I just thought I should reach out with some questions on the ISO 27001 Annex A controls for which I am having a hard time making a clear cut difference on what will suffice as the Plan, Do, Check and Act.
It is clear enough for some while some just get me pulling my hair. Some of the control I am finding challenges with for which I am seeking your expertise are:
A.8.1.2 (Ownership of assets)
A.12.1.4 (Separation of development, testing and operational environments)
A.14.1.2 (Securing application services on public networks)
A.14.1.3 (Protecting application services transactions)
Just a point of note Dejan, we have an understanding of what is technically required done and is being done.
What is tricky again is the fact that some of the Do look more like the Plan and some are just tricky to proof how they are checked.
First of all, remember that the implementation of controls is performed after the risk assessment. So, the difference between Plan, Do, Check, Act is:
Plan: You establish a plan for the implementation o f controls, that is, you need a treatment plan (you will need to identify necessary tasks, resources, deadline, etc).
Do: Yo implement the controls, according the plan
Check: You check if the controls are implemented correctly (for example through the internal audit)
Act: If after check the controls you identify something wrong, you need to perform actions to correct and improve it.
A.8.1.2 (Ownership of assets) : Example of asset: A server. Who can be the ownership? An administrator of the server
A.12.1.4 (Separation of development, testing and operational environments) : You have an independent virtual machine for the development, another for the testing an another for the production.
A.14.1.2 (Securing application services on public networks): You have in your web an access for employees which can connect from their home. This connection need to be done through secure channel (IPSEC, SSL, etc)
A.14.1.3 (Protecting application services transactions): Transactions between applications (Databases, ERPs, etc) need to be through a secure channel (IPSEC, SSL, etc)