I'm not sure if I understood your question correctly, but typically in the data center you have to assess the risks related to your servers, telecommunications, and the infrastructure (power supply and air conditioning). The threats related to these assets are very different, ranging from environmental (floods, earthquakes), to man-made (hacker attacks, negligence, etc.).
The point is - you have to assess what is applicable for your particular data center. Here are some articles that can help you:
Mandatory ISO 27001 documents and major nonconformity
* Scope of the ISMS (clause 4.3)
* Information security policy and objectives (clauses 5.2 and 6.2)
* Risk assessment and risk treatment methodology (clause 6.1.2)
* Statement of Applicability (clause 6.1.3 d)
* Risk treatment plan (clauses 6.1.3 e and 6.2)
* Risk assessment report (clause 8.2)
* Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
* Inventory of assets (clause A.8.1.1)
* Acceptable use of assets (clause A.8.1.3)
* Access control policy (clause A.9.1.1)
* Operating procedures for IT management (clause A.12.1.1)
* Secure system engineering principles (clause A.14.2.5)
* Supplier security policy (clause A.15.1.1)
* Incident management procedure (clause A.16.1.5)
* Business continuity procedures (clause A.17.1.2)
* Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And here are the mandatory records:
* Records of training, skills, experience and qualifications (clause 7.2)
* Monitoring and measurement results (clause 9.1)
* Internal audit program (clause 9.2)
* Results of internal audits (clause 9.2)
* Results of the management review (clause 9.3)
* Results of corrective actions (clause 10.1)
* Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Please explain to me how I can determine which of these mandatory documents are minor and which of them are major. Do I have to prepare all of these documents? If I don't have one of them, maybe the external audit won't accept it and we won't get a certification, or is it not important if we don't have all of these procedures in our company?
Answer:
I'm not sure what you mean by "major" and "minor" documents. All the documents and records that you listed are mandatory according to ISO 27001, so if you don't have any of them, the certification auditor will raise a major nonconformity.
In your risk assessment templates, you have used the term Asset Owner. It occurred to me that this might not be the same person as the person to which the asset is assigned.
For example, a Chief of Operations role might be specified as the Asset Owner of all laptops but individual staff members may be indicated as Custodian for each laptop.
Is there a definition of Asset Owner in the context of ISO27001?
Is the term Custodian ever used in this context for ISO27001 or does the term always need to be Asset Owner?
Answer:
There is no specific definition of the asset owner in ISO 27001:2013. However, in ISO 27002:2013 (control 8.1.2 Ownership of assets) you can read that the asset owner can be either an individual or an entity who should be responsible for the proper management of an asset over the whole asset lifecycle. So, if the asset is assigned to a person and this person is responsible for the management of the asset, this person should be the asset owner.
The same point of ISO 27002:2013 also states that routine tasks may be delegated to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner. So the term custodian is used, but not in ISO 27001:2013; it is used in ISO 27002:2013.
So the Chief of Operations could be the asset owner if he is responsible for the management of the asset, and generally individual staff members can be custodians.
It is also important to know the term risk owner (a new term introduced in the new ISO 27001:2013), which in accordance with ISO 27000:2014 is "a person or entity with the accountability and authority to manage a risk". If you want more information about asset owners and risk owners, please read this article, Risk owners vs. Asset owners in ISO 27001:2013: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
ISMS implementation project vs DLP software purchase
- Is there any risk of interdependence between the three projects? Because the three projects are for the web application.
- Or do we have to wait for the implementation of DLP and source code audit to start the ISMS project, because the objective of the three projects is to secure the web applications?
Answer:
The best would be to start first with the ISMS implementation project, because it will give you a clear idea of what security controls you need, which also means you will get a clear picture of what kind of DLP software and source code audit software you need.
If you can't wait with the purchase of these two pieces of software, then I think it would be best to wait with the ISMS implementation until after this purchase is made.
Implement all the controls before certification audit?
Answer:
If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.
In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask the risk owners to accept the residual risks.
ISO 27001/ISO 22301 Toolkit for SAAS environments
My customer queried whether the current 27001/22301 kit also caters for SAAS environments. I'd appreciate a swift reply on this one.
Answer:
I am not sure what you mean, but our ISO 27001/22301 Toolkit is developed for any type of business, mainly for small and medium companies. So, you can use it for the implementation of ISO 27001/ISO 22301 in SAAS environments.
This article may be interesting for you, Cloud computing and ISO 27001 / BS 25999: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
Finally, it is important to know that many of our toolkit customers are providing cloud services; here you can see their testimonials: https://advisera.com/27001academy/testimonials/
Scope with limited resources
I have an unavoidably large scope but limited resources. My risk treatment plan has an overwhelming number of items that need to be treated. I have already prioritized treatment based on risk level, but I don't have sufficient resources to treat all of them in a timely manner. How should I proceed? For example: Is it okay to simply accept some of the risks in the treatment plan with a view to reducing or transferring them at a later date?
Answer:
If you cannot reduce risks, the other options are: accept, avoid or transfer them. This is related to the risk treatment process. So, now you need to select an option for each risk (for example, accept those that you cannot reduce), and when you perform the risk assessment again (generally once per year) you need to select an option again (it can be the same, for example accept them, or it can be different, for example reduce or transfer them).
The best approach, in my view, considering your case: accept the risks now, and in the next cycle of the risk assessment reduce them (obviously if you can; if not, you can again accept, avoid or transfer them).
This article may be interesting for you, Risk Treatment Plan and risk treatment process: What's the difference?: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Predefined time for CCTV camera
Is there any predefined time period for CCTV camera log retention according to best practice, law or guidelines? I tried to find out, but nowhere am I getting a specific time period. Or will it be based on contract or service obligation, business need?
Answer:
If your question is about logs related to the control of the CCTV camera software (registration of user access, shutdowns of the system, incidents, etc.), there is no predefined time period, so it depends on the interests of each organization.
But if your question is about recorded images, these can be related to personal data, and generally each country has laws (related to personal data) that establish a time limit for keeping these images (in some European countries it is 30 days).
This list of laws related to information security in each country may be interesting for you, Laws and regulations on information security and business continuity: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Key concept of ISMS
Could you share the key concept of ISMS?
Answer:
From my point of view, the key concept of an ISMS is information (and its protection). It is also one of the more important things in our current age (the information age). How can we protect information? Basically by identifying risks and reducing them, and this is also covered by an ISMS (risk is also an important concept in an ISMS).
This article about the basic logic of ISO 27001 may be interesting for you, The basic logic of ISO 27001: How does information security work?: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/