Establishing Current Status of Organizational Security Management (Assessment Process)

The discovery process to obtain these details takes place in two macro-phases: background
discovery and compliance level discovery.
3.4.1 Background Discovery
The background discovery task begins by learning more about the organization,
organizational goals, mission, operations, general background, role of security,
and overall cultural perception of security. Background discovery gathers these
details by way of questionnaire or survey. Many of the questions in background
discovery are not traceable to the ISO standards; however, they still represent
important information to assist in determining the current compliance level (the
next discovery phase) and ultimately generate the documentation necessary for
ISO 27001 certification.


Organization Background Information
Background information includes what the organization is; who the major players
are, including executives, decision makers, authorizers, and deciders with respect
to security; and why security is important to the organization. Additionally, background
discovery discerns where security is important, including physical and
cyber locations. Background discovery details include at least the following:
Organization name with address of each facility and/or site
Organizational charts; management hierarchy
Legal structure; e.g., holding company with separate legal entities versus single legal entities
Name of the CxOs with contact information, including CEO, COO, CFO, CIO, CSO, etc.
Name of security management personnel with contact information, including relationship to CxOs, both formal and informal
Name of IT managers with contact information
Name of security managers with contact information
Name and contact information of emergency contact persons in all locations
Number of employees in each site
History of information security, including any problems and where they
Main activity in each facility and/or site
Emergency telephone numbers for all facilities
Range of hours of operation for each site
Location of areas containing sensitive material
Location of areas containing the most valuable assets
Location of central computer systems and backup systems
Description of connectivity with other departments and partners
Data center locations
Network maps
Entry/exit points to/from the network, e.g., Internet, virtual private networks
Relationship of external connector, e.g., ISP, partner, vendor, customer
Role of technology in operations
Voice communication details
PBX locations, voice services to the organization, role of voice communications in operations