One Article Review

Home - The article:
Source NoticeBored
Identifier 2148832
Publication date 2020-08-26 12:38:57 (viewed: 2021-01-06 20:37:56)
Title NBlog Aug 26 - ISMS templates
Text Systematically checking through ISO/IEC 27001:2013 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded to ... which can make it tricky both to comply with the standard and to persuade the certification auditors of that.

Here's an example, one of the document templates from SecAware ISMS Launchpad:

That succinct one-pager addresses two requirements from the standard:

Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance;

Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuity suitability, adequacy and effectiveness." - an implicit documentation requirement that the certification auditors will probably check for compliance, and although the standard doesn't literally demand it, they may well insist on seeing written evidence that management reviews have been planned.

Those clauses lay out fairly succinctly what it means to internally audit or management-review the ISMS: I have interpreted the requirements in terms of activities that might be performed quarterly over two years as shown on the schedule, with brief descriptions of the approaches to be taken ... but, as with all the SecAware materials, they are merely generic suggestions that customers are encouraged to adapt. Large, mature organisations with Internal Audit functions, for instance, may well engage them to plan and perform the ISMS internal audits using their conventional audit approach and whatever associated documentation they normally produce.

They may prefer to audit the ISMS just once during the three-year certification cycle, or conversely they may want to focus on a series of specific areas of risk and concern over successive audits, perhaps integrating the ISMS audit work with other IT, risk, cybersecurity or complian