I am working on ISO 27001. The company is using email for many purposes. They use it to exchange confidential records/documents internally and also with external parties. I just want to know what type of control should be put on e-mail. Encryption for Outlook is not very easy.
Could you please advise?
Answer:
In ISO 27001 you can implement whatever solution you want to protect the confidential information, and there are many options. In your specific case, if the information transferred is files, you can encrypt these files with utility software (for example AES Crypt, which is free), and you can send the encrypted file through email. This option may be easier for you than configuring Outlook to encrypt the emails, although that is also a good and very common option.
If the information transferred is only text, you could put the text in a Microsoft Word document, encrypt the file and send it in the same way I described before.
By the way, the control in Annex A of ISO 27001 related to emails is 13.2.3 Electronic messaging. It is not mandatory here to encrypt the information, but it is very recommendable, because you need to ensure the protection of the information from unauthorized access.
It is also important here to take care with the management of external parties, so this article may be interesting for you, “6-step process for handling supplier security according to ISO 27001”: https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Finally, our online course may be interesting for you, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
Jan 22, 2016
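A concrete form of the file-level option described in the answer above, added here as an example and not part of the original question or answer: it password-protects a file before it is attached and recovers it at the other end. It uses the OpenSSL command line rather than AES Crypt (my assumption; AES Crypt has its own file format and tool), and the file names, contents and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer: password-protect a file
# before emailing it, using the OpenSSL CLI instead of AES Crypt (my assumption).
# Needs OpenSSL 1.1.1 or later for -pbkdf2. File names and passphrase below
# are constructed for the demo.
set -eu

# Encrypt file $1 into $2. The passphrase comes from the environment variable
# FILEPASS instead of the command line, so it is not visible in `ps` output.
# -pbkdf2 -iter turns the passphrase into a key with a random salt and many
# iterations; without it, openssl falls back to a weak legacy key derivation.
encrypt_for_email() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:FILEPASS
}

# Decrypt file $1 into $2 with the same passphrase. Exits non-zero when the
# passphrase is wrong (the padding check fails) in almost every case, but
# aes-256-cbc carries no authentication tag, so this is not a reliable
# tamper check; see fingerprint() below.
decrypt_from_email() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILEPASS
}

# SHA-256 of the encrypted attachment, to be given to the recipient over a
# separate channel (phone, SMS) together with the passphrase, so they can
# confirm the file was not altered in transit before decrypting it.
fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Demo: round-trip a constructed confidential document.
demo() {
    dir=$(mktemp -d)
    printf 'Salary review 2016 - CONFIDENTIAL\n' > "$dir/report.txt"

    export FILEPASS='correct horse battery staple'   # constructed passphrase
    encrypt_for_email "$dir/report.txt" "$dir/report.txt.enc"
    echo "attach:      $dir/report.txt.enc"
    echo "fingerprint: $(fingerprint "$dir/report.txt.enc")"

    decrypt_from_email "$dir/report.txt.enc" "$dir/report.decrypted.txt"
    if cmp -s "$dir/report.txt" "$dir/report.decrypted.txt"; then
        echo "round trip OK"
    fi
    rm -rf "$dir"
}

demo
```

Two practical points when using this: the passphrase and the fingerprint must travel by a channel other than the email itself (a passphrase in the same message or in a follow-up email gives no protection against whoever can read the mailbox), and because `openssl enc` does not authenticate the ciphertext, the recipient should compare the fingerprint before decrypting rather than trusting that a wrong passphrase or a modified file will always produce an error.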