SoA « The InfoSec Blog

Information Gathering and Risk Assessment

Posted by Anton Aylward

On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it all all, the assets, the threats and so forth, and trying to make it into a risk assessment.

It was easy for the more experienced of us to see what he was missing.

He was missing something very important -- a RISK MODEL
The model determines what you look for and how it is relevant.

Tagged as: Classical Equation, controls, ISO/IEC 27000, ISO/IEC 27001, ISO27K, Mehari, METHODS, MODEL, NIST, RA, Risk analysis, Risk assessment, Risk Management, Risk Management Plan, SCOPE, SoA, THREAT, Tree_of_life Religion_and_mythology Continue reading

Control objectives – Why they are important

Posted by Anton Aylward

http://blog.iso27001standard.com/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Let us leave aside the poor blog layout, Dejan's picture 'above the fold' taking up to much screen real estate. In actuality he's not that ego-driven.

What's important in this article is the issue of making OBJECTIVES clear and and communicating (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.

Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy[1], and the low level objectives[2]. Call that the tactical or the operational level. Differentiating between the two is important. They should not be confused. The high level, the POLICY OBJECTIVES should be the driver.

Yes there may be a lot of fiddly-bits of technology and the need for the geeks to operate it at the lower level. And if you don't get the lower level right to an adequate degree, you are not meeting the higher objectives.

Tagged as: Apple, books, Dejan Kosutic, FOSS, Fredrick Winslow Taylor, Godwin Law, Human Resources Security, ISO/IEC 27001, ISO27001, ISO27K, OBJECTIVES, Policy, SoA, Stephen Hawking, Windows Environment Continue reading

Help on ISO-27000 SoA

Posted by Anton Aylward

This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.

But if you are using closed-source products such as those from Microsoft, are you giving up control? Things like validation checks and integrity controls are are 'internal'.

Well, its a bit of a word-play.

SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (ie ecommerce)
SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.

With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted

The key to the SOA is SCOPE.

Tagged as: controls, COSO, Enterprise Risk Management, insurance, International Organization for Standardization, ISO-27000, ISO/IEC 27000, ISO/IEC 27001, Microsoft, Risk, Risk assessment, Risk Management, Risk Treatment Plan, SCOPE, Service-oriented architecture, SoA, Statement of Applicability, support Continue reading

Availability

I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity

M	T	W	T	F	S	S
« Nov
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Information Gathering and Risk Assessment

Posted by Anton Aylward

Control objectives – Why they are important

Posted by Anton Aylward

Help on ISO-27000 SoA

Posted by Anton Aylward

Availability

Popular Pages

Categories

Archives

Calendar of Posts

Meta

Security Links