Expert Advice Community

Guest

Configuration Management Policy & Procedure

  Quote
Guest
Guest user Created:   Mar 12, 2021 Last commented:   Jul 09, 2021

Configuration Management Policy & Procedure

For our ISMS we need to have a "Configuration Management Policy & Procedure" to address the requirements of external parties (ex: regulators).   I do not see any template for the same in the toolkit provided. Kindly assist on the Configuration Management Policy to help address below requirements. - A configuration management policy and procedure including a baseline of the software configuration of individual assets - baseline config is part of asset register & standardized - Documentation supporting a detection solution in place within the User Systems - only system admin have access to install - The implementation of solutions to detect and prevent the installation or execution of unauthorized software - only system admin have access to install - Documented procedures for reporting and remediating the installation or execution of unauthorized software - only system admin have access to install
0 0

Assign topic to the user

ISO 22301 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 22301 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 12, 2021

Please note that guidelines related to a Configuration Management Policy are spread in the following templates:

  • Bring Your Own Device (BYOD) Policy, located in folder 08 Annex A Security Controls >> A.6 Organization of Information Security
  • Mobile Device and Teleworking Policy, located in folder 08 Annex A Security Controls >> A.6 Organization of Information Security
  • IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset management

Together, these policies define user acceptable behavior when using software (e.g., only system admin has access to install), refer to the need to document configurations, and support the use of detection solution within users’ systems.

The information about software baseline can be included in the Inventory of Assets template, located in folder 08 Annex A Security Controls >> A.8 Asset management

For general reporting and remediation of installation or execution of unauthorized software you can consider the Incident Management Procedure, located in folder 08 Annex A Security Controls >> A.16 Information security incident management

Regarding procedures for implementation of solutions, please note that these are related to the specific solution adopted, so in this case, you need to develop the procedures using our blank template.

For further information, see:

Quote
0 0
Guest
Rohit Daniel Jun 29, 2021

For the Internal Audit Program,  Scope is defined as: ISMS Policies, Audit Criteria :ISO 27001 Annex A controls as per SoA and/or Regulatory requirements (Since the regulatory requirement refers to ISMS standard compliance)...Please validate whether this approach is right/ wrong.

Quote
0 0
Guest
Atul Kamat Jun 29, 2021

Thanks for the feedback. 

A follow-up questions based on above advise :  So trust we can keep the scope & criteria as follows for internal audit purpose

Scope : ISMS Policies (ex : HR Security Policy, Access Control Policy)

Criteria : ISO 27001 Annex A controls  and/or Regulatory requirements (ex: BS7858, ISO 27001)

Quote
0 0
Expert
Rhand Leal Jun 30, 2021

For the Internal Audit Program,  Scope is defined as: ISMS Policies, Audit Criteria :ISO 27001 Annex A controls as per SoA and/or Regulatory requirements (Since the regulatory requirement refers to ISMS standard compliance)...Please validate whether this approach is right/ wrong.

You need to audit the ISMS policies considering the standard as a whole, not only controls from Annex A, and the criteria must be clear (i.e., not “or”, only “and”). Considering that your text should be:

Scope: ISMS Policies
Audit Criteria: ISO 27001 Annex A controls as per SoA and applicable Legal requirements (laws, regulations, and contracts).

Quote
0 0
Expert
Rhand Leal Jun 30, 2021

Thanks for the feedback. 

A follow-up questions based on above advise :  So trust we can keep the scope & criteria as follows for internal audit purpose

Scope : ISMS Policies (ex : HR Security Policy, Access Control Policy)

Criteria : ISO 27001 Annex A controls  and/or Regulatory requirements (ex: BS7858, ISO 27001)

The scope needs to be a close one (i.e., you need to define the specific policies that will be audited, not provide examples). In case it is unfeasible to audit all policies in a single audit, you can plan two or more audits to cover all policies.

The criteria must be clear and defined (i.e., not “or”, only “and”).

Considering that your text should be:

Scope for audit 1: ISMS Policies (HR Security Policy, Access Control Policy)
Criteria for audit 1: ISO 27001 and BS7858

Scope for audit 2: ISMS Policies (Secure development Policy, Supplier Security Policy)
Criteria for audit 2: ISO 27001 and applicable legal requirements (laws, regulations, and contracts) defined in the List of Regulatory, Contractual and Other Requirements.

Quote
0 0
Guest
Rohit Daniel Jul 08, 2021

Hi 

Hope you are doing well

Just had a query related to Training & Awareness Plan

 Does The Training & Awareness Plan mention in ISO 27001Toolkit is for all the employees in organization or just for the Internal Audit Team training? 

Thank You & regards

Quote
0 0
Expert
Rhand Leal Jul 09, 2021

The content of the Training & Awareness Plan needs to include needed training and awareness activities for all personnel included in the ISMS scope, not only the Internal Audit Team.

For example, it can include basic training for regular final users and at the same time advanced security techniques for IT and SW development personnel.

This article will provide you a further explanation about awareness and training:

This material will also help you regarding awareness and training:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 12, 2021

Jul 09, 2021