{"id":13493,"date":"2021-11-29T09:45:30","date_gmt":"2021-11-29T06:45:30","guid":{"rendered":"https:\/\/www.arab-academy.com\/?p=13493"},"modified":"2021-11-30T09:33:54","modified_gmt":"2021-11-30T06:33:54","slug":"information-security-reviews-iso-27001-standard-certification","status":"publish","type":"post","link":"https:\/\/www.arab-academy.com\/en\/information-security-reviews-iso-27001-standard-certification\/","title":{"rendered":"Information security reviews as per ISO 27001 standard Clause A.18.2"},"content":{"rendered":"<div class=\"wpb-content-wrapper\">\n<h2 style=\"text-align: justify;\"><strong><u>Information security reviews<\/u><\/strong><\/h2>\n<p style=\"text-align: justify;\">The objective of the information security review is to ensure that information security is implemented and operated in accordance with the organization\u2019s policies and procedures and with ISO 27001.<\/p>\n<p style=\"text-align: justify;\">This article will be useful for people or organizations implementing <a href=\"https:\/\/www.arab-academy.com\/en\/iso-27001-information-security-management-system\/\">ISO 27001<\/a> for certification purposes; it covers the requirements of Clause A.18.2, Information security reviews.<\/p>\n<h2 style=\"text-align: justify;\">Independent review of information security<\/h2>\n<p style=\"text-align: justify;\">The organization\u2019s approach to managing information security (and the need for any change to it) and its implementation (i.e. 
control objectives, controls, policies, processes and procedures for information security) are reviewed independently at planned intervals, or when significant changes occur.<\/p>\n<p style=\"text-align: justify;\">Such an independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization\u2019s approach to managing information security. The review also includes assessing opportunities for improvement.<\/p>\n<p style=\"text-align: justify;\">Periodic independent information security reviews are carried out at an interval of 12 months (1 year). We also undertake such independent reviews when significant changes to the information security implementation occur.<\/p>\n<p style=\"text-align: justify;\">Independent reviews are carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or a third-party organization specializing in such reviews. We also ensure that the individuals carrying out these reviews have appropriate skills and experience.<\/p>\n<p style=\"text-align: justify;\">An organization seeking ISO 27001 (ISMS) certification shall maintain a \u2018Master List of Independent Information Security Reviewers\u2019.<\/p>\n<p style=\"text-align: justify;\">For each independent review, the certified <a href=\"https:\/\/www.arab-academy.com\/en\/consulting\/iso-consulting\/\">ISO<\/a> 27001 organization chooses reviewer(s) from its \u2018Master List of Independent Information Security Reviewers\u2019 and gets the review done.<\/p>\n<p style=\"text-align: justify;\">Reports submitted by the independent reviewers shall be discussed immediately with top management and the concerned department within the organization, and necessary corrective and\/or preventive actions shall be taken.<\/p>\n<p style=\"text-align: justify;\">The outcome of the independent review and the actions taken are also discussed in the subsequent management review.<\/p>\n<h2 
style=\"text-align: justify;\">Compliance with security policies and standards<\/h2>\n<p style=\"text-align: justify;\">Heads of department should be involved in and committed to regularly reviewing the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.<\/p>\n<p style=\"text-align: justify;\">If any non-compliance is found as a result of the review, the head of department would:<\/p>\n<ol style=\"text-align: justify;\">\n<li>Determine the causes of the non-compliance<\/li>\n<li>Evaluate the need for actions to ensure that the non-compliance does not recur<\/li>\n<li>Determine and implement appropriate corrective action, and<\/li>\n<li>Review the corrective action taken.<\/li>\n<\/ol>\n<h2 style=\"text-align: justify;\">Technical compliance review<\/h2>\n<p style=\"text-align: justify;\">Information systems are regularly reviewed for compliance with the organization\u2019s information security policies and standards.<\/p>\n<p style=\"text-align: justify;\">Technical compliance reviews are performed manually by an experienced system engineer (supported by appropriate software tools, if necessary) and\/or with the assistance of automated tools that generate a technical report for subsequent interpretation by a technical specialist.<\/p>\n<p style=\"text-align: justify;\">If penetration tests or vulnerability assessments are used, due caution is exercised, as such activities could lead to a compromise of the security of the system. 
Such tests are planned, documented and repeatable.<\/p>\n<p style=\"text-align: justify;\">Technical compliance reviews are carried out only by competent, authorized persons, or under the supervision of such persons.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Information security reviews The objective of the information security review is to ensure that information security is implemented and operated in accordance with the organization\u2019s policies and procedures and with ISO 27001. This article will be useful for people 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13496,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[301],"tags":[],"class_list":["post-13493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iso-27001-certification"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts\/13493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/comments?post=13493"}],"version-history":[{"count":0,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/posts\/13493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/media\/13496"}],"wp:attachment":[{"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/media?parent=13493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/categories?post=13493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.arab-academy.com\/en\/wp-json\/wp\/v2\/tags?post=13493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}