ISO/IEC 27001:2013 is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001, or as a guidance document for organizations implementing commonly accepted information security controls.

Dymar provides many of the solutions you need to comply with this standard.

Regulation
Among the best practices called for in ISO/IEC 27001 are:

  • Data access controls
  • Cryptographic control of sensitive data
  • Management and protection of encryption keys
  • Recording and archiving “all significant events concerning the use and management of user identities and secret authentication information” and protecting those records from “tampering and unauthorized access.”

ISO/IEC 27001 is an international standard used as a reference for controls when implementing an Information Security Management System; it incorporates data access controls, cryptographic control of sensitive data and key management.

The following are some of the points to address in order to comply with this standard, taken from the SNI ISO/IEC 27001:2013 document, "Reference control objectives and controls" table:

A.8 Asset management | A.8.3 Media handling | Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.9 Access control | A.9.4 System and application access control | Objective: To prevent unauthorized access to systems and applications.

A.10 Cryptography | A.10.1 Cryptographic controls | Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.12 Operations security | A.12.2 Protection from malware | Objective: To ensure that information and information processing facilities are protected against malware.

A.12 Operations security | A.12.4 Logging and monitoring | Objective: To record events and generate evidence.

A.13 Communications security | A.13.2 Information transfer | Objective: To maintain the security of information transferred within an organization and with any external entity.

A.14 System acquisition, development and maintenance | A.14.3 Test data | Objective: To ensure the protection of data used for testing.

A.16 Information security incident management | A.16.1 Management of information security incidents and improvements | Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

Dymar solutions can help your organization comply with some of the control points of SNI ISO/IEC 27001:2013:


  • Sensitive data discovery and classifications
  • Data access controls and managing privileged access
  • Encryption and tokenization of the data
  • Encryption key management and protection
  • Logging of data access events

Developing an enterprise data encryption strategy

This guide covers setting and implementing an enterprise-wide encryption strategy, one that will be used to guide and align each Line of Business (LoB), Application Owner, Database Administrator (DBA) and Developer toward achieving the goals and security requirements that you define and set forth as the model for your organization. A daunting task, for sure, but one that is certainly achievable.

Download