A client’s IT Infrastructure Manager recently asked me if a change to their remote access controls would jeopardize their compliance with the ISO 27001 standard. The question revealed that the organization did not have a simple process to follow when making information security decisions—and I’m sure they are not the only ones with this problem.
So here’s a list of questions and activities to go through that enable any organization to make information security management decisions in compliance with the ISO 27001:2013 standard. This blog post provides a simple explanation of the seven information security management processes required for ISO 27001:2013 compliance.
| Information security management process | Questions and activities to consider for making information security management decisions in compliance with ISO 27001:2013 |
|---|---|
| Context | What are the business issues driving or affecting this decision? |
| | Who are the interested parties (e.g. stakeholders) for this decision and what are their security requirements? |
| | Can the business issue(s) and information security requirements be addressed within the scope of the information security program, or does the security program need to leverage interfaces or dependencies with other entities? |
| | Has the information security program been given approval to address the business issue(s) and requirement(s)? |
| Leadership | Identify the member(s) of top management responsible for ensuring the security program supports the business decision. |
| | Does the information security policy support the business decision, or is a policy change/exception required? |
| | Did the member(s) of top management assign and communicate responsibility and authority for: |
| Planning | What risks and opportunities are presented by addressing the issues and requirements for the security program to support the business decision? Have actions been planned for the security program to address the risks and opportunities? |
| | Do existing security plans to achieve the information security objective(s) support the business decision, or is a new objective and a plan to achieve it needed? |
| Support | Does the security program have the resources needed for the risk treatment and security plans required to support the business decision? |
| | What competencies are required to execute the risk treatment and security plans that support the business decision? Does the organization have the required competencies or a plan to attain them? |
| | Are the individuals responsible for executing the risk treatment and security plans aware of… |
| | What are the communication requirements for the security program to support the business decision? What needs to be communicated internally and externally to the interested parties? When does this information need to be communicated? Who needs to receive communication? Who shall initiate communication? What process should be used for communication? |
| | Document the following: |
| | Ensure all documentation of the security program’s support of the business decision is created and updated with proper identification, description, formatting, reviews and approvals. |
| | Ensure all documentation of the security program’s support of the business decision is controlled to prevent unauthorized access, change or loss of information and version history. |
| Operation | Ensure someone is assigned responsibility for tracking execution of the security plans necessary to support the business decision and has a process to ensure they are carried out as planned. |
| | Ensure someone is assigned responsibility for controlling changes to the security plans and has a process to mitigate the impact of any negative consequences. |
| | Ensure someone is assigned responsibility for tracking and managing processes outsourced to the security program’s interfaces and dependencies that are used to support the business decision. |
| | Ensure additional risk assessments are done (as needed) and documented to identify additional security risks associated with the security program supporting the business decision. |
| | Execute risk treatment plans for actions to address identified security risks to the business decision. |
| Performance Evaluation | Identify security metrics to evaluate the effectiveness of the security program’s support for the business decision and document the results. Consider the following: |
| | Ensure the security program’s support for the business decision is added to the internal audit program. Determine who will be responsible for auditing the security program’s support for the business decision and when the audit should be performed. The individual responsible for the audit will need to document their audit plan, criteria, scope and reporting requirements. |
| | Ensure top management (e.g., the steering committee for the security program) reviews the security program’s support for the decision. At a minimum, document management review of the following items: |
| Improvement | Ensure there is a process to address and document nonconformities in the security program’s support of the business decision. |
| | Ensure there is a process for corrective actions to prevent recurrence of nonconformities in the security program’s support of the business decision. |
| | Assign responsibility and authority for the nonconformity and corrective action processes to appropriate individual(s) associated with the security program. |
| | Ensure there is a process to track plans for continual improvement of the security program’s support of the business decision. |
To connect with an expert who can tell you more, contact Pivot Point Security.