How do the people in this function get the specific task for doing the monitoring? I have two options:
1) They do it by themselves and they need to somehow capture it (I'm not sure what is the best way)
2) Someone is about to 'give them' the task (again not sure how to capture it)
Answer:
I am not sure if I have understood the question, but from my point of view option 2) is better, because this way you can have 2 levels: manager (coordinates and plans the execution of all tasks) and technical expert (technically performs all tasks). The last can be useful, for example, for change management (clause A.12.1.2 ISO 27001:2013): a user identifies changes, the manager analyzes and approves them and requests a technical expert to make the necessary changes.
So from my point of view it is very important to have clearly defined roles and responsibilities. These articles related to information security and ISO 27001 can be interesting for you:
What is the job of Chief Information Security Officer (CISO) in ISO 27001? : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Roles and responsibilities of top management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
How to perform monitoring and measurement in ISO 27001 : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
We received another question:
> How to ensure that the monitoring is done, i.e. I need to have some role creating the monitoring task and another role to execute it. That is clear and understood. What I'm trying to find out is the 'format' of this task. Should it be a task as part of the problem? incident? change? I don't think those are appropriate types. So how to do it? Is there any special process including task types for monitoring? Which type is it?
Answer:
If you need to assign someone with the responsibility of doing a monitoring task, this is usually done through a written procedure - therefore, this is not part of the problem, incident or a change, because this is a continuous task that needs to be done daily, weekly, monthly, etc.
Jan 13, 2016