ISO 27001

ISO 27001 Annex : A.11.2 Equipment

The objective of ISO 27001 Annex A.11.2 Equipment is to prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1  Equipment Siting and Protection

Control - Equipment should be sited and protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorized access.

Implementation Guidance - To protect equipment, the following guidelines should be considered:

  1. equipment should be sited so as to minimize unnecessary access into work areas;
  2. information processing facilities that handle sensitive information should be positioned carefully to reduce the risk of information being viewed by unauthorized persons during its use;
  3. storage facilities should be secured to avoid unauthorized access;
  4. items requiring special protection should be safeguarded separately, so that the general level of protection required is reduced;
  5. the risk of potential physical and environmental threats, such as theft, fire, explosives, smoke, water, dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism, should be minimized;
  6. guidelines on eating, drinking and smoking in proximity to information processing facilities should be established;
  7. environmental conditions, such as temperature and humidity, should be monitored for factors that could adversely affect the operation of information processing facilities;
  8. lightning protection should be applied to all buildings, and lightning protection filters should be fitted to all incoming power and communications lines;
  9. equipment that processes sensitive information should be protected to minimize the risk of information leakage due to electromagnetic emanation;
  10. special protection methods, such as keyboard membranes, should be considered for equipment in industrial environments.


An organization wants its information to remain within the CIA triad (confidentiality, integrity, availability). It must also ensure that physical security controls are properly and efficiently implemented to protect the confidentiality, authenticity and/or integrity of the organization's information and information processing facilities. The physical and environmental protection of the company is covered in Annex A.11 of ISO 27001. The well-known Lead Auditor and Lead Implementer certifications cover all the annexes on information security, including the implementation of appropriate access controls to ensure that only authorized access is permitted. Infosavvy, a Mumbai-based institute, offers certifications and training across multiple domains, such as information security management and cybersecurity, including the IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). This certification covers the audits needed to keep an organization safe from those intent on causing damage. Infosavvy will help you understand and identify the full extent of the physical and environmental security your organization needs to protect its operations from attack. Our trainers have ample know-how and experience to make sure that information security is handled effectively. The applicant will therefore gain the skills needed to conduct an ISMS audit using commonly agreed audit concepts, procedures and techniques.

A.11.2.2  Supporting Utilities

Control - Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.

Implementation Guidance - Supporting utilities (e.g. electricity, telecommunications, water, gas, sewage, ventilation and air conditioning) should:

  1. conform to the equipment manufacturer's specifications and local legal requirements;
  2. be assessed regularly for their capacity to meet business growth and interactions with other supporting utilities;
  3. be inspected and tested regularly to ensure their proper functioning;
  4. have alarms to detect malfunctions, if necessary;
  5. have multiple feeds with diverse physical routing, if necessary.

Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms.

Other Information - Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.


A.11.2.3  Cabling Security

Control - Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage.

Implementation Guidance - The following guidelines for cabling security should be considered:

  1. power and telecommunications lines into information processing facilities should be underground, where possible, or subject to adequate alternative protection;
  2. power cables should be separated from communications cables to prevent interference;

Read more: https://www.info-savvy.com/iso-27001-annex-a-11-2-equipment/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ


ISO 27001 Clause 6.1.3 Information security risk treatment

Information security risk treatment

Required activity

The organization defines and applies an information security risk treatment process.

Implementation Guideline

Information security risk treatment is the overall process of selecting risk treatment options, determining appropriate controls to implement those options, formulating a risk treatment plan and obtaining approval of the risk treatment plan by the risk owner(s). All steps of the information security risk treatment process, as well as the results of its application, are retained by the organization as documented information.

Information security risk treatment options

Risk treatment options are:

  1. avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, or by removing the risk source (e.g. closing an e-commerce portal);
  2. taking on additional risk or increasing risk in order to pursue a business opportunity (e.g. opening an e-commerce portal);
  3. modifying the risk by changing the likelihood (e.g. reducing vulnerabilities) or the consequences (e.g. diversifying assets), or both;
  4. sharing the risk with other parties through insurance, sub-contracting or risk financing; and
  5. retaining the risk based on the risk acceptance criteria or by informed decision (e.g. keeping the existing e-commerce portal as it is).

Each individual risk should be treated in line with the information security objectives by one or more of these options, so as to satisfy the risk acceptance criteria.

Determining necessary controls

Special attention should be given to the determination of the necessary information security controls. Any control should be determined based on information security risks that have previously been assessed. If an organization has a poor information security risk assessment, it has a poor foundation for its choice of information security controls. Appropriate control determination ensures that:

  1. all necessary controls are included, and no unnecessary controls are chosen; and
  2. the design of the necessary controls satisfies an appropriate breadth and depth.

As a consequence of a poor choice of controls, the proposed information security risk treatment can be:

  1. ineffective;
  2. inefficient, and therefore inappropriately expensive.

To ensure that information security risk treatment is effective and efficient, it is therefore important to be able to demonstrate the relationship from the necessary controls back to the results of the risk assessment and risk treatment processes. It can be necessary to use multiple controls to achieve the required treatment of an information security risk. For instance, if the option to change the consequences of a particular event is chosen, it may require controls that effect prompt detection of the event as well as controls to respond to and recover from the event.

When determining controls, the organization should also take into account the controls needed for services obtained from outside suppliers of, for example, applications, processes and functions. Typically, these controls are mandated by including information security requirements in the agreements with these suppliers, including ways to obtain information about the extent to which those requirements are met (e.g. a right of audit). There can also be situations in which the organization wishes to determine and describe detailed controls as part of its own ISMS even though the controls are operated by outside suppliers. Independently of the approach taken, the organization should always consider the controls needed at its suppliers when determining controls for its ISMS.


Continue reading: https://www.info-savvy.com/iso-27001-6-1-3-information-security-risk-treatment/
