Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
People asset
It is possible or even likely that a company would not have any people assets with respect to knowing information which is not found anywhere else? The company is about 100 people in scope? If I may be missing something, what would be the best method for determining if a person needs to be listed as an information asset?
Answer:
I am not sure what you mean, but generally is not possible that a company haven't people assets with critical information which is not found anywhere else. All companies have a hierarchy, and generally the top of the organization has information about the business that dont know normal employees (neither external people). So all people related to the scope of the ISMS- it is important for the risk assessment, so it is important to identify them in your inventory asset.
Regarding your last question, the best method for determining if a person needs to be listed as an information asset is to know is this person is affected by the scope of the ISMS (if is working in the ISMS, or has any responsibility, or ha s information about the business related with the ISMS, or perform activities related to the scope of the ISMS, etc).
Finally maybe this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
ISO 31000 and ISO 27001
transition from ISO 27001 risk assessment (asset based) to ISO 31000 based risk assessment (context based)? please share the sample format?
Answer:
There is no requirement to use ISO 31000 risk assessment methodology in when implementing ISO 27001, both are different standards: ISO 27001 establishes requisites for a Information Security Management System, and ISO 31000 is a guideline for the risk management.
Anyway, ISO 27001:2013 not requires you to use a specific model based methodology, so if you want, in ISO 27001:2013 you can use an asset based methodology, or if you want, you can use a process based methodology, or any other.
It is important to say here that ISO 27005 is very similar to ISO 31000, but ISO 27005 is focused on risks related to information security (ISO 31000 is for any type of risks).
Finally, I am not sure what you mean with sample format, but we have a template for the methodology of the risk management (asset based), you can see a free version here clicking on Free Demo tab Risk Assessment and Risk Tr eatment Methodology : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
You can also read these articles:
How to write ISO 27001 risk assessment methodology : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
ISO 31000 and ISO 27001 How are they related? : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ -
Política de escritorio limpio
que es la politica de escritorio limpio
Respuesta:
Generalmente esta política establece que los escritorios necesitan estar limpios de información, teniendo en cuenta la clasificación de la información, los requerimientos legales y contractuales y los correspondientes aspectos de riesgos y culturales de la organización. Por tanto, no es una buena idea dejar usuarios/contraseñas, información de clientes, acuerdos, etc. en tu escritorio, principalmente porque podrían ser accesible por personas no autorizadas.
Este artículo sobre la clasificación de la información puede ser interesante para ti (en inglés) Information classification according to ISO 27001 : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Finalmente, nosotros tenemos una plantilla para esta política, puedes ver una versión gratuita clickeando en la pestaña "Demostración gratis" aquí Política de pantall a y escritorio limpios : https://advisera.com/27001academy/es/documentation/politica-de-pantalla-y-escritorio-limpios/ -
Questions about assets
Question 1: I don't know how to list people as asset, do I just count numbers of workers and write out what they do?
Question 2: Also, wouldn't hw/sw owner be my company? (Since individual departments do not own them) I'm a bit confused about that.
Question 3: After tightening up these documents, do you have a recommendation to how to get ready for the internal audit?
Answers:
Answer 1: It is important. You can make groups of assets, for example, if you have a number of employees in the IT department you can have the asset "IT employees, and you can also add a brief description about this asset (writing out what they do, and also you can include the number of employees). You can do this because all these assets have the same threats/vulnerabilities and also the same risks, so the logical is to group them. Maybe these articles can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ . How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ And also this free webinar The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Answer 2: From my point of view it is not recommendable, the asset owner should be an employee that manages the asset on a day-to-day basis, for example the IT administrator. But you can also assign as risk owner the head of a department. For more information about this, please read this article Risk owners vs. Asset owners in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Answer 3: Yes, my recommendation is to review the main steps of the implementation process to know if all are completed. This article can be useful for you ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ You can also review if you have all mandatory documents required by ISO 27001:2013, so please read this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Guidance for Information Security Policy
I was wondering where I can find some guidance with regard to Point A.5 Draft Information Security Policy? Is this an Information Security Charter? We plan to set up an Information Security Steering Committee. Should this be included here as well or better a seperate document
Answer:
I am sorry but I am not sure what you mean with Information Security Charter, but at the highest level, organizations should define an "Information security policy" which is approved by top management and which sets out the organizations approach to managing its information security objectives, main responsibilities, etc. Separate from this top-level policy the companies usually develop detailed policies (like Backup policy, Access control policy, etc.).
