Toolkit content
1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:
- Audit review, plan, and information as to the audit standards they're using
- Network penetration testing (internal and external)
- Application penetration testing
- Vulnerability scanning for network, internal and external
- Logical network diagram, with data flow if possible, with encryption levels
- Security baseline standards? Hardening standards?
- Info on corporate RTO and RPO standards
- SDLC tollgates
- Application testing? SAST, DAST, SCA, IAST, MAST?
- All policies, standards, and procedures documents, including secure coding standards, risk assessment document, change management
- Conscia to provide a summary of our most recent Disaster Recovery (DR) audit
- Conscia to provide a network and application layout diagram for our product
2. What is a SIEM solution? What log review tools? Frequency of the log reviews. Is some of this covered in your toolkit?
1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:
- Audit review, plan, and information as to the audit standards they're using
- Network penetration testing (internal and external)
- Application penetration testing
- Vulnerability scanning for network, internal and external
- Logical network diagram, with data flow if possible, with encryption levels
- Security baseline standards? Hardening standards?
- Info on corporate RTO and RPO standards
- SDLC tollgates
- Application testing? SAST, DAST, SCA, IAST, MAST?
- All policies, standards, and procedures documents, including secure coding standards, risk assessment document, change management
- Conscia to provide a summary of our most recent Disaster Recovery (DR) audit
- Conscia to provide a network and application layout diagram for our product
First, it is important to note that the requirements your prospect has declared do not include ISO 27001; therefore, you do not have to comply with ISO 27001.
However, ISO 27001 provides requirements for the planning, implementation, operation, and improvement of an Information Security Management System (i.e., what you need to do), and by certifying against this standard you will be better prepared to attract new customers.
For further information, see:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
The following documents in the toolkit will help you with some of the mentioned requirements:
- Audit review, plan, and information as to the audit standards: Procedure for Internal Audit (https://advisera.com/27001academy/documentation/internal-audit-procedure/), Annual Internal Audit Program (https://advisera.com/27001academy/documentation/annual-internal-audit-program/), Internal Audit Checklist (https://advisera.com/27001academy/documentation/internal-audit-checklist/), and Internal Audit Report (https://advisera.com/27001academy/documentation/internal-audit-report/)
- Info on corporate RTO and RPO: Disaster Recovery Plan (https://advisera.com/27001academy/documentation/disaster-recovery-plan/)
- Risk assessment: Risk Assessment and Risk Treatment Methodology (https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/)
- Change management: Change Management Policy (https://advisera.com/27001academy/documentation/change-management-policy/)
You can see a full list of documents included in the toolkit on this page: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These articles will provide you with a further explanation of ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
2. What is a SIEM solution? What log review tools? Frequency of the log reviews. Is some of this covered in your toolkit?
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across an IT infrastructure.
SIEM collects security data from assets like network devices, servers, domain controllers, etc., and applies analytics to that data to discover trends, detect threats and enable organizations to investigate any alerts.
ISO 27001 does not prescribe the frequency of log reviews, only that the frequency must be defined according to identified risks, so the toolkit provides templates that require the organization to define the frequency of log reviews. You can see how this is implemented in the Security Procedures for IT Department template at this link: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
Please note that the toolkit does not include software solutions for SIEM or tools for log review. The toolkit provides the mandatory and most common documents to be compliant with ISO 27001.
This article will provide you with a further explanation of monitoring:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
Mar 06, 2020
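The answer above describes a SIEM as something that aggregates logs from many sources and applies analytics to them to detect threats. The following is an added example, not part of the original answer or of the Advisera toolkit, showing what those two steps look like in practice: events from two constructed log sources (a Linux sshd log and a Windows-style logon event line, both with hypothetical hostnames and documentation IP ranges) are normalized into one schema, and a correlation rule flags a burst of failed logins from one source address followed by a success. The log formats are simplified, and the threshold and window are illustrative assumptions.

```python
"""Minimal SIEM-style log aggregation and correlation over constructed sample logs.

Assumptions (not from the original page): the sshd and Windows line formats are
simplified; hostnames, usernames and IPs are hypothetical; threshold and window
values are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (hypothetical hosts and IPs).
SSHD_LOG = """\
2020-03-06T10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51812 ssh2
2020-03-06T10:00:03 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51813 ssh2
2020-03-06T10:00:05 web01 sshd[2101]: Failed password for admin from 203.0.113.9 port 51814 ssh2
2020-03-06T10:00:09 web01 sshd[2101]: Accepted password for admin from 203.0.113.9 port 51815 ssh2
2020-03-06T10:05:00 web01 sshd[2200]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
"""

# Simplified Windows logon events: 4625 = failed logon, 4624 = successful logon.
WIN_LOG = """\
2020-03-06T10:00:02 dc01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.9
2020-03-06T10:00:06 dc01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.9
2020-03-06T10:00:07 dc01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.9
2020-03-06T10:00:08 dc01 EventID=4624 TargetUserName=jdoe IpAddress=203.0.113.9
2020-03-06T10:30:00 dc01 EventID=4624 TargetUserName=svc-backup IpAddress=198.51.100.7
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def normalize(sshd_text, win_text):
    """Aggregation step: parse both sources into one common event schema."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"], "user": m["user"], "ip": m["ip"],
                "outcome": "success" if m["result"] == "Accepted" else "failure",
            })
    for line in win_text.splitlines():
        m = WIN_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"], "user": m["user"], "ip": m["ip"],
                "outcome": "success" if m["eid"] == "4624" else "failure",
            })
    events.sort(key=lambda e: e["ts"])  # single time-ordered stream across sources
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5),
                                   group_by=("ip",)):
    """Analytics step: alert when at least `threshold` failures keyed by `group_by`
    occur within `window` and are then followed by a success for the same key."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        key = tuple(e[f] for f in group_by)
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        failures[key] = recent
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ip": e["ip"], "host": e["host"], "user": e["user"],
                           "ts": e["ts"].isoformat(), "failures": len(recent)})
            failures[key] = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_then_success(normalize(SSHD_LOG, WIN_LOG)):
        print("ALERT", a)
```

The point of correlating across sources is visible in the sample: neither host alone sees five failures, so a per-host rule (`group_by=("ip", "host")`) produces no alert, while the combined stream shows six failures from 203.0.113.9 across web01 and dc01 followed by a successful logon on dc01. Mapping this back to the answer, the review frequency an organization writes into its procedure is separate from the detection logic; a rule like this runs continuously, and the documented review covers the alerts and the raw logs on the cadence the risk assessment justifies.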