Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Clause related to interested party
I want to ask clause related to interested party.
Answer:
The clause of ISO 27001:2013 related to interested parties is "4.2 Understanding the needs and expectations of interested parties", although clause "4.1 Understanding the organization and its contest" is also related with interested parties (for external context you can consider interested parties).
This article can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
And also this one Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/ -
Labelling of information
I want to ask you about Labelling of information in iso 27002. In iso 27002:2013 in 8.2.2 Establish information labeling procedures. Information marking procedures should apply to information and associated assets presented in a physical or electronic format if we say that the server (physical format) is information.
so how can we labeling a server ?
Answer:
I am sorry, but a server is not information, is an asset of type hardware that can have information (the information is another type of asset). But a server can contain another type of asset: software. How can we classify the information in electronic format- that contains a server? If is a document, you simply can include in the first page the type of classification, or if the information is in a data base (software) or other software, maybe you can include a message in the start of the operative system through a script- showing that the information on the server is confidential, or internal, etc.
By the way, information in physical format can be a physical paper, and a lso you can include on it in the first page- the type of classification.
This article about the classification of information can be interesting for you Information classification according to ISO 27001 : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
And also this article about the asset inventory How to handle Asset register (Asset inventery) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Differences between COBIT, ISO 20000-7, ITIL and Risk Management
clear distinction between cobit 5, iso 200007, itil and risk management
Answer:
COBIT 5 is a framework related to IT governance and include aspects of IT service management, information security, business continuity, etc. ISO 20000-7 is a code of best practices for the implementation of ISO 20000-1 in the cloud, ITIL is a code of best practices for the IT service management, and the risk management is a tool that you can use to analyze and treat risks (you can identify and reduce them in your business).
By the way, do you know how to write a risk assessment methodology? This article can be interesting for you How to write ISO 27001 risk assessment methodology : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/ -
Tools to audit compliance
Can you recommend tools to audit compliance?
Answer:
Sure, you can try our Internal Audit toolkit (you can see a free version clicking on Free Demo tab) ISO 27001/ISO 22301 Internal Audit Toolkit : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
You can also develop your own Internal Audit checklist reading this article How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
Asset based or process based?
I need one clarification on risk assessment , risk treatment and SOA, for ISO27001:2013 is based on "Business process" or it is Asset base.
This is a confusion, some say's it is Asset base and some says as per new revision it is "business process base".
I need your audiences or related link for more information, on the said subject.
Answer:
ISO 27001:2013 is not based on asset and neither on business process, this mean that you are free to develop your methodology on the base that you want (asset or business process). Although generally is recommendable a risk methodology based on asset.
This article can be interesting for you What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/ -
SoA - Confidential?
For this reason, we do not include sensitive information in our SoA. It is all well and good the certificate showing a company is compliant, but without visibility of the SoA we don't know the scope of that compliance, and the associated state of their security. A business could have marked all the key elements as not applicable, and been compliant. -
Additional controls
We had a situation in the recent surveillance audit and appreciate your input here.
One of our company's division handles non-voice KPO and it was certified for ISO 27001:2013 standard during May 2015 (Certification Upgrade Audit). However now we added a chunk of Heathcare domain to our KPO division. We connect to the customer's machines through VPN and process the records (no data is copied to our local machines) and the KPO bay is 'no mobile - no paper' zone. However just to track the progress of records we process, the team lead types the client's name in an excel sheet maintained in local machine followed by start date , target date of completion and to whom it is assigned.
Would like to know if I need to add any HIPPA control to my SOA in these scenarios. Can we use client's name alone in local machine for tracking ? what is the HIPPA Control when work is outsourced ?
P.S: The MSA says a generic statement " All relevant HIPPA Controls are applicable" But didn't say explicitly anything.
Answer:
Regarding the compliant with ISO 27001:2013 it is not strictly necessary to implement additional controls, I mean, with the 114 controls of the Annex A of the standard is enough, although the implementation of additional controls for example controls related to HIPAA- can be a best practice.
But if HIPAA applies to your business, effectively you can include controls related to this standard in the SoA of ISO 27001, so in this case you can have an unique ISMS with the controls of both standards.
Regarding the use of clients name alone in local machine, it is related to personal data, and depending of your country, a specific regulation can be apply, but generally you can use this information applying security controls established by the regulation of your country. Anyway, ISO 27001:2013 has in the Annex A the control "A.18.1.4 Privacy and protection of personally identifiable information", for the protection of this type of data. This article about the regulations and laws of many countries related to information security can be interesting for you Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Regarding your last question, I am sorry but I am not expert in HIPAA but from my point of view if you have an external provider who is working with information protected by HIPAA, this provider need to apply controls of this standard.
You can find more information of HIPAA on the official site of U.S. Department of Health & Human Services : https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html -
Costs of implementation of controls
Aabout risk methodology must be include cost of implementation of controls. do you have any idea? About that implementation
Answer:
I suppose that your question is related to the risk treatment plan, if so, it is not strictly necessary that you include costs related to the implementation of security controls (it is not established in the ISO 27001:2013), although can be a best practice.
Anyway, the cost of the implementation of controls can depend of various parameters, for example: costs of human resources (internal or external), costs of services (internal or external), costs of equipment, etc.
This article about the risk treatment plan can be interesting for you Risk Treatment Plan and risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
And maybe can be useful for you ours templates for the risk treatment plan (you can see a free version clicking on Free Demo tab) Risk Treatment Plan : https://advisera.com/27001academy/documentation/risk-treatment-plan/ and also can be interesting for you our risk assessment and risk treatment methodology Risk Assessment and Risk Treatment Methodology : https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/ -
Roles in the ISMS
I wanna ask about the roles in ISO 27001 in the organization.
Answer:
The main role in an ISMS is the CISO, who can be someone of top management, but other roles can be people related to department involved in the scope of the ISMS: Head of IT Department and/or IT Expert, Head of Human Resources and/or experts, Head of Physical security and/or experts, Head of Legal Department and/or experts, etc. These roles can be described in different policies and procedures, so it is not necessary a central document with all this information.
By the way, have you read our article about roles and responsibilities of top management? Roles and responsibilities of top management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/ -
Formula for calculating RTO; using turnover
Answer:
The calculation of RTO/acceptable losses is best done when taking into account both financial and non-financial inputs. Non-financial could be the deterioration of the company image in the market, difficulty of catching up with the backlog of work, etc.
Regarding the financial turnover, you should calculate how much money did you lose if your company is not operational for e.g. 24 hours, and compare this to your company annual profit - then you should ask your executives which amount of loss is acceptable for them.
You'll find more examples in this article: How to implement business impact analys is (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/