One Article Review

Home - The article:
Source NoticeBored
Identifier 1779372
Publication date 2020-06-27 09:50:37 (viewed: 2020-06-29 11:00:30)
Title NBlog June 26 - things an ISO27k SoA doesn't say
Text According to ISO/IEC 27001:2013, organisations are supposed to consider all the information security controls outlined in Annex A, confirming that they have done so by preparing a Statement of Applicability "that contains the necessary controls .... and justification for inclusions, [states] whether they are implemented or not, and [gives] the justification for exclusions of controls from Annex A".

That ineptly-worded requirement in a poorly-constructed and in fact self-contradictory clause of the standard is generally interpreted, in practice, in the form of an SoA table with a row for every Annex A control* and columns for applicability, justifications and implementation status of each control*.

Three exclusive states are generally used. Each control* is either:
- Applicable and implemented; or
- Applicable but not implemented; or
- Not applicable

... implying a simple decision tree with just two binary questions:
1. First, is the control* applicable (yes or no)?
2. If the control* is applicable, is it implemented (yes or no)?

Hmmmm, that's all very well in theory but here are some of the options I've heard as an auditor, or thought if not expressed as an auditee:
- Applicable under some circumstances – the control applies in specific situations only and is not generally applicable
- Partially applicable – the control is not enough to mitigate the risk and needs to be modified and/or complemented by other controls; as described, it's not really what we want to do
- Applicable and partially implemented – we did this at least once
- Applicable and allegedly implemented – someone claims to have done this at least once
- Applicable and apparently implemented – someone genuinely but naively and perhaps inadvisedly believes they have truly nailed this one
- Implemented but inapplicable – to pacify our auditors, we "just did it" ... even th
Sent Yes
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.