
  • Various questions related to the implementation of ISO 22301

    Generally with BCM you deal with critical activities and processes, and this is correct with respect to the ISO 22301 standard, although you can also deal with assets (in the same way as in ISO 27001), which will give you more detailed information about where the vulnerabilities are. This article may interest you “Can ISO 27001 risk assessment be used for ISO 22301?” : https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

    And also our knowledge base on risk management : https://advisera.com/27001academy/knowledgebase-category/risk-management/
  • Some types of assets


    Answer:
    Yes, you are right, one type of asset is information, but there are others: people, services, hardware, software, etc. So, for the identification of assets, it is important to establish a classification for all the different types of assets. This article can help you with this classification “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    And keep in mind that classification can also mean the classification of information, so you can also establish a classification for the information of your organization, because for example you can have confidential information, access to which is completely different from public information (other types of information can be restricted, and internal use). For more information about this, please read this article “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    And our online course can also be interesting for you, because we give more detailed information about the asset inventory “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Opportunities in the methodology of risk assessment?


    Kindly tell me one easy way to do it to fulfill the requirement of the standard. Like, can I describe in the manual that opportunities are identified in the objectives and KPIs are set to achieve those objectives; opportunities?

    Answer:
    No, it is not necessary to put something related to opportunities in the risk assessment methodology, because risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives, but is not related to risk management, can be considered to be addressing the opportunities. An example related to an opportunity can be: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but this firewall can also produce increased risks due to the low quality of the device.

    One easy way to fulfill this requirement of the standard, related to opportunities, is that you can document such actions in your Management review minutes, in corrective actions, or in any other records or documents that you use in your company (for example actions agreed through email), but from my point of view the risk assessment methodology is not the best way.

    And keep in mind that you should document your general information security objectives in the information security policy, and control-specific information security objectives in the SOA (Statement of Applicability).

    For more information about the objectives, please read this article “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    And our online course can also be interesting for you because we give detailed information about addressing risks and opportunities “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Controls for a cloud provider


    Answer:
    I am sorry, but I am not sure if I have understood your question. Maturity is not a requirement of ISO 27001, and the basic logic is to perform the risk assessment and apply the appropriate controls.

    Anyway, if you have a standard SQL image in a cloud provider's infrastructure, and you can manage, for example, the information and the software, these assets need to be included in your risk assessment, and the security controls involved need to be implemented by your organization.

    For other assets that you cannot manage (for example the IT infrastructure of the cloud provider), if there are risks related to them, you can perform a treatment by establishing during the risk assessment that you transfer the risks related to these assets to the external company, which means that in this case the external company is responsible for the implementation of the security controls, although you can review whether these controls are implemented.

    Anyway, keep in mind that ISO 27001 was not specifically developed for the cloud; for this you can use ISO 27017, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    And this article related to the basic logic of ISO 27001 can also be interesting for you "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And also this article about handling supplier security "6-step process for handling supplier security according to ISO 27001" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • First things in ISO process


    Answer:
    I suppose that your question is related to the implementation process; if so, in the ISO process, for the implementation of an ISO standard, the first thing that you should look at is always obtaining management support. For this, it is very important to show the 4 main benefits of the implementation of an ISO standard: compliance, marketing edge, lowering expenses, and putting your business in order. For more information about this, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Another important thing is to see the implementation as a project, so this article can also be interesting for you “ISO 27001 project – How to make it work” : https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    By the way, in our free download section you can download a "Diagram of ISO 27001:2013 implementation (PDF)", and you can also download a "Project checklist for ISO 27001 implementation (MS Word)" : https://advisera.com/27001academy/free-downloads/

    And this article gives you information about the ISO 27001 implementation checklist, establishing a priority order for all necessary steps “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Finally, our online course can give you detailed information about the implementation process of ISO 27001:2013 in your organization “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Asset identification in risk assessment


    Answer:

    This is a question of your ISMS scope - obviously the hardware on which the software and applications are running will be outside of your ISMS scope, since it is operated by company Y, which is not included in your ISMS scope.

    However, if you control the data and the applications, then they should be included in your scope even though they are hosted on hardware that is outside of the scope.

    So when you perform the risk assessment, you should do the following:
    1) For your data and applications - you treat them as assets, look for threats and vulnerabilities, and then assess impact and likelihood. This article will help you: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    2) For the hardware outside of your scope, you do not treat it as an asset, but as a service provided by a third party - you need to assess the threats and vulnerabilities related to this service. This article will also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Main driving force for ISO 27001


    Answer:
    There are 4 main points, which are, by the way, the 4 main benefits of the implementation of ISO 27001: compliance (with various regulations regarding data protection, privacy and IT governance), marketing edge, lowering expenses and putting your business in order. For more information about these benefits, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    And this free webinar can also be interesting for you “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/

    Finally, if you are interested in the implementation of ISO 27001:2013 in your organization, our online course can also be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Implementing risk management


    Answer:

    Implementing risk management exceeds the requirements of ISO 9001, which only requires risk-based thinking. For implementing risk management it is best to follow ISO 31000, which provides a framework for selecting the methodology, defining the scope and conducting risk management. The process of risk management includes several steps:

    1. Establishing the context
    2. Risk identification
    3. Risk analysis
    4. Risk evaluation
    5. Risk treatment
    6. Monitoring and review

    For more information, see:
    - Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
    - The Role of Risk Assessment in the QMS https://advisera.com/9001academy/blog/2014/01/07/role-risk-assessment-qms/
  • Work breakdown structure for ISO audits


    Answer:
    According to PMBOK 5, a work breakdown structure is “A hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables”.

    So, we do not have a specific structure of this type for the definition of the work to be carried out during an audit, because it is not necessary in ISO audits, but we have this article that can help you develop your own checklist for an audit “How to make an Internal Audit checklist for ISO 27001/ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    By the way, our online course can also be interesting for you because we talk in detail about how to perform an internal audit “ISO 27001:2013 Internal Audit Course” : https://advisera.com/training/iso-27001-internal-auditor-course/

    Finally, you can use the Work Breakdown Structure (WBS) for the implementation of complex security controls, so this article can be interesting for you "ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS)" : https://advisera.com/27001academy/blog/2015/10/19/iso-27001-project-management-implementing-complex-security-controls-using-work-breakdown-structure-wbs/
  • Best practices in accessing business cloud applications


    Answer:
    Some best practices in accessing business cloud applications from mobile devices are:

    - Use a secure channel for the connection (VPN, SSL, etc.)
    - Never store information related to your access credentials on the device (avoid remembering user/password on the device)
    - Lock your device with a code, and also lock each app (above all the app that you use for accessing the business cloud)
    - Never share the device with another person
    - Avoid free public Wi-Fi connections, or if you use one, be sure that your connection is protected by a secure channel (VPN)

    By the way, we have a template related to mobile devices, and although it is not mandatory in the ISO 27001 standard, you can find it here “Mobile Device and Teleworking Policy” : https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/

    We also have the template Bring Your Own Device (BYOD) Policy, and again it is not mandatory in the standard, but you can find it here “Bring Your Own Device (BYOD) Policy” : https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

    Maybe the standard ISO 27017 can be interesting for you, as it is specifically focused on the information security controls for cloud services, so this article can be interesting for you “ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Finally, if you are interested in the security controls of ISO 27001, maybe our online course can also be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/