
  • How can a business measure and monitor the effectiveness of the ISMS?


    I would like to ask you the following question pertaining to ISO 27001 ISMS.....
    How can a business measure & monitor the effectiveness of the ISMS?
     

    Answer:

    Generally you need to define what needs to be monitored/measured, which methods may be used, when monitoring/measurement must be done, when monitoring/measurement results must be analyzed and evaluated, who must analyze and evaluate monitoring/measurement results, etc.
    For more information, this article can be interesting for you “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/ 
    This free webinar can be also interesting “ISO 27001 and ISO 27004: How to measure the effectiveness of information security?” : https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
  • ISO 27001 and ISO 27002


    I'm a student of Computer Engineering, and in my final project I have to define a security policy for my School.
    So I have analysed the ISO 27000 and COBIT, to see the differences between them, and I decided that the ISO 27000 is the most beneficial for this project.
    So I'm trying to understand how the ISO 27000 works. I know that the ISO 27001 refers to the implementation of an Information Security Management System and the ISO 27002 refers to the elaboration of the Security Policy.
    Right now I'm trying to understand how the ISO 27002 works, and how I can construct my Security Policy.
    I don't have, yet, time to analyse the documentation that I've downloaded.
     

    Answer:

    You are partially ok, because ISO 27001 is an international standard with requirements for the implementation of an ISMS, but ISO 27002 is not only for the elaboration of the Security Policy. Let me explain the differences: The core of ISO 27001 is the risk management (you need to identify risks and reduce them) for the protection of the information. ISO 27002 has 114 security controls, which you can use to reduce risks (one of them is A.5.1.1 Policies for information security).
    So, with ISO 27001 you identify risks, and you need controls to reduce them, and you can do it with the security controls of ISO 27002. You can also see the same security controls in the Annex A of ISO 27001, although there you can only see a brief description; in ISO 27002 you can see a guide for the implementation of each control.
    This article about ISO 27001 and ISO 27002 can be interesting for you “ISO 27001 vs. ISO 27002” : https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    And this free tutorial can be also interesting for you “How to write the information Security Policy According to ISO 27001” : https://advisera.com/27001academy/tutorial/free-tutorial-how-to-write-the-information-security-policy-according-to-iso-27001/
  • ISO 27001 and SOC 2


    I am looking for Information Security document templates to assist in my SOC 2 Type 1 audit process. Are you familiar with SOC 2? And will your ISO 27001 toolkit allow me to develop the policies required for IT for SOC 2?

     

    Answer:

    I am sorry but our templates are developed for ISO 27001. Anyway, this information (from the official site of the American Institute of CPAs) about SOC 2 and ISO 27001 can be interesting for you (see the Excel “Trust Services Map to ISO 27001”) : https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html
    As you can see in the Excel, there are some points in common between ISO 27001 and SOC 2, so for these points you can use our toolkit “ISO 27001 Documentation Toolkit” : https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • How to protect secure areas


    I'm looking for more detailed information linked to the Physical security in ISO 27001: How to protect the secure areas. I'd like to know whether there is some more detailed information linked to the 4-level protection zones.

    What are the minimum protective measures for Level 1, 2, 3 and 4? Can you share with me some example of a proper zoning concept and its measures, and the Norm with the chapter that is about this Topic?

     

    Answer:

    I am sorry but we do not have specific information about the 4-level protection zones (level 1, 2, 3 and 4), and ISO 27001 does not use the zoning concept. Anyway, regarding the Annex A of ISO 27001:2013, A.11.1 Secure areas, you can find these controls and establish different levels of protection:

    A.11.1.1 Physical security perimeter: It is the reception, where anyone can enter and say “I am Antonio Segovia, from ISO27001Academy, and I want to talk with Bill Gates”.
    A.11.1.2 Physical entry controls: If the previous point is ok (Bill Gates knows me and approves my entry), they give me a card to pass the first physical entry control of Microsoft (by the way, my entry is registered: date, hour, etc.).
    A.11.1.3 Securing offices, rooms and facilities: Bill Gates is in facility A of the Microsoft Campus, and at the entry of each facility there is another physical entry control. But no problem, with my visitor card I can enter (only facility A).
    A.11.1.5 Working in secure areas: Inside each facility there are secure areas where people are working with very confidential information (for example working on prototypes, or working on military or governmental projects, etc.) and additional security controls are necessary.

