
  • Using ISMS results to prove SOX-ITGC controls

    IT General Controls (ITGC) are controls that are common to IT processes, providing stable and effective operation of application controls. They cover fields like creation/acquisition of systems, the SDLC process, access control, backup, change control, etc.

    SOX is a United States federal law that sets requirements for improving the accuracy and reliability of financial disclosures of organizations trading on U.S. territory.

    Considering that, an ISMS compliant with ISO 27001 can be one way to fulfill the requirements of SOX-ITGC.

    However, being compliant with ISO 27001 would not give you full compliance with SOX-ITGC; it could only be a part of your compliance effort.

    For more information, please see:

    • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    • How can ISO 27001 help you comply with SOX section 404 https://advisera.com/27001academy/blog/2017/11/21/how-can-iso-27001-help-you-comply-with-sox-section-404/

  • Main advantages of implementing the ISO 14001 standard

    I don’t have experience in the mining industry, but I can point to some articles that can help you:

    The advantages of ISO 14001 for a company are based on the context, current performance, and interested parties' expectations.

  • Combine roles inside an (ITSM) organization

    Yes, you can combine roles inside your (ITSM) organization. This is not unusual, particularly for smaller organizations.

    Here are more details:

    • What ITIL roles can be combined in one person? https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/
    • Defining roles and responsibilities for ISO 20000-based IT Service Management https://advisera.com/20000academy/blog/2017/10/18/defining-roles-and-responsibilities-for-iso-20000-based-it-service-management/

  • ISO27001 13.1.1 + 13.1.2

    If a company is cloud-based and does not have its own network, it should mark controls A.13.1.1 and A.13.1.2 as not applicable in the Statement of Applicability, because there would be no risks or third-party requirements that would require such controls to be implemented.

  • CE Mark

    For the European market, all medical devices must be in compliance with the Medical Device Regulation, MDR 2017/745. This document contains all the relevant information on what needs to be prepared to get the CE mark.

    You can find the MDR in full text on the following link: https://advisera.com/13485academy/mdr/

    Also, you can find a lot of supporting reading material in our ISO 13485 Academy on the following link: https://advisera.com/13485academy/free-downloads/

  • 7.4 Physical security monitoring

    Including physical security monitoring inside the Access Control Policy is an acceptable option to document this control, in case you consider this documentation relevant to your organization.

    An alternative would be a document called Procedures for Working in Secure Areas.

    To see how this document can include physical security monitoring, please access this demo: https://advisera.com/27001academy/documentation/procedures-for-working-in-secure-areas/

  • New control names

    First, it is important to note that such classifications are defined only in ISO 27002, and their use is not mandatory for compliance with ISO 27001.

    Considering that, these classifications are known in ISO 27002 as control attributes, and they provide a standardized way to sort and filter controls against different views to address the needs of different groups.

    The detective, corrective and preventive attributes belong to the “control type” attribute category. ISO 27002 provides four other categories that can be used instead of “control type” to sort controls:

    • Information security properties: Confidentiality, Integrity, and Availability
    • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
    • Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
    • Security domains: Governance and ecosystem, Protection, Defense, and Resilience

    For example, control 5.1 Policies for Information Security is classified in its Control type attribute as preventive, while its Cybersecurity concept attribute is Identify. As for control 7.4 Physical Security Monitoring, its Control type attribute is classified as preventive and detective, while its Cybersecurity concept attribute is Protect and Detect.

    For further information, see:

  • Gap analysis results

    1 - Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation for Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

    Please note that besides the ISMS scope, required by clause 4.3, there is no other documentation required by section 4 of the standard. The ISMS Scope is documented within Conformio.

    Clause 4.1 requires the context of the organization to be determined, but it does not need to be documented.

    Clause 4.2 requires interested parties and their requirements to be determined, and this is documented in the List of legal, regulatory, and contractual requirements.

    For further information, see:

    2 - Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and, as such, the Risk Register provided does not meet the requirements of ISO.

    The standard requires risks to be identified considering the loss of confidentiality, integrity, and availability, and this is done in Conformio by assessing the impact taking C-I-A into account; this is also specified in the Risk Assessment Methodology. The standard does not require C-I-A to be assessed separately.

    For further information, see:

    • Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  • Audit questions

    1. One of my clients has outsourced its IT and software development. I have to do the internal audit for this client; in the scope document they have mentioned the entire organization. In that case, do I have to audit the IT department?

    I’m assuming that your client is outsourcing its IT and Software Development.

    Considering that, in terms of the IT department you need to audit the contract/service agreement they have with the outsourcing company, to evaluate if the outsourced services are being managed by the company and fulfilled by the provider.

    In case the client is providing IT and Software Development to other companies, then you need to audit the IT department.

    For further information, see:

    2. One of the clients is operating in a co-working space; physical, access, IT, and networking security is managed by the provider. In this scenario, does the client need to have access, network, and physical security policies and procedures?

    In this scenario, the client needs to have the Access control policy because it is a mandatory document according to ISO 27001. Regarding network and physical security policies, the client can decide on its own whether these are needed or not. The fact that the client is using outsourced services has no impact on this situation.
