Guest
We have acquired the ISO27001 Toolkit and started to fill out the documents.
Right from the first document (00_Verfahren_zur_Lenkung_von_Dokumenten_und_Aufzeichnungen_27001_EN) I have a question of understanding in Chapter 4, "Documents of external origin". Neither the standard nor the toolkit makes clear enough to me what kind of documents are meant by "external documents". This is very important to us because we do not want to certify the entire company, but just a business unit. The secretariat/post office is not part of the scope, and an interface with the document control (steering) must be assigned to it. That's why we want to spare ourselves something like an inbox register, or at least limit it to as few documents as possible.
After much internal discussion, we believe that these can only and exclusively be documents that are directly related to the ISMS. So, to delineate it clearly once again: we are talking here about documents, not about records.
The standard says at this point:
"Documented information of external origin, which has been identified by the organization as necessary for the planning and operation of the ISMS must be appropriately identified and managed".
By planning and operating the ISMS we understand, e.g., communication with the certification body (sending the ISMS certificate) and any documents that are sent to us by authorities or lawyers and result in the checking or changing of an ISMS document (legislative changes).
We are uncertain about handling customer and supplier orders. We are building the ISMS with the goal of making information security comprehensible to our customers in a single business area. From this point of view, the contracts with our customers and suppliers are the basis of our actions and the beginning of a relevant business process. But that is why such a contract would have to be regarded as a "record" and not as a "document". That is, we would not regulate this type of correspondence in the document handling document (external documents) but in the respective ISMS document (e.g. change management => recording of customer orders, invoices, or supplier policy => recording of supplier contracts, calculations, etc.).
Our actual question from this e-mail, summarized once again:
What type of documents must be included in the toolkit document "00", chapter "4. Documents of external origin", to comply with the standard?
I have 14 years of experience in the IT industry (Telco and Network Infra) and over 5 years of experience as a Business Analyst. Currently I am working as a Security Business Analyst. I'd like to continue my career in the Infosec space, which I am enjoying the most. From Security Business Analyst, what sort of roles can I aspire to as a step up, and what sort of skills/certifications are required?
I see the following roles from time to time on job portals, and they are of interest to me:
Risk and Compliance Specialist
Security Assurance Advisor/Specialist
Security Consultant, etc.
I have some questions regarding 27001 implementation.
1 - In the datacentre we run there is a service called Remote Hands for customers who have their equipment there under a colocation regime, meaning we have no logical access to their data, but we may do some wiring, etc. I know that other similar companies leave this service out of the scope. I understand this is the correct approach, but can you give me a good justification for this?
2 - In our Spanish office (not the datacentre) we have a person who is a relative of our boss, whose activity has nothing to do with the company, but he acts as a contact person for some administration duties. He shares an internet connection with us, but we set up a separate VLAN so he can't access our networks. Of course, he has physical access to all resources in this office. Should we leave him out of the scope or otherwise include him?
3 - We have an extensive asset inventory that we use to calculate amortization, but the woman in administration refuses to give me a copy so I can include it in the documentation. Management is not supporting me with this because this woman is not easy to deal with and no one wants to fight her. Any solution? Is it mandatory to have the inventory as a separate document in the IS system, or can we refer to it as it is now?
4 - Security records. What happens if we don't have any (as such a format) prior to the certification audit?
5 - Legal requirements doc: should all customers be listed? How often should it be updated then? Can we refer this item to our CRM software?
Do you have any advice for implementing ISO27k into an existing ISO13485 certified QMS?
How is business continuity management represented in the ISO 27001 track, and can these business continuity practices be joined with those from other standards (like BIR 31111 & ISO 22301) in order to come up with the best practices for BCM?