Estamos por implementar la norma ISO 27001 en una Pyme que brinda servicios basados en una aplicación software accesible mediante internet y maneja información sensible de pacientes con enfermedades. Se utilizarán tres servidores de segunda marca (XXXXX) bajo XXXXX, un servidor realizará el trabajo de XXXXX, el segundo será para la aplicación software y el tercero para gestión de la base de datos. Ese esquema estará replicado exactamente igual (es decir otros 3 servidores equivalentes) en otra localización para asegurar la redundancia en caso de fallas.
Necesitamos predefinir el costo de embarcarnos en la ISO 27001 y tenemos algunas dudas. ¿Estamos manejando información sensible protegida por leyes, es posible obtener un buen nivel de seguridad bajo el esquema planteado y utilizando XXXXX?, no nos dan los costos para pasar a hardware de primera linea. ¿vamos a necesitar un software de bóveda de claves?, ¿vamos a necesitar un software del tipo XXXXX para controlar las 20 notebook de empleados que accederán a esta información? . ¿Un esquema basado en XXXXX pasará exitosamente un pentest según nos requieren contractualmente nuestros clientes?. ¿Conviene tener un firewall físico para las oficinas donde están las notebooks de los 20 empleados?. Ojo que las notebooks pueden tambien ser utilizadas desde las casas vía teletrabajo. Bueno agradezco la orientación, obvio que 27001 no define estos consejos, pero nosotros si avanzamos con este tema tenemos requisitos contractuales que cumplir y además asegurarnos la protección de datos personas regulados por una ley y tal vez Uds. hayan tenido casos que nos permitan dimensionar el costo. No disponemos de recursos económicos altos, por eso no estamos pensando en contratar hosting con todas las seguridades, tenemos que hacerlo con nuestros propios medios. ¿Qué otro software licenciado, además de antivirus, necesitaríamos tener en cuenta en el presupuesto?. Gracias por la información.
We are about to implement the ISO 27001 standard in an SME that provides services based on a software application accessible through the internet and handles sensitive information on patients with diseases. Three second brand servers (***) will be used under ***, one server will do the work of firewal, the second will be for the software application and the third for database management. This scheme will be replicated exactly the same (that is, 3 other equivalent servers) in another location to ensure redundancy in case of failures.
We need to predefine the cost of embarking on ISO 27001 and we have some doubts.
1 - Are we dealing with sensitive information protected by laws?
2 - Is it possible to obtain a good level of security under the proposed scheme and using ***?
3 - Are we going to need a key vault software?
4 - Are we going to need ***type software to control the 20 employee notebooks that will access this information?
5 - Will a ***-based scheme successfully pass a pentest as contractually required by our clients?
6 - Is it convenient to have a physical firewall for the offices where the notebooks of the 20 employees are? Note that notebooks can also be used from home via teleworking.
7 - Well I appreciate the guidance, obviously 27001 does not define these tips, but if we move forward with this issue we have contractual requirements to meet and also ensure the protection of personal data regulated by law and perhaps you have had cases that allow us to size the cost. We do not have high economic resources, so we are not thinking of hiring hosting with all the security, we have to do it with our own means.
8 - What other licensed software, besides antivirus, would we need to consider in the budget? Thanks for the info.)
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1 - Are we dealing with sensitive information protected by laws?
Answer: We are not legal experts, so you need to seek an expert legal advice to get this answer considering where your organization operates from, but in most countries the protection of health data is defined by local laws and regulations.
2 - Is it possible to obtain a good level of security under the proposed scheme and using ***?
Answer: A "good level of security" will depend on the assessed risks and legal and contractual requirements your organization needs to fulfill. So, without such kind of information, it is not possible to answer if it is possible to achieve an acceptable level of security with the proposed architecture.
3 - Are we going to need a key vault software?
Answer: Like the previous answer, the need for key vault software, or any specific solution will depend on the assessed risks and legal and contractual requirements your organization needs to fulfill.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
4 - Are we going to need ***type software to control the 20 employee notebooks that will access this information?
Answer: The same answer for question 3 applies to this one.
5 - Will a ***-based scheme successfully pass a pentest as contractually required by our clients?
Answer: If the ***-based scheme address the relevant risks and legal and contractual requirements and is properly configured, you have good chances to be successful in a penetration test.
For further information, see:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
6 - Is it convenient to have a physical firewall for the offices where the notebooks of the 20 employees are? Note that notebooks can also be used from home via teleworking.
Answer: The same answer for question 3 applies to this one.
7 - Well I appreciate the guidance, obviously 27001 does not define these tips, but if we move forward with this issue we have contractual requirements to meet and also ensure the protection of personal data regulated by law and perhaps you have had cases that allow us to size the cost. We do not have high economic resources, so we are not thinking of hiring hosting with all the security, we have to do it with our own means.
Answer: Please note that today the costs of adopting hosting are significantly reduced, and in addition to acquisition costs, you also have to consider operational, maintenance and updating costs to evaluate if an onsite solution is competitive.
Now, about certification, there are a significant number of variables to be considered when estimating an implementation cost, such as size and complexity of the scope, a number of employees, a number of sites, etc. Additionally, you also have these main topics to consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employee's effort and time
- The certification process
These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
8 - What other licensed software, besides antivirus, would we need to consider in the budget? Thanks for the info.)
Answer: It is our policy to not make recommendations about technical solutions, so what we can say is that you need to consider the results of risk assessment and legal and contractual requirements to be fulfilled to identify needed software.
Comment as guest or Sign in
Aug 27, 2020