
CIMSNex User Guides


Evidence for A.5.21 Managing Information Security in the Information and Communication Technology (ICT) Supply Chain would include:

  1. Supply Chain Security Policy: Documentation of a comprehensive supply chain security policy that outlines the organization's approach to managing information security risks related to ICT suppliers and service providers.

  2. Supplier Selection Criteria: Evidence of established criteria and processes for evaluating and selecting ICT suppliers based on their information security capabilities, compliance with security standards, and track record.

  3. Supplier Contracts and Agreements: Copies of contracts or agreements with ICT suppliers that include specific information security requirements, responsibilities, and obligations.

  4. Information Security Requirements: Documentation of the information security requirements communicated to ICT suppliers, such as security standards, data protection requirements, incident reporting procedures, and access controls.

  5. Supplier Security Assessments: Records of security assessments or audits conducted on ICT suppliers to evaluate their information security practices and identify potential risks.

  6. Incident Management with Suppliers: Evidence of procedures in place for reporting and managing security incidents involving ICT suppliers, including incident response and communication protocols.

  7. Supply Chain Risk Assessment: Documentation of risk assessments conducted to identify and assess potential information security risks associated with the ICT supply chain.

  8. Third-Party Security Assessments: Evidence of third-party assessments or certifications obtained from independent organizations that evaluate the security posture of ICT suppliers.

  9. Continuous Monitoring: Records of ongoing monitoring and evaluation of ICT suppliers' information security practices and performance.

  10. Incident and Issue Tracking: Logs or records of incidents, breaches, or issues related to ICT suppliers and the organization's response and resolution actions.

  11. Training and Awareness: Evidence of training and awareness programs for employees involved in managing the ICT supply chain, emphasizing information security best practices and risk management.

  12. Compliance Documentation: Evidence of compliance with relevant industry regulations, legal requirements, and standards related to information security in the ICT supply chain.

These pieces of evidence are used to assess how effectively the organization manages information security risks in the ICT supply chain. This includes evaluating the organization's processes for supplier selection, contract management, risk assessment, incident management, and ongoing monitoring, so that the ICT supply chain remains secure and resilient against potential threats and vulnerabilities.


Evidence for A.8.10 Information Deletion would include:

  1. Deletion Policy: Documentation of a formal information deletion policy that outlines the organization's approach to securely and permanently deleting data when it is no longer needed.

  2. Data Retention Schedule: A schedule or plan indicating the retention periods for different types of data and when data should be deleted after it has met its retention requirements.

  3. Deletion Procedures: Detailed procedures and guidelines on how data deletion is carried out, ensuring that data is securely erased from storage media and systems.

  4. Data Deletion Tools and Technologies: Documentation of the data deletion tools and technologies used by the organization to implement secure data erasure, including information about their configuration and integration with relevant systems.

  5. Data Deletion Implementation: Evidence of the successful implementation of data deletion techniques on databases, file systems, and other storage media, including logs or records of data deletion activities.

  6. Verification of Deletion: Processes or mechanisms in place to verify that data has been securely and permanently deleted and cannot be recovered, using a method appropriate to the storage medium (for example, confirming overwrite of magnetic media, cryptographic erasure or key destruction for flash and cloud storage where direct overwrite cannot be guaranteed, and destruction certificates for physically disposed media).

  7. Compliance Documentation: Evidence of compliance with data protection regulations and legal requirements related to data deletion and data privacy.

  8. Access Controls: Evidence of access controls and permissions granted to users who have the authority to delete data, ensuring that only authorized individuals can perform data deletion activities.

  9. Training and Awareness: Evidence of training and awareness programs for employees involved in data deletion processes, ensuring they understand the importance of securely deleting data and the potential risks of improper data disposal.

  10. Data Deletion Audit Logs: Logs or records of data deletion activities, changes, and access, as well as any incidents or anomalies related to data deletion.

These pieces of evidence are used to assess the adequacy and effectiveness of the organization's data deletion controls, ensuring that data is securely and permanently erased when no longer needed and that the data deletion processes comply with relevant regulations and standards.
