Solved

Scanning documents and ISO-27001

Posted on 2014-10-31
1
220 Views
Last Modified: 2014-12-03
We are planning to submit a project to our managers about scanning all our office papers and dealing with PDFs instead of physical-format documents.

For doing that, we are looking for some support, if there is any, for claiming that scanning documents is a good practice that is aligned with ISO/IEC 27001 policies.

We know that the main purpose of an ISMS, based on ISO/IEC 27001 requirements, is to reduce the risk of losing information or unauthorized access to it.

However, do you think that we could align the activity of scanning documents with ISO/IEC 27001 recommendations? We were thinking that getting PDF files reduces the risk of losing physical-format documents, because file backup procedures are more secure than protecting papers.
0
Question by:miyahira
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40416894
In fact, a digital copy makes it even easier to be lost ... unless it is safeguarded with appropriate controls and measures. Digital is good for long-term archival as compared to physical for audit trail and future investigation, though; capacity planning (to avoid unnecessary data flood or denial of service/outage due to storage and resource denial), and access right mgmt with identity tagged to each digital copy seamlessly for enterprise policy enforcement and tracking, etc.

Maybe we can see it from the other view instead ... the best principle to align to in security is data confidentiality, integrity and availability. So taking more into 27002 (practices instead), you are looking at handling the threat of data leakage and tamper. Note that 27001 key controls are "parked" under "Annex A Reference control objectives and controls", which is also aligned to 27002. Hence the below can be some to consider for use-case relevance.
 
27001
a) The results of the risk assessments and the decisions regarding risk treatment, as part of the threat stated, may include the reason for scanning, but as stated, the "new" scheme needs to fulfil the principle also so that it is not opening another can of worms...

27002
a) Human resource security (Termination and change of employment, such as returning corporate information and equipment in their possession, updating their access rights)
b) Asset mgmt (Responsibility for assets, Information classification and Media handling)
c) Access control (Business requirements of access control, User access management and System and application access control)
d) Cryptography (Cryptographic controls on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management)
e) Operations management (Operational procedures and responsibilities, Logging and monitoring, Information systems audit considerations)

Having the scanned version still able to achieve the "mouthful" of control measures above... some technology such as digital rights mgmt is also good to explore
e.g. Adobe DRM : https://www.adobe.com/manufacturing/resources/drm/
e.g. Lizard DRM: http://www.locklizard.com/pdf_security_drm.htm
0
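An added example, not code from btan's answer or from the questioner, illustrating control d) above (cryptographic integrity controls for the scanned archive): each scanned PDF gets a SHA-256 digest, and the listing of digests is protected with an HMAC so that neither an altered scan nor a doctored manifest passes verification. The key, the file names and the file contents are constructed for the example; a real deployment would read the scans from storage and hold the key in a key manager.

```python
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real deployment would fetch it
# from a key manager as the 27002 key-management control expects (assumption).
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample "scanned PDFs": file name -> raw bytes. The contents are
# placeholders standing in for real scan output.
SAMPLE_SCANS = {
    "invoice-2014-10-001.pdf": b"%PDF-1.4 constructed invoice scan",
    "contract-acme.pdf": b"%PDF-1.4 constructed contract scan",
}


def build_manifest(files: dict, key: bytes) -> dict:
    """Digest every scanned file with SHA-256 and MAC the whole listing.

    The per-file digest detects modification of a scan; the HMAC over the
    listing detects tampering with the manifest itself (for example swapping
    in the digest of an altered file)."""
    entries = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify_manifest(manifest: dict, files: dict, key: bytes) -> dict:
    """Return a per-file status: 'ok', 'modified', 'missing' or 'unlisted'.

    Raises ValueError if the manifest's own MAC does not verify, because the
    per-file statuses would then be meaningless."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag is not leaked through timing.
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC mismatch: listing was tampered with")
    status = {}
    for name, digest in manifest["entries"].items():
        if name not in files:
            status[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() == digest:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in files:
        if name not in manifest["entries"]:
            status[name] = "unlisted"
    return status


def demo() -> dict:
    """Sign the constructed archive, then show how two tamper cases surface."""
    manifest = build_manifest(SAMPLE_SCANS, DEMO_KEY)
    clean = verify_manifest(manifest, SAMPLE_SCANS, DEMO_KEY)

    # Case 1: a stored scan is altered after the manifest was built.
    altered = dict(SAMPLE_SCANS)
    altered["invoice-2014-10-001.pdf"] += b" (amount changed)"
    after_edit = verify_manifest(manifest, altered, DEMO_KEY)

    # Case 2: the manifest digest is rewritten to match the altered file,
    # but the MAC cannot be recomputed without the key.
    forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    forged["entries"]["invoice-2014-10-001.pdf"] = hashlib.sha256(
        altered["invoice-2014-10-001.pdf"]).hexdigest()
    try:
        verify_manifest(forged, altered, DEMO_KEY)
        forged_detected = False
    except ValueError:
        forged_detected = True

    return {"clean": clean, "after_edit": after_edit,
            "forged_manifest_detected": forged_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An HMAC ties the manifest to a shared secret; where the archive must be verifiable by auditors who should not hold that secret, the same listing would instead be covered by a digital signature, the other mechanism named in control d).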