ISO 27001 does not require Information Security Steering Committee, and smaller companies typically do not have such a body - if you decide to setup such body, it can be defined in the Information security policy.
For more information about the Information Security Policy, please read this article One Information Security Policy, or several policies? : https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
And also this article can be interesting for you Information security policy how detailed should it be? : https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/ -
Asset, threat, vulnerability
Thanks for the reply! Just to make sure I understand, my risk identification would look like the following, with these broader organizational risks identified and repeated for each asset?
Asset Threat Vulnerability
Database Accidental-Privileged User Lack of Change Management
Database Accidental-Privileged User Lack of Security Incident Process
Database Adversarial-Insider Lack of HR Screening Process
Windows Server Accidental-Privileged User Lack of Change Management
Windows Server Accidental-Privileged User Lack of Security Incident Process
Windows Server Adversarial-Insider Lack of HR Screening Process
Answer:
Yes, you are in the right way, although from my point of view the threat Adversarial-Insider could be also related with the vulnerability Lack of Information Security Awareness.
Finally, this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://ad visera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Controls to address personal data
I have a question concerning ISO 27002. Does ISO 27002 address controls that support the privacy of data (such as PHI and PII)?
Answer:
Yes, ISO 27002 has the control A.18.1.4 Privacy and protection of personally identificable information, which can be applicable for the protection of any type of personal data. Regarding PHI Protected Health Information", keep in mind that there are another standard that is specifically related with the information security management in health including personal health information- using ISO 27002. This standard is the ISO 27799:2008, and you can download it from the official site of ISO : https://www.iso.org/standard/41298.html
Finally this list of laws and regulations related to information security and business continuity can be interesting for you Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Gap analysis ISO 27001:2005
Hi Marie, I had an initial gap assessment done in 2012 under iso27001:2005 is this still valid do I need to do / can I switch to 2013?
Answer:
Gap analysis according to 2005 revision of ISO 27001 cannot be use any more because ISO 27001:2005 is not valid any more. If you need more information about the transition between the 2 versions of the standard, this article can be interesting for you How to make a transition from ISO 27001 2005 revision to 2013 revision: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
By the way, this free tool can help you to perform the gap analysis Free ISO 27001 Gap Analysis Tool : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ -
ISO 27018
As we are a public cloud provider I am keen to get an understanding what it would take to get ISO27018:2014 compliant.
Microsoft boost that they are the only 27018 compliant cloud company. If you see the link the refer to ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.
Could we add these "controls" to the SOA and get the same results? Ie get these controls included in the SOA and also say that we are adhering to ISO27018?
You wouldn't happen to have templates that adress these controls?
Answer:
From my point of view, you can use the security controls of ISO 27018 (which is simply a code of best practices, similar to ISO 27002 but focused on the protection of personally identifiable information) and include them in your SoA (obviously if you have implemented an ISMS), specifying that they are included for the compliance with the best practices of ISO 27018. After this, will be recommendable to pass an audit from an exte rnal entity (certification audit), and after this you could say to your customers that your business is compliant with the best practices of ISO 27002 and ISO 27018.
So, if you have an ISMS implemented, you could include the security controls of ISO 27018, but remember, you can not certify ISO 27018 (neither ISO 27002), because it is only a code of best practices.
And I am sorry, but we do not have specific templates for this standard, although you can download the ISO 27018 from the official site of iso.org: https://www.iso.org/standard/61498.html -
ISO 27001 training vs awareness
We have a couple of staff members that have quite a few opinions that we are not training' anybody, just making them aware, which for the most part, I agree with.
Answer:
From the ISO 27001 perspective, training is education - this means during the training you provide additional knowledge and skills to your employees. Example of training is ISO 27001 Lead Implementer Course.
As opposed to trainings, which give an answer to the question How?, awareness must give an answer to the questi on Why? that is, explain to your employees why they should accept information security or business continuity rules.
You'll learn more here: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
By the way clause 5.1.1 from ISO 27001:2013 does not speak about training and awareness - this is specified in clauses 7.2, 7.3 and control A.7.2.2