Take into account internal and external issues defined in clause 4.1 – this
article explains the details: How to define context of the organization
according to ISO 27001.
Take into account all the requirements defined in clause 4.2 – this article explains
how: How to identify interested parties according to ISO 27001 and ISO
22301.
Consider interfaces and dependencies between what is happening within the
ISMS scope and the outside world.
Another thing you should include in your ISMS scope document is a short
description of your location (you could use floor plans to describe the
perimeter) and organizational units (e.g., org charts) – this is not strictly
required by the standard, but certification auditors like to see them included.
ISO 27001 requires you to write a document for the ISMS scope – you can
merge this document with some other (e.g., Information security policy), keep it
as a separate document, or have one document with references to others (e.g.,
interested parties and their requirements, context of the organization, etc.).
Now, the key question is how to deal with these interfaces and dependencies.
Interfaces and dependencies
Let’s start with dependencies – it is probably easiest to describe them
graphically. You can draw your processes that are included in your ISMS
scope, and then outside of this circle draw the processes that are provided
from outside of your scope. By processes, I don’t mean only security or IT
processes – I mean the main business processes within your scope; if you
already implemented ISO 9001, you probably have a similar process chart. Here’s
an example:
Once you know the dependencies, you have to identify the interfaces. They are
important for a company to understand its ISMS boundaries, and to understand
which inputs and outputs will be going through these interfaces in order to
protect them better.
You can try to identify all the end points you control – e.g., in your local
network that could be the router (because after that point you usually have no
control of the link – the telecom company does), for your offices the interface
could be the entrance doors, etc.
Smaller scope does not mean an easier job. When leaving some parts of your
company out of the scope, this means you have to treat them as an “outside
world”: you have to limit their access to the information within the scope,
which could create more problems than initially anticipated. Limiting the
scope is usually feasible for larger companies, but not for smaller ones – see
also this article: Problems with defining the scope in ISO 27001.
Exclusion of controls has nothing to do with the ISMS scope. You cannot say
something like “we will exclude controls x, y, and z from the scope because we
don’t want them”; you can exclude the controls only if there are no risks or
requirements which would require the implementation of those controls. In
other words, if there are risks and/or requirements, you cannot exclude related
controls. See also this article: The basic logic of ISO 27001: How does
information security work?
How to perform training & awareness for ISO 27001 and ISO 22301.
Most of the information security/business continuity practitioners I speak
with have the same problem: the employees in their companies don’t take them
seriously – not only the top managers, but also their peers.
This is due to the fact that the employees usually do not understand what
information security or business continuity is all about – in other words, you
may have perfect policies and procedures, but simply pushing those to your
internal email list won’t help. You need to explain to your colleagues why
information security and business continuity are needed, and how to perform
certain tasks – that’s the main purpose of awareness and training.
1. Define which knowledge and skills are required for particular personnel who
have a role in your information security management system (ISMS) or
business continuity management system (BCMS) – basically, you need to go
through every ISMS or BCMS document and see what knowledge and skills
are required of every responsible person mentioned in the document.
2. Perform trainings to reach the desired level of knowledge and skills – see
below for methods.
3. Measure whether each individual has achieved the desired level of knowledge
and skills – through testing, interviews, etc. – once you know where the gaps are,
you can start again with step #1.
And this is something that needs to be done continuously – either by the CISO /
business continuity coordinator, or by the HR department.
Methods of training
Very often, the trainings are planned via the Training plan – for example, you can plan for
the following:
Courses – see this article for more information: How to learn about ISO 27001
and BS 25999-2.
Reading literature – there are many information security and business continuity
books available, as well as magazines.
Participating in expert forums on the Internet – in some of those you can get very
concrete answers to your questions – for example, Expert Advice Community or
ISO 27001 security.
In-house trainings – delivered either by in-house experts, or by hiring consultants,
certification bodies or similar.
Methods of awareness-raising
As opposed to trainings, which give an answer to the question “How?”, awareness must
give an answer to the question “Why?” – that is, explain to your employees why they
should accept information security or business continuity.
What messages? (form & format) Messages should be clear in their form and
content to produce the expected behavior. The type of communication medium is
looked at here. You can use short stories, images, metaphors, or cartoons.
Messages should be short and focused on their real intent. You certainly remember
the SMART criteria that you can use to make sure the message is complete.
Who? Organizations should clarify who is authorized to communicate, especially
with external parties. Internally, top management, the CISO, and the help desk
are good examples. Big companies have their Public Relations Officer to
communicate with the external parties.
The communicator should have the appropriate authority to make sure the message
will be received with the necessary attention and will be followed by the expected
action or reaction.
To whom? Not everybody should receive all messages. Messages should be aimed
at a specific audience, depending on the classification of the information, the
necessary technical knowledge, and the role in the organization. The
Communication Plan should be effective and addressed only to those who will
benefit from it or need to act based on it – e.g., different interested parties like users,
partners, internal and external service providers, regulating bodies, shareholders,
etc. See also this article: How to identify interested parties according to ISO 27001
and ISO 22301.
How? (process) The simplest and first way is the security policy and all the
documents that describe what to do (and how) to meet the objectives of the policy.
Messages should be prepared and approved, particularly in the case of incidents and
crises.
Defined channels (and protocols) should be utilized to make sure the
communication reaches the intended audience at the best moment and with the best
possible effectiveness. Examples: emails, pop-up screens, screensavers, posters,
audio messages, meetings, policies and directives, etc.
When? Communication should be both continuous and event-based (in reaction to
events).
