Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Scope with limited resources
I have an unavoidably large scope but limited resources. My risk treatment plan has an overwhelming number of items that need to be treated. I have already prioritized treatment based on risk level but I dont have sufficient resources to treat all of them in a timely manner. How should I proceed? For example: Is it okay to simply accept some of the risks in the treatment plan with a view to reducing or transferring them at a later date?
Answer:
If you cannot reduce risks, other options are: accept, avoid or transfer them. It is related with the Risk treatment process. So, now you need to select an option for each risk (for example accept those that you cannot reduce), and when you perform again the risk assessment (generally 1 per year) you need to select again an option (can be the same, for example accept them, or can be different, for example reduce or transfer them).
The best approach for me would be, considering your case: now accept risks, and in the next cycle of the risk assessment reduce them (obviously if you can, i f not, you can again accept, or avoid or transfer them).
This article can be interesting for you Risk Treatment Plan and risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment -
Predefined time for CCTV camera
Is there any predefined time period for CCTV Camera logs retention according to best practice or law or guidelines. I tried to find out but no where getting specific time period. Or it will be based on contract or service obligation, business need.
Answer:
If your question is about logs related to the control of the software of the CCTV camera (registration of user access, shutdowns of the system, incidents, etc.) there is no predefined time period, so it depends on the interests of each organization.
But if your question is about recorded images, it can be related with personal data, and generally each country has laws (related to personal data) to establish a time limit to maintain these images (in Europe in some countries is 30 days)
This list about laws, related to information security, of each country can be interesting for you Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Key concept of ISMS
Could you share the key concept of ISMS?
Answer:
From my point of view, the key concept of an ISMS is the information (and its protection). And it is also one of the more important things in our current age (information age). How can we protect the information? Basically identifying risks and reducing them, and it is also covered by an ISMS (the risk is also an important concept in an ISMS).
This article about the basic logic of ISO 27001 can be interesting for you The basic logic of ISO 27001: How does information security work? : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Data center assets
data center assets, threats and vulnerabilities?
What's assets and common security threats and vulnerabilities in data centers?
Answer:
In accordance with the definitions of ISO 27000, an asset is anything that has value to the organization. So, from my point of view you can identify: servers, switches, routers, Access points, operative systems, databases, employees, facilities, etc. This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And there are not common threats and vulnerabilities related to data centers, but you can use a catalogue and select those that can affect to your assets. Here you can find a catalogue of threats and vulnerabilities Catalogue of threats & vulnerabilities : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Finally, I think that this article can be also interesting for you ISO 27001 risk assessment: H ow to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Company that does not develop software
I am implementing ISO 27001:2013 for one company. They do not develop any software but they use out of the box softwares for internal usage. Rest they have typical IT network (Switches, Routers, Email etc).
Are below mentioned controls applicable?
A. 14.2.5 Secure System Engineering Principles
A. 14.2.6 Secure Development Environment
A. 14.2.8 System Security Testing
A. 14.2.9 System Acceptance Testing
A. 14.3.1 Protection of Test Data
A. 10.1.1 Policy on the use of Cryptographic Control
Answer:
The decisions about if these controls apply, needs to be made after the risk assessment & treatment. So, if there are no risks related to the develop of software, or with cryptographic controls, you dont need to apply them.
Finally these articles can be interesting for you:
ISO 27001 risk assessment 6 treatment 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
"The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Risk Assessment Toolkit
I downloaded the free version of the application Risk Assessment Toolkit. My question is the following: the application is helpful only for the preparation of the documents?
Performs cross-checking specific (for example 6.1.3 / Annex A)?
Answer:
I am not sure what you mean, but with our Risk Assessment Toolkit you have all necessary documents to perform the risk assessment and the risk treatment, so you can comply with clauses 6.1.2, 6.1.3 e), 6.2 and 8.2 of ISO 27001:2013. Is a requisite in the standard to have documented these clauses.
Here you can see a list of mandatory documents List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Finally, if you buy the toolkit you will receive 60-day access to these tutorials that will show you how to fill in the documentation templates:
(1) Video tutorial: How to Write the ISO 27001 Risk Assessment Methodology, (2) Video tutorial: How to Implement Risk Assessme nt According to ISO 27001, (3) Video tutorial: How to Implement Risk Treatment According to ISO 27001, (4) Video tutorial: How to Write ISO 27001 Risk Assessment Report, (5) Video tutorial: How to Write ISO 27001 Statement of Applicability, (6) Video tutorial: How to Write ISO 27001 Risk Treatment Plan, (7) Webinar on demand: Risk Management Part 1, and (8) Webinar on demand: Risk Management Part 2 -
Group of assets
I have a question about listing assets for the risk assessment. Is it acceptable to list similar assets under a single asset item (e.g. "laptops") instead of listing every item individually?
Assuming this might be ok, is it then acceptable to add more specific items to the same list. E.g. "All Dell laptops" or "Jane Smith's laptop"? Otherwise it seems that the list of assets and risk assessment items could easily grow to impractical or unmanageable proportions.
Answer:
Yes, you can create group of assets, for example laptops if they have the same threats/vulnerabilities and also the same risk. Regarding your second question, you need to take care, because you can have laptops located in others facilities or other companies- which can have different threats/vulnerabilities and risks, so in this case you cannot include them in the same group laptops. It is also important to think about the data that the laptop has: If Jane Smith is for example the head of HR Department, maybe has confidential information (which is not in oth er laptop) and is critical for the business. So from my point of view in this case will be better to have an individual asset.
This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Many documents
I am conscious that this process generates a lot of paperwork, and one of the push backs from the business is that it will become too cumbersome to manage and things will get missed / ignored because it is unrealistic to maintain and make people aware of everything. Ultimately, we dont want this just to become a tick box exercise and lose sight of why we are doing it. I would be interested in knowing how other companies have addressed this i.e. have they consolidated all the documents into a single document or grouped certain policies and documents together?
Answer:
Generally the number and complexity of documents is adapted to the particular needs of each company, please read this article for more information 8 criteria to decide which ISO 27001 policies and procedures to write : https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
By the way, in accordance with ISO 27001, there are some mandatory documents, you can see the list here List of mandatory documen ts required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Questions for HR team during the Internal Audit
Can you please give me some ideas on what kind of questions can be asked while I perform the internal audit to the HR team, Testing team
Answer:
Generally you need to verify if the HR team is compliant with the domain "A.7 Human resource security , which is included in the Annex A of ISO 27001:2013, and is composed by the objective control "A.7.1 Prior to employment", "A.7.2 During employment" and "A.7.3 Termination and change of employment". In some cases, can be also necessary ask to them questions related to legal obligations (domain A.18), if the HR team is responsible for these issues.
So basically you need to ask questions related to the compliant of controls included in the domain A.7.
Finally, this article can be interesting for you How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
Data center relocated
Our data center relocated from one place to another, Can you have any check list through which we assess DC Migration, OR Post DC Migration checklist.
Answer:
I am not sure what you mean, but we do not have this specific checklist. Anyway, if you have relocated your data center, generally it is recommendable to perform again the risk assessment & treatment. You can use our methodology for this, which is composed by a Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. You can download a free version of our Risk Assessment Toolkit clicking on Free Demo tab here ISO 27001/ISO 22301 Risk Assessment Toolkit : https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
We also have a checklist for the internal audit "Internal Audit Checklist" : https://advisera.com/27001academy/documentation/internal-audit-checklist/