Security Basics mailing list archives

Re: ISO IEC 27002 (ISO-17799) assistance please.


From: chief () infodit in
Date: 12 Jan 2008 10:31:21 -0000

Hello Chris,
With reference to ISO 27001: 2005
Section A.11.3.2 - Users shall ensure that unattended equipment has appropriate protection.
Section A.11.5.5 - Inactive sessions shall shut down after a defined period of inactivity.
 
The fundamental of ISO 27001 controls is that they need to be applied based on risk assessment only. Only if your
situation warrants it, and only if the control justifies the risk it is addressing and the cost of the control justifies
its benefits, shall the controls be applied.

I'm sure the Consultant your organisation has engaged has made his recommendations based on the risk assessment he would
have performed on your Operating System Access Control. All controls should necessarily be based on RA.

Your mentioning that you have proved your Consultant wrong or right seems to be out of place, as this is not
warranted if you had referred to the Risk Assessment done by you or your process owners. Maybe you have not
done your risk assessment correctly, or else you would not have had any scope for proving or disproving anyone.

Chief Consultant
Infodit Global

