Articles on ISO 27001
Articles by Sudhir G K, CEO and Chief Consultant
ISO 27001 Article # 1:
The importance of Statement of Applicability in ISO 27001:2013
The Statement of Applicability is one of the key documents in the implementation of ISO 27001:2013.
What is the SOA?
The Statement of Applicability (SOA), required by ISO 27001:2013 Clause 6.1.3 d), is the document that lists which of the 114 controls in Annex A of ISO 27001:2013 are applicable to the organization, records whether each selected control is implemented or not, and gives the justification for every inclusion and for every exclusion of a control from Annex A.
Why is the SOA important?
The SOA is a concise summary of the controls the organization has accepted and is implementing as part of its ISMS drive, and so it doubles as a ready checklist against which the implementation can be verified. Because the SOA justifies the inclusion and exclusion of each Annex A control, it makes clear which controls must be backed by a policy, a procedure and records, and it keeps a check on whether each selected control can be demonstrated to an auditor when required.
A well-written SOA also helps in deciding the minimum documentation that is sufficient to demonstrate that the selected controls are implemented, so that the ISMS is not burdened with paperwork that no control calls for.
Thus, if you invest time in writing a good SOA, the ISMS implementation in your organization will run at an optimum level and with a better focus.
Inzinc ISO 27001 Consultants in India provide our clients with a sample Statement of Applicability and guide them with worked examples.
ISO 27001 Article # 2
Clear Desk and Clear Screen Policy (Control No. A.11.2.9 of ISO 27001:2013)
To enhance the security and confidentiality of information, it is recommended to adopt a clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities. This aims to reduce the risk of unauthorised access, loss of, and damage to information during and after normal working time or when areas are left unattended.
Do’s and Don’ts of Clear Desk
Do’s and Don’ts of Clear Screen
ISO 27001 Article # 3
The Difference between ASSET OWNER and RISK OWNER
Risk owner is a concept newly introduced in the ISO 27001:2013 standard (it did not exist in the 2005 edition) and it needs to be understood properly during the risk management process. The risk owner should be identified for each risk in the risk assessment section of the risk register. Also, the risk owner's approval of the risk treatment plan, and acceptance of the residual risks, must be sought and must be reflected in the risk register. These two requirements come from clauses 6.1.2 c) 2) and 6.1.3 f) of the ISO 27001:2013 standard.
Here, knowing the difference between the asset owner and the risk owner is of paramount importance. Here is the difference.
The Asset Owner is the person responsible for the day-to-day management of an asset (its operation, classification and handling), whereas the Risk Owner is the person with the accountability and the authority to manage a risk, which is how ISO 27000 defines the term. The risk owner is answerable for how the risk is treated and, because of his/her position in the organization structure, has the authority to decide on and fund the treatment. In short, the asset owner is concerned with operational control of the asset, while the risk owner is concerned with the business risk.
For example, the asset owner of a UPS may be the General Administration Executive, whereas the risk owner can be the General Administration Manager. As asset owner, the General Administration Executive manages the UPS daily, but the General Administration Manager is accountable for the risk of UPS failure and therefore has the authority to plan and invest in a UPS with enough backup capacity to ensure continuity of business operations. The same person can hold both roles for a small asset; what matters is that the risk register names, for each risk, the person who can approve its treatment.
ISO 27001 Article # 4
Some Do's and Don’ts regarding information security
Listed below are some Do’s and Don’ts that may be followed as information security best practices.