Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Scanning documents and ISO-27001

Posted on 2014-10-31
1
Medium Priority
?
232 Views
Last Modified: 2014-12-03
We are planning to submit a project to our managers about scanning all our office papers and deal with PDF instead of physical-format documents.

For doing that, we are loooking for some support, if there is any, for claiming that scanning documents is a good practice that is aligned to ISO/IEC-27001 policies.

We know that the main purpose of an ISMS, based on ISO/IEC 27001 requirements, is to reduce the risk of loosing information or inauthorized access to it.

However, do you think that we could align the activity of scanning documents with ISO/IEC 27001 recommendations? We were thinking that getting PDF files reduce the risk of loosing physical-format documents, because file backup procedures are more secure than  protecting papers.
0
Comment
Question by:miyahira
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40416894
in fact, digital copy make it even more easier to be lost ...unless it is safeguarded with appropriate controls and measures.. digital is good for long term archival as compared to physical for audit trail and future investigation though, capacity planning ( to avoid unnecessary data flood or denial of service/outage due to storage and resource denial), and access right mgmt with identity tagged to each digital copy seamlessly for enterprise policy enforcement and tracking etc

Maybe, we can see from the other view instead ... to align best principle in security is data confidentiality, integrity and availability. So taking more into 27002 (practices instead) , you are looking at handling threat of data leakage and tamper. Note that 27001 key controls are "parked" under "Annex A  Reference control objectives and controls", which also aligned to 27002. Hence below can be some to consider for use case relevance.
 
27001
a) The results of the risk assessments and the decisions regarding risk treatment as part of the threat stated may be included the reason for scanned but as stated, the "new" scheme need to fulfil the principle also so that it is not opening another can of worms...

27002
a) Human resource security (Termination and change of employment, such as returning corporate information and equipment in their possession, updating their access rights)
b) Asset mgmt (Responsibility for assets, Information classification and Media handling)
c) Access control (Business requirements of access control, User access management and System and application access control)
d) Cryptography (Cryptographic controls on the use of encryption, plus cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and cryptographic key management)
e) Operations management (Operational procedures and responsibilities, Logging and monitoring, Information systems audit considerations

Having the scanned version still able to achieve the "mouthful" above control measures...some technology such as digital right mgmt is also good to explore
e.g. Adobe DRM : https://www.adobe.com/manufacturing/resources/drm/
e.g. Lizard DRM: http://www.locklizard.com/pdf_security_drm.htm
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question