SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Guest

Control A14.1.1

  Quote
Guest
Guest user Created:   May 24, 2018 Last commented:   May 24, 2018

Control A14.1.1

I am working on this control and it refers to the Security Requirement Specification – I can only find the template Appendix_Specification_of_Information_System_Requirements_EN.docx.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 24, 2018

This document does not have a lot of details and seem unrelated to the topic of acquiring a new information system. Can you please help by providing examples on this doc?

Answer: The basic difference between internal developed and acquired information systems is that when systems are acquired, the information systems requirements identified in this template should be included in the contract or service agreement established between the organization and the supplier. When the information systems is developed internally, the information in this template is included in the organization's development process.

Here are some examples for each field in this template, considering the information system will be acquired:
- Name of information system: Contract Payment Reporting System (CPRS)
- Version of existing information system: New system to be acquired (the inf ormation in this field will define which and how acquiring information will be included in the "Method of checking and testing implemented security controls")
- Impact value from risk assessment: 7 (in a scale from 1 to 9)
- Functional specification of the information system: The system must maintain information that identifies each entity in the contract, including: entity name, entity ID number, entity contact information, etc.
- Necessary automated controls: The system must prevent the duplicate entry of contract records (e.g., by editing contract ID numbers or entity names.). The system must provide on-line warning message to the user when duplication is identified.
- Necessary manual controls: The system only must sent information about contracts after an authorized user approves the request.
- Method of checking and testing implemented security controls: The security controls in the acquired CPRS will be tested by an independent party using as reference the ISO 15048:2008 - Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 24, 2018

May 24, 2018