Help with ISO 27001 implementation

Guest
Guest user Created:   Oct 15, 2020 Last commented:   Oct 16, 2020

Dear Advisera Support Team

I have just purchased your "ISO 27001/ISO 22301 Risk Assessment Toolkit English" because I really find your concept practical, according to the free downloadable materials on your website. Unfortunately, after having looked through all the contents of the package, I am not fully satisfied with the purchase, as I expected more examples related to the asset-threat-vulnerability approach as described here on this site:

Diagram of ISO 27001:2013 Risk Assessment and Treatment process (advisera.com)
 
Could you please help me out? What I am looking for is more examples like this, something like a collection of which ISO controls could address which threat and vulnerability types; a matching table would really help me. I would like to seek your support and advice here, especially when the assets are infrastructure elements like a Domain Controller or a VPN gateway.

Expert
Rhand Leal Oct 15, 2020

There is no definitive document we can recommend, since, for each organization, the applicable controls may vary according to the organization's risk tolerance and the results of the risk assessment (for the same vulnerability one or more controls may be applicable). Additionally, such documents may mislead organizations while implementing their own practices, because they may understand that these are the solution for their risk, without considering their own organizational context.

For the assets you mentioned, here are a couple of examples of applicable threats, vulnerabilities, and controls:

  • Domain controller: misuse of information systems - inadequate user rights - A.9.2.1 User registration and de-registration
  • Domain controller: application errors - inadequate change control - A.12.1.2 Change management
  • VPN: information interception - inadequate network management - A.13.1.2 Security of network services
  • VPN: unauthorized network access - inadequate user rights - A.9.1.1 Access control policy

These materials will also help you regarding risk treatment:

Guest
Guest user Oct 16, 2020

Thanks, it is already somewhat of a help that I could use as a starting point.

Though I would like to approach this topic in a more pragmatic and analytic way. I have seen on your website a categorization of ISO27k controls into organizational, technological, etc. on a pie chart, shown with numbers. Could you please send me such a categorization of which controls fall into which category?

It would also be much appreciated if you could suggest, at a high level, which control main or sub-chapters you would suggest including as generally applicable for doing risk assessment for a Domain Controller and a VPN gateway.

Furthermore, in case of doing risk assessment for such infrastructure elements, would you suggest including additional assets like administrators therein? Or even documentation or facilities? That is also related to my above question: if we have around 30 organizational type controls, the evaluation of those could be applied in more or less the same way to all infrastructure elements, or what would you suggest to avoid double work?

This we could also discuss personally in the course of the online expert support session offered; I am available for this purpose tomorrow or today afternoon.

Expert
Rhand Leal Oct 16, 2020

1. Though I would like to approach this topic in a more pragmatic and analytic way. I have seen on your website a categorization of ISO27k controls into organizational, technological, etc. on a pie chart, shown with numbers. Could you please send me such a categorization of which controls fall into which category?

Please note that this is not a definitive list, because other people can use different criteria for grouping the controls. Broadly speaking we have:

  • Sections related to organizational issues: A.5, A.6, A.8, A.15
  • Section related to human resources: A.7
  • IT-related sections: A.9, A.10, A.12, A.13, A.14, A.16, A.17
  • Section related to physical security: A.11
  • Section related to legal issues: A.18

2. It would also be much appreciated if you could suggest, at a high level, which control main or sub-chapters you would suggest including as generally applicable for doing risk assessment for a Domain Controller and a VPN gateway.

Since Domain Controllers and VPN gateways are technological solutions, controls from sections A.9, A.10, A.12, A.13, A.14, A.16, A.17 would be generally applicable for risk treatment. Please note that for risk assessment you can consider such controls as guidance to help identify potential risks (controls are not used during risk assessment).

3. Furthermore, in case of doing risk assessment for such infrastructure elements, would you suggest including additional assets like administrators therein? Or even documentation or facilities? That is also related to my above question: if we have around 30 organizational type controls, the evaluation of those could be applied in more or less the same way to all infrastructure elements, or what would you suggest to avoid double work?

This we could also discuss personally in the course of the online expert support session offered; I am available for this purpose tomorrow or today afternoon.

In your risk assessment, you should include all infrastructure elements that can impact information security, not only technical equipment (e.g., human error on DC configuration may be a relevant risk for you, or lack of formal procedures may cause important records not to be registered).

During the assessment, what you can do to minimize rework is to assess how the risk related to these assets impacts information security, not the DC or the VPN gateway itself.
