Expert Advice Community

Guest

PDCA and security controls

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

AntonioS Jan 12, 2016

I just thought I should reach out with some questions on the ISO 27001 Annex A controls for which I am having a hard time making a clear-cut distinction on what will suffice as the Plan, Do, Check and Act.
It is clear enough for some, while others just have me pulling my hair out. Some of the controls I am finding challenges with, and for which I am seeking your expertise, are:
A.8.1.2 (Ownership of assets)
A.12.1.4 (Separation of development, testing and operational environments)
A.14.1.2  (Securing application services on public networks)
A.14.1.3  (Protecting application services transactions)
Just a point of note, Dejan: we have an understanding of what is technically required to be done, and it is being done.
What is tricky again is the fact that some of the “Do” look more like the “Plan”, and for some it is just tricky to prove how they are “checked”.

Answer:

First of all, remember that the implementation of controls is performed after the risk assessment. So, the difference between Plan, Do, Check, Act is:

Plan: You establish a plan for the implementation of controls, that is, you need a treatment plan (you will need to identify the necessary tasks, resources, deadlines, etc.).
Do: You implement the controls according to the plan.
Check: You check whether the controls are implemented correctly (for example, through the internal audit).
Act: If, after checking the controls, you identify something wrong, you need to take actions to correct and improve it.

So, 1. you need to perform the risk assessment, and 2. you need to perform the risk treatment. If you want more information about it, please read this article, “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
About the controls, I will give you an example:

A.8.1.2 (Ownership of assets): Example of an asset: a server. Who can be the owner? An administrator of the server.
A.12.1.4 (Separation of development, testing and operational environments): You have an independent virtual machine for development, another for testing and another for production.
A.14.1.2 (Securing application services on public networks): You have on your website an access point for employees who can connect from home. This connection needs to be made through a secure channel (IPSEC, SSL, etc.).
A.14.1.3 (Protecting application services transactions): Transactions between applications (databases, ERPs, etc.) need to go through a secure channel (IPSEC, SSL, etc.).

So, in this case, after the risk assessment, if you need to implement one of these controls, you need: a. a plan to implement them, b. to implement actions according to the plan, c. to check the implementation of the controls, d. to take actions if needed.
Finally, maybe this article can be interesting for you: “Has the PDCA Cycle been removed from the new ISO standards?”: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
