
  • Which critical processes should be selected for the ISO 27001 implementation?


    In the company where I work, 10 processes have been defined as critical from the business point of view. To implement the ISMS:
    How do I identify which of the 10 critical processes to consider for implementing the ISMS?
    Can I consider other processes besides the critical ones?
    My question arises because the regulator, at the time of the review, will ask us what the selection criterion was for the process considered for the ISMS, and why the rest of the processes were not considered.
     

    Answer:

    The main objective of establishing the scope of the ISMS is to define what information you want or need to protect in your business; therefore, you need to identify the information your processes handle and think about which information from those 10 processes you want to protect. And yes, you can consider all processes, critical and non-critical, but from my point of view, critical processes generally hold critical information that must be protected.

    The certification auditor (by this I mean the auditor from the certification body) will check whether all the information included in the scope is protected, so the criterion can be that you include in the ISMS scope those processes that hold information relevant to the business that needs to be protected.

    This article about defining the scope may be interesting for you: “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Mandatory documents and Risk Treatment Plan table


    I need to know what mandatory documentation is required in an ISMS project. If possible, also advise on the elements of an RTP table...?

     

    Answer:

    Here you can see a list with all mandatory documents of ISO 27001:2013 (and also non mandatory) “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Regarding the RTP table (I suppose that you mean Risk Treatment Plan), you can include these elements: description of activities, person responsible for the activities, status of the actions, timeline, etc. For more information about the elements of an RTP table, you can see a free version of our template here (click on the “Free Demo” tab) “Risk Treatment Plan” : https://advisera.com/27001academy/documentation/risk-treatment-plan/
    By the way, this article can also be interesting for you "Risk Treatment Plan and risk treatment process - What's the difference?" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    And our online course can also be very interesting for you "ISO 27001:2013 Foundations Course" : https://advisera.com/training/iso-27001-foundations-course/
  • What standard for data center?


    I would like to know which ISO standards should be applied to data centers, because my enterprise has already started running a public data center and is trying to apply ISO standards as a benefit over competitors. Please kindly suggest which ISO we should choose, and thank you very much for your great courses about ISO.
     

    Answer:

    One of the ISO standards more focused on data centers is ISO 20000, because it is related to the management of IT services. So, maybe our blog about ISO 20000 can be interesting for you https://advisera.com/20000academy/blog/ and also this page “What is ISO 20000? Learn why ISO 20000 can benefit your organization” : https://advisera.com/20000academy/what-is-iso-20000/
    Another standard related to data centers is ANSI/TIA-942, although it is not ISO (it is an American National Standard).
    Anyway, if you want to focus more on security issues, then ISO 27001 might also be appropriate for a data center. So this article can also be interesting for you "What is ISO 27001?" : https://advisera.com/27001academy/what-is-iso-27001/
  • Internal and external issues, requirements of interested parties


    Answer:

    ISO 27001 does not require you to document internal and external issues, you only have to take them into account (doing this through the process of risk assessment is fine) - very often the auditors do not understand this so in your case I would challenge this auditor. This article can also help you: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    Regarding requirements of interested parties, you should develop a list of all their requirements (which is also required by control A.18.1.1) - this article will help you: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Basic requirements and documents of ISO 22301


    I would really like to know what the basic requirements and document set are if I were going to go for ISO 22301 certification.
     

    Answer:

    The basic requirements of ISO 22301 are established from clause 4 to clause 10 of the standard. These clauses are:
    4.- Context of the organization
    5.- Leadership
    6.- Planning
    7.- Support
    8.- Operation
    9.- Performance evaluation
    10.- Improvement
    For more detailed information about the requirements, you need to see the standard. An article that can give you more information about ISO 22301 is "What is ISO 22301" : https://advisera.com/27001academy/what-is-iso-22301/
    Regarding the documents, you can see a list of mandatory documents in this article “Mandatory document required by ISO 22301” : https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
    Finally, this article about the implementation of ISO 22301 can also be interesting for you "17 steps for implementing ISO 22301" : https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
  • Appendix 4: Examples of disruptive incidents scenarios


    What is the meaning of Appendix 4: Examples of disruptive incidents scenarios?

     

    Answer:

    The purpose of Appendix 4 is to present the most likely incidents and their impacts on the organization. This appendix is directly related to paragraph “3.2 Risk management” of the document “Business Continuity Strategy”, because for all identified risks/incidents it is necessary to prepare event scenarios which describe how much the incidents could affect the organization.
    You can find the template of the “Business Continuity Strategy” here (you can see a free version by clicking on the “Free Demo” tab) “Business Continuity Strategy” : https://advisera.com/27001academy/documentation/business-continuity-strategy/
  • Difference between information asset and IT asset?


    What is the difference between an information asset and an IT asset? What is an information asset? I want to take an asset inventory; what are the things I have to look at?

     

    Answer:

    Information asset is a term used in ISO 27001 and it refers to assets of type information, but the term IT asset is not used in ISO 27001, although from my point of view it is related to IT, and there are some types of assets related to this, mainly hardware and software. So, an information asset can be the information included in databases, files in PDF, Word, Excel, etc., but also the information held on paper and in other forms.
    For the asset inventory, first it is important to establish the types of assets (information, hardware, software, infrastructure, people, outsourced services), and based on this, identify all assets that you have in your business, those that have value to the organization, and that are included in the scope of the ISMS. This article can be very interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Difference between total risk and residual risk


    What is the difference between total risk and residual risk?
     

    Answer:

    I am sorry, but ISO 27001 uses the terms risk and residual risk (total risk is not used). A risk is the effect of uncertainty on objectives, while residual risk is the risk remaining after the risk treatment. So, basically, before implementing the security controls you have risks related to information security in your business (you need to reduce them), and after implementing the controls the reduced risk is the residual risk (keep in mind that generally you cannot eliminate the risk completely).
    Maybe this article about residual risk can be interesting for you “Why is residual risk so important?” : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Standard for protection of personally identifiable information


    Is there any standard or guideline by ISO for the protection of personally identifiable information (PII) other than 27018? I mean not for cloud.
     

    Answer:

    The ISO standard with guidelines about the protection of personally identifiable information is ISO 27002. This standard has the control "18.1.4 Privacy and protection of personally identifiable information”, which is exactly what you need. You can buy and download the standard from the official site of ISO.org : https://www.iso.org/standard/54533.html
    Finally, keep in mind that most countries in the world have laws related to the protection of personal data, so maybe this list of laws and regulations on information security in the most important countries can be interesting for you “Laws and regulations on information security and business continuity” : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
  • ISO 27001 - Document Control on non-ISMS documentation

    In accordance with the clause "7.5.3 Control of documented information" : "Documented information required by the information security management system and by this International Standard shall be controlled...". So it is not necessary that non-ISMS documents follow the control of documented information, although from my point of view it can be a best practice. So, "document coding", "classification", "change history block", "distribution", etc. are not strictly necessary for non-ISMS documents, but they can be useful and a best practice for your business.

    This article can be interesting for you "Document management in ISO 27001 & BS 25999-2" : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/