Implementation of ISO Standard in software
I hope that you can help me or possibly refer me to the right address to solve my problem.
We are working on developing software for documentation, management, and planning of LAN / WAN networks. Our clients are mostly ISPs, who use our software to document passive infrastructure. We received a request for a "history" module in which "certain" changes in the database will be saved and which is necessary for ISO certification, in order to determine the status before the change itself.
Unaware of the certification requirements, we are unable to find out what changes to facilities (buildings, cables, pipes, services, etc.) are important, and what information we need to validate and store.
I hope that I have managed to bring you closer to the topic of this problem.
Please note that ISO 27001 prescribes "what" needs to be achieved in terms of information security, not "how" to do that.
The definition of what is important depends on the results of the risk assessment and the identification of relevant requirements (e.g., customer requirements, laws, regulations, contracts, etc.).
Considering that, to identify what needs to be recorded for validation and storage, you need to check:
- which risks related to changes do they consider relevant?
- which laws, regulations, and contracts are related to this demand?
With these answers, you will have the basis for the requirements to be implemented in your software.
These articles will provide you with further explanation about requirements and risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding ISO 27001:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 22, 2020