ISO 27001 Articles

Articles on ISO 27001

Articles by Sudhir G K, CEO and Chief Consultant

ISO 27001 Article # 1:

The importance of Statement of Applicability in ISO 27001:2013

The Statement of Applicability is one of the key documents in the implementation of ISO 27001:2013.

What is the SOA?

The Statement of Applicability (SOA) (ISO 27001 Clause 6.1.3 d) is a statement that defines which controls (out of the 114 controls given in Annex A of ISO 27001:2013) are applicable and will be implemented, and justifies the inclusion or exclusion of each.

Why is the SOA important?

The SOA is a concise summary of the accepted controls that are being implemented in an organization as part of the ISMS drive, and it provides a ready checklist against which the implementation can be verified. Because the SOA justifies the inclusion and exclusion of each Annex A control, it makes clear that every selected control needs a supporting policy, procedure and records, and so it acts as a check on whether each control can be demonstrated when an auditor asks for evidence.

A well-written SOA also helps in deciding on the minimum documentation that is sufficient to demonstrate that the selected controls are implemented.

Thus, if you invest time in writing a good SOA, the ISMS implementation in your organization will run at an optimum level and with better focus.

Inzinc's ISO 27001 consultants in India walk clients through a sample Statement of Applicability and guide them with examples.

ISO 27001 Article # 2
Clear Desk and Clear Screen Policy (Control No. A.11.2.9 of ISO 27001:2013)

To enhance the security and confidentiality of information, it is recommended to adopt a clear desk policy for papers and removable storage media, and a clear screen policy for information processing facilities. This aims to reduce the risk of unauthorised access, loss of, and damage to information during and after normal working time or when areas are left unattended.

Do's and Don'ts of Clear Desk

  • Keep papers and computer media in locked cabinets or other security furniture when not in use, when you are away from your seat, and after working hours.
  • If such security furniture is not available, the office / room doors must be locked when the area is left unattended.
  • Confidential / sensitive information must be removed from the workplace and stored in a locked area.
  • When confidential, sensitive or classified information is printed, care should be taken to collect the output promptly and to clear the information from the printer memory immediately.
  • The reception desk is exposed to visitors, who can easily read any sensitive information left on it. Care must be taken to keep sensitive information at the reception under lock and key.

Do's and Don'ts of Clear Screen

  • Incorporate a screen saver with password protection.
  • Do not leave computers / computer terminals logged on when unattended.
  • The screen lock (the same lock invoked with Windows + L) must activate automatically after a short period of inactivity.
  • Computer screens must be angled away from the view of unauthorised persons.
  • Users should log off or lock their machines (by pressing the Windows key and L) so that the password-protected lock screen is active whenever they leave their area, even for a short break.
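A quick way for an ISMS auditor to check that a Windows workstation actually enforces the clear screen rules above is to read the screen-saver settings from the registry. The script below is an added example, not part of the Inzinc article; the 600-second threshold is an assumed value chosen for illustration (the standard does not prescribe a number), and the registry paths are the standard per-user and Group Policy locations for screen-saver settings.

```powershell
# Added example (not from the article): audit the clear-screen settings that
# support ISO 27001:2013 control A.11.2.9 on a Windows workstation.
# Assumption: a 600-second (10-minute) maximum inactivity timeout, chosen here
# for illustration; adjust to your organization's policy.
$MaxIdleSeconds = 600

function Get-ScreenLockSetting {
    param([string]$Name)
    # A value set through Group Policy takes precedence over the user's own
    # preference, so the policy hive is consulted first.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-ClearScreenPolicy {
    # All three values are REG_SZ strings, so they are compared as text.
    $active  = Get-ScreenLockSetting 'ScreenSaveActive'     # '1' = screen saver on
    $secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # '1' = password on resume
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # idle seconds before lock

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled' }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
    if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Inactivity timeout ($timeout s) is unset or exceeds $MaxIdleSeconds s"
    }

    [pscustomobject]@{
        ScreenSaverEnabled = ($active -eq '1')
        PasswordOnResume   = ($secure -eq '1')
        TimeoutSeconds     = $timeout
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

# Run the audit for the current user and print the result as evidence.
Test-ClearScreenPolicy | Format-List
```

Run it under the account whose workstation is being audited; a Compliant value of False with the listed findings is the evidence to record against the control.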

ISO 27001 Article # 3
The Difference between ASSET OWNER and RISK OWNER

Risk owner is a new concept introduced in the ISO 27001:2013 standard which needs to be understood properly during the risk management process. The risk owner should be identified in the risk assessment section of the risk register. Also, the risk owner's approval of the risk treatment must be sought and must be reflected in the risk register. These two requirements come from clauses 6.1.2 (c) (2) and 6.1.3 (f) of the ISO 27001:2013 standard.

Here, knowing the difference between the asset owner and the risk owner is of paramount importance. The difference is as follows.

The asset owner is the person responsible for the asset he or she owns, whereas the risk owner is the person who has the authority and is accountable for managing a risk. The risk owner is responsible for resolving the risk and, because of his or her higher position in the organization structure, has the authority to take suitable action to resolve it. The asset owner is more concerned with operational control, while the risk owner is concerned with the business risk.
For example, the asset owner of a UPS may be the General Administration Executive, whereas the risk owner can be the General Administration Manager. As asset owner, the General Administration Executive manages the UPS daily, but the General Administration Manager is responsible for the risk of UPS failure and hence has the authority to plan and invest in a good UPS with enough backup to ensure continuity of business operations.

ISO 27001 Article # 4
Some Do's and Don'ts regarding information security

Below are some of the Do's and Don'ts that may be followed as information security best practices:

  • Follow safe browsing habits - if a web site looks shady, it usually is shady. Don’t further click on links or downloads;
  • Use devices that you trust to connect to the cloud, i.e. minimize the use of public computers which do not fulfil the security standard;
  • Enable and use two-factor authentication if available from cloud service providers; 
  • Choose different passwords and credentials for IT systems and public cloud services;
  • Change passwords regularly;
  • Log off sessions when finished;
  • Don’t open or click on links in strange or unsolicited e-mail;
  • Install anti-malware software on computing devices.