  • Certifications and Training programs


    I would like to check with you if the BSI Certifications and their Training program are worthwhile and have value and recognition?
    Also, if there are any other options, please advise.
     

    Answer:

    Without a doubt, their certifications and training programs have a great value and recognition, although there are other companies that also have a great value and recognition, so other options can be: Bureau Veritas, AENOR, SGS, etc. 
    This article can be interesting for you “How to learn about ISO 27001 and BS 25999-2” : https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/
    And also these articles:
    “How to become ISO 27001 Lead Auditor” : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    “How to become an ISO 27001 / ISO 22301 consultant” : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
  • Implement ISO 27001


    The goal for me is to implement ISO 27001 in our data IP network with a FIREWALL. The question is: what do I have to do?

     

    Answer:

    You can see the implementation as a project, so the first thing that you need is a project plan. You can find a free template for the project plan in our free download section “Project plan for ISO 27001 / ISO 22301 implementation” : https://advisera.com/27001academy/free-downloads/
    Furthermore, this article about the steps that are common in the implementation of ISO 27001 can also be interesting for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    Finally, this article about firewalls can be interesting for you "How to use firewalls in ISO 27001 and ISO 27002 implementation" : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
  • Identifying assets


    We have received this question:

    I am in the process of identifying assets for our organization. I ended up identifying several key IT services which enable various business processes. For example:
    IT Service: EMAIL
    Information Assets: Supports Communication and storage of Customer Information
    Application: MS Exchange
    OS: Windows Server 2008 r2
    Hardware: HP DL380
    Facility: DataCenter
    In my risk assessment where do I reference the IT Service and Information Assets line, or are they just ignored? Should I reference them in any other documents? I thought this was a helpful way to group as it shows relationships.
     

    Answer:

    From my point of view, you should not ignore the IT service, you can identify it as an asset of type service, and assign to it threats/vulnerabilities (in accordance with your methodology).  You can reference this type of asset in the same document that you already have, I mean, in your asset inventory.
    Finally, do you need information about threats and vulnerabilities that can affect your assets? This article can be interesting for you “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    These articles can also be interesting for you:

    "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Logs


    Which is the LOG SERVER requirement for the 27001 firewall?
     

    Answer:

    I am not sure what you mean, but there is no specific requirement in ISO 27001 related to firewall logs, although you can find the control objective “A.12.4 Logging and monitoring”, which has controls for event logging, protection of logs, clock synchronization, and administrator and operator logs. So there are requirements in the standard related to any type of logs.
    Maybe this article about firewalls can be interesting for you “How to use firewalls in ISO 27001 and ISO 27002 implementation” : https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
  • Outsourced components


    We have outsourced a couple of components of our organization. The support of our server hardware and operating system is supported by 1 company, while the datacenter where these servers sit is supported by another company. 
    Question 1: How would I write this up for our asset inventory?
    Question 2: Are the contracted companies asset owners or risk owners?
    Question 3: Do I list the datacenter facility as a facility asset, or simply identify the environmental threats for the servers there as having shared/outsourced risks for their security control, and ensure our supplier contracts discuss mitigating those threats?
    Question 4: For that matter should I ever list the facility as an asset, or simply the systems and information contained in the facility as assets?
     

    Answers:

    Answer 1: From my point of view, simply including them in your asset inventory (following your methodology), if these assets are related to the scope of your ISMS.
    Answer 2: Yes, external companies can be asset owners and risk owners (even for those assets that are not part of the ISMS scope). For example, the asset owner of a server can be the IT administrator of the external company, and the risk owner can be the head of the IT department of the external company. For more information about these terms, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
    Answer 3: From my point of view it is better if you list the datacenter as a facility asset. Here it is important to have an asset for the datacenter (type facility), because there are threats directly related to this type of asset (there are also other threats directly related to the servers); furthermore, you need to ensure that your supplier contract discusses risks and the mitigation of threats.
    Answer 4: An approach can be: identify the facility as an asset, and also the systems and information contained in it, because they are different types of assets and have different threats/vulnerabilities. Another approach can be: identify a unique asset and assign to it all threats/vulnerabilities related to the facility, systems and information.
    Finally, this article about the asset inventory can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Categorize software


    Your documents reference software as being an asset, shall I document client pcs software individually as an asset(office, adobe ,etc), group them as a business productivity apps category, or ignore them altogether?
     

