CIMSNex User Guides

Audit evidence for A.7.8 Equipment Siting and Protection would include:

  1. Physical Security Measures: Documentation and physical observations of security measures implemented to protect equipment from unauthorized access, tampering, theft, or damage. This may include locked server rooms, access control systems, surveillance cameras, and alarm systems.

  2. Equipment Siting Policy: Evidence of a policy that outlines the requirements for the appropriate siting of equipment, taking into consideration factors such as environmental conditions, accessibility, and potential risks.

  3. Risk Assessment: Records of risk assessments conducted to identify potential threats and vulnerabilities related to equipment siting and the corresponding mitigating controls put in place.

  4. Secure Mounting: Verification that equipment, such as servers, routers, and switches, is securely mounted in designated locations to prevent accidental or intentional tampering.

  5. Cable Management: Physical observations and documentation of cable management practices to ensure cables are organized, labeled, and protected to avoid accidental disconnection or damage.

  6. Environmental Controls: Evidence of environmental controls in place to protect equipment from temperature, humidity, and other environmental factors that may affect its performance or longevity.

  7. Redundancy and Backups: Documentation of redundancy measures and backup systems to ensure continuous operation of critical equipment in case of failures or disasters.

  8. Maintenance and Monitoring: Records of regular equipment maintenance schedules and monitoring activities to identify potential issues or anomalies promptly.

  9. Incident Reports: Records of any security incidents related to equipment siting or protection, along with the actions taken to address and prevent such incidents in the future.

  10. Compliance with Standards: Confirmation that the organization follows relevant industry standards, best practices, and regulatory requirements related to equipment siting and protection.

By examining these pieces of evidence, an auditor can assess whether the organization has implemented effective measures to safeguard its equipment, ensuring the availability, integrity, and confidentiality of information systems and data.

Audit evidence for A.7.7 Clear Desk and Clear Screen would include:

  1. Policy and Procedures: Documentation of clear desk and clear screen policies and procedures that outline the requirements for employees to maintain a tidy and secure workspace, ensuring that sensitive information is not left unattended on desks or screens.

  2. Employee Training: Evidence of security awareness training provided to employees, specifically covering the importance of adhering to clear desk and clear screen policies and the potential risks associated with leaving sensitive information exposed.

  3. Workstation Configuration: Physical observations and records of workstation configurations to verify compliance with clear desk and clear screen requirements, such as ensuring that employees lock their computers when not in use or enable screen savers with password protection.

  4. Physical Inspections: Regular physical inspections of work areas to confirm that employees are following clear desk practices and not leaving sensitive documents or information visible to unauthorized individuals.

  5. Incident Reports: Records of any security incidents related to clear desk and clear screen violations, along with the actions taken to address and prevent such incidents in the future.

  6. Monitoring and Reporting: Documentation of monitoring mechanisms in place to track and report on compliance with clear desk and clear screen policies.

  7. Disposal Procedures: Procedures for the secure disposal of sensitive information, ensuring that documents are shredded or securely discarded to prevent unauthorized access.

  8. Clean Desk Audits: Internal audits or assessments conducted to evaluate the effectiveness of clear desk and clear screen practices within the organization.

  9. Management Oversight: Evidence of management oversight and involvement in promoting and enforcing clear desk and clear screen policies.

By reviewing these pieces of evidence, an auditor can assess whether the organization has implemented appropriate measures to maintain a clean and secure working environment, reducing the risk of unauthorized access to sensitive information and enhancing overall information security.
