Solved

Scanning documents and ISO-27001

Posted on 2014-10-31
1
223 Views
Last Modified: 2014-12-03
We are planning to submit a project to our managers about scanning all our office papers and deal with PDF instead of physical-format documents.

For doing that, we are loooking for some support, if there is any, for claiming that scanning documents is a good practice that is aligned to ISO/IEC-27001 policies.

We know that the main purpose of an ISMS, based on ISO/IEC 27001 requirements, is to reduce the risk of loosing information or inauthorized access to it.

However, do you think that we could align the activity of scanning documents with ISO/IEC 27001 recommendations? We were thinking that getting PDF files reduce the risk of loosing physical-format documents, because file backup procedures are more secure than  protecting papers.
0
Comment
Question by:miyahira
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40416894
in fact, digital copy make it even more easier to be lost ...unless it is safeguarded with appropriate controls and measures.. digital is good for long term archival as compared to physical for audit trail and future investigation though, capacity planning ( to avoid unnecessary data flood or denial of service/outage due to storage and resource denial), and access right mgmt with identity tagged to each digital copy seamlessly for enterprise policy enforcement and tracking etc

Maybe, we can see from the other view instead ... to align best principle in security is data confidentiality, integrity and availability. So taking more into 27002 (practices instead) , you are looking at handling threat of data leakage and tamper. Note that 27001 key controls are "parked" under "Annex A  Reference control objectives and controls", which also aligned to 27002. Hence below can be some to consider for use case relevance.
 
27001
a) The results of the risk assessments and the decisions regarding risk treatment as part of the threat stated may be included the reason for scanned but as stated, the "new" scheme need to fulfil the principle also so that it is not opening another can of worms...

27002
a) Human resource security (Termination and change of employment, such as returning corporate information and equipment in their possession, updating their access rights)
b) Asset mgmt (Responsibility for assets, Information classification and Media handling)
c) Access control (Business requirements of access control, User access management and System and application access control)
d) Cryptography (Cryptographic controls on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management)
e) Operations management (Operational procedures and responsibilities, Logging and monitoring, Information systems audit considerations

Having the scanned version still able to achieve the "mouthful" above control measures...some technology such as digital right mgmt is also good to explore
e.g. Adobe DRM : https://www.adobe.com/manufacturing/resources/drm/
e.g. Lizard DRM: http://www.locklizard.com/pdf_security_drm.htm
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question