
  • Questions about risk management


    I have some questions about the information security management system. Thank you for answering these questions. I apologize for my poor English writing.

    1. What is the information security risk management process? (process of risk management)
    2. What is the purpose and meaning of organizing assets? (organize assets)
    3. What are the methods of valuation of assets? (asset evaluation methods)
    4. What is the meaning of these concepts: threats, vulnerabilities, control, accident and consequences?
    5. What is the formula to calculate the risk?
    6. What is the strategy to deal with the risk?
     

    Answers:

    1.- With the process of risk management, basically you can identify risks (related to information security) in your business and reduce them (with security controls). For more information about the process, please read this article “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    2.- I suppose that your question is related to the inventory of assets; if so, the purpose and meaning of the inventory is to have identified and categorized all assets, because they have a value for the business, and if you have based the risk management on assets, you can calculate risks related to them and protect them. Although it is not mandatory to perform the risk management based on assets, it is recommendable. This article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    3.- Basically 3: quantitative, qualitative and semi-quantitative.
    4.- threat: potential cause of an unwanted incident, which may result in harm to a system or organization; vulnerability: weakness of an asset or control that can be exploited by one or more threats; control: measure that is modifying risk; accident (the same as an event): occurrence or change of a particular set of circumstances; consequence: outcome of an event affecting objectives.
    5.- It depends on the methodology of risk management; an example can be: Risk = Consequences + likelihood. This free webinar can be interesting for you “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    6.- Basically you have 4 options: reduce, accept, avoid or transfer. This article can be interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
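    The answers above describe an asset-based assessment: an inventory of assets, threat/vulnerability pairs per asset, a qualitative scoring, the formula Risk = Consequences + likelihood, and a choice among reduce, accept, avoid and transfer. The following Python script is an added worked example that is not part of the forum post or of any Advisera material; the 1..5 scales, the acceptance and avoidance thresholds, the decision rule in choose_treatment and the sample inventory are all constructed assumptions, and a real methodology would define its own.

```python
"""Worked asset-based risk assessment (added example; assumptions are marked)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed qualitative scale shared by asset value, consequence and likelihood.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    value: str  # qualitative value on SCALE; used as the default consequence


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    consequence: int
    likelihood: int
    level: int
    treatment: str


def risk_level(consequence: int, likelihood: int) -> int:
    """Additive formula quoted in the answer: Risk = Consequences + likelihood."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must be on the 1..5 scale")
    return consequence + likelihood


def choose_treatment(level: int, transferable: bool = False,
                     accept_max: int = 6, avoid_min: int = 9) -> str:
    """Map a risk level to one of the four options from the answer.

    Assumed decision rule: at or below accept_max the risk is accepted as is;
    at or above avoid_min the activity is stopped (avoid); in between, the risk
    is transferred (insurance/outsourcing) when that is possible, else reduced
    with controls.
    """
    if level <= accept_max:
        return "accept"
    if level >= avoid_min:
        return "avoid"
    return "transfer" if transferable else "reduce"


def assess(inventory: List[Asset], scenarios: List[dict]) -> List[Risk]:
    """Score every scenario against the inventory, highest risk first."""
    by_name: Dict[str, Asset] = {a.name: a for a in inventory}
    results = []
    for s in scenarios:
        asset = by_name[s["asset"]]  # KeyError if the asset is missing from the inventory
        consequence = SCALE[s.get("consequence", asset.value)]
        likelihood = SCALE[s["likelihood"]]
        level = risk_level(consequence, likelihood)
        results.append(Risk(asset.name, s["threat"], s["vulnerability"],
                            consequence, likelihood, level,
                            choose_treatment(level, s.get("transferable", False))))
    # sorted() is stable, so equal levels keep their scenario order
    return sorted(results, key=lambda r: r.level, reverse=True)


def treatment_summary(risks: List[Risk]) -> Dict[str, int]:
    """Count how many risks fall under each treatment option."""
    return dict(Counter(r.treatment for r in risks))


# Constructed sample inventory and scenarios (not real data).
INVENTORY = [
    Asset("Customer database", "IT", "very high"),
    Asset("Office laptops", "IT", "medium"),
    Asset("Public website", "Marketing", "low"),
    Asset("Legacy FTP server", "IT", "high"),
    Asset("Payment processing", "Finance", "high"),
]
SCENARIOS = [
    {"asset": "Customer database", "threat": "unauthorised access",
     "vulnerability": "weak access control on the database", "likelihood": "medium"},
    {"asset": "Office laptops", "threat": "theft",
     "vulnerability": "no disk encryption", "likelihood": "high"},
    {"asset": "Public website", "threat": "defacement",
     "vulnerability": "unpatched CMS", "likelihood": "low"},
    {"asset": "Legacy FTP server", "threat": "credential sniffing",
     "vulnerability": "plaintext protocol", "likelihood": "very high"},
    {"asset": "Payment processing", "threat": "card data breach",
     "vulnerability": "in-house card handling", "likelihood": "medium",
     "transferable": True},
]

if __name__ == "__main__":
    for r in assess(INVENTORY, SCENARIOS):
        print(f"{r.level:2d}  {r.treatment:<8} {r.asset}: {r.threat} via {r.vulnerability}")
    print(treatment_summary(assess(INVENTORY, SCENARIOS)))
```

    The script keeps the asset value as the default consequence, which is what ties the inventory from point 2 to the calculation in point 5; a scenario can override it. Other methodologies multiply consequence and likelihood instead of adding them, which changes the threshold numbers but not the procedure.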
  • Questionnaire before the implementation


    Kindly provide me the questionnaire regarding 20000 & 27000: what questions or queries come before the implementation of the given standard?
     

    Answer:

    I am not sure what you mean, but the questionnaire that you can use before the implementation of ISO 27001 or ISO 20000 is for a gap analysis. If your question is related to the gap, this free tool can be useful for you “Free ISO 27001 Gap Analysis Tool” : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ Or this one “Free ISO 20000 Gap Analysis Tool” : https://advisera.com/20000academy/itil-iso-20000-tools/iso-20000-gap-analysis-tool/
    Another important thing before the implementation is to have an implementation checklist, so this article can be interesting for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    Or also this one “ISO 20000 Implementation Project Checklist (Word)” : https://advisera.com/20000academy/consultants/
    Finally, this article about ISO 27001 and ISO 20000 maybe can be interesting for you “How to implement ISO 27001 and ISO 20000 together” : https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
  • Auditors and certificates


    How does the auditor determine if a certificate is granted or not?
     

    Answer:

    The certification will be granted if there are no major nonconformities; anyway, the final decision or determination is not made by the auditor. The auditor only performs the certification audit, develops a final report, and makes an evaluation about the compliance of the company. After this, in accordance with ISO 17021 (Requirements for bodies providing audit and certification of management systems), "the certification body shall ensure that the persons or committees that make the certification or recertification decisions are different from those who carried out the audits.”
    Maybe this article can be interesting for you “How to get certified against ISO 27001?” : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
    And also this one “Becoming ISO 27001 certified – How to prepare for certification audit” : https://advisera.com/27001academy/iso-27001-certification/
  • Auditors and technical aspects


    Does the auditor verify technical aspects, for example the quality of a network architecture from the security point of view, or the truth of information recorded in risk assessment table?
     

    Answer:

    Yes, an auditor can verify technical aspects, because there are technical controls (A.13.1.1, A.13.1.2, A.13.1.3, specifically related to the network security management), and of course the auditor can verify the truth of the information registered in the risk assessment table, because the auditor needs evidence about the implementation and maintenance of the ISMS and needs to verify if your activities comply with your own documentation. This article can be interesting for you “Infographic: The brain of an ISO auditor – What to expect at a certification audit” : https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
  • BIA in a ISO 27001 implementation?


    Could you kindly confirm for me that, for obtaining the ISO 27001 CERTIFICATION for an organization, a Business Impact Analysis and a BCP document aligned to IT service and recovery are mandatory?
     

    Answer:

    The Business Impact Analysis is not mandatory in the implementation of ISO 27001 (although it can be a best practice). Regarding the BCP document, yes, it is mandatory to have Business continuity procedures, and you can include in these a Business Continuity Plan, or a Disaster Recovery. You can also use ISO 22301 for the implementation of business continuity in ISO 27001, so this article can be interesting for you “How to use ISO 22301 for the implementation of business continuity in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    And there is a list of mandatory documents; you can see it here “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Stage 1 audit - Internal audit performed?


    For the stage 1 audit, should there be an internal audit performed? Or is having the documentation available ok?

     

    Answer:

    Yes, it should be performed. In accordance with clause 9.2.3.1.1 g) of ISO 17021 (Requirements for bodies providing audit and certification of management systems) : "The stage 1 audit shall be performed to evaluate if the internal audits and management review are being planned and performed….”
    Regarding the documentation, it is not mandatory to have a procedure in your ISMS for the internal audit (although it can be a best practice), but it is mandatory to have the internal audit report (and the internal audit program). In this article you can see the list of mandatory documents of ISO 27001:2013 “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    This article can also be interesting for you “How to get certified against ISO 27001?” : https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
  • BCP or DRP?
  • Risk management based on assets?


    "Assets are usually used to perform the risk assessment – although not mandatory by ISO 27001:2013"
    How will I take the risk assessment? I mean, based on what? Can I implement ISO 27001 without asset management and risk assessment?
     

    Answer:

    The recommendable approach is to have a risk management based on assets, although you are right, it is not mandatory. Another approach is to base your risk management on processes, but generally that is for big companies. So, you can implement ISO 27001 without a risk management based on assets, although it is not recommendable (most methodologies are based on assets). Anyway, asset management is an important issue in ISO 27001, and you can do it independently of the risk management. Furthermore, it is mandatory to have a document for the inventory of assets.
    You can see here the list of mandatory documents “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    And this article can also be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • How works ISO 27001?


    I have some questions in my mind; please clarify for me how 20001 & 27001 work, what the benefits are after taking them, and what about the profits after implementation.
     

    Answer:

    ISO 27001 works by establishing requisites for the implementation of an Information Security Management System (ISMS), so basically here it is important to identify risks and reduce them, for the protection of the information. For more information, please see this “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/
    Regarding “20001”, I am sorry but it is not a standard. Do you mean ISO 20000-1 or ISO 22301?
    Regarding benefits and profits after implementation, generally you can consider 4: compliance, marketing edge, lowering the expenses and putting your business in order. For more information about this, please read this article “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    And this free webinar can also be interesting for you “ISO 27001 benefits: How to obtain management support” : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • Perform the risk assessment


    1. How do you carry out risk assessment?
    2. Can you recommend further reading on ISO27001?
     

    Answers:

    1.- There are some steps that you need to perform during the risk assessment; we can summarize these steps in 6. You can find more information here “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    2.- Sure, you can find a lot of information in our blog, for example “What is ISO 27001?” : https://advisera.com/27001academy/what-is-iso-27001/ , you can also read our recent articles : https://advisera.com/27001academy/blog/ or you can also see our webinars : https://advisera.com/27001academy/webinars/ , or you can also see our section of free downloads : https://advisera.com/27001academy/free-downloads/