
  • Assistance on nonconformities


    1. Finding:

    Although the principles for engineering secure systems are in place, the same are not documented and maintained.

    A.14.2.5

    On reviewing the SOA it was found that secure system engineering principles are applicable; however, the same are not available for review.

    2. Finding:
    Although the BCP has been consolidated, test records for the scenarios where the probability is high are not evident.

    Req: A.14.1.5

    Objective evidence:
    On reviewing the business continuity plan & risk assessment register it was found that fire was identified under the high risk category and was supposed to be tested.

    Answer:

    Regarding finding #1, you need to document your secure engineering principles, this article will help you: What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

    Regarding finding #2, you need to perform exercising and testing of your Business continuity plan, where you will focus on a scenario that is based on your biggest risk(s) - this article will help you: How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
  • Backup policy vs. Backup procedure

    From my point of view it is better if you put all the information in the same document, I mean in the backup policy. You can include in the backup policy the details of the frequency of the different activities; it is not a problem.

    Regarding your second question, from my point of view, the document could be written by the person responsible for backups (or by an IT expert in backups), and could be reviewed and/or approved by the CISO or by the Head of the IT department.

    This article about the CISO can be interesting for you "What is the job of Chief Information Security Officer (CISO) in ISO 27001?" : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
  • How to record measurements against ISMS Metrics

    You should show it in any way that is convenient for you - for example, if you have software that automatically creates reports or dashboards, then you can show the results to the auditor in that way.

    On the other hand, if you prepare some more complex results manually, then you can use some form or a report (for more complex measurements).

    In other words, every ISMS measurement must be documented, but not every ISMS measurement must be written in some form.
  • Implement ISO 27001 in a small business


    I'm working through the process with the help of a consultant, and we have some general questions about applying 27K to a small hosting business like mine. I run a small hosting business focusing on email and also offering web hosting and similar services.
    1) How should we apply the standard to a small business with limited checks and balances? In my case, there are currently just three of us with access to the systems. As the business owner I have access to basically everything (servers running the services, as well as billing records), and I have one other administrator with admin access to most of the servers, and a support person with more limited admin access. In particular for my access, it's hard to define limitations to access or .
    2) How should we describe our use of 27K in our marketing, if we adopt the structure and complete the documentation but don't go through a formal 3rd party certification audit?
     

    Answers:

    1) In your case I think that you need to decrease the number of documents to a minimum, so you only need to develop the mandatory documents. Here you can see the list of mandatory documents “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ Remember that you can also exclude controls, for example the A.6.1.2 Segregation of duties (conflicting duties and areas of responsibilities shall be segregated).
    2) If you implement ISO 27001 without the certification, you will need to demonstrate to your customers that your ISMS is implemented in accordance with ISO 27001 requirements, and it is not easy. So from my point of view, if you want ISO 27001 for marketing purposes, you need the certificate. Maybe this article can be interesting for you “Should your company go for the ISO 27001 / ISO 22301 certification?” : https://advisera.com/27001academy/iso-27001-certification/
  • Keys risks for DRP


    What are the key risks you consider for DRP review?
     

    Answer:

    I am not sure what you mean, but risks are related to the Risk assessment & treatment, not to the DRP. Some important things in the DRP are the definition of the Recovery Time Objective (RTO), the recovery strategy, the recovery plan, the minimum capacity that is required immediately after a disaster, necessary resources, etc. And these parameters are specific to each business, so I would consider these things in a DRP review.
    Anyway, this article can be interesting for you “How to write business continuity plans?” : https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
    And be careful, a Business Continuity Plan and a Business Impact Analysis are not the same “Disaster recovery vs Business continuity” : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    You can also learn how to define the RTOs from this article "How to implement business impact analysis (BIA) according to ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    And this article can be also interesting for you "Understanding IT disaster recovery according to ISO 27031" : https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
  • Residual Risk Management


    I did a delay risks analysis and then it's difficult for me to define residual risk management
     

    Answer:

    Basically there are 3 options for the residual risk management:
    a.- If the level of risk is below the acceptable level of risk, everything is ok, so you do nothing
    b.- If the level of risk is above, you need to find out some new way to mitigate the risk
    c.- If the level of risk is above, but the organization cannot assume the costs related to the mitigation of the risk, the risk needs to be accepted.
    This article can be interesting for you “Why is residual risk so important?” : https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Procedures and documented procedures


    Do we have to make procedures for all below controls? 

