Expert Advice Community

Security controls to mitigate cybersecurity threats

AntonioS Created: Jan 13, 2016

We have received this question: Which control clause(s) in ISO 27001:2013 correspond to each of the following areas to mitigate cyber security threats?

1. Home, mobile working: Info. security regardless of how/where employees access the company's info. assets
2. User Education and Awareness: All interested parties should be aware of key risks and how to report incidents.
3. Incident Management: Ability of the company to contain incidents and return to business as usual quickly.
4. Info. risk Management Regime: Tone from the top
5. Managing User Privileges: Role-based security on a need-to-know/need-to-have basis
6. Removable Media Controls: Safe use and disposal of media
7. Monitoring: Preventive, reactive and corrective measures to curb unexpected activity
8. Secure configuration: Configuration and change management to maintain integrity and availability
9. Malware Protection: Effective patch management to reduce exploitation of known vulnerabilities
10. Network Security: Knowing and controlling who accesses the network

Answer: First let me tell you that ISO 27001 is not for a specific sector, for example cybersecurity; ISO 27001 is a global standard that you can use to establish an Information Security Management System to protect information in any type of environment (including cybersecurity, but it is not only for this).

Anyway, I will show you the clauses of ISO 27001:2013 that are more related to each point:

1. A.6.2.1 Mobile device policy and A.6.2.2 Teleworking
2. Clause 7.3 Awareness and A.7.2.2 Information security awareness, education and training
3. Entire domain A.16 Information security incident management
4. I suppose that you mean risk management; if so, the clauses related to this in ISO 27001:2013 are 6.1.2 Information security risk assessment, 6.1.3 Information security risk treatment, 8.2 Information security risk assessment and 8.3 Information security risk treatment
5. A.9.2.3 Management of privileged access rights
6. A.8.3.2 Disposal of media
7. Clauses 9.1 Monitoring, measurement, analysis and evaluation and 10.1 Nonconformity and corrective action
8. A.12.1.2 Change management (there is no control in this standard to manage specifically the configuration of CIs – Configuration Items)
9. A.12.2.1 Controls against malware, and regarding vulnerabilities you also have A.12.6.1 Management of technical vulnerabilities and A.12.6.2 Restrictions on software installation
10. A.13.1.1 Network controls, A.13.1.2 Security of network services, A.13.1.3 Segregation in networks, and A.9.1.2 Access to networks and network services

Finally, these articles related to cybersecurity can be interesting for you:

"Which one to go with – Cybersecurity Framework or ISO 27001?": https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/

"What is cybersecurity and how can ISO 27001 help?": https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/

"ISO 27001 vs. ISO 27032 cybersecurity standard": https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/

And this free eBook can also be interesting for you, "9 Steps to Cybersecurity": https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/