Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How many papers to get certified?
How many papers i have to pass to get certified?
Answer:
Generally you need to pass an unique exam to get certified, so this free webinar can be interesting for you ISO 27001 Lead Auditor Course preparation training : https://advisera.com/training/iso-27001-lead-auditor-course/
And maybe this article can be also interesting for you How to learn about ISO 27001 and BS 25999-2 : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
And also this article Lead Auditor Course vs. Lead Implementer Course Which one to go for? : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
The best for you would be to contact some of the certification bodies in your country that provide such services, they will give you more detailed information about the course. Biggest certification bo dies are usually DNV, SGS, Bureau Veritas, and BSI - I'm sure at least one of them will be present in your country. -
Obligatoriedad de cumplimiento
Favor aclarar sobre la obligatoriedad de cumplimiento de algunos aspectos de esta norma para proveedores de alguna empresa que la esté adoptando..
Respuesta:
Si has implementado ISO 27001 en tu negocio, todas las obligaciones y requerimientos de ISO 27001 son para tu negocio, pero puedes establecer y acordar requerimientos con tus proveedores (por ejemplo a través de SLAs), y también puedes solicitar a tus proveedores que implementen y certifiquen ISO 27001.
Este artículo puede ser interesante para ti (en inglés) 6-step process for handling supplier security according to ISO 27001 : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/ -
Activities, MAO and RTO
1/ How to includes all activities which support the provision of key products and services.
2/ How to defines maximum tolerable periods of disruption (maximum acceptable outages) for each activity and sets recovery priorities accordingly.
3/ How to defines the recovery time objective for each activity.
Answers:
I suppose that you mean how to define activities , if so, there are basically two options: a.- Determine your activities based on process, or b) Determine your activities based on organizational units. If you need more information, please read this article How to define activities when implementing business continuity according to ISO 22301 : https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Regarding the Maximum Tolerable periods of disruption and the Recovery Time Objective, there are various ways to define them and set recovery priorities, but basically you need to analyze how the disruption of each activity affect to your busin ess, so you can make some questions like How will your clients react to a disruption?, What will be the impact to other activities?, etc. Here you can find more information How to implement business impact analysis (BIA) according to ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/ And this article can be also interesting for you Five tips for Successful Business Impact Analysis : https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/ -
Save time with ISO 27001
i allready have been Certified with ISO 27001. May i use any documents of this in order to save time and what are the additional different documents?
Answer:
Absolutely, if you have implemented and certified ISO 27001 in your company, you will save many time in the implementation of ISO 22301, because there are many things in common (Risk Assessment & Treatment, Incident Management, Internal Audit, Management Review, etc), so you can implemented them together, although there are some specific requirements in ISO 22301 (for example the BIA). For more information about this, you can see this free webinar ISO 27001 & ISO 22301: Why is it better to implement them together? : https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
Finally, this article can be also interesting for you "How to use ISO 22301 for the implementation of business continuity in ISO 27001" : https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/ -
Risks for data center
Answer:
I'm not sure if I understood your question correctly, but typically in the data center you have to assess the risks related to your servers, telecommunications, and the infrastructure (power supply and air conditioning). The threats related to these assets are very different, ranging from environmental (floods, earthquakes), to man-made (hacker attacks, negligence, etc.).
The point is - you have to assess what is applicable for your particular data center. Here are some articles that can help you:
Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
ISO 27001 C ase study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/ -
Mandatory ISO 27001 documents and major nonconformity
* Scope of the ISMS (clause 4.3)
* Information security policy and objectives (clauses 5.2 and 6.2)
* Risk assessment and risk treatment methodology (clause 6.1.2)
* Statement of Applicability (clause 6.1.3 d)
* Risk treatment plan (clauses 6.1.3 e and 6.2)
* Risk assessment report (clause 8.2)
* Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
* Inventory of assets (clause A.8.1.1)
* Acceptable use of assets (clause A.8.1.3)
* Access control policy (clause A.9.1.1)
* Operating procedures for IT management (clause A.12.1.1)
* Secure system engineering principles (clause A.14.2.5)
* Supplier security policy (clause A.15.1.1)
* Incident management procedure (clause A.16.1.5)
* Business continuity procedures (clause A.17.1.2)
* Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
Records of training, skills, experience and qualifications (clause 7.2)
* Monitoring and measurement results (clause 9.1)
* Internal audit program (clause 9.2)
* Results of internal audits (clause 9.2)
* Results of the management review (clause 9.3)
* Results of corrective actions (clause 10.1)
* Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
please explain me how can I determine which of this mandatory DOCs are minor and witch of them is major? and I have to prepare all of these DOCs and if i don't have one of them the external audit maybe don't accept and get a Certifation or it is not important if we don't have all of these procedure in our company??
Answer:
I'm not sure what do you mean by "major" and "minor" documents? All the documents and records that you listed are mandatory according to ISO 27001, so if you don't have any of them the certification auditor will raise a major nonconformity.
These articles will help you:
8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/ -
Asset owner and custodians
In your risk assessment templates, you have used the term Asset Owner. It occurred to me that this might not be the same person as the person to which the asset is assigned.
For example, a Chief of Operations role might be specified as the Asset Owner of all laptops but individual staff members may be indicated as Custodian for each laptop.
Is there a definition of Asset Owner in the context of ISO27001?
Is the term Custodian ever used in this context for ISO27001 or does the term always need to be Asset Owner?
Answer:
There is no specific definition for the asset owner in ISO 27001:2013, although in the ISO 27002:2013 (control 8.1.2 Ownership of assets), you can read that the asset owner can be either an individual or an entity who should be responsible for the proper management of an asset over the whole asset lifecycle, so if the asset is assigned to a person and this person is responsible of the management of the asset, this person should be the asset owner.
The same point of ISO 27002:2013 also defines that t he routine tasks may be delegated to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner, so custodian is used but not in ISO 27001:2013, is used in ISO 27002:2013.
So the Chief of Operations could be the asset owner if he is responsible of the management of the asset, and generally individual staff members can be custodians.
It is also important to know the term risk owner (new term introduced in the new ISO 27001:2013), which in accordance with ISO 27000:2014 is a person or entity with the accountability and authority to manage a risk"). If you want to know more information about asset owners and risk owners, please read this article Risk owners vs. Asset owners in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ -
ISMS implementation project vs DLP software purchase
- are there any risk of interdependence between the three projects? because the three projets are for the web application
- or we have to wait the implimentation of DLP and source code audit to start the projet ISMS because the objective of three projets is secure the web applications.
Answer:
The best would be to start first the ISMS implementation project because it will give you clear idea on what security controls you need, which also means you will get a clear picture on what kind of DLP software and source code audit soft ware you need.
If you can't wait with the purchase of these two software, then I think it would be best to wait with the ISMS implementation after this purchase is made. -
Implement all the controls before certification audit?
Answer:
If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.
In other words, you can leave only smaller number of less significant controls to be implemented after the certification. In such case, you have to ask risk owners to accept the residual risks. -
ISO 27001/ISO 22301 Toolkit for SAAS environtments
My customer queried whether the current 27001/22301 kit also caters for SAAS environments. I'd appreciate a swift reply on this one.
Answer:
I am not sure what you mean, but our ISO 27001/22301 Toolkit is developed for any type of business, mainly for small and medium companies. So, you can use it for the implementation of ISO 27001/ISO 22301 in SAAS environments.
This article can be interesting for you Cloud computing and ISO 27001 / BS 25999 : https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
Finally, it is important to know that many of our toolkit customers are providing cloud services, here you can see their testimonials: https://advisera.com/27001academy/testimonials/