Expert Advice Community

Questions about toolkit documents

Guest user Created:   Apr 25, 2019 Last commented:   Apr 25, 2019

Questions about toolkit documents

1. A.6.1.4: There are no requirements (besides law, which is a question mark for me at this moment) or (unacceptable) risks that demand the implementation of this control. I don't think the GDPR requires having a list, but it requires that we report incidents to the Data Protection Authority. Does this mean that it is mandatory to implement this control?
Expert
Rhand Leal Apr 25, 2019

Answer: Special interest groups covered by A.6.1.4 refer to manufacturers, specialized forums, professional associations and other groups that can help you with information security issues, while a Data Protection Authority is more related to A.6.1.4 Contact with authorities. So, to fulfill the GDPR regarding the Data Protection Authority, control A.6.1.4 would be more appropriate.

For further information see:
- Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

2. Is it okay to write the same name in "Author" and "Approved by" in the Document Control Table at the start of the document?

Answer: For small companies the author and the approver of a document may be the same person, but normally these roles are performed by different persons, so the approver can verify that the document was properly written and does not raise unacceptable risks.

For further information see:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

3. A.9.2.5 Review of user access rights Records: ISO 27001 probably does not describe which records must be included. Is it okay to have 4 fields: Name of system / network / service / physical area & Type & Date & Results, with the following record as an example:
Datacenter & Physical area & 24 April 2019 & Only the appropriate personnel have access rights.

Answer: To be effective, an access review record must contain at least this information: the asset (system / network / service / physical area, etc.), the asset owner, the list of people who can have access to the asset, the activities they are authorized to perform (as defined by the asset owner), the actual activities these people can perform, any decision made regarding discrepancies found, and the date the review was performed. Of course you can include more information, but these are the minimum to ensure the review process was properly performed.

4. Let us say that Control A and Control B both have an unacceptable risk, but this unacceptable risk is already reduced to acceptable by Control A. Does this mean that Control B does not have any unacceptable risks (anymore)?

Answer: Your understanding is correct (if the risk is reduced to an acceptable level by implementing only one control (A or B), there is no need to implement the other), but you have to think in terms of risks that may be treated by several controls, not controls that have risks in common.

5. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the "Implementation method" if we do not have enough information about how they have implemented this control?

Answer: In the implementation method column you can either write a brief description of how the control is being implemented by the third party or refer to a document which contains this information (e.g., a service agreement or a contract). It is important to understand that you have to have minimal information about how the third party implements the control, because otherwise you cannot manage the risk.

6. Do values after treatment have to be filled in in the case of risk treatment options other than "1. Selection of controls"?

Answer: For any risk option selected for risk treatment you have to fill in the values after treatment, because these are used to define residual risk.

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment and Risk Treatment tables, using real data as examples.

For further information about residual risks see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
