ISO 27001 is not an IT standard - only ca 50% of the controls are IT related, which means that non-IT departments can implement many controls as well - e.g. classification of the information, access control, physical security, etc. After you perform the risk assessment for your department, you will know exactly which controls to implement.
I have the standard BS ISO IEC 27002-2005 BS 7799-1-2005, which defines all the risk events and controls for IS. How does this compare with 27001:2013, and which of the new standards also lists the risk events and controls?
Answer:
I am sorry, but ISO 27002 is not about risks; it is only about security controls. You can use these security controls to reduce risks, but the standard that is about information security risks is ISO 27001.
By the way, the latest version of ISO 27001 and ISO 27002 is from 2013 (ISO 27001:2013 and ISO 27002:2013), and they are the most important ISO standards related to risks and controls, although other standards related to information security risks are ISO 27005 (best practices for the development of information security risk management) and ISO 31000 (the same as ISO 27005, but for any type of risk), although they are not new. And other new standards related to security controls are ISO 27017 (information security controls for cloud services) and ISO 27018 (protection of privacy in the cloud).
We're implementing an ISMS for a cloud provider. Our client provides Housing services (clients bring their own device to the data center), Hosting services (web hosting, etc.), and Cloud services (SaaS, IaaS). Virtual machines are managed by the client: they can install whatever they want on the machine, even the OS. The problem is, while identifying the assets, how do we deal with virtual machine management? Is the VM owned by the cloud provider or the client?
Answer:
First of all, you need to define clearly the scope of the ISMS, because if the scope is limited to the Housing services, maybe there are no assets related to virtual machines. However, if the scope includes the Hosting services and/or Cloud services, from my point of view the virtual machines managed by the client need to be identified as assets in the risk assessment, because there are risks related to them that can affect the business of the cloud provider (if the hosting service is provided through virtual machines, and they are stopped, the service cannot be provided).
Anyway, if the virtual machines are not managed by the cloud provider, I recommend that you exclude them from the scope of the ISMS.
My question is about opportunity in clause 6 of ISO 27k; it does not seem clear to me how to develop it.
Second, do we need to develop processes for our ISMS?
Answer:
I am sorry, but I am not sure if I have understood your questions. Regarding clause 6, I suppose that you mean “6.1 Actions to address risks and opportunities”; if so, risks and opportunities are related to the objectives, and any action that you take that is related to the achievement of the security objectives, but is not related to the risk management, can be considered to be addressing the opportunities (an example related to an opportunity: your organization buys a cheap firewall, which gives your organization the opportunity to reduce risks, but it can produce increased risks due to the low quality of the device). You can document such actions in your Management review minutes, corrective actions, or any other records or documents that you use in your company.
Regarding the process for your ISMS, again I am not sure what you mean, but really a process is a set of interrelated or interacting activities which transform inputs into outputs, so in accordance with this you can define the processes that you want to implement in the ISMS (some examples: information security risk assessment process, risk treatment process, audit process, etc.).
quite easily formalise additional roles if needed. One single person might have more than one role.
Answer:
For such a small company you basically need only one additional role - a person who will coordinate the implementation of ISO 27001 (i.e. project manager), and this person can be at the same time the security manager (i.e. CISO). Of course, these roles can be performed by some of your existing employees, probably someone from the top management (it will take him/her perhaps 20% of the time).
All the other security roles will be included in the responsibilities of existing employees/managers - e.g. for passwords or for the backup, the responsible person will be the person in charge of IT. You should formalize those responsibilities throughout various ISMS policies and procedures.
I am a computer security student and I want to implement an ISMS for computer security in a company, so I want to get trained in this standard and in whatever is needed to secure the information. I look forward to your comments; if it is possible to talk with the advisor, that would be much better, I do not speak English.
Answer:
First of all, it should be clarified that information security is not the same as computer security; it is very important to be clear about this distinction: information security is basically related to the protection of information (it is a generic term, and it includes, among other things, computer security), and computer security is basically related to IT (servers, hacking, etc.). Therefore, an ISMS is related to information security.
And if you are new to information security, our resources will help you learn more about ISO 27001, so please visit these links:
Finally, a reminder that we have a documentation package that contains everything needed to implement ISO 27001, which you can find in Spanish here (you can download a free version by clicking the "DESCARGAR DEMOSTRACIÓN GRATIS" button):
I need to get some good guidance on internal auditing for ISO 27001 as I am tasked with internal auditing as we have almost completed our development of ISMS.
If you have any tips/training videos etc for internal auditing of SOA/controls that would be very timely for me.
Although you can also use our template for the checklist (you can see a free version by clicking on the “Free Demo” tab), which has questions related to all clauses and controls of ISO 27001 that you can use during the internal audit: “Internal Audit Checklist”: https://advisera.com/27001academy/documentation/internal-audit-checklist/
Aspect and Impact Analysis in the new version (2015)
Answer:
The new version of ISO 14001 did not bring many changes regarding the identification and evaluation of environmental aspects and impacts. However, there is now an emphasis on taking into account the changes in processes, activities and products or services when conducting the evaluation, as well as abnormal conditions and reasonably foreseeable emergency situations.
So if you took into account these two topics, you can keep your old evaluation as still valid. You only need to adapt your procedure to align it with the new version of the standard.
How similar are 22301 and SOC II? We are already doing SOC II. Will we be able to leverage some of the work we've done for SOC II for 22301?
Answer:
SOC II has some points where it speaks about availability (references CC3.3 and A1.1 in SOC 2), system recovery, recovery plans (references A1.1, A1.2, A1.3 in SOC 2), etc., which are directly related to ISO 22301 (mainly with section 8), although ISO 27001 has more points in common with SOC II. So, if you have implemented SOC II, the implementation of ISO 27001 will be easier than ISO 22301 (although ISO 22301 will also be easy).
By the way, as you know, you can implement ISO 27001 and ISO 22301 together, and the integration with SOC II would also be very easy.
ISO 27001 and HITRUST
How does it relate to HITRUST? I am getting ready to start an accreditation.
Answer:
Sincerely, I am not an expert in HITRUST, but it is related to information security in health information systems environments, and ISO 27001 is an international standard (it also has similarities with HIPAA) related to information security, so it probably can help you to implement the Common Security Framework (CSF) of HITRUST, because there are common areas.