You should make sure the communicated message is continuously retransmitted, for
example, to newcomers and at repeated intervals, to make sure it won’t get
forgotten.
You also should be able to modify the messages or introduce new messages or
formats and channels when the situation requires it. Communicating in normal
conditions might be seriously different in comparison to during incidents or in crises.
5. The political situation in the country where the company operates – Correct!
2. A government agency for personal data protection - Compliance with the personal data
protection law
3. The company that supplies you with the materials for your production - Paying them on time and
for all the delivered goods, i.e., having correct and available information for your supplies and
deadlines for payment
2. Company X has implemented ISO 9001 and ISO 27001. – Incorrect! The scope should include the
services or products that the company provides, and the locations included in the scope.
3. The Information Security Management System (ISMS) applies to the provision of software
development and implementation, outsourcing of IT services including maintenance of hardware
and software, operating from the offices in London and Edinburgh. – Correct!
4. The ISMS has implemented all the controls from Annex A. – Incorrect! The scope should include
the services or products that the company provides, and the locations included in the scope.
How can top management demonstrate leadership and commitment to the
Information Security Management System? Choose the correct
statements:
1. Ensuring resources necessary for the ISMS – Correct!
2. Creating exceptions to the security rules for top management – Incorrect! Top management should
set a good example for the rest of the employees, follow the ISMS rules, and communicate the
importance of information security to all employees.
4. Dedicating one week a year for information security, while the rest of the time is dedicated to
everyday activities – Incorrect! Top management should make sure that the ISMS is integrated within
the company processes, not treat the ISMS as an isolated matter.
3. It should include relevant technical details and security rules. – Incorrect! This policy is a top-
level policy and it shouldn’t be too detailed. The details about the information security controls and rules
should be prescribed in detailed policies and procedures.
5. It must include the ISMS scope. – Incorrect! There is no such requirement for the Information
Security Policy.
Which of the following responsibilities and authorities are relevant for the
person responsible for reporting on the performance of the ISMS to top
management?
1. Prepares input for management review meeting – Correct!
4. Conducts a campaign for ISMS awareness raising – Incorrect! Awareness raising is ensuring that
the ISMS fulfills the requirements of ISO 27001.
3. Improve the incident management – Incorrect! This information security objective is not complete;
a description of what it means to improve the incident management (decrease number of incidents, time to
solve them, resources used, etc.), a measurable target, and a timeframe are missing.
4. Increase the awareness raising training for 2 hours per employee annually - Correct!
5. Increase the frequency of backup by 50% for the next year - Correct!
6. Strengthen the overall capabilities of the Information Security Management System in the next
six months - Incorrect! This information security objective is too general and doesn’t provide a
measurable target.
2. Available time for top management to coordinate the implementation of the procedure –
Incorrect! Top management should make the decision to implement such a procedure and approve the
procedure and the necessary budget, not coordinate the process.
4. Available time for all employees to pass short training on how to use the incident management
software for reporting incidents. – Correct!
5. Dedicated budget for licenses for the chosen incident management software – Correct!
3. Define the information security competences for all persons working for your company –
Correct!
4. All employees shall have university degrees – Incorrect! The standard requires the company to
determine the necessary competences; it doesn’t indicate specific competences.
Information security awareness raising helps improve the information
security in the company by:
1. Helping employees understand their role and the impact they have on ISMS – Correct!
2. Helping employees understand the consequences if they don’t follow the ISMS rules – Correct!
3. Helping employees become information security experts – Incorrect! Awareness raising campaigns
help employees understand information security better, but that doesn’t make them experts on the topic.
4. Why information security objectives are important – Incorrect! This is an important message to be
communicated; however, it is not a rule for communication.
When creating a new document, you should take into consideration the
following aspects:
1. Writing your name in the author section on the first page of the document, as defined in the
template you use – Correct!
2. Writing it in English because that is the official language of your firm – Correct!
3. Storing the document wherever it is convenient for you - Incorrect! Documents should be stored as
prescribed by the company; for example, electronic information is stored in shared folders on the
company file server or in a folder in the cloud.
5. When finished, submitting the document for review and approval – Correct!
6. The document is very well written, so it doesn’t need a title. It is pretty much obvious what it is –
Incorrect! A title of the document is probably the first thing that the readers are looking for.
2. False – Correct!
3. Activities that are carried out by your organization and the activities performed by other
organizations, such as partners, associates, or an outsourcing company; how those activities are
related; and how they depend on each other. – Correct!
4. Information security objectives – Incorrect! The information security objectives are established after
the scope is set, taking into consideration the defined scope.
5. The number of employees in the company – Incorrect! The number of employees doesn’t influence
the ISMS scope.
2. They should be documented together with the information security risk treatment – Incorrect!
There is no such requirement in ISO 27001; objectives and the risk treatment plan are two separate
documents.
4. They should be updated in order to reflect the current situation of the company and its ISMS. –
Correct!
6. They should be defined for a period of one year. – Incorrect! The time frame for completion of
objectives can be set by the company itself; it is not defined by the standard.
2. Identify the needed resources for the Information Security Management System – Correct!
4. Ensure they are available for continual improvement of the ISMS – Correct!
5. Define an annual budget for the ISMS – Incorrect! ISO 27001 doesn’t have such a requirement. The
annual budget can be used as a tool for managing and controlling financial resources; however, it is not a
requirement.
2. Regularly test the employees to check their competences – Incorrect! This is not a requirement
from the standard.
3. Send employees to training every month – Incorrect! This is not a requirement from the standard.
4. Make sure that employees have the appropriate training and experience – Correct!
5. Keep documented evidence that the employees really have the required competences – Correct!