Search results


  • Conformio and Annex A controls

    Thank you very much for your help Rhand, this is exactly what I wanted to know. I will be able to go ahead with the project with peace of mind.

    Have a nice day 😀
    Carlos

  • Mapping of requirements on controls

    Please note that to map an external requirement such as a requirement for an Insurance company, you should use the Register of Requirements module.

    In the field “To what area is this requirement related?” you can use the option “Specifying mandatory safeguards”, and in the field “Description of the requirement,” you can inform clause A.7.2.2.

    As for the security awareness training, you can record this need in the Training module.

  • Performing Information security and POPIA compliance gap analysis

    For deliverables 1, 2, and 3 a good approach would be developing checklists based on ISO 27001 and POPIA requirements to perform the gap analysis and plans on how to apply them and specific timelines. Besides the reports themselves, additional deliverables would be these checklists and plans.  

    Regarding deliverable 4, sorry but this deliverable requires technical expertise that is out of our scope of work.  

    These tools can help you to have a general idea about the gap analysis:

    Since gap analysis has similarities with internal audit, you may benefit from this material:

    For further information, see:

  • Question about GRC committee

    First, it is important to note that ISO 27001 does not regulate, or even mention, a GRC committee. It only requires that the functions relevant to information security are defined.

    Considering that, the first steps would be for the committee to agree on what the top-level objectives of information security are, and what kind of role and authority the committee has, so that it does not conflict with those of the security officer.

    After that, as an information security officer, in case the objectives are changed, and also considering the committee’s roles and authorities, you should evaluate whether any changes are required in the ISMS. In case changes are required, these need to be evaluated by management representatives to decide whether they will be implemented or not. The following steps are similar to those related to ISMS implementation:

    • update the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties

    • update risk assessment and treatment methodology

    • perform a risk assessment and define a risk treatment plan

    • controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

    • people training and awareness

    • controls operation

    • performance monitoring and measurement

    • perform internal audit

    • perform a critical management review

    • address nonconformities, corrective actions, and opportunities for improvement

    For further information, see:

  • Asset inventory

    ISO 27001 does not prescribe the information to be included in an inventory of assets, so organizations can define them as best they fit their needs.

    Both alternatives have advantages and disadvantages:

    • by using the owner’s name, it is easier to identify who to contact, but the inventory will need to be updated every time the asset’s owner changes.
    • by using the owner’s role, you won’t need to update the inventory if a new person is in charge, but the inventory will become less personal, and you will need additional information to identify the person.

    You can also use both pieces of information in your inventory. The turnover rate in your organization will help you assess which approach is better for your organization.

    For further information, see:

    • Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    • Do we need separate Cloud Security Policy?

      Unless you have a legal requirement (e.g., law, regulation, or contract) demanding a Cloud Security Policy, you do not have to implement one. The Information Security Policy is enough to provide guidelines for the protection of information in cloud environments.

      For further information, see:

    • Revision to 27002 question

      Please note that the elements (Attribute, Control, Purpose, Guidance, and Other information) are part of each control, and that each control refers to at least one element of the five control attributes. So, by selecting one attribute to sort the controls, you can group them according to each element they cover.

      For example, control 5.1 Policies for Information Security, in its attribute Control type is classified as preventive, while control 7.4 Physical Security Monitoring in its attribute Control type is classified as preventive and detective.

      Considering that, you can work these controls together considering that you can develop a Physical Security Monitoring Policy (a preventive measure), which can define rules for implementing CCTV monitoring and motion sensors for detection of unauthorized access (a detective measure).

      For more detailed information about the ISO 27002 revision, please download this free white paper: 

    • A.5.1.1 Policies for Information Security

      Please note that ‘Setting top-level information security objectives and intentions’ is related to the Information Security Policy, which is a mandatory document for ISO 27001. It needs to be implemented regardless of whether the controls from sections A.5 and A.7 are applicable or not, so it is not linked to these controls.

    • Register of legal, contractual and other requirements

      1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

      In this step, you need to record all laws, regulations, standards, and contracts that impose information security requirements on your company.

      This step will help you identify which security controls you need to consider in your ISMS implementation.

      For further information, see:

      2 - For ISMS Scope: we’re not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

      To help you define your ISMS scope, please access this free tool:

      3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

      ISO 27001 does not require you to have a separate Asset inventory, so in Conformio the Risk Register is used for listing the assets.

      In Conformio assets are identified as part of the information risk assessment and treatment, in the Risk Register module, so you only need to identify assets that are relevant to the information you want the ISMS to protect. You should include all assets that you control - those could be the assets you are using (e.g., your people), that you purchased (e.g., laptops), or that you provide to third parties (e.g., Software-as-a-Service).

      4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies (like backup policy, cloud policy, data destruction policy, ...)?

      ISO 27001 does not prescribe the content of an IT Security policy, so you can develop it as a single document or as multiple documents covering specific areas.

      In Conformio you can either use a single document for the IT Security policy or use several separate documents. You can decide that after performing the risk assessment step; Conformio suggests the documents you need to develop within the Statement of Applicability step, considering the applicability of controls.

      For further information, see:
