Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Implement ISO 27001 in a small business
I'm working through the process with the help of a consultant, and we have some general questions about applying 27K to a small hosting business like mine. I run a small hosting business focusing on email and also offering web hosting and similar services.
1) How should we apply the standard to a small business with limited checks and balances? In my case, there are currently just three of us with access to the systems. As the business owner I have access to basically everything (servers running the services, as well as billing records), and I have one other administrator with admin access to most of the servers, and a support person with more limited admin access. In particular for my access, it's hard to define limitations to access or .
2) How should we describe our use of 27K in our marketing, if we adopt the structure and complete the documentation but don't go through a formal 3rd party certification audit?
Answers:
1) In your case I think that you need to decrease the number of documents to a minimum, so you only need to d evelop the mandatory documents. Here you can see the list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ Remember that you can also exclude controls, for example the A.6.1.2 Segregation of duties (conflicting duties and areas of responsibilities shall be segregated).
2) If you implement ISO 27001 without the certification, you will need to demonstrate to your customers that your ISMS is implemented in accordance with ISO 27001 requirements, and it is not easy. So from my point of view, if you want ISO 27001 for marketing purposes, you need the certificate. Maybe this article can be interesting for you Should your company go for the ISO 27001 / ISO 22301 certification? : https://advisera.com/27001academy/iso-27001-certification/ -
Keys risks for DRP
what are the key risks you consider for DRP review?
Answer:
I am not sure what you mean, but risks are related to the Risk assessment & treatment, not for the DRP. Some important things in the DRP are the definition of the Recovery Time Objective (RTO), the recovery strategy, the recovery plan, the minimum capacity that is required immediately after a disaster, necessary resources, etc. And these parameters are specific of each business, so, I would consider these things in a DRP review.
Anyway, this article can be interesting for you How to write business continuity plans? : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
And take care, it is not the same Business Continuity Plan and Business Impact Analysis Disaster recovery vs Business continuity : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
You can also learn how to define the RTOs from this article "How to implement business impact analysis (BIA) according to ISO 22301" : https://adviser a.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
And this article can be also interesting for you "Understanding IT disaster recovery according to ISO 27031" : https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/ -
Residual Risk Management
I did a delay risks analysis and then It's difficult for me to define residual risk management
Answer:
Basically there are 3 options for the residual risk management:
a.- If the level of risk is below the acceptable level of risk, everything is ok, so you do nothing
b.- If the level of risk is above, you need to find out some new way to mitigate the risk
c.- If the level of risk is above, but the organization cannot assume the costs related to the mitigation of the risk, the risk need to be accepted.
This article can be interesting for you Why is residual risk so important? : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/ -
Procedures and documented procedures
Do we have to make procedures for all below controls?
A 8.2.2 labeling of info
A 8.2.3 handling of assets
A 8.3.1 mgt of removable media
A 8.3.2 disposal of media
A 9.4.2 secure log-on procedures
A 11.1.5 working in secure areas
A 12.5.1 installation of software on operational system
A 13.2.1 info transfer policy & proc
A 14.2.2 system change control
A 15.2.2 managing changes to supplier services
A 16.1.1 responsibilities and proc
A 16.1.5 response to information security incident (done)
A 16.1.7 collection of evidence
A 17.1.2 info sec continuity
A 18.1.2 intellectual property rights
As in the explanation of all these controls, its mentioned that we need to create some procedures
Answer:
Yes, you are right you need procedures for these controls, but this does not mean that you need a document. A procedure is the way that you have to perform an activity, and the documented procedure is the procedure written in a document. It is only mandatory to have a document in the controls (and clauses) where you can read The organization shall document , so for example is mandatory to have a document for the A.16.1.5 and for the A.17.1.2. Here you can see the list of mandatory documents and records of ISO 27001:2013 (and non-mandatory) List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can be also interesting for you "Explanation of the basic terminology in ISO standards" : https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/ -
Health and Safety Policy
Can I add a Health and Safety Policy to the ISO 27001 toolkit. There is not currently such a policy listed
Answer:
Yes, sure, you can add it, although it is not necessary for the implementation of the ISO 27001 (because of this, it is not included in our toolkit). Here you can see a list of mandatory documents and records List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And you can buy our Health and Safety Policy here (you can see a free version clicking on "Free Demo" tab) : https://advisera.com/18001academy/documentation/ohs-policy/ -
Options to treat risks associated with a project
how can i determine and describe options to treat risks associated with a project
Answer:
Generally, there are 4 general options for the treatment of any type of risk: Apply controls (or actions) to reduce the risk, transfer the risk, avoid the risk or accept the risk. For more information, maybe this article can be interesting for you Risk Treatment Plan and risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Finally, remember that the Annex A of ISO 27001:2013 has the control A.6.1.5 Information security in project management, which is related to the integration of the information security with project management activities, and there are several ways for this: including information security objectives in project activities, perform a risk assessment in an early stage of the project, perform treatment of the identified risks (4 options above), etc. So this article can be also interesting for you How to manage sec urity in project management according to ISO 27001 A.6.1.5 : https://advisera.com/27001academy/what-is-iso-27001/ -
Qualitative and quantitative risk assessment methodologies
Name few Qualitative and Quantitative Risk Assessment methodologies in the market which i could use for implementation ISO 27001.
