Expert Advice Community

Guest

Questions ISO 27001

  Quote
Guest
Guest user Created:   Dec 17, 2022 Last commented:   Dec 17, 2022

Questions ISO 27001

Good morning, is it possible to help me with the following Questions

1. Every information security policy must have at least one procedure associated with it.

2. Can security policies and procedures be written in the same document or should they be separate documents?

3. Should the strategic information security policies be in a separate document from the technical information security policies? or can they be in the same document?

4. What is the difference between Policies, standards and Procedures?

5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/Position that is part of the Information Technology area?

6. Can the technology leader also be responsible for information security?

7. Do you have any template (template) of how to write a strategic information security plan?

8. Can you send me examples of Major nonconformities and minor nonconformities?

9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?

10. Is an information security incident the Materialization of a security risk?

11. What is the difference between an information security event, an information security incident and an information security risk? 

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 17, 2022

1. Every information security policy must have at least one procedure associated with it.

ISO 27001 does not specify that you need to have procedures related to policies, nor does it specify what kind of policies and procedures to write. Our recommendation for smaller companies is to use a minimum number of policies and procedures to avoid overhead.

For further information, see:

2. Can security policies and procedures be written in the same document or should they be separate documents?

ISO 27001 does not prescribe how policies and procedures must be documented, so organizations can develop them as best fit their needs.

Considering that, policies and procedures can be part of the same document but you have to take care to not create a document too big or complex to use or maintain. In such cases, it is best to keep policies and procedures as separate documents.

For further information, see:

3. Should the strategic information security policies be in a separate document from the technical information security policies? or can they be in the same document?

Strategic and technical information generally have different publics (e.g., strategic information for top management, and technical information for operational staff), so while you can have both information in the same document, in general, they are developed as separate documents.

4. What is the difference between Policies, standards and Procedures?

A policy defines a certain intention and gives direction (e.g., Information Security Policy), whereas a standard specifies a standardized way of doing something (e.g., ISO 27001 specifies how to manage information security).

As for a procedure, it defines the steps required for performing an action (e.g., a procedure back defines the steps to back up information).

5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/Position that is part of the Information Technology area?

ISO 27001 does not prescribe who should be responsible for information security, so organizations can designate this person as best fit their needs.

So, this person being or not being part of the area of information technology is an acceptable possibility.

For further information, see:

6. Can the technology leader also be responsible for information security?

This role can also be an alternative for the person responsible for information security.

7. Do you have any template of how to write a strategic information security plan?

Please note that ISO 27001 does not require a strategic information security plan to be developed. A similar high-level document compliant with ISO 27001 is the Information Security Policy, located in the folder General policies in your toolkit.

For further information, see:

8. Can you send me examples of Major nonconformities and minor nonconformities?

First, it is important to note that major nonconformities and minor nonconformities are commonly used only in certification audits. Internal audits do not require the application of such classifications.

Examples of minor non-conformities: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc.Examples of major non-conformities: management review not performed, and a minor non-conformity not being resolved within the defined deadline.

For further information, see:

9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?

Please note that ISO 27001 does not prescribe who must perform vulnerability tests, so both alternatives are accepted by the standard.

10. Is an information security incident the Materialization of a security risk?

Your assumption is correct.

Risk refers to the probability of something negatively affecting information.

An information security incident means that something in fact negatively affected the business or information which should be protected.

11. What is the difference between an information security event, an information security incident and an information security risk?

An event refers to something that happened that is relevant to be recorded, but you are not sure it negatively impacted information security.

An incident refers to something that happened and that in fact has negatively affected information security.

Risk refers to the probability of something happening and negatively impacting information security.

For further information,see:

For additional support, we suggest these materials:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 17, 2022

Dec 17, 2022

Suggested Topics