    For more information about the implementation of these controls, you can read the ISO 27002:2013, which is a code of best practices for the implementation of the controls of the Annex A of ISO 27001:2013. And this article can be also interesting for you “Physical security in ISO 27001: How to protect the secure areas” : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    Additionally, from the software point of view, you need to implement security controls related to access control, to avoid unauthorized access to the information (the information can be on servers, desktops, laptops, etc.). For this, you can use A.9 Access control of the Annex A of ISO 27001:2013 (and again ISO 27002:2013 for more information about the implementation of each control). This article can be also interesting for you “How to handle access control according to ISO 27001” : https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
  • Certify a group


    I'm interested in my group being certified rather than the company, is that possible?
     

    Answer:

    I am not sure what you mean, but you can certify any type of company or any type of business, although each certificate is issued for a specific company. So, if you have a group of companies, you can certify each company (one, several or all), or you can also certify the group as the main company, but in this way the certificate is only for this main company, not for the other companies of the group.
    This article about the scope of ISO 27001 can be interesting for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    And also this article about how to get certified “How to get certified against ISO 27001?” : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
  • Organizational structure committees


    I am busy with the implementation of an ISMS at one of my clients and have a question to ask: What is the situation with regards to the organisational structure, e.g. committees, forums and workgroups etc.? Should these all be described and documented? Maybe also include Terms of Reference for each and then explain reporting lines and decision-making capabilities within each committee or forum?
     

    Answer:

    Yes, for the organizational structure you can consider committees, forums, workgroups, etc. Some companies use the term “Security committee”, although it was only mandatory in the old version, ISO 27001:2005; in the current version, ISO 27001:2013, it is just a best practice. So it is not necessary for it to be documented. Regarding your second question, I am not sure what you mean, but after each committee, forum or meeting it is important to generate minutes (these minutes can include reporting lines, decisions, conclusions, etc.), which can be used as evidence. This article can be interesting for you “Records management in ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
    And also this article about the list of mandatory documents and records of ISO 27001:2013 “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Interface between 22301 and corporate governance


    Answer:

    The definition of corporate governance is: "The system of rules, practices and processes by which a company is directed and controlled." Since ISO 22301 also sets the system of rules, practices and processes regarding business continuity, this means that the business continuity management system (BCMS) developed according to ISO 22301 is part of the wider corporate governance in a company.

    Top management has a specific role within the BCMS that you can see here: Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/ - therefore, as part of their duties in the corporate governance, the board of directors will have to make some crucial decisions for business continuity.
  • Differences between ISO 9001 and ISO 27001


    What is the difference between ISO 9001 & 27001?
     

    Answer:

    Basically, ISO 9001 is for the management of quality (in services, processes, etc.), and ISO 27001 is for the management of information security. Another important difference: both standards talk about risks, although ISO 27001 is about risk management while ISO 9001 is only about risk analysis.
    These articles can be interesting for you:
    “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/
    “What is ISO 9001?” : https://advisera.com/9001academy/what-is-iso-9001/ 
    “Methodology for ISO 9001 Risk Analysis” : https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/ 
    This “ISO 27001 vs. ISO 9001 matrix (PDF)” can also be interesting for you; you can download it here : https://advisera.com/27001academy/free-downloads
  • Context of the organization

    I am not sure if I have understood your question, but if you want to include a list of interested parties in your ISMS scope document, you can do it, but this does not mean that the interested parties are included in the scope of the ISMS, because the definition of the scope is about areas, information systems, services, etc. about your organization.

    Anyway, regarding the interested parties, the important thing is the identification of the requirements of the interested parties, and you can do it in an independent document. For example, you can use this template (you can see a free demo by clicking on the “Free demo” tab) “List of Legal, Regulatory, Contractual and Other Requirements” : https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    This article can be useful for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And also this one “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    And our online course can be also interesting for you because we give more information about the ISMS scope and the interested parties “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Can auditors verify technical aspects?


    Does the auditor verify technical aspects, for example the quality of a network architecture from the security point of view, or the truth of information recorded in risk assessment table?
     

    Answer:

    The auditor can verify technical aspects, for example the quality of a network architecture, because ISO 27001:2013 in the Annex A has controls related to IT, for example A.13.1.1, A.13.1.2 and A.13.1.3, which are related to network security management, and can also verify the truth of the information recorded in the risk assessment table, because the auditor needs evidence about the implementation and maintenance of your ISMS.
    This article can be interesting for you “Infographic: The brain of an ISO auditor – What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/