Answer:
From my point of view it is not necessary; I mean, you do not need to have 2 different SOAs, but in your unique SOA you can add specific information about each site when a control is implemented in a different way in the two sites (although I think that generally the implementation of controls will be equal or similar in both sites). So, you can add a column in your SOA document.
Answer:
From my point of view, the term “risk based risk assessment” is not correct, because you cannot base the risk assessment on a risk to calculate it (it makes no sense). On the other hand, the asset based risk assessment means that you use assets of your organization to determine and calculate risks.
Importantly, ISO 27001:2013 does not require an asset based risk assessment, or any other specific method, so you can perform the risk assessment, for example, with a process based approach, although our recommendation is the asset based methodology.
Deadline in the List of legal, regulatory, contractual and other requirements
Answer:
In the column "Deadline" of the "List of legal, regulatory, contractual and other requirements" you should fill in a deadline by which the compliance job needs to be finished - e.g. if you have a contractual obligation, you should set a date by which all the information security obligations must be fulfilled - for example, a client of yours might ask you to implement a special type of authentication when working with them.
Server hardening and ISO 27001
Answer:
ISO 27001 does not require 100% conformity with environment hardening, although you can perform the environment hardening as a best practice. On the other hand, the implementation of ISO 27001 is based on processes and procedures, which can include a process to ensure server environment hardening, although this process is not mandatory in ISO 27001 (I mean, it is not mandatory to have a specific process to ensure the server environment hardening, although it can be a best practice). So, during the review of the implementation of ISO 27001, all processes and procedures will be reviewed, including the process to ensure server environment hardening, obviously if you have implemented it.
We didn't include the Communication Plan in the ISO 27001 toolkit because it is not a mandatory document, and more importantly we think this document would not be very convenient for smaller or mid-sized companies. The problem is that such a central document would be very difficult to maintain, because every change in some policy or procedure would require this plan to change as well.
A much better approach would be to use the elements from the article my colleague has referred to, and place them in particular documents - e.g. in the policy itself define who is in charge of communication, what has to be communicated and to whom.
Who is accountable and responsible for applications and for the operating system
Answer:
ISO 27001 doesn't distinguish between persons accountable and persons responsible for assets - the only thing that is required by the standard is to define the asset owners, who are responsible for those assets (control A.8.1.2).
In your case, there are different options possible:
a) That the same person or organizational unit is the owner of the server and of all applications
b) That one person or organizational unit is the owner of the server, and another person/unit is the owner of all applications
c) That one person/unit is responsible for the server, and that each application has a different owner
For each change process, it is crucial that one person approves the change (e.g. Head of IT department), and that the other person executes the change (e.g. the IT administrator). This is one of the reasons why it is much better to have persons as asset owners, not organizational units.
International laws on hazardous substances
Answer:
International laws on hazardous substances are conventions signed by countries that regulate the handling of hazardous substances; some of them are binding for all UN nations and some are binding only for the countries that signed the convention. For example, there is the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal, the Rotterdam Convention on the Prior Informed Consent Procedure for Certain Hazardous Chemicals and Pesticides in International Trade, and many more.
If some international convention is signed by your country, it is probably incorporated in your state legislation. The best way to identify them and address them is to contact your local authority and see what legislation is covering your field of industry, and that is practically all you need to follow.
Implementing ISMS for systems with different cyber security risks
Answer:
I'm not sure if I understood your question correctly, but if you are asking how to cover the cyber security risks with ISO 27001 implementation for two different systems within the company, the answer is the following: one of the first steps in ISO 27001 implementation is to perform the risk assessment. Once you know which risks you have in those two systems, then you'll choose appropriate security controls that would fit either the first or the second system, or both. You'll have to list all of those controls in the Statement of Applicability, and make sure you define which system each particular control is intended for.
Answer:
Yes, sure, ISO 27001 is sufficient to protect the information security related to any type of business, including an Examination Cell of a University. There are more ISO standards that you can implement in your University (for example ISO 22301 for business continuity, ISO 9001 for quality management, etc.), but the best ISO standard related to information security is ISO 27001.
If you decide to implement it, maybe our toolkit can be useful for you, because it has all the necessary documents, and furthermore you will have our support during the implementation. You can download a free demo here: “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/