Expert Advice Community

Home / ISO 27001 & 22301 / Content and scope of External Threat Monitoring

Guest

Content and scope of External Threat Monitoring

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Jul 15, 2022 Last commented:   Jul 15, 2022

Content and scope of External Threat Monitoring

ISO 27001 & 22301
at present, the most immediate question I have is this – what is the content and scope of External Threat Monitoring? Would it be adequate to comply with US’ FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FIMA compliance, should we adopt NIST’s standards, namely, FIPS 199, FIPS 200, and the NIST 800? External threat monitoring [job title] is responsible for monitoring suppliers, manufacturers, and security reference groups in order to identify external threats that can impact applications and systems, and [job title] must select actions to be taken in case new threats are identified.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Jul 15, 2022

1 - At present, the most immediate question I have is this – what is the content and scope of External Threat Monitoring?

I’m assuming you are referring to the Security Procedures for IT Department template.

Considering that, the definition of what to monitor (content) from which assets (scope) related to external threats will depend on the results of risk assessment and applicable legal requirements. The relevant risks and elements defined in laws, regulations, and contracts you need to fulfill will point out which assets you need to monitor, and which threats you are most exposed to.

For example, in case you have relevant risks related to zero days vulnerabilities related to operating systems, you may need to include monitoring of related manufacturers. Also, in case you have a contractual clause related to ensuring data availability in the supply chain, you may need to monitor the situation of your suppliers.

2 - Would it be adequate to comply with US’ FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FIMA compliance, should we adopt NIST’s standards, namely, FIPS 199, FIPS 200, and the NIST 800?  

First is important to note that you only need to implement FISMA and related standards if they are required (e.g., due law or contract). In case they are not required there is no need to go for them.

Considering that, FISMA is most related to ISO 27001 clauses 4 to 10 (requirements for information security management), not to controls from Annex A (which are more related to FIPS 199, FIPS 200, and the NIST 800). 

Specifically for implementing threat monitoring, NIST 800-53 has security controls that can be used to implement it, but this standard is not required to implement ISO 27001, and you only should use it if you are prepared to do some extra work.

This article will provide you with further explanation about threat monitoring:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jul 15, 2022

Jul 15, 2022

Suggested Topics
Guest user Created:   Oct 21, 2023 ISO 27001 & 22301
Replies: 1
0 0

Exclusions of the ISMS scope
Guest user Created:   Oct 06, 2023 ISO 27001 & 22301
Replies: 1
0 0

Certification scope