ISO 27001

¡Supera tus tareas y exámenes ahora con Quizwiz!

documentation, management, information security control

3 types of ISMS requirements

all Annex A controls (114), justification for inclusion/exclusion, reviewed by by management, mapping of control objectives to identified risks, showing of implementation

SOA inclusions

ISO 27001

a comprehensive minimum baseline of information security controls that information security programs SHALL address in some manner; requirements

any item, process, or resource that is valued by an organization which could cause impact on the business

asset

a systematic, risk based approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's information security to achieve business objectives

definition of an ISMS

documented statement describing the control objectives and controls that are relevant and applicable to the organization

statement of applicability

updated

the risk treatment plan is to be used and ____proactively

organizational structure/BU, people, locations, technology, physical, assets, exclusions with justification, interfaces and dependencies, interested parties and their requirements

scope requirements

an occurrence of an undesired event, which may result in harm of an assets

threat

people, process, technology

types of info threats

a lack of safeguard or weakness of an asset or a group of assets that can be exploited by a threat

vulnerability

initial, surveillance

1 year maximum between the _____audit and ____audit

asset is expected to be decommissioned, legal obligations, cost benefit analysis

3 reasons for risk acceptance

detective, preventive, corrective

3 types of controls

accept, mitigate, avoid, transfer

4 risk treatment options

ISMS Policy

_____provides direction from "what do we do now (Mission)" to "What do we want to do in the future (Vision)" leading towards a strategy - main purpose of this is to elevate IS to the top of the "To - Do" list evolving into the "Must-Do" list

monitoring

determining the status of a system, a process, a product, a service or an activity

what happened

effectiveness measures, measure _________ -measures that express the effect that realization of planned activities has on the organizations information security objectives

person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity

interested party

process/procedures

level 2 doc that describes processes - who, what, where, when

1 3 4

level ____ through ____ docs we maintain, and level __ we retain

requirement

need or expectation that is stated, generally implied or obligatory

to protect the information assets from the loss of confidentiality, integrity, and availability

objective of any ISMS

Continuous Improvement -corrective action tracker -non-conformity reports

output of clause 10

Organization: -scope and bounds

output of clause 4

Leadership: -leadership commitment -IS Policy -Roles and responsibilities

output of clause 5

Planning: -risk assessment methodology -risk assessment + treatment plan -SOA -Information security objectives

output of clause 6

Support: -documentation standard + records -communication policy -awareness program -competence measures -assign resources

output of clause 7

Operation: -evidence of control operations -results of risk assessment + risk treatment review

output of clause 8

Performance Eval -monitoring + measurement -Internal audit (plan and results) -Management review

output of clause 9

goal

performance measures are the _____ -measures that express the planned results in terms of the characteristics of the planned activity

measurement

process to determine a value

annually

risk assessments must be conducted at a minimum

the consequence of uncertainty on objectives

risk definition

threat x vulnerability x asset

risk formula

scope, acceptance levels, acceptance criteria, risk assess/analysis, risk treatment, risk monitoring/review

risk management lifecycle


Conjuntos de estudio relacionados

Ch 6: Understanding and critically appraising the literature review

View Set

Myers Exploring Psychology Chapter 2

View Set

SHRM - HR Competencies things I keep missing

View Set

Unit 3: Job Interview Process CLS

View Set

Chapter 7: Pattern Matching with Regular Expressions

View Set