Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Mandatory documents
There are some requirements of procedures in 114 controls in the standard. Do we really need to make procedures? because someone told me that procedures are not required for the new version of 27001. And please tell me, if i cannot involve all the employees of the department for filling of the risk assessment sheet, how can i do it myself? who will be the asset owner and risk owner for people? (employees, contractors, visitors)
Answer:
Yes, there are some mandatory documents in ISO 27001:2013, including procedures, plans, policies, etc. For example is mandatory the Incident management procedure (clause A.16.1.5). Here you can see a list of mandatory documents (and also non-mandatory) List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
You can perform the risk assessment by yourself, but you will need some information about the departments involved in the scope of the ISMS: assets, threats and vulnerab ilities, consequences and likelihood related to each asset. This article can be interesting for you How to assess consequences and likelihood in ISO 27001 risk analysis : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment And maybe this article can be also interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Generally the asset owner can be for example an IT administrator, and the risk owner can be the head of the IT department. For more information about the risk owners and asset owners, please read this article Risk owners vs. Asset owners in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ -
Roles and responsibilities
How the people in this function get the specif task for doing the monitoring? I have two options:
1) They do it by themselves and they need to somehow capture it (I'm not sure what is the best way)
2) Someone is about to 'give them' the task (again not sure how to capture it)
Answer:
I am not sure if I have understood the question, but from my point of view is better option 2), because on this way you can have 2 levels: manager (coordinates and plans the execution of all tasks) and technical expert (perform technically all tasks). The last can be useful for example for the change management (clause A.12.1.2 ISO 27001:2013): an user identifies changes, the manager analyze and approve them and requests to a technical expert to do the necessary changes.
So from my point of view is very important to have clearly defined roles and responsibilities. These articles related to information security and ISO 27001- can be interesting for you :
What is the job of Chief Information Security Officer (CISO) in ISO 27001? : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Roles and responsibilities of top management in ISO 27001 and ISO 22301 : https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
"How to perform monitoring and measurement in ISO 27001" : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/ -
Template to write the Information Security Objectives and planning to achieve th
is there a template to write information security objectives and planning to achieve them; I mean planning needs to be elaborated while objectives should be written for Organizations' high level directions. so how to combine these two conflicts ? that's what made me confused.
Answer:
Yes, we have these templates, but before let me explain you some things: Usually objectives are set at two levels: 1) General ISMS level (for this you can use an Information Security Policy), and 2) Security controls (for this you can use the Statement of Applicability). So, for the point 1 you can use our template, you can see a free version clicking on Free Demo tab here Information Security Policy : https://advisera.com/27001academy/documentation/information-security-policy/
And for the point 2, you can see also a free version of this Statement of Applicability : https://advisera.com/27001academy/documentation/statement-of-applicability/
Regarding the Plan to achieve the objectives, you need the Risk Treatment plan, and you can also see a free version of our templete here Risk Treatment Plan : https://advisera.com/27001academy/documentation/risk-treatment-plan/
Finally, this article can be also interesting for you ISO 27001 control objectives Why are they important? : https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/ -
Questions about risk management
I have some questions about information security management system. Thank you to answer these questions. I apologize for the lack of my english Writing
1. What is information security risk management process? (process of risk management)
2. What is the purpose and meaning of organize assets ? (organize assets)
3. What are methods of valuation of assets? (assets evaluations method)
4. what does the mean of this concepts: threats, vulnerabilities, control, accident and consequences ?
5. What is formula to calculate the risk?
6. What is strategy to deal with the risk?
Answers:
1.- With the process of risk management, basically you can identify risks related to information security- in your business and reduce them (with security controls). For more information about the process, please read this article ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
2.- I suppose that your question is related to the inventory of assets, if so, the purpose and meaning of the inventory is to have identified and categorized all assets because they have a value for the business, and if you have based the risk management on assets, you can calculate risks related to them and protect them, although is not mandatory to perform the risk management based on assets, but is recommendable. This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
3.- Basically 3: quantitative, qualitative and semi-quantitative.
