Infosec procedures
Control A.10.1.2 is covered in our template Policy on the Use of Encryption. You can take a look at its demo at this link: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
A vulnerability procedure is not mandatory for ISO 27001 and is not a common document adopted by organizations, so there is no template covering the specific clause of the standard related to it (control A.12.6.1 - Management of technical vulnerabilities).
Control A.12.6.1 does not prescribe how many scans are necessary for each asset classification. You should define these based on the results of risk assessment and applicable legal requirements.
This article will provide you with a further explanation about key management:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
This article will provide you with a further explanation about vulnerability management:
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
For detailed processes and more technical reference you should consider NIST Special Publications:
- Technical Guide to Information Security Testing and Assessment https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
- Secure Software Development Framework (SSDF) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
- A Framework for Designing Cryptographic Key Management Systems https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-130.pdf
- Recommendation for Key Management https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt2r1.pdf
Feb 14, 2022