
Monday, 31 March 2014

ISO 27001:2013 Transition Stage 3

Holders of the ISO 27001:2005 Standard will be aware that the "clock is ticking" and that they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However, most organisations are being cautious not to rush the transition and end up with a system that is too complicated or difficult to maintain.

This is the third part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The RISK ASSESSMENT PROCESS identifies the risks to the organisation and prioritises each as a High, Medium or Low risk; once these have been determined, the high and medium risks are transferred into a risk treatment plan, but more on that later.

The first step is to identify which assets are to be included in the risk assessment process; these are normally entered into an asset register.

Some examples of these assets are:
  • Accounts
  • Computer back-up systems
  • Internal computer operating and package systems
  • Desktops, laptops and servers
  • Active Directory
  • Data links
  • VPN and other remote connections
  • Telephony and voice recording
  • Human resources
  • Buildings, utilities and emergency power systems
  • Secure storage of documents and records

This list is not exhaustive and will need to be tailored to individual organisations.

The next step is to decide on the value of each asset to the organisation; this is not necessarily its monetary value but its value in terms of information security. You could use any scale, but for ease we tend to use low, medium and high value (1, 2 or 3).

Now score each asset against the three main elements of 27001, C.I.A. (Confidentiality, Integrity and Availability), again using the low, medium or high method. The scores are entered into a matrix.


Every medium or high risk is transferred to the risk treatment plan mentioned before. The idea is to mitigate the risk. Inevitably there will be some medium risks that will have to be accepted; it is most unlikely that any risk at the high level would be acceptable. The way management deal with each medium or high risk should fall into one of four categories:

  • Applying appropriate controls to reduce the risk
  • Knowingly and objectively accepting the risk, provided it clearly satisfies the organisation's policy and criteria for risk acceptance
  • Avoiding the risk by not allowing actions that would cause it to occur
  • Transferring the associated risk to other parties, e.g. insurers or suppliers

There are other methods that can be used for risk assessment and these are equally valid.  We feel that it is important to have a risk assessment process that is effective but easy to administer and our method meets these criteria.
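As an added illustration of the scoring and treatment steps described above (this is not code from the original post), the following Python builds a small asset register, scores each asset for value and C.I.A., and moves every Medium and High risk into a treatment plan. The combination rule (value multiplied by the worst C.I.A. score, banded into Low/Medium/High), the sample scores and the treatment names are assumptions, since the post leaves the matrix arithmetic to the reader.

```python
from dataclasses import dataclass

LEVELS = {1: "Low", 2: "Medium", 3: "High"}
TREATMENTS = ("reduce", "accept", "avoid", "transfer")  # the four options in the post

@dataclass
class Asset:
    name: str
    value: int  # value to the organisation, 1 (low) .. 3 (high)
    c: int      # confidentiality score, 1..3
    i: int      # integrity score, 1..3
    a: int      # availability score, 1..3

    def __post_init__(self):
        if any(v not in LEVELS for v in (self.value, self.c, self.i, self.a)):
            raise ValueError(f"{self.name}: every score must be 1, 2 or 3")

def risk_level(asset: Asset) -> str:
    """Combine asset value and the worst C.I.A. score into Low/Medium/High.
    Assumed rule (the post gives none): score = value x max(C, I, A), range 1..9;
    6 and above is High, 3 to 5 is Medium, 2 and below is Low."""
    score = asset.value * max(asset.c, asset.i, asset.a)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def risk_treatment_plan(assets, decisions):
    """Every Medium or High risk with its treatment; Low risks stay out of the plan.
    `decisions` maps asset name -> one of TREATMENTS. A High risk may not be
    accepted, and an undecided asset defaults to 'reduce' (apply controls)."""
    plan = []
    for asset in assets:
        level = risk_level(asset)
        if level == "Low":
            continue
        treatment = decisions.get(asset.name, "reduce")
        if treatment not in TREATMENTS:
            raise ValueError(f"{asset.name}: unknown treatment {treatment!r}")
        if level == "High" and treatment == "accept":
            raise ValueError(f"{asset.name}: a High risk cannot be accepted")
        plan.append((asset.name, level, treatment))
    return plan

# Constructed sample register using assets named in the post; scores are made up.
REGISTER = [
    Asset("Accounts", 3, 3, 3, 2),
    Asset("Computer back-up systems", 3, 2, 3, 3),
    Asset("Active Directory", 2, 2, 2, 3),
    Asset("VPN", 2, 2, 1, 2),
    Asset("Emergency power systems", 1, 1, 1, 2),
]
```

Calling `risk_treatment_plan(REGISTER, {"VPN": "accept"})` leaves the low-scoring emergency power system out of the plan and defaults the three High risks to applying controls.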

Stage four of this series will look at the documentation needed for this revised Standard.


Monday, 17 March 2014

ISO 27001:2013 Transition Stage 2

Holders of the ISO 27001:2005 Standard will be aware that the "clock is ticking" and that they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However, most organisations are being cautious not to rush the transition and end up with a system that is too complicated or difficult to maintain.

This is the second part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The revised Standard emphasises the role of "Interested Parties" and specifies that all interested parties should be listed. It may be useful, at this stage, to identify just who these are.

  • Owners and/or shareholders of the business;
  • Employees;
  • Contractors;
  • Partners;
  • Sub-Contractors;
  • Clients;
  • Customers;
  • Suppliers;
  • Authorities
    • Legislation
    • Statutory
    • Regulators
    • Contractual
  • Trade Associations;
  • Trades Union.

This list is not exhaustive and should be specific to the organisation. Against each stakeholder, their requirements as far as information security is concerned should be stated.

Having defined all the stakeholders, you can now move forward to identifying the SCOPE. You will be generating a new S.O.A. (Statement of Applicability), and defining the scope will help in deciding which elements are not applicable to your organisation.

Once again I would stress that these steps should not be rushed; the better the preparation, the better the final result. My father used to drum this into me for decorating and in particular painting woodwork, which always lasted longer when it had been well prepared.

Next time we will look at the revised requirements for Risk Assessments.

Monday, 3 March 2014

Information Security ISO27001:2013 (Stage 1)

Holders of the ISO 27001:2005 Standard will be aware that the "clock is ticking" and that they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However, most organisations are being cautious not to rush the transition and end up with a system that is too complicated or difficult to maintain.

Over the next few weeks we will be showing simple steps to the transition; here is information about the mandatory policies that are required:

  • Information Security Policy – sets out the policy of the company and covers C.I.A. (confidentiality, integrity and availability).
  • Mobile Device Policy – sets out the protections and controls for mobile devices, which include tablets, laptops/notebooks and smart phones.
  • Termination of Employment Policy – sets out the controls and actions to be taken when an employment ends; resignation, dismissal and redundancy are all covered.
  • Teleworking Policy – sets out the information security controls required for off-site workers.
  • Acceptable Use of Assets Policy – sets out the policy on use of equipment and also the uses which are not permitted.
  • Cryptographic Policy – sets out the controls for the use of cryptography, necessary to maximise the benefits and minimise the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.
  • Cryptographic Keys Lifetime Protection Policy – sets out the controls for the issue, protection and storage of keys, and the actions for retiring them.
  • Security for Assets while Off Site Policy – sets out the controls to protect equipment and data when outside the protection of the organisation.
  • Unattended Equipment Policy – sets out the controls to protect unattended equipment on site.
  • Clear Desk Policy – sets out the controls to protect sensitive documents or data on desks.
  • Clear Screen Policy – sets out the controls for screens to be protected from being viewed by unauthorised people.
  • Formal Information Transfer Policy – sets out the controls and protocols for the transfer of data. This includes the methods of transfer and the requirement for cryptographic controls where necessary.

These policies are required in addition to the policy usually displayed. We recommend that these policies are prepared and kept available in a file or document repository.

This is an important stage in the transition to the new standard.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.