27001 Information Security Management System Flashcards

1
Q

What is the Asset and Risk Assessment Register?

A

The register details all the threats and vulnerabilities of the company due to the asset information it holds, processes or has access to.

2
Q

What are the steps of a Change Request (IS)?

A
1. An assessment is made in the Change Request and Risk Assessment. This includes details, justification, authorisation, and any threats/risks.
2. Change Request Implementation - providing a list of actions that need to be completed in order to manage the change effectively.
3. A new supplier approval form (if applicable).
4. Test Results Form - to confirm the results of the change and whether it performed as expected.
3
Q

What examples can you provide that require the Asset and Risk Assessment Register to be updated?

A

A security incident.
Identification of a new threat/vulnerability.
Any change in legal contracts.

4
Q

How to control the versioning of documents?

A

The Owner can be found in the Control of Documented Information Procedure.

5
Q

What is the Information Classification, Labelling and Handling Rules Document?

A

This features the classifications of the documents, e.g. Public, Highly Confidential, etc. The document also includes document types and storage requirements.

6
Q

What documents does the Business Context and Critical Requirements Management Procedure connect to?

A

Business Risk Register - details of how this document should be filled out can be found in section 6.0

7
Q

When should the Business Risk Register be updated?

A

At least annually.

Following any external or internal issues that could affect the business.

8
Q

What examples does the Change Control Procedure apply to?

A

Computer Hardware, Software, Suppliers of critical services, equipment or software.

9
Q

What are the objectives of the Security Incident Management Procedure?

A

To ensure all security incidents are reported promptly so that any adverse effects can be limited.
To ensure root causes can be identified and preventative action taken to prevent future incidents taking place.
To ensure Whoosh can meet the aims of the Information Security Policy.

10
Q

What document should be referred to when an employee is suspended due to a data security issue?

A

The Security Incident Management Procedure.

11
Q

If the confidentiality of a document is compromised, where should this be reflected?

A

The Asset and Risk Assessment Register and the Personal Information Processing Register should be reviewed and edited in accordance with the Information Asset and Risk Management Procedure.

12
Q

What is the difference between the Business Risk Register and the Asset and Risk Assessment Register?

A

The Asset and Risk Assessment Register is asset specific: it covers any risks that are due to assets, e.g. service or data compromise due to social networking attacks. The Business Risk Register covers risks across the whole company.
