1.1.6 Requirement to review firewall and router rule sets at least every six months
1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.
1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
Iso 27001 vs PCI-DSS
Hi there,
If you stumble across a policy (based on ISO 27001) saying that firewall rules should be reviewed regularly, although it doesn’t specifically mandate a 6 month period interval, would you consider it a non-compliance?
The requirement is a policy that the rules are reviewed at least every 6 months. A policy that does not state that is non-compliant. It goes on to say that the actual review must also occur at least every 6 months and you must cite evidence that the review actually took place.
Hi Roger, thanks for that. Does it necessarily have to be a policy? What if operators have a procedure mandating the 6 months review?
Thanks for the insight.
Earth, Air, Fire.
To qualify as a policy it must have management approval and oversight. If the procedure has visibility up into management, who ensures that it is both correct and accomplished, then it qualifies.