Search results


  • Process in ISO 27001?

    My question is about opportunity in clause 6 of ISO 27k; it is not clear to me how to develop it.
    Second, do we need to develop processes for our ISMS?

    Answer:
    I am sorry but I am not sure if I have understood your questions. Regarding clause 6, I suppose that you mean “6.1 Actions to address risks and opportunities”; if so, risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives, but is not related to the risk management, can be considered to be addressing the opportunities (an example related to an opportunity: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but it can produce increased risks due to the low quality of the device). You can document such actions in your Management review minutes, corrective actions, or any other records or documents that you use in your company.

    Regarding the process for your ISMS, again I am not sure what you mean, but really a process is a set of interrelated or interacting activities which transforms inputs into outputs, so in accordance with this you can define the processes that you want to implement in the ISMS (some examples: information security risk assessment process, risk treatment process, audit process, etc.).

    You can also see the implementation of the ISMS as a global process, so this free webinar can be also interesting for you “ISO 27001: An overview of the ISMS implementation process” : https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/

    And this article about objectives can be interesting for you “ISO 27001 control objectives – Why are they important?” : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Roles for ISO 27k, how many layers are needed?

    quite easily formalise additional roles if needed. One single person might have more than one role.

    Answer:

    For such a small company you basically need only one additional role - a person who will coordinate the implementation of ISO 27001 (i.e. project manager), and this person can be at the same time the security manager (i.e. CISO). Of course, these roles can be performed by some of your existing employees, probably someone from the top management (it will take him/her perhaps 20% of the time).

    All the other security roles will be included in the responsibilities of existing employees/managers - e.g. for passwords or for the backup, the responsible person will be the person in charge of the IT. You should formalize those responsibilities throughout various ISMS policies and procedures.

    These articles will also help you:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - ISO 27001 Implementation Checklist: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Finally, you might be interested in this free online course: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Implementing Information Security

    I am a computer security student and I want to implement an ISMS for computer security in a company, so I want to train in this standard and in whatever is related to securing information. I await your comments; if it is possible to speak with the advisor, much better, as I do not speak English.

    Answer:
    First of all, to clarify that information security is not the same as computer security; it is very important to be clear about this distinction: information security is basically related to the protection of information (it is a generic term, and includes, among other things, computer security), and computer security is basically related to IT (servers, hacking, etc.). Therefore, an ISMS is related to information security.

    Regarding the implementation of ISO 27001, this article may be interesting for you, “Checklist for ISO 27001 implementation” : https://advisera.com/27001academy/es/blog/2010/09/28/lista-de-apoyo-para-implementacion-de-iso-27001/

    And if you are new to information security, our resources will help you learn more about ISO 27001, so please visit these links:

    “What is ISO 27001?” : https://advisera.com/27001academy/es/que-es-iso-27001/

    “Webinars on ISO 27001 and ISO 22301” : https://advisera.com/27001academy/es/webinars/

    Finally, a reminder that we have a documentation package that contains everything needed to implement ISO 27001, which you can find in Spanish here (you can download a free version by clicking on the "DESCARGAR DEMOSTRACIÓN GRATIS" button):

    "ISO 27001 Documentation Toolkit" : https://advisera.com/27001academy/es/paquete-de-documentos-sobre-iso-27001/
  • Resources about Internal Auditor

    I need to get some good guidance on internal auditing for ISO 27001 as I am tasked with internal auditing as we have almost completed our development of ISMS.

    If you have any tips/training videos etc for internal auditing of SOA/controls that would be very timely for me.

    Answer:
    Yes, sure, we have resources to help you with the internal audit. One of the resources that you can use is a checklist, so this article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Although you can also use our template for the checklist (you can see a free version clicking on “Free Demo” tab), which has questions related to all clauses and controls of ISO 27001 that you can use during the internal audit “Internal Audit Checklist” : https://advisera.com/27001academy/documentation/internal-audit-checklist/

    And of course, you can also use our Internal Audit Toolkit (you can also see a free version) “ISO 27001/ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    And remember that we can also have an online course about the internal audit “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/

    Finally, maybe this article about how to become internal auditor can be interesting for you “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Aspect and Impact Analysis in the new version (2015)


    Answer:

    The new version of ISO 14001 did not bring many changes regarding the identification and evaluation of environmental aspects and impacts. However, there is now an emphasis on taking into account the changes in processes, activities and products or services when conducting the evaluation, as well as abnormal conditions and reasonably foreseeable emergency situations.

    So if you took into account these two topics, you can keep your old evaluation as still valid. You only need to adapt your procedure to align it with the new version of the standard.

