Control A.14.3.1
I want to ask you other questions:
1) I understand that the CISO performs internal audits in a company, but who should audit the CISO?
2) Our company is dedicated to selling ERP in SaaS mode (software as a service), how should control A.14.3.1 (Protection of test data) be implemented? ... it is necessary to obfuscate the information of customers who are in the database?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1) I understand that the CISO performs internal audits in a company, but who should audit the CISO?
Answer: First is important to note that CISO is a very bad choice for the internal auditor because of the obvious conflict of interest (this role is in general responsible for all the ISMS, and auditors cannot audit their own work).
Considering that, you must consider another person to be the internal auditor (e.g., train another employee as internal auditor, or hire an external auditor).
For further information about CISO, see:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
2) Our company is dedicated to selling ERP in SaaS mode (software as a service), how should control A.14.3.1 (Protection of test data) be implemented? ... it is necessary to obfuscate the information of customers who are in the database?
Answer: The way to implement control A.14.3.1 will depend on the results of risk assessment and identified legal requirements. For example, risk assessment may identify that only strict control to test database is enough, or that creation of randomized dummy customer data may be needed. Additionally, contractual clauses may require the use of specific techniques, or forbid others, and some regulations like GDPR may require anonymization of test data.
This article will provide you a further explanation about the software development life cycle:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
This material will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Feb 09, 2021