Professional Documents
Culture Documents
ISACA Making The SoA An Information Security Governance Tool PDF
ISACA Making The SoA An Information Security Governance Tool PDF
• CO 8 (Asset Management)
• Scope of responsibilities. In this subsidiary
A careful reading of the ISO/IEC 27001:2013 context, two types of responsibilities are
standard helps clarify that the previously considered:
mentioned control objectives are compulsory. – The HR department is responsible for hiring
Indeed, any organization targeting such a personnel for fixed or long-term contracts;
standard has to fix at least one high-level candidate background screening is the HR
information security policy and one set of department’s responsibility.
responsibilities to control its application – Any department, including HR, that is willing
throughout the organization. Any organization to hire subcontractors is responsible for
has to manage the assets and the stakeholders; verifying a candidate’s background.
therefore, it is necessary to identify them.
• Declining the ISO/IEC 27001:2013 requirement
2. With the help of the risk assessment results, in the organizational context given the scope;
shed light on the priorities relating to every declining one or more items to come later:
set of measures—To be able to determine the – Requirement 1 (responsibility of HR
minimum responses that correlate to each set department)—Before hiring personnel, the
of measures of the SoA, it is worth analyzing the following verifications are to be performed
organization-level risk assessment and ranking for considered candidates: identity control,
the corresponding priorities (e.g., 1 = low risk, low criminal record, education, professional
priority; 2 = medium risk, medium priority; 3 = high credentials and contact of former employers.
risk, high priority) to weigh every measure. – Requirement 2 (responsibility of all
departments)—Before hiring subcontractors,
Avoid waiting until the perfect risk assessment
the same verifications previously mentioned
is complete. Perfection is a lure and a hurdle
should be performed.
against a successful quick scan of the SoA.
Rather, develop a first version by considering • Examining how much the concerned organization
which control objective the organization is complying with previous requirements:
considers a major risk. Should the enterprise take – Compliance with requirement 1: 1 (Full
up the exercise again, the second version can compliance)
widen the scope of the risk assessment. – Compliance with requirement 2: 0, 2 The
organization has handled the personal