Answer:
Yes, ISO 27001:2013 is consistent with the HLS (High Level Structure). This means that ISO 27001:2013, ISO 9001:2015, ISO 14001:2015, ISO 22301:2012, etc. have the same structure: 0. Introduction, 1. Scope, 2. Terms and definitions, 4. Context of the organization, 5. Leadership, 6. Planning, 7. Support, 8. Operation, 9. Performance evaluation, 10. Improvement.
Are assets taken into account in ISO 27001:2013?
Answer:
In the new ISO 27001:2013 it is not mandatory to work with assets during risk management (this is an important difference with respect to the previous version of the standard), but from our point of view an asset-based methodology is a simple approach, and our recommendation is to keep it. In any case, you can also work without assets, calculating the risks without assets, although this is not our recommendation.
You may also be interested in our online course, because it can also give you information about risk management in the current version of the standard, although for the moment the course is only available in English: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Terms and Definitions
It is not a requirement of the standard, so it is up to the organization to decide whether to have them or not. If you find them useful, then keep them.
Company Profile
Having a documented company profile is not a requirement of the standard. However, it is very common to have a short description of the company and its business in the Quality Manual.
Including employees in the inventory of assets
Answer:
In its control A.8.1.1 ISO 27001 requires you to develop an inventory of assets with all assets - since your employees are an asset, you should list them in the inventory. However, the standard doesn't say you need to have only one inventory, so if you already listed your employees in some human resources database, then you can simply refer to that database as the list of your employees.
I have completed 9 templates and am working on Customer Delivery (we do not do Product delivery).
I have a few questions:
1. How much do you charge to review our templates and provide feedback?
2. Do you do audits? If not, can you recommend someone in Denver or Colorado Springs, CO, or Los Angeles, CA?
3. Are the audits really expensive and rigorous?
Answer:
1. The price of our toolkit includes a review of three of your documents of your choice. So you can send me the documents and I will give you feedback within 48 hours.
2. Unfortunately we do not provide audit services, but if you are thinking about the internal audit, it is best to do it by yourself. We offer free online training for internal auditors; you can find the course at this link:
- ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/ . If you are asking about certification bodies, I can't really recommend anybody because I don't have experience with certification bodies in your region.
3. I assume that you mean the certification audit. Certification audits are not so rigorous; certification bodies have a positive approach when conducting the audit, meaning that they are looking to find conformity to the standard and not nonconformity. But it doesn't mean that they will issue you a certificate if you are not compliant with the standard.
The price of the certification audit varies depending on the number of employees and locations your organization has, so it is best to collect at least several offers from certification bodies. The important thing is to make sure that they are accredited for issuing the certificate for your industry. For more information, see: How should you pick an ISO 9001 certification body? https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Security controls for E-Commerce?
2. What is the basic difference between threat and risk?
Answers:
1.- I am sorry, but in Annex A of ISO 27001:2013 there is no specific control related to security protocols in e-commerce, although you can use the controls “14.1.2 Securing application services on public networks” and “A.14.1.3 Protecting application services transactions”, which are related to the protection of application services and application services transactions, and which you can use for e-commerce.
2.- The basic difference is that the threat can harm a system or your organization, and the risk can give you information about which parts of your organization need to be protected by implementing security controls, reducing the probability that a threat is materialized. About the threats, you can see here a list of the most common ones, “Catalog of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
How can I make my staff aware of the policies to obey without using many resources, because we have over 1000 staff?
Answer:
Regarding your first question, the best way is through the top management; I mean, the top management shall ensure that the security policy is available as documented information and that it is communicated within the organization (and also is available to interested parties). Top management can do the communication through emails, meetings, information published on the intranet, etc.
Regarding your second question, from my point of view an internal online course can be interesting in your case; you can use this online course for the information security awareness of your staff, and you can also use this internal course to show your staff all the policies of the system. The course can be developed and performed by the most important employees, who should also write and/or maintain the policies and procedures. This article can be interesting for you: “How to perform training & awareness for ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
We have a presentation in our free downloads section that you can use to prepare your internal course; you can find it here: “Why ISO 27001 – Awareness presentation” : https://advisera.com/27001academy/free-downloads/
Do we need to check if these back-ups are running properly, or is that something that the service provider needs to do? As per ISO 27001, is it sufficient if we regularly back up our data and do a mock drill once in a while, or do we need to check every month if these back-ups are OK?
Answer:
Yes, you need to check if your backups are running properly; it is one of the points that you need to consider when designing a backup plan (this is the common document that most companies use, basically to define when and how to perform the backups and tests). Tests can help you to avoid backups with errors, which means you can avoid losing information. And if the backup is performed by a service provider, you can request records that show you that the backup was performed correctly.
By the way, the backup policy is not a mandatory document, but it can be a best practice for your company, so maybe our template can help you (you can see a free version by clicking on the “Free demo” tab): “Backup policy” : https://advisera.com/27001academy/documentation/backup-policy/
Regarding your second question, in Annex A of ISO 27001 you have the control A.12.3.1, which establishes in a clear way that backups should be taken and tested regularly in accordance with an agreed backup policy, so you can establish the frequency that you want for the backups (and tests); every month can be good to check your backups. Anyway, this article can help you to determine the frequency: “Backup policy – How to determine backup frequency” : https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Finally, our online course can also be interesting for you, because we give interesting information about the security controls of Annex A of ISO 27001: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
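The answer above says a backup must be tested regularly and that a record of each check is the evidence to keep (or to request from a provider). The following is an added illustration, not code from the Advisera page or its templates: it builds a constructed sample backup, then runs a check that compares the archive hash against the value recorded at backup time and does a test restore of each expected file, returning an evidence record. The file names and contents are constructed for the example.

```python
import hashlib
import io
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample data standing in for the data set covered by the backup policy.
SAMPLE_FILES = {"db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
                "docs/policy.txt": b"Backup policy v1\n"}


def make_backup(files: dict, dest: Path) -> str:
    """Write a tar.gz backup and return its SHA-256, the value recorded when the backup ran."""
    with tarfile.open(dest, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(dest.read_bytes()).hexdigest()


def verify_backup(archive: Path, expected_sha256: str, expected_files: dict) -> dict:
    """Integrity check plus a test restore; the returned dict is the evidence record to keep."""
    record = {"archive": archive.name, "checked_at": datetime.now(timezone.utc).isoformat(),
              "hash_ok": False, "restore_ok": False, "failed_files": []}
    record["hash_ok"] = hashlib.sha256(archive.read_bytes()).hexdigest() == expected_sha256
    if not record["hash_ok"]:
        return record  # a corrupted or substituted archive is not restored at all
    with tarfile.open(archive, "r:gz") as tar:
        for name, data in expected_files.items():
            try:  # test restore: read each member back and compare content, not just its name
                member = tar.extractfile(tar.getmember(name))
                restored = member.read() if member is not None else None
            except KeyError:
                restored = None
            if restored != data:
                record["failed_files"].append(name)
    record["restore_ok"] = not record["failed_files"]
    return record


def demo() -> tuple:
    """Run one passing check and one check against a wrong recorded hash."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp, "backup-2024-01-01.tar.gz")  # constructed file name
        digest = make_backup(SAMPLE_FILES, archive)
        good = verify_backup(archive, digest, SAMPLE_FILES)
        bad = verify_backup(archive, "0" * 64, SAMPLE_FILES)  # mismatched record
        return good, bad
```

A check that fails on either field is a nonconformity against the agreed backup policy and belongs in the same records you would show an auditor.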
Knowledgebase in ISO 20000
Answer:
ISO 20000 does not set direct requirements towards Knowledge Management, i.e. a knowledgebase, like e.g. ITIL does. Since you will have a lot of inputs for your knowledgebase, it's recommended to preserve it. If you use a tool to support your ISO 20000 implementation, much of your data/information will be saved inside the tool.
This article can help you: "ITIL – Implementing Knowledge Management" https://advisera.com/20000academy/blog/2014/12/09/itil-implementing-knowledge-management/