One Article Review

Home - The article:
Source NoticeBored
Identifier 1495746
Publication date 2019-11-22 11:56:29 (viewed: 2020-01-03 15:00:04)
Title NBlog Nov 22 - who owns compliance?
Text For some weeks now on the ISO27k Forum we've been vigorously and passionately debating whether an Information Security Management System should, or should not, include the organization's compliance with "information security-related" laws, regulations and other obligations such as contractual clauses specifying compliance with PCI-DSS.

The issue arises because:

The relevant infosec compliance section is tucked away at the end of ISO/IEC 27001 Annex A, which has an ambiguous status with respect to '27001 certification. Although Annex A is discretionary rather than mandatory, certifiable organizations must use Annex A as a checklist to confirm that their ISMS incorporates all the information security controls necessary to address the information risks within the scope of the ISMS. Interpret that paradox as you will ... and hope that the certification auditors take the same line;

It could be argued that, in a very broad sense, all the laws, regs, contracts, standards, ethical codes etc. which apply to the organization are "information security-related". The requirements are all forms of information with associated information risks. Therefore, they fall at least partially within the remit of an ISMS;

Likewise, "compliance", as a whole, could be seen as an information security control: a suite of organizational activities and measures to both satisfy and be able to demonstrate conformance with requirements, plus the associated assurance, reinforcement (awareness, acceptance) and enforcement aspects. In philosophical terms, compliance is an integrity issue, and integrity is part of information security, therefore compliance is part of infosec;
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.