When speaking to an organization's human resources department about information security, an information security manager should focus on the need for?

What is the objective of Annex A.7.2 of ISO 27001:2013?

The objective in this Annex is to ensure that employees and contractors are aware of and fulfil their information security responsibilities during employment.

A.7.2.1 Management responsibilities

The control requires management to ensure that employees and contractors apply information security in accordance with the established policies and procedures of the organisation.

The responsibilities placed upon managers should include requirements to:

  • ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles, and receive regular training (as per A.7.2.2);
  • ensure buy-in to, and proactive and adequate support for, relevant information security policies and controls; and
  • reinforce the requirements of the terms and conditions of employment.

Managers play a critical role in ensuring security consciousness and conscientiousness throughout the organisation and in developing an appropriate “security culture”.

A.7.2.2 Information Security Awareness, Education & Training

All employees and relevant contractors must receive appropriate awareness, education and training to do their job well and securely. They must also receive regular updates on organisational policies and procedures when these change, along with a good understanding of the legislation that applies to them in their role.

It is common for the information security team to partner with HR or a Learning & Development team to carry out skills, knowledge, competence and awareness assessments, and to plan and implement a programme of awareness, education and training throughout the employment lifecycle (not just at induction). You need to be able to demonstrate to auditors that the training took place and that staff completed it.

Also consider carefully how the training and awareness is delivered, so that staff and contractors have the best chance of understanding and following it; this means careful attention to both the content and the medium of delivery.

What is the objective of Annex A.7.3 of ISO 27001:2013?

Annex A.7.3 is about termination and change of employment. The objective in this Annex is to protect the organisation’s interests as part of the process of changing and terminating employment.

A.7.3.1 Termination or change of employment responsibilities

Information security responsibilities and obligations that remain valid after termination or change of employment must be defined, communicated to the employee or contractor, and enforced. Examples include keeping information confidential and not leaving with information that belongs to the organisation.

It is really important to ensure that information remains protected after an employee or contractor leaves the organisation, as people themselves are walking data stores. The contractual terms and conditions should reinforce this, and the leaver's process and/or contract termination process (including return of assets) should include a reminder to individuals that they retain some responsibilities to the organisation even after they have left.

An auditor will want to see evidence that leavers have returned their assets and that the process has been closed off and documented, demonstrating that the asset inventory (A.8.1.1) has been updated where appropriate.

This is not just about termination and exit. If an employee changes role, e.g. moving from operations to sales, you should review their access rights to demonstrate that they no longer have access to information assets not required in the new role, and that they have been provisioned with access to the information assets needed for it.

A.7.2.3 Disciplinary Process

There needs to be a documented disciplinary process in place, and it must be communicated to staff (in line with A.7.2.2 above). Whilst the focus here is on disciplinary action following security breaches, the process can also be dovetailed with other disciplinary reasons. If your organisation already has a recognised HR disciplinary process, ensure it covers information security in the manner required by ISO 27001:2013.

ISO 27001 policies, controls and tools for Human Resource Security are included in ISMS.online.

Last Updated on December 22, 2021 by Admin

  • CISM : Part 1 - 40
  • CISA : Part 41 - 80

  • an adequate budget for the security program.
  • recruitment of technical IT employees.
  • periodic risk assessments.
  • security awareness training for employees.

Explanation:

An information security manager has to impress upon the human resources department the need for security awareness training for all employees. Budget considerations are more of an accounting function. The human resources department would become involved once it is convinced of the need for security awareness training. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department.

Which of the following is most important for a successful information security program?

Explanation: Sufficient senior management support is the most important factor for the success of an information security program.

Which of the following is MOST effective in preventing security weaknesses in operating systems?

Explanation: Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems, but does not by itself correct the weaknesses.

Which of the following devices should be placed within a demilitarized zone?

Explanation: A mail relay should normally be placed within a demilitarized zone (DMZ) to shield the internal network. An authentication server, due to its sensitivity, should always be placed on the internal network, never in a DMZ, which is exposed to compromise.