ISO 27001 Security of Network Services is about ensuring you have service level agreements in place and that you have implemented the other network security Annex A controls.

► ISO 27001 Security of Network Services Guide: https://hightable.io/iso27001-annex-a...
► Do It Yourself ISO 27001 - ISO 27001 Toolkit: https://hightable.io/product/iso-2700...

Chapters
00:00 ISO 27001 Annex A 8.21 Security of Network Services
00:46 What is ISO 27001 Annex A 8.21 Security of Network Services?
00:56 How to implement ISO 27001 Annex A 8.21 Security of Network Services
03:20 Do you need a network security professional?
03:42 Summary Implementation Steps
04:00 How to pass the audit of ISO 27001 Annex A 8.21 Security of Network Services
04:59 Conclusion

ISO 27001 Annex A 8.21 Security of Network Services

This section of the standard focuses on using service level agreements to manage the security of network services. Instead of looking at the technical details, the goal is to show that you have agreements in place that cover key security points. If you can provide evidence of these agreements, you'll meet the standard's requirements.

You'll also need to set up regular reviews with your service providers, whether they are internal or external. These reviews ensure that network services are working as they should and that your management system is effective.

Key Requirements

The official definition for this requirement is: "Security mechanisms, service levels, and service requirements of network services should be identified, implemented, and monitored."

To meet this, you'll need the help of your network professionals. They can help you understand what services they provide and put together the necessary information. This process is often easier if you have an external, or outsourced, provider, as they usually have this documentation ready.

Here are some of the key areas to address in your service level agreements:

Access to Networks and Services: Your agreements should specify the level of network access provided. This relates to Annex A.5.15 (Access Control) and Annex A.5.18 (Access Rights).
Authentication: The requirements for authenticating users to access services should be clearly defined. This links to Annex A.5.17 (Authentication Information).
Authorization: You must have procedures that determine who can access networks and services. This is also covered under Annex A.5.15 (Access Control).
Technical Controls: Your agreements should cover technical controls for network management, including processes for accessing connections. This ties in with Annex A.8.20 (Network Security).
Access Types: You'll need to define how access is granted, whether through a physical network, wireless network, or a VPN.
Monitoring and Logging: Your service agreements and reviews should include monitoring and logging. While this was also covered in Annex A.8.16 (Monitoring Activities), here you'll focus on recording the time, location, and other key details of users who access the network.
Security Features: The network's security features, such as encryption, firewalls, and intrusion detection, must be identified, implemented, and properly documented. The ISO 27001 standard requires a lot of documentation, so make sure these are included.

Finally, a network security professional should be involved in this process. Even if your services are outsourced, someone in your organization should have a basic understanding of network security to ensure the agreement is effective and to participate in the reviews.

The Audit Process

When an auditor checks for compliance, they will look at a few things. First, they will want to see your documentation. Do you have the service level agreements in place? Can you prove that you've held regular reviews? What were the results, and if there were any issues, how did you fix them?

The auditor will also check the implementation of network security in relation to your service agreements. They will want to see that the controls you've put in place align with the agreements you've created and the reviews you've conducted.

As with all parts of the standard, the auditor will check that you've performed internal audits. This is part of continuous improvement. You should audit everything at least once a year, or more often depending on the level of risk.

In short, this is not a difficult requirement to meet. Simply document what you do, do what you say you do, and you will be in a great position.

#iso27001 #iso27001certification