One Article Review

Source: NoticeBored
Identifier: 5555746
Publication date: 2022-07-05 11:41:40 (seen: 2022-07-05 00:05:31)
Title: The discomfort zone
Text:

Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 "Identification of applicable legislation and contractual requirements", members generally ask what laws are relevant to the ISMS. That's a tough one to answer for two reasons.

Firstly, I'm not a lawyer so I am unqualified and unable to offer legal advice. To be honest, I'm barely familiar with the laws and regs in the UK/EU and NZ, having lived and worked here for long enough to absorb a little knowledge. The best I can offer is a layman's perspective. I feel more confident about the underlying generic principles of risk, compliance, conformity, obligations, accountabilities, assurance and controls though, and have the breadth of work and life experience to appreciate the next point ...

Secondly, there is a huge range of laws and regs that have some relevance to information risk, security, management and the ISMS. The mind map is a brief glimpse of the landscape, as I see it ...

That's a heady mix of laws and regs that apply to the organisation, its officers and workers, its property and finances, its technologies, its contracts, agreements and relationships with employees and third parties including the authorities, owners, suppliers, partners, prospects and customers, and society at large. There are obligations relating to how it is structured, operated, governed, managed and controlled, plus all manner of internal rules voluntarily adopted by management for business reasons (some of which concern obligations under applicable laws and regs). Noncompliance and nonconformity open the can-o-worms still wider with obligations and expectations about 'awareness', 'due process', 'proof' and more, much more.

That A.18.1.1 control is - how shall I put it - idealistic:

"All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization."

All requirements?! Oh boy! Explicit! Documented! Maintained! This is bewildering, scary stuff, especially for relatively inexperienced infosec or cybersecurity professionals who seldom set foot outside of the IT domain. We're definitely in the
Tags: Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.