
  • Responsibilities in the Information security policy

    1. Who is responsible for ensuring that the ISMS is implemented and maintained according to the Information Security Policy, and for ensuring all necessary resources are available?
    2. Who will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when?
    3. Who has to ensure that all employees of the organization, as well as appropriate external parties, are familiar with the Information Security Policy?
    4. Who is the owner of the Information Security Policy?
    5. Who is responsible for setting the method for measuring the achievement of the objectives?
    6. Who will analyze and evaluate the measurement results and report them to top management as input materials for the Management review?

    Answers:

    Generally speaking, ISO 27001 does not prescribe who should be doing what in a particular company, so you should define the responsibilities that best fit your particular situation.

    To answer your questions:

    1) This would typically be the Chief Information Security Officer (CISO), or some other person who is in charge of coordinating information security.

    2) CISO or a person in charge of corporate communications (e.g. public relations officer).

    3) Usually CISO.

    4) Usually CISO.

    5) CISO or some other person in a company who is in charge of controlling.

    6) CISO or some other person in a company who is in charge of controlling. 

    These articles will also help you:

    What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Relationship between CE mark and ISO 27001?


    Whether it is obligatory to be in full compliance with ISO 27001 when we want to CE mark a Class 2a MD which includes collection of data and doctors reading data on a computer.

    Answer:

    I am sorry, but I am not sure what you mean; however, there is no relationship between the CE mark and ISO 27001.
    If your question is related to regulations: unless there is a regulation in your country related to the implementation/certification of ISO 27001 (some countries have regulations for the implementation of ISO 27001 in public entities), compliance with it is not mandatory.

    Here you can see a list of international regulations related to information security and business continuity, which may be interesting for you: “Laws and regulations on information security and business continuity” : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
  • To make the documents helpful and ISO 27001 with other standards


    I like all three of your bullets on the topic “to make the documents helpful”. It’s very interesting. By the way, I have a plan to meet top management to propose the ISO 27001 certification project in a few days. Do you have any suggestions? I have never asked anyone about this topic, but your messages influenced me to change my mind.
    I am confused about whether ISO 27001 requires the related ISO standards. Can I implement ISO 27001 without complying with ISO 22301, ISO 20000, and ISO 27005 or ISO 31000?

    Answer:

    The best recommendation is that you talk with top management about the benefits of ISO 27001 implementation, which are mainly four: compliance, marketing edge, lowering expenses and putting your business in order. This article may be interesting for you: “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    And also this free webinar: “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    Regarding your second question: yes, you can implement ISO 27001 without ISO 22301, ISO 20000, ISO 27005 or ISO 31000, although it can be advisable to use ISO 22301 for the implementation of business continuity in ISO 27001, or to integrate the implementation of ISO 27001 with ISO 20000 (or to integrate all three standards), and you can also use ISO 27005 or ISO 31000 as best practices for risk management. These articles may be interesting for you:
    “How to use ISO 22301 for the implementation of business continuity in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    “How to implement ISO 27001 and ISO 20000 together” : https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
    “ISO 31000 and ISO 27001 – How are they related?” : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Control A.5.1.1 Policies for information security - when to select it?


    Answer:

    I assume you refer to control A.5.1.1 Policies for information security - this control does not refer to high-level Information security policy, but to detailed policies like Access control policy, Acceptable use policy, Classification policy, etc.

    As with other controls, you should select this control as applicable only if there are risks, some requirements, or if there is some other business reason. So if there are risks that require you to write the detailed policies, then you should select A.5.1.1 as applicable. See also this article: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    By the way, in the Statement of Applicability you choose the ISO 27001 Annex A controls, not ISO 27002 controls - although, the controls are basically the same. This article will help you: ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Providing ISO 27001 audits for clients


    Answer:

    I assume you refer to our ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ - if you take this course, you will be able to provide internal audits for your client. However, certification audits can be provided only by certified lead auditors who work for certification bodies - our internal auditor course was not designed for that purpose.

