Working in a company where we try to implement ISO 27001

weakness

Starting to get Involved
Hi,

I'm working in a company where we try to implement ISO 27001.
We prepared an asset inventory form,
but how do we determine the CIA profile?
Operator instruction?
Process form, etc.?
Thank you for your support.
 

AndyN

Moved On
Re: Working in a company where we try to implement ISO 27001

Welcome:

Before you start developing anything to meet ISO 27000, what are you trying to achieve? Do you want to be certified, for example? Is your highest level of management, including your CISO, in agreement with the need for an Information Security Management System? Have you had a "Gap Analysis" performed for you, so that in addition to the obvious things that ISO 27001 requires, you know everything else you need to work on and have a plan, including some external help?

Without these things, you will not get very far, even with us here, helping you!
 

weakness

Starting to get Involved
I have an implementation Gantt chart for certification. We prepared an asset inventory form to determine
-asset inventory
-risk assessment
-SOA etc.
But we are at the first step: determining assets.
Operation instructions, for example. An operator instruction is prepared in a process, then approved by the quality department and shared with the related document; how can we decide its CIA profile?
 

Michalm

Are you sure?
What about Annex A - A.8.1.1:
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
 

John Broomfield

Leader
Super Moderator
Hi,

I'm working in a company where we try to implement ISO 27001.
We prepared an asset inventory form,
but how do we determine the CIA profile?
Operator instruction?
Process form, etc.?
Thank you for your support.

weakness,

First define the types of information you want to secure. For example, you could start with the intellectual property of customers and yourselves.

Then analyze the processes that generate, use and share such information and this will determine the assets that need to be made secure. Remember that information may be documented or in the form of prototypes. People who steal intellectual property are adept at reverse-engineering innovative products.

This also defines the scope of your ISMS.

Do not just make a list of the assets you happen to have. Quite separately from info sec your IT department should know this already.

John
 

Richard Regalado

Trusted Information Resource
Before defining the type of information, an organization needs to understand and realize why they need information security. Normally there are 3 requirements to start off with:

- legal requirements

- contractual requirements

- the organization's own business requirements

Once the reason is clear, decide whether or not infosec is for you.
 

griffo

In the 2013 version of ISO 27001 you don't need to identify assets.
However, it cannot hurt if you decide to identify your assets.

For me, planning to migrate from the 2005 version soon, I'm having a hard time trying to imagine what the RA process would look like without a list of all assets. What is your thought on that? How do you tackle this challenge?
 

Richard Regalado

Trusted Information Resource
I agree with you griffo. I started with BS7799 and asset-based RA. I'm developing 2 approaches right now to address the 'relaxed' requirements for RA of the 2013 version.

One approach is to determine risks per process within the scope.

The second approach is the outright identification of risks. This would entail referencing a list of risks and determining whether a particular risk exists in the organization.

I'll be honest to say though that I find the asset-based approach more thorough in ensuring that the most relevant risks are identified and assessed, processed and eventually modified to meet the risk acceptance criteria.

Add:
For companies using the 2005 version, there already exists a list of risks. But they have to go back to the initial assessment, as some of the risks may have been treated along the way and taken off the radar.
 