Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk management based on assets?
Assets are usually used to perform the risk assessment although not mandatory by ISO 27001:2013
How will i take risk assessment ? I mean based on what . Can I do implement ISo27001 with out asset management and risk assessment ?
Answer:
The recommendable is to have a risk management based on assets, although you are right, it is not mandatory. Another approach is to base your risk management in process, but generally it is for big companies. So, you can implement ISO 27001 without a risk management based on assets, although it is not recommendable (most of methodologies are based on assets). Anyway, the asset management is an important issue in ISO 27001, and you can do it independently of the risk management. Furthermore it is mandatory to have a document for the inventory of assets.
You can see here the list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
And this article can be also interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
How works ISO 27001?
some question in my minds please clear me how is works 20001 & 27001 and what is the benefits after taking and what about the profits after implementation
Answer:
ISO 27001 works establishing requisites for the implementation of an Information Security Management System (ISMS), so basically here it is important to identify risks and reduce them, for the protection of the information. For more information, please see this What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/
Regarding 20001 I am sorry but it is not a standard. You mean ISO 20000-1 or ISO 22301?
Regarding benefits and profits after implementation, generally you can consider 4: compliance, marketing edge, lowering the expenses and putting your business in order. For more information about this, please read this article Four key benefits of ISO 27001 implementation : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
And this free webinar can be also interesting for you ISO 27001 benefits: How to obta in management support : https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/ -
Perform the risk assessment
1. How do you carry out risk assessment?
2. Can you recommend further reading on ISO27001?
Answers:
1.- There are some steps that you need to perform during the risk assessment, we can resume these steps in 6, you can find more information here ISO 27001 risk assessment & treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
2.- Sure, you can find many information in our blog, for example What is ISO 27001? : https://advisera.com/27001academy/what-is-iso-27001/ , you can also read our recent articles : https://advisera.com/27001academy/blog/ or you can also see our webinars : https://advisera.com/27001academy/webinars/ , or you can also see our section of free downloads : https://advisera.com/27001academy/free-downloads/ -
Checklist for a self audit
Is there a checklist available that can be used when performing a self audit?
Answer:
Yes, you can use this Internal Audit Checklist Internal Audit Checklist : https://advisera.com/27001academy/documentation/internal-audit-checklist/ , although every company is different, and you can also develop your own checklist following this article How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
How many papers to get certified?
How many papers i have to pass to get certified?
Answer:
Generally you need to pass an unique exam to get certified, so this free webinar can be interesting for you ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
And maybe this article can be also interesting for you How to learn about ISO 27001 and BS 25999-2 : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
And also this article Lead Auditor Course vs. Lead Implementer Course Which one to go for? : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
The best for you would be to contact some of the certification bodies in your country that provide such services, they will give you more detailed information about the course. Biggest certification bo dies are usually DNV, SGS, Bureau Veritas, and BSI - I'm sure at least one of them will be present in your country. -
Obligatoriedad de cumplimiento
Favor aclarar sobre la obligatoriedad de cumplimiento de algunos aspectos de esta norma para proveedores de alguna empresa que la esté adoptando..
Respuesta:
Si has implementado ISO 27001 en tu negocio, todas las obligaciones y requerimientos de ISO 27001 son para tu negocio, pero puedes establecer y acordar requerimientos con tus proveedores (por ejemplo a través de SLAs), y también puedes solicitar a tus proveedores que implementen y certifiquen ISO 27001.
Este artículo puede ser interesante para ti (en inglés) 6-step process for handling supplier security according to ISO 27001 : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Activities, MAO and RTO
1/ How to includes all activities which support the provision of key products and services.
2/ How to defines maximum tolerable periods of disruption (maximum acceptable outages) for each activity and sets recovery priorities accordingly.
3/ How to defines the recovery time objective for each activity.
Answers:
I suppose that you mean how to define activities , if so, there are basically two options: a.- Determine your activities based on process, or b) Determine your activities based on organizational units. If you need more information, please read this article How to define activities when implementing business continuity according to ISO 22301 : https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Regarding the Maximum Tolerable periods of disruption and the Recovery Time Objective, there are various ways to define them and set recovery priorities, but basically you need to analyze how the disruption of each activity affect to your busin ess, so you can make some questions like How will your clients react to a disruption?, What will be the impact to other activities?, etc. Here you can find more information How to implement business impact analysis (BIA) according to ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ And this article can be also interesting for you Five tips for Successful Business Impact Analysis : https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/ -
Save time with ISO 27001
i allready have been Certified with ISO 27001. May i use any documents of this in order to save time and what are the additional different documents?
Answer:
Absolutely, if you have implemented and certified ISO 27001 in your company, you will save many time in the implementation of ISO 22301, because there are many things in common (Risk Assessment & Treatment, Incident Management, Internal Audit, Management Review, etc), so you can implemented them together, although there are some specific requirements in ISO 22301 (for example the BIA). For more information about this, you can see this free webinar ISO 27001 & ISO 22301: Why is it better to implement them together? : https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
Finally, this article can be also interesting for you "How to use ISO 22301 for the implementation of business continuity in ISO 27001" : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/ -
Risks for data center
Answer:
I'm not sure if I understood your question correctly, but typically in the data center you have to assess the risks related to your servers, telecommunications, and the infrastructure (power supply and air conditioning). The threats related to these assets are very different, ranging from environmental (floods, earthquakes), to man-made (hacker attacks, negligence, etc.).
The point is - you have to assess what is applicable for your particular data center. Here are some articles that can help you:
Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
ISO 27001 C ase study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ -
Mandatory ISO 27001 documents and major nonconformity
* Scope of the ISMS (clause 4.3)
* Information security policy and objectives (clauses 5.2 and 6.2)
* Risk assessment and risk treatment methodology (clause 6.1.2)
* Statement of Applicability (clause 6.1.3 d)
* Risk treatment plan (clauses 6.1.3 e and 6.2)
* Risk assessment report (clause 8.2)
* Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
* Inventory of assets (clause A.8.1.1)
* Acceptable use of assets (clause A.8.1.3)
* Access control policy (clause A.9.1.1)
* Operating procedures for IT management (clause A.12.1.1)
* Secure system engineering principles (clause A.14.2.5)
* Supplier security policy (clause A.15.1.1)
* Incident management procedure (clause A.16.1.5)
* Business continuity procedures (clause A.17.1.2)
* Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
Records of training, skills, experience and qualifications (clause 7.2)
* Monitoring and measurement results (clause 9.1)
* Internal audit program (clause 9.2)
* Results of internal audits (clause 9.2)
* Results of the management review (clause 9.3)
* Results of corrective actions (clause 10.1)
* Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
please explain me how can I determine which of this mandatory DOCs are minor and witch of them is major? and I have to prepare all of these DOCs and if i don't have one of them the external audit maybe don't accept and get a Certifation or it is not important if we don't have all of these procedure in our company??
Answer:
I'm not sure what do you mean by "major" and "minor" documents? All the documents and records that you listed are mandatory according to ISO 27001, so if you don't have any of them the certification auditor will raise a major nonconformity.
These articles will help you:
8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/