Which approach should organizations use to implement an ISMS based on ISO/IEC 27001?
ISO/IEC 27001:2022 does not prescribe a specific approach for implementing an ISMS, but rather provides a set of requirements and guidelines that can be adapted to the organization's context, scope, and objectives. Therefore, organizations can use any approach that is suitable for their scope, as long as it meets the requirements of the standard and enables the achievement of the intended outcomes of the ISMS. The approach should also consider the needs and expectations of the interested parties, the risks and opportunities related to information security, and the legal and regulatory obligations of the organization.
Which of the following is NOT part of the steps required by ISO/IEC 27001 that an organization must take when a nonconformity is detected?
React to the nonconformity, take action to control and correct it, and deal with its consequences
Evaluate the need for action to eliminate the causes of the nonconformity so that it does not recur or occur elsewhere
Implement any action needed
Review the effectiveness of the corrective action
Make changes to the information security management system (ISMS) if necessary
Scenario 3: Socket Inc is a telecommunications company offering mainly wireless products and services. It uses MongoDB. a document model database that offers high availability, scalability, and flexibility.
Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.
Fortunately. Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.
To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.
Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.
Based on scenario 3, what would help Socket Inc. address similar information security incidents in the future?
In Scenario 3, the measure that would help Socket Inc. address similar information security incidents in the future is 'B. Using cryptographic keys to protect the database from unauthorized access.' Implementing cryptographic controls, including cryptographic key management, is a proactive measure to secure the data in the MongoDB database against unauthorized access. It ensures that even if attackers gain access to the database, they cannot read or misuse the data without the appropriate cryptographic keys. This approach aligns with best practices for securing sensitive data and is part of a comprehensive security strategy.
ISO 27001 - Annex A.10 -- Cryptography
ISO 27001 Annex A.10 - Cryptography | ISMS.online
ISO 27001 cryptographic controls policy | What needs to be included?
Following a repotted event, an Information security event ticket has been completed and its priority has been assigned. Then, the event has been evaluated to determine If it is an information security incident, which phase of the incident management has been completed?