4.- threat: potential cause of an unwanted incident, which may result in harm to a system or organization; vulnerability: weakness of an asset or control that can be exploited by one or more threats; control: measure that is modifying risk; accident (is the same that an event): occurrence or change of a particular set of circumstances; consequence: outcome of an event affecting objectives.
5.- Depends on the methodology of risk management, an example can be: Risk = Consequences + likelihood. This free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
6.- Basically you have 4 options: reduce, accept, avoid or transfer. This article can be interesting for you Risk Treatment Plan and risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment -
Questionnaire before the implementation
kindly provide me the questionnaire regarding 20000 & 27000 what all questions come before or queries before implementation of given standard
Answer:
I am not sure what you mean, but the questionnaire that you can use before the implementation of ISO 27001 or ISO 20000 is for a gap analysis. If your question is related to the gap, this free tool can be useful for you Free ISO 27001 Gap Analysis Tool : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ Or this one Free ISO 20000 Gap Analysis Tool : https://advisera.com/20000academy/itil-iso-20000-tools/iso-20000-gap-analysis-tool/
Another important thing before the implementation is to have an implementation checklist, so this article can be interesting for you ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Or also this one ISO 20000 Implementation Project Checklist (Word) : https://advisera.com/20000academy/consultants/
Finally, this article about ISO 27001 and ISO 20000 maybe can be interesting for you How to implement ISO 27001 and ISO 20000 together : https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/ -
Auditors and certificates
How determines the auditor if a certificates is granted or not?
Answer:
The certification will be granted if there are no major nonconformities, anyway the final decision or determination is not performed by the auditor. The auditor only perform the certification audit, develop a final report, and made an evaluation about the compliance of the company. After this, in accordance with ISO 17021 (Requirements for bodies providing audit and certification of management systems), "the certification body shall ensure that the persons or committees that make the certification or recertification decisions are different from those who carried out the audits.
Maybe this article can be interesting for you How to get certified against ISO 27001? : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
And also this one Becoming ISO 27001 certified How to prepare for certification audit : https://advisera.com/27001academy/iso-27001-certification/ -
Auditors and technical aspects
Does the auditor verify technical aspects, for example the quality of a network architecture from the security point of view, or the truth of information recorded in risk assessment table?
Answer:
Yes, an auditor can verify technical aspects, because there are technical controls (A.13.1.1, A.13.1.2, A.13.1.3, specific related to the network security management), and of course can verify the truth of the information registered in the risk assessment table, because the auditor needs evidences about the implementation and maintenance of the ISMS and needs to verify if your activities comply with your own documentation. This article can be interesting for you Infographic: The brain of an ISO auditor What to expect at a certification audit : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/ -
BIA in a ISO 27001 implementation?
Could you kindly confirm me that for obtaining the ISO 27001 CERTIFICATION for organization Business impact analysis and BCP document aligned to IT service and recovery is mandatory.
Answer:
The Business Impact Analysis is not mandatory in the implementation of an ISO 27001 (although can be a best practice), regarding the BCP document, yes, is mandatory to have Business continuity procedures, and you can include on this a Business Continuity Plan, or a Disaster Recovery. You can also use ISO 22301 for the implementation of business continuity in ISO 27001, so this article can be interesting for you How to use ISO 22301 for the implementation of business continuity in ISO 27001 : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
And there is a list of mandatory document, you can see it here List of mandatory documents required by ISO 27001 (201 3 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Stage 1 audit - Internal audit performed?
For the stage 1 audit, should there be an internal audit performed? Or is having the documention available ok?
Answer:
Yes, should be performed. In accordance with the clause 9.2.3.1.1 g) of ISO 17021 (Requirements for bodies providing audit and certification of management systems) : "The stage 1 audit shall be performed to evaluate if the internal audits and management review are being planned and performed ..
Regarding the documentation, it is not mandatory to have a procedure in your ISMS for the internal audit (although can be a best practice), and it is mandatory to have the internal audit report (and the internal audit program). On this article you can see the list of mandatory documents of ISO 27001:2013 List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can be also interes ting for you How to get certified against ISO 27001? : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/ -
BCP or DRP?
https://www.theverge.com/users/custom_write