Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

Software development company

I have a question about ISO27001, our company is a software development company. In 14 it says it services but in 6.1.5 it says regardless of the project. My Question is in our projects(we develop the code)which have a logging screen, with respect to ISO 27001 do we need to apply secure log-on password management or event logging if as a company we had a ISO 27001.

0 0

Assign topic to the user

Select user

Guest

AntonioS Jan 12, 2016

If your projects are include in the scope of the ISMS, sure, you need to implement both controls, because both are related with the protection of the information (it is the more important thing in the ISO 27001).

In the Annex A, you can find this security control: A.9.4.3 Password management system. What could happen if your company do not have this control? Any unauthorized person could have access to restricted information.

Also you can find this control: A.12.4.1 Event logging. Here you can ask me: Why this control is important? If there are many attempts of unauthorized access, it is likely that someone is trying to access to restricted information, and you need a control to avoid this.

Therefore, if you implement an ISMS in your organization, and the risk assessment determines that the risk level is not acceptable, you must implement these 2 controls.

Finally I recommend you this article where you can find more information about ISO 27001 "What is ISO 27001?": https://advisera.com/27001academy/what-is-iso-27001/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 12, 2016

Expert Advice Community