fbpx

CIMSNex User Guides

System Guides

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.5.11 Return of Assets would include:

  1. Asset Inventory: Documentation of an asset inventory that includes all company-owned assets issued to employees, contractors, or third parties.

  2. Asset Assignment Records: Records of asset assignments, detailing which assets were assigned to specific individuals, along with dates and any relevant agreements or contracts.

  3. Employee Termination Process: Proof of a defined process for collecting and deprovisioning assets from employees who are leaving the organization, including steps for retrieving physical assets (laptops, mobile devices) and revoking access to digital assets (accounts, systems).

  4. Contractual Agreements: Copies of agreements or contracts that outline the responsibilities of employees and users in returning company assets upon termination or contract completion.

  5. Asset Recovery Procedures: Documentation of procedures outlining how assets are recovered from terminated employees or when a contract ends. This may include coordination with HR, IT, and other relevant departments.

  6. Verification and Validation: Records of procedures to verify that all assigned assets are returned, and validation that access to systems and accounts has been properly revoked.

  7. Data Wiping or Erasure: Evidence of data wiping or erasure processes for digital assets, ensuring that sensitive data is securely removed before reassigning or disposing of assets.

  8. Asset Disposal or Reassignment: Documentation of procedures for disposing of assets that are no longer needed or reassigning them to other employees or users.

  9. Documentation of Exceptions: Records of any exceptions or instances where assets were not returned, along with the actions taken to resolve these situations.

  10. Management Oversight: Proof of management oversight to ensure that asset return procedures are consistently followed and that deviations are addressed promptly.

  11. Audit Trails: Audit trails or logs demonstrating the collection and return of assets, including the names of individuals involved, dates, and any relevant approvals.

By examining these pieces of evidence, an auditor can assess whether the organization has effective processes in place to ensure the proper return of assets when employees or users leave the organization or when contracts are terminated. This helps prevent unauthorized access to company information and assets and ensures that assets are properly managed throughout their lifecycle.

 

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.5.10 Acceptable Use of Information and Other Associated Assets would include:

  1. Acceptable Use Policy: Access to the organization's Acceptable Use Policy (AUP) that outlines the rules and guidelines for using information and associated assets.

  2. Communication of AUP: Proof of regular communication and distribution of the AUP to all employees, contractors, and third parties who have access to the organization's information and assets.

  3. Employee Training: Documentation of training sessions or awareness programs conducted to educate employees and users about the AUP and its importance.

  4. Employee Acknowledgment: Records of employees and users acknowledging their understanding and agreement to adhere to the AUP.

  5. Asset Classification: Details about how information and assets are classified according to their sensitivity or criticality, and how these classifications align with usage permissions.

  6. Access Control Measures: Evidence of access controls in place to ensure that users can only access information and assets that are relevant to their roles and responsibilities.

  7. Monitoring and Auditing: Documentation of procedures for monitoring and auditing users' activities to detect any violations of the AUP.

  8. Consequences for Violations: Information about the consequences for violating the AUP, including disciplinary actions and potential legal consequences.

  9. Reporting Mechanisms: Records of established reporting mechanisms for users to report any suspected violations or breaches of the AUP.

  10. Review and Update: Proof of regular reviews and updates of the AUP to ensure it remains aligned with changing technologies, business processes, and security requirements.

  11. Incident Reports: Records of any incidents related to violations of the AUP, along with the actions taken to address and prevent such incidents in the future.

  12. Management Oversight: Evidence of management oversight to ensure that the AUP is effectively enforced and that necessary adjustments are made when required.

By assessing these pieces of evidence, an auditor can determine whether the organization's acceptable use policies are well-defined, effectively communicated, and consistently followed by employees and users. This helps ensure that information and associated assets are used in a secure and responsible manner.

 

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

To assess compliance with A.5.37 "Documented Operating Procedures," an information security auditor would examine how an organization develops and maintains documented operating procedures to ensure consistent and secure operations. Here's a breakdown of the evidence and areas an auditor might focus on:

  1. Documentation Existence:

    • Verify the presence of documented operating procedures that outline specific steps, actions, and guidelines for various information security-related processes and activities.

  2. Scope and Coverage:

    • Evaluate whether the documented procedures cover critical information security areas, such as access control, incident response, change management, etc.

  3. Content Accuracy:

    • Examine if the documented procedures accurately reflect the current processes and practices being followed within the organization.

  4. Consistency and Standardization:

    • Assess whether the procedures promote consistent and standardized approaches to carrying out security-related tasks across different teams or departments.

  5. Process Flow:

    • Review the clarity and completeness of process flows within the documented procedures, ensuring that they provide a step-by-step guide for each process.

  6. Roles and Responsibilities:

    • Verify that the documented procedures clearly outline the roles and responsibilities of individuals involved in each process.

  7. Authorization and Approval:

    • Assess whether the documented procedures have been reviewed, authorized, and approved by appropriate stakeholders within the organization.

  8. Version Control:

    • Examine if version control mechanisms are in place to track changes to the documented procedures over time and maintain an audit trail.

  9. Accessibility:

    • Verify that authorized personnel can easily access the documented procedures when needed and that they are stored in a secure and organized manner.

  10. Training and Awareness:

    • Assess whether the documented procedures are used for training new personnel and raising awareness about proper procedures across the organization.

  11. Alignment with Policies:

    • Review if the documented procedures align with the organization's information security policies and standards.

  12. Updates and Maintenance:

    • Examine how often the documented procedures are reviewed and updated to ensure they remain relevant and effective.

  13. Change Management Integration:

    • Evaluate whether changes to the documented procedures go through a proper change management process to ensure consistency and quality.

  14. User-Friendly Format:

    • Assess if the documented procedures are presented in a user-friendly format, making them easy to understand and follow.

  15. Cross-References:

    • Verify if the documented procedures reference relevant policies, standards, and guidelines to provide a comprehensive context.

  16. Reporting and Metrics:

    • Review if the documented procedures include reporting requirements and metrics to measure the effectiveness of the processes.

  17. Feedback Mechanism:

    • Assess whether there is a feedback mechanism for personnel to suggest improvements or report issues with the documented procedures.

By reviewing these areas, an auditor can determine whether the organization has established effective procedures that are well-documented, up-to-date, accessible, and aligned with information security objectives. These procedures contribute to consistent and secure operations throughout the organization.

 

USER GUIDES

Image
Empowering organizations to achieve their performance objectives through a unique blend of consulting expertise and technology-driven solutions.

More Links

FEATURED SERVICES

Performance Improvement Consulting

ISO Management Systems Training

Customized Consulting Services

Technology Integration Solutions

 

ISO Compliance Software
Integrate . Mantain . Comply

Search