Expert Advice Community

Guest user Created: Mar 28, 2019 Last commented: Mar 28, 2019

Templates content

1. Do we have to use the Measurement Report or is it enough that we mention the objectives in the Information Security Policy and mention the measuring frequency?

Expert
Rhand Leal Mar 28, 2019

Answer: ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation requires documented information as evidence of the monitoring and measurement results, and one way to ensure that is by using the Measurement Report. Of course, if your organization already has other records you can use to fulfill this clause, this report is not needed.

For further information, please read:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

2. Unauthorized use of printers, photocopiers, scanners and other shared equipment for copying Dell S2825CDN in the office at the headquarters is prevented by [specify how – e.g. by locking the facility, use of PIN numbers, access cards, etc.]. All the employees are authorized to use the printer/photocopier/scanner. Is it okay to write it like that?

Answer: First, it is important to note that any ISO 27001 control must be implemented only if you have unacceptable risks, legal requirements, or top management decisions demanding a control to be implemented.

Considering that, if at least one of the previous circumstances applies to employees, you have to evaluate if this implementation will decrease risks to acceptable levels, or fulfill legal requirements. On the other hand, if you do not have any of the previous circumstances, you do not need to implement access control.

Second, unauthorized use refers not only to employees, but to all people that can have access to the equipment (e.g., visitors, contractors, etc.). So, you also have to consider these personnel regarding risks, legal requirements, and top management decisions, to define if any control is needed regarding them.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

3. The IT Security Policy and Security Procedures for IT Department document have a section at the end which is called "Managing records kept on the basis of this document". I could not find any templates for these records, but I do have an idea what I could write in some of these documents, but it wouldn't be that much, ex. I hereby state that ______________ may take organizational assets off-site. The employee is fully responsible to take the necessary care while the assets are off-site. (At the bottom of the document a place where employer and employee both could sign.) However, for records such as "Security features and level of expected service for network services" I wouldn't know what to write. Do you possibly have examples for the records or something else so I can get a better picture of what I exactly have to write?

Answer: A good example for "Security features and level of expected service for network services" would be a Specification of Information System Requirements, and you can find this template in folder 08 Annex A Security Controls, A.14 System Acquisition, Development and Maintenance.

For other records, in many cases organizations already have versions of them in their own operations, in paper form (corrective action record) or in information systems (e.g., the logs of your backup system); that's why we do not provide them (it would be infeasible to create a template to cover all possible possibilities). In these cases we recommend that customers evaluate if their current records already comply with the information required by policies and procedures. If yes, you can use them. If not, you can make a list of needed records and schedule a meeting with one of our experts, so he can guide you on how to develop such records.

You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/