  • Templates for technical controls


    The templates were very helpful, especially the statement of applicability for the security policy, which will help in implementing security in our environment.

    Could you advise on other material that can be helpful in securing information, network security, access control and system security?

    Answer:

    Yes, sure. Regarding securing information, network security, access control and system security, they are related to information security controls, and you can find templates about this in our toolkit. You can find these templates here (tab “Information Security Controls”) “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
    Important: You can see a free version of each document by clicking on the “Free Demo” tab.
    This article can also be interesting for you, "How to structure the documents for ISO 27001 Annex A controls": https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    Finally, our section of free downloads can also be interesting for you: https://advisera.com/27001academy/free-downloads/
  • Nonconformities and incidents


    I am re-using in the ISMS a QMS procedure for nonconformities management. May I merge incident management with nonconformities management in the same procedure?

    Answer:

    From my point of view it is not recommendable, because they are different things from the information security point of view. Anyway, in ISO 27001 it is not mandatory to have a documented procedure for nonconformities management (it is only mandatory to have records about the results of corrective actions). So, it will be better if you maintain your incident management as an independent documented procedure, although you can use your QMS procedure for nonconformities management; but remember, in ISO 27001 it is not mandatory to have a documented procedure for this.
    To know the list of mandatory documents and records of ISO 27001:2013, this article can be interesting for you, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Finally, this article can also be interesting for you, "How to handle incidents according to ISO 27001 A.16": https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
  • Implementation method and status of controls in Statement of Applicability


    For example, for A.9.4.3 Password Management System, we typically use LastPass to store and, when necessary, share passwords. We do not have a formal Access Control Policy, but we plan to develop one in the coming months.

    So in a case like this, what should we include in the Implementation Method and Status columns? Should Status reflect that we recognize the current implementation needs to be improved?

    Answer:

    In this particular case you should write that the implementation method is "Installation of LastPass and writing the Access Control Policy", and your current status would be "Partially implemented." Of course, after you write your Access Control Policy, you would change the status to "Implemented."
  • Handling documents of external origin


    Could this section be scoped only to related records of external origin? I'm not sure how relevant this is for what we manage. I work for a cloud software company, so we're mostly managing documentation and artifacts related to our infrastructure.

    Thanks for any feedback or examples of how others have handled this.

    Answer:

    In its clause 7.5.3, ISO 27001:2013 explicitly requires you to control documents of external origin that are important for your ISMS. So basically you have to decide what's important, so you might control notifications about the vulnerabilities, communication with your clients related to security issues, etc. In other words, you don't have to control everything.

    An incoming mail register is not a mandatory document; you can simply have a table where you register who received some important external document, or where such a document is stored.
  • Assistance on nonconformities


    1. Finding:

    Although the principles for engineering secure systems are in place, the same are not documented and maintained.

    A.14.2.5

    On reviewing the SOA it was found that secure system engineering principles are applicable; however, the same are not available for review.

    2. Finding:
    Although the BCP has been consolidated, test records for the scenarios where the probability is high are not evident.

    Req: A14.1.5

    Objective evidence:
    On reviewing the business continuity plan & risk assessment register it was found that fire was identified under the high risk category and was supposed to be tested.

    Answer:

    Regarding finding #1, you need to document your secure engineering principles; this article will help you: What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

    Regarding finding #2, you need to perform exercising and testing of your Business Continuity Plan, where you will focus on the scenario that is based on your biggest risk(s); this article will help you: How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
  • Backup policy vs. Backup procedure

    From my point of view it is better if you put all the information in the same document, I mean in the backup policy. You can include in the backup policy the details of the frequency of the different activities; it is not a problem.

    Regarding your second question, from my point of view, the document could be written by the person responsible for backups (or by an IT expert in backups), and could be reviewed and/or approved by the CISO or by the Head of the IT department.

    This article about the CISO can be interesting for you, "What is the job of Chief Information Security Officer (CISO) in ISO 27001?": https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
  • How to record measurements against ISMS Metrics

    You should show it in any way that is convenient for you. For example, if you have software that automatically creates reports or dashboards, then you can show the results to the auditor in that way.

    On the other hand, if you prepare some more complex results manually, then you can use some form or a report (for more complex measurements).

    In other words, every ISMS measurement must be documented, but not every ISMS measurement must be written in some form.
  • Implement ISO 27001 in a small business


    I'm working through the process with the help of a consultant, and we have some general questions about applying 27K to a small hosting business like mine. I run a small hosting business focusing on email and also offering web hosting and similar services.
    1) How should we apply the standard to a small business with limited checks and balances? In my case, there are currently just three of us with access to the systems. As the business owner I have access to basically everything (servers running the services, as well as billing records), and I have one other administrator with admin access to most of the servers, and a support person with more limited admin access. In particular for my access, it's hard to define limitations to access or .
    2) How should we describe our use of 27K in our marketing, if we adopt the structure and complete the documentation but don't go through a formal 3rd party certification audit?

    Answers:

    1) In your case I think that you need to decrease the number of documents to a minimum, so you only need to develop the mandatory documents. Here you can see the list of mandatory documents, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ Remember that you can also exclude controls, for example A.6.1.2 Segregation of duties (conflicting duties and areas of responsibility shall be segregated).
    2) If you implement ISO 27001 without the certification, you will need to demonstrate to your customers that your ISMS is implemented in accordance with ISO 27001 requirements, and it is not easy. So from my point of view, if you want ISO 27001 for marketing purposes, you need the certificate. Maybe this article can be interesting for you, “Should your company go for the ISO 27001 / ISO 22301 certification?”: https://advisera.com/27001academy/iso-27001-certification/
  • Key risks for DRP


    What are the key risks you consider for a DRP review?

    Answer:

    I am not sure what you mean, but risks are related to the risk assessment & treatment, not to the DRP. Some important things in the DRP are the definition of the Recovery Time Objective (RTO), the recovery strategy, the recovery plan, the minimum capacity that is required immediately after a disaster, necessary resources, etc. And these parameters are specific to each business, so I would consider these things in a DRP review.
    Anyway, this article can be interesting for you, “How to write business continuity plans?”: https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
    And take care: a Business Continuity Plan and a Business Impact Analysis are not the same thing, see “Disaster recovery vs Business continuity”: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    You can also learn how to define the RTOs from this article, "How to implement business impact analysis (BIA) according to ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    And this article can also be interesting for you, "Understanding IT disaster recovery according to ISO 27031": https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
  • Residual Risk Management


    I did a delay risks analysis, and then it's difficult for me to define residual risk management.

    Answer:

    Basically there are 3 options for residual risk management:
    a.- If the level of risk is below the acceptable level of risk, everything is OK, so you do nothing.
    b.- If the level of risk is above, you need to find some new way to mitigate the risk.
    c.- If the level of risk is above, but the organization cannot assume the costs related to the mitigation of the risk, the risk needs to be accepted.
    This article can be interesting for you, “Why is residual risk so important?”: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/