Explanation of Annexure 18 of ISO 2017:2013

Guest
Guest user Created:   Nov 10, 2020 Last commented:   Nov 10, 2020


Could you verify whether my explanation below of Annexure 18 of ISO 27001:2013 is correct?

ISO 27001:2013 Annexure 18 Compliance: talks about regulatory and compliance breaches.

If an organization outsources any of its processes under non-disclosure agreements and the third-party vendor gets involved in any kind of data breach, then the annexure control that states "Information security is IMPLEMENTED AND EFFECTIVE" is not complied with.

Auditors should take this into account and look not only for any data breaches that were reported in the audit period, but also for whether any preventive action was taken after the last reported breach, and whether incident response action took place to control the damage.

The number of data breaches occurring tells a different story.

Misuse or abuse of customer data is not a behavior issue. IT IS A CRIME.

End customers not reporting data breaches is a system vulnerability. This does not mean at all that third-party vendors have not compromised customer data. There have been cyberattacks where local criminals and insiders or ex-employees were involved in the crime.

The organization needs not only to audit its vendors for the policies implemented, but also to take strict action against every data breach that occurs and to report every breach incident regularly to the regulatory authorities.

Your thoughts on this would be appreciated and enlightening.

Thank you


Expert
Rhand Leal Nov 10, 2020

Please note that section 18 of ISO 27001 Annex A is about "Compliance with legal and contractual requirements" and "Information security reviews".

Considering that, your explanation is too specific, focusing only on data breaches, when this section's purpose is wider.
For example, depending on the legal and contractual requirements you must fulfill, you may have non-compliant situations involving data disposal or data exchange with authorized entities, which may not involve a data breach.

For example, in your first paragraph, you should talk not only about regulatory issues. Additionally, section A.18.1 is about the prevention of compliance breaches. So your text should be like this:

"ISO 27001:2013 Annexure 18 Compliance: talks about compliance with legal and contractual requirements, and prevention of breaches."

Another example is in your second paragraph. You are being specific about situations (e.g., use of NDAs and data breaches) when the section is not that specific about which solutions to use. So your text should be like this:

"If an organization outsources any of its processes, and enforces security by means of pointing out legal and contractual requirements (e.g., by enforcement of non-disclosure agreements), and the third-party vendor gets involved in any kind of situation breaching such legal and contractual requirements (e.g., it suffers a data breach), then one or more controls from section A.18.1 are non-compliant."

Your last two paragraphs talk about controls that are not included in section A.18.1. Reporting of vulnerabilities is related to control A.16.1.2, and actions to be taken are related to control A.16.1.5. A tip for writing your text is to develop it based on the objectives of sections A.18.1 and A.18.2.

Guest
Vineet Sasurkar Nov 10, 2020

Very detailed explanation. Thank you.
