
Expert Advice Community

Guest

Information security behaviour evaluation

Guest user Created:   Jun 14, 2018 Last commented:   Jun 14, 2018

1 - I am a graduate student in information security. I want to examine the behaviour of employees in the field of information security in the organization. For this purpose, I intend to use the ISO 27001 standards for evaluation. I did a lot of research in this field but unfortunately I could not get the right answer and I would ask you to guide me in this area. Now, my question is: can one assess the behaviour of an employee in terms of observing the security principles, such as "not submitting the organization's information on social networks", and so on, using ISO standards? Or are these standards only applicable to the assessment of organization information security at a higher organizational level?

Expert
Rhand Leal Jun 14, 2018

Answer: ISO 27001 is perhaps not the best framework to examine the behaviour of employees; however, you can use the following clauses as a guideline:
- clause 7.3 (awareness): this clause requires the organization to ensure that employees are aware of the information security policy, their contribution to the protection of the information and the performance of the Information Security Management System, and the consequences of information security incidents.
- clause 9.1 requires the organization to monitor, measure, analyse and evaluate security controls and processes, including controls directly related to human resources, such as A.7.2.2 (Information security awareness, education and training) and A.8.1.3 (Acceptable use of assets).

By assessing these requirements you can have an overview of the employees' information security behaviour (e.g., by the results of an information security policy understanding survey, the number of nonconformities or security incidents related to employees, etc.).

2 - And the other question is, if this is feasible, is there a check list for this job?

Answer: For this evaluation, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

This checklist has questions that can help you assess whether the standard's requirements are being fulfilled.

These articles will provide you further explanation about ISO 27001 awareness:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

These materials will also help you regarding ISO 27001 awareness:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