    This article will help you: How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • BCP for the ISMS?


    What needs to be in the BC plan for the ISMS? I could only think of the doc control system as being the key one for recovery. Is that correct?

    Answer:

    Actually, with a Disaster Recovery Plan you can cover the business continuity requirements in ISO 27001, so our template may be interesting for you (you can see a free version by clicking on the “Free Demo” tab): “Disaster Recovery Plan” : https://advisera.com/27001academy/documentation/disaster-recovery-plan/
    Regarding the doc control system, I am not sure what you mean, but the main purpose of document control is not related to the continuity or recovery of the business, so your second sentence is not correct. Keep in mind that the business continuity plan, the disaster recovery plan and the recovery are different things; for more information about this you can read this article: “Disaster recovery vs Business continuity” : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
  • Which critical processes should be selected for the ISO 27001 implementation?


    In the company where I work, 10 processes have been defined as critical from the business point of view. To implement the ISMS:
    How do I identify which of the 10 critical processes to consider for implementing the ISMS?
    Can I consider other processes besides the critical ones?
    My question arises because the regulator, at the time of the review, will ask us what the selection criterion was for the process considered for the ISMS, and why the rest of the processes were not considered.

    Answer:

    The main objective of establishing the ISMS scope is to define which information you want or need to protect in your business; therefore, you need to identify the information held by your processes and think about which information from those 10 processes you want to protect. And yes, you can consider all the processes, critical and non-critical, but from my point of view, critical processes generally hold critical information that must be protected.

    The certification auditor (by this I mean the auditor from the certification body) will check whether all the information included in the scope is protected, so the criterion could be that you include in the ISMS scope those processes that hold information that is relevant to the business and needs to be protected.

    This article about defining the scope may be interesting for you: “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Mandatory documents and Risk Treatment Plan table


    I need to know what mandatory documentation is required in an ISMS project. If possible, also advise on the elements of an RTP table...?

    Answer:

    Here you can see a list with all mandatory documents of ISO 27001:2013 (and also non-mandatory ones): “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Regarding the RTP table (I suppose you mean Risk Treatment Plan), you can include these elements: description of activities, person responsible for the activities, status of the actions, timeline, etc. For more information about the elements of an RTP table, you can see here a free version of our template (click on the “Free Demo” tab): “Risk Treatment Plan” : https://advisera.com/27001academy/documentation/risk-treatment-plan/
    By the way, this article may also be interesting for you: "Risk Treatment Plan and risk treatment process - What's the difference?" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    And our online course may also be very interesting for you: "ISO 27001:2013 Foundations Course" : https://advisera.com/training/iso-27001-foundations-course/
  • What standard for data center?


    I would like to know which ISO standards should be applied to data centers, because my enterprise has already started running a public data center and is trying to apply ISO standards as a benefit over competitors. Please kindly suggest which ISO we should choose, and thank you very much for your great courses about ISO.

    Answer:

    One of the ISO standards more focused on data centers is ISO 20000, because it is related to the management of IT services. So our blog about ISO 20000 may be interesting for you: https://advisera.com/20000academy/blog/ and also this page: “What is ISO 20000? Learn why ISO 20000 can benefit your organization” : https://advisera.com/20000academy/what-is-iso-20000/
    Another standard related to data centers is ANSI/TIA-942, although it is not an ISO standard (it is an American National Standard).
    Anyway, if you want to focus more on security issues, then ISO 27001 might also be appropriate for a data center. So this article may also be interesting for you: "What is ISO 27001?" : https://advisera.com/27001academy/what-is-iso-27001/
  • Internal and external issues, requirements of interested parties


    Answer:

    ISO 27001 does not require you to document internal and external issues, you only have to take them into account (doing this through the process of risk assessment is fine) - very often the auditors do not understand this so in your case I would challenge this auditor. This article can also help you: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    Regarding requirements of interested parties, you should develop a list of all their requirements (which is also required by control A.18.1.1) - this article will help you: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//