Explanation of Annexure 18 of ISO 2017:2013
Could you verify if my below mentioned explanation of Annexure 18 of ISO27001:2013 is correct?
ISO27001:2013 Annexure 18 Compliance: talks about regulatory and compliance breaches.
If organization outsources any of its processes with non disclosure agreements and 3rd party vendor gets involved in any kind of data breach, then the annexure control that states, "Information security is IMPLEMENTED AND EFFECTIVE" is non complied.
Auditors should take this into account and look for any data breaches that were reported not only in the audit period but also if any preventive action was taken after the last reported breach. And incident response action took place to control the damage.
The number of data breaches occuring are telling a different story.
Misuse or abuse of customer data is not a behavior issue. IT IS CRIME.
End customers not reporting data breaches is a system vulnerability. This does not mean at all that third party vendors have not compromised customer data. There had been cyberattacks where local criminals and insider or ex-employees were involved in the crime.
Organization needs, not only to audit it's vendors for policies implemented but also take strict action against every data breach that occurs and report every breach incidence regularly to regulatory authorities.
Your thoughts on this would be appreciated and enlightening.
Thank you
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that section 18 of ISO 27001 Annex A is about "Compliance with legal and contractual requirements", and "Information security reviews".
Considering that, your explanation is being too specific, focusing only on data breaches, when this section's purpose is wider.
For example, depending on legal and contractual requirements you must fulfill, you may have non-compliant situations involving data disposal or data exchange with authorized entities, which may not involve a data breach.
For example, in your first paragraph, you should talk not only about regulatory issues. Additionally, section A.18.1 is about the prevention of compliance breaches. So your text should be like this:
"ISO27001:2013 Annexure 18 Compliance: talks about compliance with legal and contractual requirements, and prevention of breaches."
Another example is in your second paragraph. You are being specific about situations (e.g., use of NDA and data breaches) when the section is not that specific about which solutions to use. So your text should be like this:
"If organization outsources any of its processes, and enforces security by means of pointing out legal and contractual requirements (e.g., by enforcement of non-disclosure agreements), and 3rd party vendor gets involved in any kind of situation breaching such legal and contractual requirements (e.g., it suffers a data breach), then one more controls from section A.18.1 is non-compliant."
Your last two paragraphs talk about controls that are not included in section A.18.1. Reporting of vulnerabilities are related to control A.16.1.2, and actions to be taken are related to control A.16.1.5. A tip for you to write your text is to develop it based on the objectives of sections A.18.1 and A.18.2.
Comment as guest or Sign in
Nov 10, 2020