Our data center relocated from one place to another. Do you have any checklist through which we can assess the DC migration, or a post-DC-migration checklist?
Answer:
I am not sure what you mean, but we do not have this specific checklist. Anyway, if you have relocated your data center, generally it is recommendable to perform the risk assessment & treatment again. You can use our methodology for this, which is composed of a Risk Assessment Table, Risk Treatment Table, Risk Assessment and Treatment Report, Statement of Applicability and Risk Treatment Plan. You can download a free version of our Risk Assessment Toolkit by clicking on the Free Demo tab here: ISO 27001/ISO 22301 Risk Assessment Toolkit : https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
We also have a checklist for the internal audit, "Internal Audit Checklist" : https://advisera.com/27001academy/documentation/internal-audit-checklist/
I was wondering if you might have recommendations for implementer training for ISO 27001? My employer is pondering pursuing certification and I've not fully kept up with the standard the past few years. I did implementer training via BSi about 10 years ago, but things have obviously changed since then. Also, the BSi training was quite boring.
The scope of our certification is the IT Customer Operation Department, including Internal IT, Engineering and Infrastructure. HR and Legal are excluded from the scope. My question is whether I can exclude all the controls which are their responsibility, for example Securing Offices, Disciplinary Process or Identification of Applicable Legislation.
Thank you in advance for your opinion,
One more question do you also offer consultation?
Answer:
You can exclude controls only if there are no risks which would require such controls. So if, after the risk assessment & treatment, you do not need these controls to reduce risks, you can exclude them.
Anyway, from my point of view, generally you cannot exclude controls related to compliance, laws or applicable legislation, because they are requirements of the business.
This article can be interesting for you: ISO 27001 risk assessment & treatment: 6 basic steps : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
And also this article: How to define the ISMS scope : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Regarding your last question, yes, we offer consulting services for the implementation of ISO 27001 in your business if you buy our toolkit, although you can also ask us questions related to ISO 27001 and/or ISO 22301 at no cost.
PECB, IRCA, ISO and RABQSA
There are many organizations issuing ISO 27001 certification, like PECB, IRCA, ISO and RABQSA. Which one is the best?
Answer:
They are different things (PECB, IRCA, ISO and RABQSA). Certification bodies can issue an ISO 27001 certificate to a company; some certification bodies are PECB, Bureau Veritas, BSI, AENOR, SGS, etc. But IRCA, ISO and RABQSA are not certification bodies that can issue certificates to companies, although IRCA and RABQSA can certify individual professionals (ISO 27001 Lead Auditor, Lead Implementer, etc.).
So basically a certification body (for example PECB) can certify companies in ISO 27001, but these entities need to be accredited in each country by an accreditation body (in the United Kingdom, for example, it is UKAS : https://www.ukas.com).
Also, it is important to know that ISO is neither a certification body nor an accreditation body; it is only a standardization body that develops and publishes standards (ISO 27001, ISO 22301, ISO 9001, etc.).
To know which is the best certification body for your business, there are some parameters like reputation, accreditation, etc. For more information please read this article: How to choose a certification body : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Activity Recovery Plan Section 8
I'm sorry for responding this late.
I didn't quite understand your question - in our template, we have "Recovery steps for the activity" in section 6, and the section prior to this is called "Necessary resources".
In any case, in the "Recovery steps" section you should describe exactly what your employees will need to do to resume their business operations - e.g. travel to the alternative location, purchase missing equipment, find additional human resources, restart key software applications, restore all the data from the backup, test if some data is missing, etc.
System admin requires ISO 27001 certification?
Hi, I am working as a system admin manager with 14 years of operations experience. Can you share the justification for why a system admin requires ISO 27001 certification and training, and how this course helps them to implement best practices and compliance up to the mark?
Answer:
It is not established in ISO 27001 that a specific profile (system admin or any other) needs to have an ISO 27001 certification, but obviously if a company wants to implement ISO 27001 it needs to have people with experience and knowledge about ISO 27001. So in this case training about the standard is necessary for those people involved in the implementation (if they do not have the necessary knowledge), and it can be interesting to obtain the ISO 27001 Lead Implementer certification, although it is not mandatory.
The ISO 27001 Lead Implementer course will give your employees the necessary information for the implementation and for being compliant with the requirements of the standard in your organization, taking into account that ISO 27001 is a standard about Information Security Management Systems.
To implement best practices about information security, the best is to have knowledge about ISO 27002, which is basically a code of best practices for information security, so if you are interested in best practices, training about ISO 27002 is better.
Finally, these articles can be interesting for you:
"How to learn about ISO 27001 and BS 25999-2" : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
"Lead Auditor Course vs. Lead Implementer Course - Which one to go for?" : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
Certifications and Training programs
I would like to check with you whether the BSI certifications and their training program are worthwhile and have value and recognition.
Also if there are any other options please advise.
I am in the process of identifying assets for our organization. I ended up identifying several key IT services which enable various business processes. For example:
IT Service: EMAIL
Information Assets: Supports Communication and storage of Customer Information
Application: MS Exchange
OS: Windows Server 2008 r2
Hardware: HP DL380
Facility: DataCenter
In my risk assessment where do I reference the IT Service and Information Assets line, or are they just ignored? Should I reference them in any other documents? I thought this was a helpful way to group as it shows relationships.
Answer:
From my point of view, you should not ignore the IT service; you can identify it as an asset of type "service" and assign threats/vulnerabilities to it (in accordance with your methodology). You can reference this type of asset in the same document that you already have, I mean, in your asset inventory.
Finally, do you need information about threats and vulnerabilities that can affect your assets? This article can be interesting for you: Catalogue of threats & vulnerabilities : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
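The following is an added example (not part of the original answer or Advisera's toolkit) of how the service-to-facility grouping from the question can be kept in a single asset inventory and still feed the risk assessment. The service is recorded as an asset of type "service" that depends on the application, OS, hardware and facility beneath it; a risk register for the service is then built from its own threats/vulnerabilities plus those of every supporting asset. The asset names mirror the question; owners, threats, vulnerabilities, the 1-5 likelihood/impact scale and the acceptable-risk level are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair on an asset (assumed 1-5 scales)."""
    threat: str
    vulnerability: str
    likelihood: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible .. 5 = severe (assumed scale)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    """One row of the asset inventory; depends_on links a service to what supports it."""
    name: str
    asset_type: str  # service, information, application, os, hardware, facility
    owner: str
    depends_on: List[str] = field(default_factory=list)
    risks: List[Risk] = field(default_factory=list)


# Constructed inventory mirroring the EMAIL example in the question.
# Owners, risks and scores are hypothetical.
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("EMAIL", "service", "IT Customer Operations",
          depends_on=["Customer correspondence", "MS Exchange"],
          risks=[Risk("Phishing via inbound mail", "No attachment sandboxing", 4, 3)]),
    Asset("Customer correspondence", "information", "Customer Operations",
          risks=[Risk("Unauthorized disclosure", "Mailboxes not classified or encrypted", 3, 4)]),
    Asset("MS Exchange", "application", "Messaging team",
          depends_on=["Windows Server 2008 R2"],
          risks=[Risk("Exploitation of unpatched server", "Patches applied irregularly", 3, 5)]),
    Asset("Windows Server 2008 R2", "os", "Windows team",
          depends_on=["HP DL380"],
          risks=[Risk("Exploitation of a known vulnerability", "OS out of vendor support", 4, 5)]),
    Asset("HP DL380", "hardware", "Infrastructure",
          depends_on=["DataCenter"],
          risks=[Risk("Hardware failure", "Single server, no spare", 2, 4)]),
    Asset("DataCenter", "facility", "Facilities",
          risks=[Risk("Power outage", "Generator never tested", 2, 5)]),
]}


def supporting_assets(inventory: Dict[str, Asset], name: str) -> List[str]:
    """Transitive dependencies of `name`, each listed once; safe on cyclic links."""
    seen, order = set(), []
    stack = list(reversed(inventory[name].depends_on))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        order.append(current)
        stack.extend(reversed(inventory[current].depends_on))
    return order


def risk_register(inventory: Dict[str, Asset], service: str) -> List[dict]:
    """Risk Assessment Table rows for a service: its own risks plus inherited ones."""
    rows = []
    for asset_name in [service] + supporting_assets(inventory, service):
        asset = inventory[asset_name]
        for r in asset.risks:
            rows.append({"service": service, "asset": asset.name,
                         "asset_type": asset.asset_type, "owner": asset.owner,
                         "threat": r.threat, "vulnerability": r.vulnerability,
                         "score": r.score})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def treatment_needed(rows: List[dict], acceptable_level: int) -> List[dict]:
    """Rows above the (assumed) acceptable level go to the Risk Treatment Table."""
    return [row for row in rows if row["score"] > acceptable_level]


if __name__ == "__main__":
    for row in risk_register(INVENTORY, "EMAIL"):
        print(f'{row["score"]:>3}  {row["asset"]:<25} {row["threat"]}')
```

The service row in the inventory is what the risk assessment references; the traversal shows why keeping the relationships matters, since the highest-scoring risk to EMAIL here sits on the OS, not on the service itself, and the asset owner listed on each row is who the treatment plan is assigned to.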
Which is the log server requirement for the ISO 27001 firewall?
Answer:
I am not sure what you mean, but there is no specific requirement in ISO 27001 related to firewall logs, although you can find the control objective A.12.4 Logging and monitoring, which has controls for event logging, protection of logs, clock synchronization, and administrator and operator logs. So there are requirements in the standard related to any type of logs.
Maybe this article about firewalls can be interesting for you: How to use firewalls in ISO 27001 and ISO 27002 implementation : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/