reactive and corrective measures to curb unexpected activity 8. Secure configuration: Configuration and change management to maintain integrity and availability 9. Malware Protection: Effective Patch management to reduce exploitation of known vulnerabilities 10. Network Security: Knowing and controlling who accesses to the network Answer: First let me say you that I SO 27001 is not for a specific sector, for example cybersecurity, so ISO 27001 is a global standard that you can use to establish an Information Security Management System to protect information in any type of environment (including cybersecurity, but it is not only for this). Anyway, I will show you the clauses of ISO 27001:2013 that are more related to each point: 1.- A.6.2.1 Mobile device policy and A.6.2.2 Teleworking 2.- Clause 7.3 Awareness and A.7.2.2 Information security awareness, education and training 3.- Entire domain A.16 Information security incident management 4.- I suppose that you mean Risk management, if so, the clauses related to this in ISO 27001: 2013 are 6.1.2 Information security risk assessment, 6.1.3 Information security risk treatment, 8.2 Information security risk assessment and 8.3 Information security risk treatment 5.- A.9.2.3 Management of privileged access rights 6.- A.8.3.2 Disposal of media 7.- Clauses 9.1 Monitoring, measurement, analysis and evaluation and 10.1 Nonconformity and corrective action 8.- A.12.1.2 Change management (there is no control on this standard to manage specifically the configuration of CIs – Configuration Items) 9.- A.12.2.1 Controls against malware, and regarding to vulnerabilities you also have the A.12.6.1 Management of technical vulnerabilities and A.12.6.2 Restrictions on software installation 10.- A.13.1.1 Network controls, A.13.1.2 Security of networks services, A.13.1.3 Segregation in networks, and A.9.1.2 Access to networks and network services Finally, these articles related to cybersecurity can be interesting for you: “Which one to go with – Cybersecurity Framework or ISO 27001?” : “What is cybersecurity and how can ISO 27001 help?” : “ISO 27001 vs. ISO 27032 cybersecurity standard” : And this free eBook can be also interesting for you “9 Steps to Cybersecurity” :