omegakruto.blogg.se

Iso 27002 checklist
You appear to be asking for a data center security audit checklist: I prefer what auditors call Internal Controls Questionnaires (ICQs). ICQs are more open-ended in style than most checklists, giving the auditor plenty of latitude to consider and assess things in context using his/her professional skills, experience and judgment rather than trying to impose a fixed set of criteria (a tick-list).

Over the years, I have developed and used hundreds of ICQs for various assignments, including one based on ISO/IEC 27002 that has been evolving ever since the standard was known as the Code of Practice for Information Security (even before it became BS7799!).

My approach to developing ICQs is to think quite broadly about the information security risks in the area of interest, structure my thoughts using a mind-map or diagram of some sort, work out the general and specific controls I would typically anticipate or expect to see based on the standards, experience and other sources of good practice guidance, and then write up a series of open questions that arise concerning what the organization actually does to address the relevant risks. I use these questions as a guide to the evidence gathering and interviewing element of the audit fieldwork.

So, in a nutshell, I would encourage you to develop your own ICQs, refining and updating them with every use. The controls recommended in ‘27002, and the general structure of ‘27002, form an excellent basis to get you started, and you might also like to consider and blend in applicable controls from other standards from NIST, ISF, ISACA etc.

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • implement commonly accepted information security controls;
  • develop their own information security management practices.

My recent note regarding the processes common to any internal audit applies here.