Clause A.10.10 revolves around monitoring with the objective of detecting unauthorized information processing activities. Though there can be many ways to do the same, automation is the most preferred way to do so owing to the size and amount of logged data. It becomes humanly insane task to review logs manually.
But when I look at the various sub clauses of the Standard, I tend to infer the following points –
- It is not mandatory to have an SIEM or any automated solution for real time log collection and Analysis. Clause A.10.10.1 states – “Audit Logs recording User Activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.” That means logging is important whether or not you do it real time is not compulsory. A review is indeed required.
- Added to the above is Clause A.10.10.2 stating – “Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly”. Going by this the standard is not asserting on Automated or manual process, the organization may choose to do it manually or automate it depending on the business requirements. If in your procedures you mention out that the activity would be done on a manual basis, it would be fine as long as you can evidence that the logs are being reviewed and monitoring is being conducted with regular reports rolling.
- Nothing in ISO 27001 is mandatory. Not even the clause A.10.10, You may choose or not choose a control to adopt it and develop the “Statement of Applicability” limiting the Scope and extent of adopting ISO 27001 standard. The scope may be limited to geographic locations, systems, facilities, departments, personnel involved, operations etc. However, due caution needs to be taken while developing the Statement of Applicability to provide a valid business driven reason to exclude any of the controls and related scope. Be cautious that Auditors may call out the inter-dependencies of the systems and or operations citing the touch points and may therefore press that their is a non-conformity.
Overall, specifically with regards to the clause A.10.10, I see no problem with the manual approach as long as it is duly documented and followed. Auditors generally would tend to call out a “Need For Improvement” in their observations and there would be time given till re-certification Audit. It hence would be appropriate to define a plan and lay-out a way forward to achieve automation over a period of time. Auditors would be fine if they see that their is an intent to achieve and they would then Audit accordingly.
As I conclude, please note that ISO 27001 doesn’t tell you How to do it. The standards lays out What is to be done and that too from the Best Practice standpoint.
Comments
Nice posting ,Good info on ISO 27001 standards