Solved

Scanning documents and ISO-27001

Posted on 2014-10-31
Last Modified: 2014-12-03
We are planning to submit a project to our managers about scanning all our office papers and dealing with PDFs instead of physical-format documents.

To do that, we are looking for some support, if there is any, for claiming that scanning documents is a good practice that is aligned with ISO/IEC 27001 policies.

We know that the main purpose of an ISMS, based on ISO/IEC 27001 requirements, is to reduce the risk of losing information or of unauthorized access to it.

However, do you think that we could align the activity of scanning documents with ISO/IEC 27001 recommendations? We were thinking that getting PDF files reduces the risk of losing physical-format documents, because file backup procedures are more secure than protecting papers.
Question by:miyahira

Accepted Solution

by: btan (earned 500 total points)
ID: 40416894
In fact, a digital copy makes it even easier to lose ... unless it is safeguarded with appropriate controls and measures. Digital is good for long-term archival as compared to physical, for audit trail and future investigation, though; also consider capacity planning (to avoid an unnecessary data flood or a denial of service/outage due to storage and resource exhaustion), and access rights management with an identity tagged to each digital copy seamlessly, for enterprise policy enforcement and tracking, etc.

Maybe we can see it from the other view instead ... the best principle to align with in security is data confidentiality, integrity and availability. So, taking more from 27002 (practices instead), you are looking at handling the threat of data leakage and tampering. Note that the 27001 key controls are "parked" under "Annex A Reference control objectives and controls", which is also aligned with 27002. Hence, below are some to consider for use-case relevance.
 
27001
a) The results of the risk assessments and the decisions regarding risk treatment, as part of the threat stated, may include the reason for scanning; but, as stated, the "new" scheme needs to fulfil the principle too, so that it is not opening another can of worms...

27002
a) Human resource security (Termination and change of employment, such as returning corporate information and equipment in their possession, updating their access rights)
b) Asset management (Responsibility for assets, Information classification and Media handling)
c) Access control (Business requirements of access control, User access management and System and application access control)
d) Cryptography (Cryptographic controls on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management)
e) Operations management (Operational procedures and responsibilities, Logging and monitoring, Information systems audit considerations)

The scanned version should still be able to achieve the "mouthful" of control measures above... some technology such as digital rights management is also good to explore.
e.g. Adobe DRM: https://www.adobe.com/manufacturing/resources/drm/
e.g. LockLizard DRM: http://www.locklizard.com/pdf_security_drm.htm
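One way to implement the message-authentication-code part of control (d) in the answer above, as an added example that is not part of the original thread and not code from any product it links to: a keyed HMAC-SHA256 manifest over a scanned-document archive. It assumes the key is supplied from outside (a vault or KMS) and never stored beside the manifest, and the "PDF" bytes are constructed stand-ins for real scans. It shows what a plain hash alone does not: a scan that is altered, swapped under another name, deleted, or quietly dropped from the manifest is each reported distinctly, which is the audit-trail property the answer argues digital copies can have only when such controls are in place.

```python
"""Keyed integrity manifest for a scanned-document archive (added example).

Demonstrates an HMAC-SHA256 manifest so an auditor can detect a modified,
renamed, missing, or silently delisted scan. Key handling is assumed to live
outside this script; the sample documents below are constructed data.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample "scans" (stand-ins for real scanned PDF files).
SAMPLE_SCANS = {
    "invoice-2014-0001.pdf": b"%PDF-1.4\n% scanned invoice, page 1\n%%EOF\n",
    "contract-2014-0007.pdf": b"%PDF-1.4\n% scanned contract, 3 pages\n%%EOF\n",
}


def sha256_hex(data: bytes) -> str:
    """Plain content hash: detects accidental corruption, but not a deliberate
    swap by someone who can also rewrite the manifest."""
    return hashlib.sha256(data).hexdigest()


def document_tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC over name and content. Binding the name stops a valid scan from
    being renamed to stand in for a different document."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")                      # separator between name and content
    mac.update(len(data).to_bytes(8, "big"))  # length prefix, unambiguous framing
    mac.update(data)
    return mac.hexdigest()


def _seal(key: bytes, entries: dict) -> str:
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, scans: dict) -> dict:
    """List every scan with its hash and tag, then seal the whole manifest so
    entries cannot be dropped without detection."""
    entries = {
        name: {"sha256": sha256_hex(data), "tag": document_tag(key, name, data)}
        for name, data in sorted(scans.items())
    }
    return {"entries": entries, "seal": _seal(key, entries)}


def verify_archive(key: bytes, manifest: dict, scans: dict) -> dict:
    """Check the seal first, then each listed document.

    Returns name -> 'ok' | 'tampered' | 'missing' | 'unlisted', plus
    '__manifest__' -> 'sealed' | 'unsealed'. If the seal fails, the entries
    cannot be trusted and nothing else is reported.
    """
    results = {}
    if not hmac.compare_digest(_seal(key, manifest["entries"]), manifest["seal"]):
        results["__manifest__"] = "unsealed"
        return results
    results["__manifest__"] = "sealed"
    for name, entry in manifest["entries"].items():
        data = scans.get(name)
        if data is None:
            results[name] = "missing"
        elif hmac.compare_digest(document_tag(key, name, data), entry["tag"]):
            results[name] = "ok"
        else:
            results[name] = "tampered"
    for name in scans:
        if name not in manifest["entries"]:
            results[name] = "unlisted"   # file present but never registered
    return results


def demo() -> dict:
    """Happy path plus three failure modes; returns all four result dicts."""
    key = secrets.token_bytes(32)        # production: fetched from a KMS/vault
    manifest = build_manifest(key, SAMPLE_SCANS)

    clean = verify_archive(key, manifest, SAMPLE_SCANS)

    tampered = dict(SAMPLE_SCANS)        # one page edited after scanning
    tampered["invoice-2014-0001.pdf"] = tampered["invoice-2014-0001.pdf"].replace(
        b"page 1", b"page 2")
    altered = verify_archive(key, manifest, tampered)

    missing = dict(SAMPLE_SCANS)         # a scan deleted from storage
    del missing["contract-2014-0007.pdf"]
    lost = verify_archive(key, manifest, missing)

    forged = json.loads(json.dumps(manifest))   # attacker also edits the manifest
    del forged["entries"]["contract-2014-0007.pdf"]
    hidden = verify_archive(key, forged, missing)

    return {"clean": clean, "altered": altered, "lost": lost, "hidden": hidden}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, json.dumps(result, sort_keys=True))
```

The seal over the sorted entry list is what turns a list of per-file tags into an inventory: without it, removing a manifest entry together with its file would pass verification. Wrong or rotated keys also show up as "unsealed", so key management (who holds the key, how it is rotated, how old manifests are re-sealed) has to be designed alongside this, exactly as item (d) names it.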