Expert Advice Community

Filling documents

Guest user Created: Jun 16, 2021 Last commented: Jun 16, 2021
Hello Dejan,

As *** internal contact for ISO 27001, a query arose while filling out your documents.

I have tried to include information from the VDA ISA 5.0 questionnaire in your documents. In doing so, I often read about requirements that have to be determined.

Are the following requirements determined in your document "02.1_Anhang_1_Liste_gesetzlicher_amtlicher_vertraglicher_rerichtungen_Premium_DE.docx" (02.1_Appendix_1_List_of_Legal_Regulatory_Contractual_and_Other_Requirements) and then referenced in the respective documents to be created later and implemented in a suitable manner, or where exactly are these requirements written down?

1 - Requirements for the procurement, commissioning and approval for the use of non-organizational IT services are determined

2 - Requirements and procedures for the use of confidentiality agreements when passing on sensitive information

3 - The procedures for user authentication are defined and implemented on the basis of business and security requirements.

4 - The requirements for development and test environments have been determined

5 - Measures to meet the requirements with regard to intellectual property rights and the use of software products protected by copyright (procurement and license management) are defined and implemented.

6 - Requirements from business relationships (e.g. reporting obligations to the client) are determined and implemented.

7 - Requirements for key sovereignty have been determined and met.

8 - Security-relevant requirements for information security with regard to the handling of event logs (e.g., requirements from contracts) are determined and implemented.

9 - Extended requirements for the control and administration of networks have been identified and implemented

Expert
Rhand Leal Jun 16, 2021

The purpose of this template is not to define requirements, only to identify where they can be found, who defined them, who are responsible for their implementation, and by which date.

Requirements are defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) which are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this annex.

For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), and who is responsible for it (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).

Considering that:
1 - Requirements for the procurement, commissioning, and approval for the use of non-organizational IT services may be determined by the IT manager together with the key users of such services and documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
2 - Requirements for the use of confidentiality agreements when passing on sensitive information may be determined by information owners, and their way of implementation documented in the “Information Classification Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management
6 - Requirements from business relationships (e.g., reporting obligations to the client) are documented in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in documents which will depend on the requirements defined.
7 - Requirements for key sovereignty may be determined by the IT manager together with the users of services that use these keys, and their way of implementation documented in the “Policy on the Use of Encryption”, located in folder 08_Annex_A_Security_Controls >> A.10_Cryptography.
8 - Security-relevant requirements for information security with regard to the handling of event logs (e.g., requirements from contracts) are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
9 - Extended requirements for the control and administration of networks are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.

Once requirements are defined and identified in the List of Legal Regulatory Contractual and Other Requirements:
3 - The procedures for user authentication are documented in the “Access Control Policy”, located in folder 08_Annex_A_Security_Controls >> A.9_Access_Control
4 - The requirements for development and test environments are documented in the “Secure development policy”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
5 - Measures to meet the procurement and license management requirements with regard to intellectual property rights and the use of software products protected by copyright are documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance, and in the “IT Security Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.

This article will provide you with a further explanation about requirements identification:
