
Expert Advice Community

Assets detail level and segregation of duties

Guest user Created: Feb 10, 2020 Last commented: Feb 10, 2020

We ordered your ISO27001 toolkit to prepare ourselves for the XYZ audit. Our company XYZ is an XYZ-employee company developing and licensing its own software as SaaS. DevOps infrastructure is hosted internally, but all SaaS services are provisioned from the AWS cloud. Employees in our company are divided into two groups: sales/marketing and developers. Developers have several roles because they are developing software, administering the production system and, to some extent, providing customer support. Most of the admin processes (finance and payroll) are outsourced. Typical arrangements in companies that are about our size.
  1. I am struggling with the level of detail in the 10.1 Risk assessment table listing. Does the standard define detailed assets or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be the development operations system, or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question is our SaaS service: can I describe it as one asset even though it has several technical components inside?
  2. My second question relates to the separation of duties, because we simply do not have enough development people to make strict roles between people, since the same people develop and deploy versions to production. Of course, there is a well-defined process to test and accept a release candidate to be put into production.

Expert
Rhand Leal Feb 10, 2020

1. I am struggling with the level of detail in the 10.1 Risk assessment table listing. Does the standard define detailed assets or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be the development operations system, or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question is our SaaS service: can I describe it as one asset even though it has several technical components inside?

ISO 27001 does not prescribe a level of detail for assets, so organizations can define the level of detail that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels, you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to a SaaS service.

Included in the toolkit you bought, you have access to a tutorial that can help you fill in the risk assessment.

2. My second question relates to the separation of duties, because we simply do not have enough development people to make strict roles between people, since the same people develop and deploy versions to production. Of course, there is a well-defined process to test and accept a release candidate to be put into production.

To implement separation of duties it is not mandatory to define strict roles (e.g., to have a developer and a tester); you only have to ensure that a single person does not perform the whole process. For example, if you have two developers, one can do the development and deployment of a system, and the other can perform the test and acceptance of the release candidate of this same system, and you can swap places for another system.

If this arrangement is not possible, you can consider compensating controls like:
- Monitoring activities
- Audit trails
- Management supervision

This article will provide you with a further explanation about segregation of duties:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

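One way to turn the "audit trails" and "monitoring activities" compensating controls from the answer above into a routine check, as an added example that is not part of the expert's answer or the toolkit: it reads a constructed release audit trail (hypothetical people, systems and column names) and flags releases where the developer accepted their own release candidate, treating a recorded supervisor approval as the management-supervision compensating control.

```python
"""Segregation-of-duties check over a small team's release audit trail.

Models the arrangement suggested above: one developer builds and deploys a
release, a different developer tests and accepts it, and the two swap places
on another system. All names, systems and columns below are constructed
sample data, not a real export format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample audit-trail export (hypothetical people and systems).
AUDIT_TRAIL = """\
system,version,developer,acceptor,deployer,supervisor_approval
billing-api,1.4.0,alice,bob,alice,
web-portal,2.1.3,bob,alice,bob,
billing-api,1.4.1,alice,alice,alice,
web-portal,2.2.0,bob,bob,alice,carol
"""


@dataclass(frozen=True)
class Release:
    system: str
    version: str
    developer: str            # wrote the change
    acceptor: str             # tested and accepted the release candidate
    deployer: str             # pushed it to production
    supervisor_approval: str  # manager who signed off, empty if none


def parse_audit_trail(text):
    """Parse the CSV export into Release records."""
    return [Release(**row) for row in csv.DictReader(io.StringIO(text))]


def check_segregation(releases):
    """A release is acceptable when a second person independently accepted the
    candidate. If the developer accepted their own work, a recorded supervisor
    approval counts as the compensating control; otherwise it is a violation."""
    violations, compensated = [], []
    for r in releases:
        if r.developer != r.acceptor:
            continue  # duties were split between at least two people
        if r.supervisor_approval:
            compensated.append((r.system, r.version, r.supervisor_approval))
        else:
            violations.append((r.system, r.version, r.developer))
    return {"violations": violations, "compensated": compensated}
```

Run it against a real export of the release pipeline's records and review any "violations" entries during the management supervision the answer mentions.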