If you've been reading my blog, you probably think I'm convinced ISO 27001 is the most perfect document ever written. In fact, that's not true - the same weaknesses of the standard usually emerge when I teach courses and when I work with our clients. Here are the ones I see most often, together with my tips on how to resolve them:
Unclear requirements
Some of the standard's requirements are rather vague:
* Clause 4.3.1 c) requires that the ISMS documentation include "... procedures and controls in support of the ISMS" - this does not mean that a document has to be written for each applicable control (133 controls in Annex A?). In my view it is not necessary - I usually advise my clients to write only the policies and procedures that are required to carry out the risk treatment. All other controls can be briefly described in the Statement of Applicability, since it has to describe how every applicable control is implemented anyway.
* (Un)documented policies and procedures - many Annex A controls mention policies and procedures without the word "documented". In fact, this means that such policies and procedures do not have to be written down, but this is unclear to 95% of readers.
* External parties / third parties - these terms are used interchangeably, which can be confusing. It would be better if a single term were used throughout.
Organization of the standard
Some of the standard's requirements are scattered or unnecessarily repeated:
* Some controls are simply in the wrong place - for example, A.11.7 Mobile computing and teleworking is located in section A.11 Access control. Although A.11 is the natural place to deal with access control for mobile computing, most of the issues related to mobile computing and teleworking are not access control issues, so they have no defined place in the standard.
* Issues related to external parties are scattered around the standard: A.6.2 External parties, A.8 Human resources security and A.10.2 Third party service delivery management. With the advance of cloud computing and other types of outsourcing, it would be fair to collect all the rules that deal with third parties into one document or set of documents.
* Staff awareness and training is required both in the body of the standard (section 5.2.2) and in control A.8.2.2. Not only is this unnecessary duplication, but it also causes additional confusion - in principle, each Annex A control can be excluded, yet here you end up with a requirement that behaves differently because it also sits in the body of the standard, from which it cannot be excluded. The same thing happens with internal audit (section 6 in the body of the standard) and control A.6.1.8 Independent review of information security.
* Some Annex A controls can really be applied very broadly, and they can cover other controls - for example, A.7.1.3 Acceptable use of assets is so general that it can cover A.7.2.2 (Information labelling and handling), A.8.3.2 (Return of assets on termination of employment), A.9.2.1 (Equipment siting and protection), A.10.7.1 (Management of removable media), A.10.7.2 (Disposal of media), A.10.7.3 (Information handling procedures), etc. I usually advise my clients to write a single document that will cover all of these controls.
Problems or not?
Here are some issues that are usually brought up as problematic, but I don't agree with them:
* The standard is too vague and does not go into enough detail - if it went into more detail about the technology being used, it would soon be outdated; if it went into more detail about organizational and/or other solutions, it would not apply to all types and sizes of organizations - a large bank has to be organized quite differently from a small marketing agency, yet ISO 27001 has to be applicable to both.
* The standard allows too much flexibility - critics say that the concept of risk assessment means some security controls can be taken out if there are no related risks. They ask: "How is it possible not to have to have anti-virus protection?" In fact, with the advancement of technologies such as cloud computing, an organization implementing ISO 27001 may not be responsible for this kind of security at all. (However, if the risk of such outsourcing is rather high, other types of security controls will be required.)
Now what?
The standard definitely needs to change - the current version, ISO/IEC 27001:2005, is six years old now, and hopefully the next version (expected in 2012 or 2013) will be amended to address most of the issues above.
Although these shortcomings can often cause confusion, I think the positive aspects of the standard outweigh the negative ones by a large margin. And yes, I am still convinced it is the best information security management framework there is.
Sunday, April 3, 2011