    A 8.2.2 labeling of info
    A 8.2.3 handling of assets
    A 8.3.1 mgt of removable media
    A 8.3.2 disposal of media
    A 9.4.2 secure log-on procedures
    A 11.1.5 working in secure areas
    A 12.5.1 installation of software on operational system
    A 13.2.1 info transfer policy & proc
    A 14.2.2 system change control
    A 15.2.2 managing changes to supplier services
    A 16.1.1 responsibilities and proc
    A 16.1.5 response to information security incident (done)
    A 16.1.7 collection of evidence
    A 17.1.2 info sec continuity
    A 18.1.2 intellectual property rights

    As in the explanation of all these controls, it's mentioned that we need to create some procedures
     

    Answer:

    Yes, you are right, you need procedures for these controls, but this does not mean that you need a document. A procedure is the way that you have to perform an activity, and a documented procedure is the procedure written in a document. It is only mandatory to have a document in the controls (and clauses) where you can read “The organization shall document…”, so for example it is mandatory to have a document for A.16.1.5 and for A.17.1.2. Here you can see the list of mandatory documents and records of ISO 27001:2013 (and non-mandatory) “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    This article can be also interesting for you "Explanation of the basic terminology in ISO standards" : https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
  • Health and Safety Policy


    Can I add a Health and Safety Policy to the ISO 27001 toolkit? There is not currently such a policy listed.
     

    Answer:

    Yes, sure, you can add it, although it is not necessary for the implementation of the ISO 27001 (because of this, it is not included in our toolkit). Here you can see a list of mandatory documents and records “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    And you can buy our Health and Safety Policy here (you can see a free version by clicking on the "Free Demo" tab) : https://advisera.com/18001academy/documentation/ohs-policy/
  • Options to treat risks associated with a project


    How can I determine and describe options to treat risks associated with a project?
     

    Answer:

    Generally, there are 4 general options for the treatment of any type of risk: apply controls (or actions) to reduce the risk, transfer the risk, avoid the risk, or accept the risk. For more information, maybe this article can be interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    Finally, remember that Annex A of ISO 27001:2013 has the control “A.6.1.5 Information security in project management”, which is related to the integration of information security with project management activities, and there are several ways to do this: including information security objectives in project activities, performing a risk assessment at an early stage of the project, performing treatment of the identified risks (4 options above), etc. So this article can also be interesting for you “How to manage security in project management according to ISO 27001 A.6.1.5” : https://advisera.com/27001academy/what-is-iso-27001/
  • Qualitative and quantitative risk assessment methodologies


    Name a few Qualitative and Quantitative Risk Assessment methodologies in the market which I could use for implementing ISO 27001.
     

    Answer:

    Examples of Qualitative Risk Assessment methodologies can be CRAMM, OCTAVE, NIST 800-30, while examples of quantitative Risk Assessment methodologies can be PILAR, or SOMAP.
    Have you seen our methodology? It is based on the qualitative method (easier). Here you can see a free version by clicking on the “Free Demo” tab “Risk Assessment and Risk Treatment Methodology” : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    ISO 27005 is a code of best practices for risk management, and the appendices provide guidance on using qualitative and quantitative approaches, so maybe it can be interesting for you. You can buy and download it from the official site of iso.org : https://www.iso.org/standard/56742.html
    Finally, this article can also be interesting for you "How to write ISO 27001 risk assessment methodology" : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/