Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How to protect secure areas
I´m looking for more detail information linked to the Physical security in ISO 27001: How to protect the secure areas. I´d like to know either there are some more detailed information linked to the 4 level protection zones.
What are the minimum protective measures for Level 1, 2,3 and 4 ? can you share with me some example of proper zoning concept and its measures and Norm with chapter which is about this Topic.
Answer:
I am sorry but we do not have specific information about the 4 levels protection zones (level 1, 2, 3 and 4), and ISO 27001 does not use the zoning concept. Anyway, regarding the Annex A of ISO 27001:2013, A.11.1 Secure areas, you can find these controls and establish different levels of protection:
A.11.1.1 Physical security perimeter: It is the reception, where any people can enter and says I am Antonio Segovia, from ISO27001Academy, and I want to talk with Bill Gates"
A.11.1.2 Physical entry controls: If the previous point is ok (Bill Gates knows me and approves my entry), they give me a card to pass the fir st physical entry control of Microsoft (by the way, my entry is registered: date, hour, etc).
A.11.1.3 Securing offices, rooms and facilities: Bill Gates is in the facility A of the Microsoft Campus, and in the entry of each facility there is another physical entry. But no problem, with my visit card I can enter (only to the facility A)
A.11.1.5 Working in secure areas: Inside of each facility there are secure areas where people are working with very confidential information (for example working about prototypes, or working about military or governmental projects, etc) and additional security controls are necessary.
For more information about the implementation of these controls, you can read the ISO 27002:2013, which is a code of best practices for the implementation of the controls of the Annex A of ISO 27001:2013. And this article can be also interesting for you Physical security in ISO 27001: How to protect the secure areas : https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
Additionally from the software point of view, you need to implement security controls related to the access control, to avoid unauthorized access to the information (the information can be in servers, desktops, laptops, etc). For this, you can use the A.9 Access control of the Annex A of ISO 27001:2013 (and again ISO 27002:2013 for more information about the implementation of each control). This article can be also interesting for you How to handle access control according to ISO 27001 : https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/ -
Certify a group
I'm interested in my group being certified rather than the company, is that possible?
Answer:
I am not sure what you mean, but you can certify any type of company or any type of business, but each certificate is issued for a specific company. So, if you have a group of companies, you can certify each company (one, various or all), or you can also certify the group as the main company, but in this way, the certificate is only for this main company, no for other companies of the group.
This article about the scope of ISO 27001 can be interesting for you How to define the ISMS scope : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And also this article about how to get certified How to get certified against ISO 27001? : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/ -
Organizational structure committees
I am busy with the implementation of an ISMS at one of my clients and have a question to ask: What is the situation with regards to the organisational structure, e.g. committees, forums and workgroups etc? Should these all be described and documented. Maybe also include Terms of Reference for each and then explain reporting lines and decision making capabilities within each committee or forum?
Answer:
Yes, you can consider for the organizational structure committees, forums and workgroups, etc. Some companies use the term Security committee, although it only was mandatory in the old version of the ISO 27001:2005, in the current version ISO 27001:2013 it is just a best practice. So it is not necessary to be documented. Regarding your second question, I am not sure what you mean, but after each committee, forum or meeting it is important to generate minutes (these minutes can include reporting lines, decisions, conclusiones, etc), which can be used as evidences. This article can be interesting for you Records management in ISO 270 01 and ISO 22301 : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
And also this article about the list of mandatory documents and records of ISO 27001:2013 List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Interface between 22301 and corporate governance
Answer:
The definition of corporate governance is: "The system of rules, practices and processes by which a company is directed and controlled." Since ISO 22301 also sets the system or rules, practices and processes regarding business continuity, this means that the business continuity management system (BCMS) developed according to ISO 22301 is part of a wider corporate governance in a company.
Top management has specific role within the BCMS that you can see here: Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/ - therefore, as part of their duties in the corporate governance, board of directors will have to make some crucial decisions for business continuity. -
Differences between ISO 9001 and ISO 27001
What is the difference between ISO 9001 & 27001?
Answer:
Basically ISO 9001 is for the management of quality (in services, process, etc), and ISO 27001 is for the management of information security. Another important difference: Both standards talk about risks, although ISO 27001 is about risk management while ISO 9001 is about only risk analysis.
These articles can be interesting for you:
What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
What is ISO 9001? : https://advisera.com/9001academy/what-is-iso-9001/
Methodology for ISO 9001 Risk Analysis : https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
And also can be interesting for you this ISO 27001 vs. ISO 9001 matrix (PDF), you can download it here : https://advisera.com/27001academy/free-downloads -
Context of the organizacion
I am not sure if I have understood your question, but if you want to include a list of interested parties in your ISMS scope document, you can do it, but this does not mean that the interested parties are included in the scope of the ISMS, because the definition of the scope is about areas, information systems, services, etc. about your organization.
Anyway, regarding the interested parties, the important is the identification of the requirements of the interested parties, and you can do it in an independent document. For example, you can use this template (you can see a free demo clicking on “Free demo” tab) “List of Legal, Regulatory, Contractual and Other Requirements” : https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
This article can be useful for you “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
And also this one “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
And our online course can be also interesting for you because we give more information about the ISMS scope and the interested parties “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
Auditors can verify technical aspects¿?
Does the auditor verify technical aspects, for example the quality of a network architecture from the security point of view, or the truth of information recorded in risk assessment table?
Answer:
The auditor can verify technical aspects for example the quality of a network architecture, because ISO 27001:2013 in the Annex A has controls related to IT, for example A.13.1.1, A.13.1.2, A.13.1.3 which are related to network security management, and also can verify the truth of information recorded in risk assessment table, because the auditor needs evidences about the implementation and maintenance of your ISMS.
This article can be interesting for you Infographic: The brain of an ISO auditor What to expect at a certification audit : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/ -
Clause related to interested party
I want to ask clause related to interested party.
Answer:
The clause of ISO 27001:2013 related to interested parties is "4.2 Understanding the needs and expectations of interested parties", although clause "4.1 Understanding the organization and its contest" is also related with interested parties (for external context you can consider interested parties).
This article can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
And also this one Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/ -
Labelling of information
I want to ask you about Labelling of information in iso 27002. In iso 27002:2013 in 8.2.2 Establish information labeling procedures. Information marking procedures should apply to information and associated assets presented in a physical or electronic format if we say that the server (physical format) is information.
so how can we labeling a server ?
Answer:
I am sorry, but a server is not information, is an asset of type hardware that can have information (the information is another type of asset). But a server can contain another type of asset: software. How can we classify the information in electronic format- that contains a server? If is a document, you simply can include in the first page the type of classification, or if the information is in a data base (software) or other software, maybe you can include a message in the start of the operative system through a script- showing that the information on the server is confidential, or internal, etc.
By the way, information in physical format can be a physical paper, and a lso you can include on it in the first page- the type of classification.
This article about the classification of information can be interesting for you Information classification according to ISO 27001 : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
And also this article about the asset inventory How to handle Asset register (Asset inventery) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Differences between COBIT, ISO 20000-7, ITIL and Risk Management
clear distinction between cobit 5, iso 200007, itil and risk management
Answer:
COBIT 5 is a framework related to IT governance and include aspects of IT service management, information security, business continuity, etc. ISO 20000-7 is a code of best practices for the implementation of ISO 20000-1 in the cloud, ITIL is a code of best practices for the IT service management, and the risk management is a tool that you can use to analyze and treat risks (you can identify and reduce them in your business).
By the way, do you know how to write a risk assessment methodology? This article can be interesting for you How to write ISO 27001 risk assessment methodology : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/