    For more information, see this free webinar:
    - ISO 14001: Identification and evaluation of environmental aspects https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar/
  • SOC II and ISO 22301

    How similar are 22301 and SOC II? We are already doing SOC II. Will we be able to leverage some of the work we've done for SOC II for 22301?

    Answer:
    SOC II has some points where it speaks about availability (references CC3.3 and A1.1 in SOC 2), system recovery, recovery plans (references A1.1, A1.2, A1.3 in SOC 2), etc., which are directly related to ISO 22301 (mainly to section 8), although ISO 27001 has more points in common with SOC II. So, if you have implemented SOC II, the implementation of ISO 27001 will be easier than ISO 22301 (although ISO 22301 will also be easy).

    This information, from the official site of the American Institute of CPAs, about SOC II and ISO 27001 can be interesting for you (please see the Excel “Trust Services Map to ISO 27001” at the end of the page) : https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html

    By the way, as you know, you can implement ISO 27001 and ISO 22301 together, and the integration with SOC II would be also very easy.
  • ISO 27001 and HITRUST

    How does it relate to HITRUST? I am getting ready to start an accreditation

    Answer:
    Sincerely, I am not an expert in HITRUST, but it is related to information security in health information systems environments, and ISO 27001 is an international standard (it also has similarities with HIPAA) related to information security, so it can probably help you to implement the Common Security Framework (CSF) of HITRUST, because there are common areas.

    If you are interested in the help of ISO 27001, maybe our templates can be interesting for you, so you can download a free version here clicking on “DOWNLOAD FREE TOOLKIT DEMO” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    By the way, ISO 27799, which is similar to ISO 27001, is an international standard that also focuses on information security for health organizations.
  • My organization can be certified by ISO 27001?

    Kindly advise me if our organisation can be certified by ISO/IEC 27001 or not, and if not, do advise me which certification is better for our organisation. Below are our company details

    Answer:
    Yes, of course. ISO 27001 is developed for any type of business, including the sector of Network & Security, Software & Website development, so you can certify your organization. Obviously, if you want to certify ISO 27001, first you need to implement it, so maybe this free webinar can be interesting for you “ISO 27001: An overview of the ISMS implementation process” : https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/

    Keep in mind that many of our clients are IT companies.

    By the way, this article can be also interesting for you "ISO 27001 implementation checklist" : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Protect information through email

    I am working on an ISO 27001. The company is using email for many purposes. They are using it to exchange some confidential records / documents internally and also with external parties. Just wanna know what type of control should be put on e-mail. Encryption for Outlook is not very easy.
    Could you please advise?

    Answer:
    In ISO 27001 you can implement the solution that you want to protect the confidential information, and there are many options. In your specific case, if the information transferred is files, you can encrypt these files with utility software (for example AES Crypt, which is free), and you can send the encrypted file through email. Maybe this option can be easier for you than configuring Outlook to encrypt the emails, although that is also a good and very common option.

    If the information transferred is only text, maybe you can include the text in a Microsoft Word document, encrypt the file and send it in the same way that I said before.

    By the way, the control in Annex A of ISO 27001 related to emails is 13.2.3 Electronic messaging, although here it is not mandatory to encrypt the information, but it is very recommendable, because you need to ensure the protection of the information from unauthorized access.

    Here it is also important to take care with the management of external parties, so this article can be interesting for you “6-step process for handling supplier security according to ISO 27001” : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    Finally, maybe our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Procedure for the information security incidents

    How to prepare a procedure to identify and quantify the information security incidents based on their type, volume and costs?

    Control No.13.2.2- Learning from information security incidents.

    Answer:
    For the preparation of this procedure you can include information about the notification of the incident, classification of the incident, treatment of the incident, closure of the incident, and knowledge base (these are also the main steps for the management of incidents). This article related to the steps of the management of information security incidents, responsibilities, and classifications (based on the impact and the urgency of the incident; by the way, the impact can be related to costs) can also be interesting for you “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    By the way, the control 13.2.2 is related to the previous version of ISO 27001 (published in 2005), which is obsolete. The current version of the standard is ISO 27001:2013 and the control related to “Learning from information security incidents” is A.16.1.6. This article can be interesting for you “How to make a transition from ISO 27001 2005 revision to 2013 revision” : https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Regarding the procedure, you can use our template for the management of information security incidents according to ISO 27001:2013 A.16.1.6; you can see a free version by clicking on the “Free Demo” tab here “Incident Management Procedure” : https://advisera.com/27001academy/documentation/Incident-Management-Procedure/

    Finally, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/