1. What is the data label? What assets does the data label apply to?
What are the best practices for data labeling?
Can you give me examples of data labeling?
A data label is any means you can use to attribute information to an information asset. In the context of ISO 27001, a data label is generally applied to show the information classification.
The assets to which the data label applies will depend on how you treat classified information. For example, all information classified as secret may require the assets that contain it to be labeled.
ISO 27001 does not prescribe practices for data labeling, but some examples you may consider are:
- adopt physical and logical data labels (e.g., adhesive labels, electronic logos, etc.)
- place the data label in a location where it is easily visible (e.g., top of the page, top corner of a screen, etc.)
- place the data label in an asset container (e.g., an electronic folder, a box file, etc.), so people do not need to access the asset to see the label
For further information, see:
2. What is the relationship between the classification of assets and/or identifying the level of importance of the asset with the risk analysis? Finally, what is the asset classification for me?
The risk analysis, along with the identification of legal requirements (e.g., laws, regulations, and contracts), is the main source of information for asset classification. The higher the risks related to an asset, the higher the asset classification will be.
The asset classification will help you to know how to treat information. Normally, the higher the classification, the more controls you will need to implement to protect the information.
3. Is the level of importance of assets, calculated in the assessment of assets based on the analysis of confidentiality, integrity and availability of the assets, what is used to estimate the impact on the business if a risk materializes?
Please note that the thinking process is the other way around. The impact of materialized risks on the confidentiality, integrity, and availability of information is what will be used to estimate the classification level of an asset.
4. What are the information security processes that must be documented?
ISO 27001 does not require information security processes related to information classification to be documented, but in general, organizations document an Information Security Policy as a way to make the rules on how to classify, label, and treat information clear to all personnel who handle information that needs to be protected.
5. How can you monitor information security risks, and the risk treatment plan?
Monitoring of risks will depend on their nature, so here are some examples:
- Monitoring of recorded incidents
- Monitoring of anomalous behaviors of information systems and networks
- Monitoring of KPIs (Key Performance Indicators) of processes related to relevant risks
Regarding the Risk Treatment Plan, since it defines resources and deadlines for each action, you can use this information to track the implementation progress.
For further information, see:
6. Which templates can I use to monitor the risks and the risk treatment plan?
To monitor risks you can use the Risk Assessment Table, located in folder 05 Risk Assessment and Risk Treatment. In this table, you can include new risks or update the status of currently recorded risks.
To monitor the actions related to the Risk Treatment Plan, you can use the Risk Treatment Plan itself. As in the Risk Assessment Table, you can include new actions or update the status of current actions to implement risk treatments.
7. When will I receive the toolkit update with the new version of ISO 27001:2022?
All customers who bought their toolkits within 12 months from October 31st, 2022 are entitled to receive an updated toolkit. If this is your case, you will receive your updated toolkit as soon as the Spanish version is released.