Expert Advice Community


Set of ISO 27001 questions

Guest user Created:   Apr 05, 2023 Last commented:   Apr 05, 2023

1. What is data labeling? Which assets does data labeling apply to?

What are the good practices for data labeling?
Can you give me examples of data labeling?

2. What relationship do asset valuation and/or identifying the level of importance of the asset have with the risk analysis?
Finally, what is asset valuation useful for?

3. Is the level of importance of the assets, calculated in the asset valuation from the analysis of the confidentiality, integrity and availability of the asset, what is used in the risk analysis to estimate the business impact if a risk materializes?

4. Which information security processes must be documented?

5. How can information security risks and the risk treatment plan be monitored?

6. Which templates can I use to monitor the risks and the risk treatment plan?

7. When will I receive the toolkit update with the new version of ISO 27001:2022?

Expert
Rhand Leal Apr 05, 2023

1. What is the data label? What assets does the data label apply to?
What are the best practices for data labeling?
Can you give me examples of data labeling?

A data label is any means you can use to attribute information to an information asset. In the context of ISO 27001, a data label is generally applied to show the information classification.

The assets to which the data label applies will depend on how you treat classified information. For example, all information classified as secret may require the assets that contain it to be labeled.

ISO 27001 does not prescribe practices for data labeling, but some examples you may consider are:

  • adopt physical and logical data labels (e.g., adhesive labels, electronic logos, etc.)
  • place the data label in the locality of easy visualization (e.g., top of the page, top corner of a screen, etc.)
  • place the data label in an asset container (e.g., an electronic folder, a box file, etc.), so people do not need to access the asset to see the label

For further information, see:

2. What is the relationship between the classification of assets and/or identifying the level of importance of the asset with the risk analysis? Finally, what is the asset classification for me?

The risk analysis, along with the identification of legal requirements (e.g., laws, regulations, and contracts), is the main source of information for asset classification. The higher the risks related to an asset, the higher the asset classification would be.

The asset classification will help you to know how to treat information. Normally, the higher the classification, the more controls you will need to implement to protect the information.

3. Is the level of importance of assets, calculated in the assessment of assets based on the analysis of confidentiality, integrity and availability of the assets, what is used to estimate the impact on the business if a risk materializes?

Please note that the thinking process is the other way around. The impact of materialized risks on the confidentiality, integrity, and availability of information is what will be used to estimate the classification level of an asset.

4. What are the information security processes that must be documented?

ISO 27001 does not require information security processes related to information classification to be documented, but in general, organizations document an Information Security Policy as a way to make the rules on how to classify, label, and treat information clear to all personnel who handle information that needs to be protected.

5. How can you monitor information security risks, and the risk treatment plan?

Monitoring of risks will depend on their nature, so here are some examples:

  • Monitoring of recorded incidents
  • Monitoring of anomalous behaviors of information systems and networks
  • Monitoring of KPIs (Key Performance Indicators) of processes related to relevant risks

Regarding the Risk Treatment Plan, since it defines resources and deadlines for each action, you can use this information to track the implementation progress.

For further information, see:

6. Which templates can I use to monitor the risks and the risk treatment plan?

To monitor risks you can use the Risk Assessment Table, located in folder 05 Risk Assessment and Risk Treatment. In this table, you can include new risks or update the status of currently recorded risks.

To monitor the actions related to the Risk Treatment Plan you can use the Risk Treatment Plan itself. As in the Risk Assessment Table, you can include new actions or update the status of current actions to implement risk treatments.

7. When will I receive the toolkit update with the new version of ISO 27001:2022?

All customers who bought their toolkits within 12 months from October 31st, 2022 are entitled to receive an updated toolkit. If this is your case, you will receive your updated toolkit as soon as the Spanish version is released.