Answer:
Examples of Qualitative Risk Assessment methodologies can be CRAMM, OCTAVE, NIST 800-30, while examples of quantitative Risk Assessment methodologies can be PILAR, or SOMAP.
Have you seen our methodology? It is based on qualitative method (more easy). Here you can see a free version clicking on Free Demo tab Risk Assessment and Risk Treatment Methodology : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
ISO 27005 is a code of best practices for risk management, and the appendices provide guidance on using qualitative and quantitative approaches, so maybe can be interesting for you. You can buy and download it from the official site of iso.org : https://www.iso.org/standard/56742.html
Finally, this article can be also intere sting for you "How to write ISO 27001 risk assessment methodology" : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/ -
Survey to interested parties
I'm looking for questions to prepare a survey to interested parties to provide feedback on the ISMS. To get feedback from interested parties (9.3 ISMS Management Review) we are planning to create a survey. Do you have a template or suggestions on a good set of questions?
Answer:
No I am sorry, we do not have this template. Anyway, you can perform questions related to your ISMS and each interested party: Have you identified and established requirements for the ISMS? Have you identified any weakness in our ISMS? Any improvement? Any threat/vulnerability that we do not have identified in our risk management yet? Have you identified any new asset in your business/area/department that is related to our ISMS? Do you have access to our Information Security Policy? Etc.
This article related to interested parties can be interesting for you How to identify interested parties according to ISO 27001 and ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Unique Risk Management Framework for ISO 27001, ISO 22301 and ISO 9001
Can we have single Risk Management Framework to meet the requirements of ISO27001, ISO22301 and ISO9001:2015. I am aware and have experience in ISO27001 Risk Management Requirements. But how can we enhance it to cover ISO22301 and ISO9001 as the ISO9001 also requires Risk Management to followed.
Answer:
Yes, from my point of view you can have an unique Risk Management Framework for ISO 27001, ISO 22301 and ISO 9001, but considering differences between these standards, because for example can be considered different risks in ISO 27001 (information security), ISO 22301 (business continuity), and ISO 9001 (quality). But you can define general steps: Establish the context, Risk identification, risk analysis, risk evaluation, risk treatment, etc (although the details can be very different: the identification of risk in information security is very different that in quality)
This article can be interesting for you Can ISO 27001 risk assessment be used for ISO 22301? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section22
By the way, ISO 31000 is a guide of best practices for the risk management, and you can use it for any type of risk. You can download and buy this standard from the official site of iso.org : https://www.iso.org/standard/43170.html
This article can be also interesting for you ISO 31000 and ISO 27001 How are they related? : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ -
Setting Active Directory
Yes this is related to AD computer's, what setting do they need to become complaint for ISO 27002.
I need all the specfic setting for both Linux and Windows. For example what file permissions like 600 for /etc/shadow file in linux and what registry setting do all the computers that all windows machines needs to be. I need specfic details for this. So when I conduct a pre-inspection I know what to look for.
Answer:
You need to be compliant with ISO 27001:2013, ISO 27002 is only a code of best practices, so you can only certify ISO 27001. To be compliant with ISO 27001 there are many requirements that you need to implement, but you can do it technically like you want. For example, the control of the Annex of ISO 27001:2013 "A.9.2.1 User registration and de-registration: A formal user registration and de-registration process shall be implemented to enable assignment of access rights. You can implement it with Active Directory or OpenLdap, or any other LDAP software. The external auditor will verify if you have implemented the contr ol, and he can ask you how it is implemented (can also give you some tips to improve the control), but nothing more.
Anyway, from my point of view permissions like 600 (or 400 for only read) for the /etc/shadow file in Linux is a best practice, although I think that can be better if you also encrypt the hard drive (and the same for Windows) and set a BIOS password.
And if you have Linux and Windows systems, can be a good idea to add Linux systems to the Windows domain, and include Linux users in the AD.
Finally, remember that the Access Control Policy is a mandatory document in ISO 27001 (you can see the entire list of mandatory documents here List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/) , so maybe this template can be interesting for you (you can see a free version clicking on Free Demo tab) Access Control Policy : https://advisera.com/27001academy/documentation/access-control-policy/