    Answer:

    Yes, we reference the software in our templates as a type of asset, and from my point of view the best is to document and group the software in categories (operating system, office, database, etc.)
    By the way, do you know how to match assets, threats and vulnerabilities? This article can be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • External vendor performing the Risk assessment


    Is there any part of the risk assessment methodology and process, per your template, that an external vendor performing the assessment and consulting on the ISMS can not do?
     

    Answer:

    I am not sure what you mean, but any part of the risk assessment methodology and process of our templates can be done by any person that knows your business, so you can have external help for this (although the evaluation of impact and likelihood in most cases cannot be done by an external consultant), but it won’t be necessary because if you buy our templates you will have our support.
    Generally, if you hire an external company, or external experts, to perform all activities related to the risk assessment, it will be more expensive.
    Finally, these articles can be interesting for you:
    “5 criteria for choosing an ISO 22301 / ISO 27001 consultant” : https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
    “Do you really need a consultant for ISO 27001 / BS 25999 implementation?” : https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/
  • Phone handset, Asset?


    We have received this question:

    Would a phone handset be considered an asset falling under the jurisdiction of ISO 27001?
     

    Answer:

    From my point of view, generally no. In accordance with ISO 27000 (this standard defines terms of information security) an asset is “anything that has value to the organisation”, and I think that a phone handset has low value for an organization, although it can be important to consider phones, smartphones, etc.
    Anyway if you want, or if in your business a phone handset is important, you can have in your asset inventory this asset.
    Regarding the asset inventory, this article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • People asset


    Is it possible or even likely that a company would not have any people assets with respect to knowing information which is not found anywhere else? The company is about 100 people in scope. If I may be missing something, what would be the best method for determining if a person needs to be listed as an information asset?
     

    Answer:

    I am not sure what you mean, but generally it is not possible that a company doesn't have people assets with critical information which is not found anywhere else. All companies have a hierarchy, and generally the top of the organization has information about the business that normal employees (and external people) don’t know. So all people related to the scope of the ISMS are important for the risk assessment, so it is important to identify them in your asset inventory.
    Regarding your last question, the best method for determining if a person needs to be listed as an information asset is to know if this person is affected by the scope of the ISMS (if they are working in the ISMS, or have any responsibility, or have information about the business related to the ISMS, or perform activities related to the scope of the ISMS, etc.).
    Finally maybe this free webinar can be interesting for you “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 31000 and ISO 27001


    transition from ISO 27001 risk assessment (asset based) to ISO 31000 based risk assessment (context based)? please share the sample format?
     

    Answer:

    There is no requirement to use the ISO 31000 risk assessment methodology when implementing ISO 27001; they are different standards: ISO 27001 establishes requirements for an Information Security Management System, and ISO 31000 is a guideline for risk management.

    Anyway, ISO 27001:2013 does not require you to use a specific model-based methodology, so if you want, in ISO 27001:2013 you can use an asset-based methodology, or if you want, you can use a process-based methodology, or any other.
    It is important to say here that ISO 27005 is very similar to ISO 31000, but ISO 27005 is focused on risks related to information security (ISO 31000 is for any type of risk).
    Finally, I am not sure what you mean by “sample format”, but we have a template for the risk management methodology (asset based); you can see a free version here by clicking on the “Free Demo” tab “Risk Assessment and Risk Treatment Methodology” : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    You can also read these articles:
    “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/ 
    “What has changed in risk assessment in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
    “ISO 31000 and ISO 27001 – How are they related?” : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Clean desk policy


    What is the clean desk policy?
     

    Answer:

    Generally, this policy establishes that desks need to be kept clear of information, taking into account the classification of the information, the legal and contractual requirements, and the corresponding risk and cultural aspects of the organization. Therefore, it is not a good idea to leave usernames/passwords, customer information, agreements, etc. on your desk, mainly because they could be accessible to unauthorized people.

    This article about information classification can be interesting for you (in English) “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    Finally, we have a template for this policy; you can see a free version by clicking on the "Free Demo" tab here “Clear Screen and Clean Desk Policy” (in Spanish: “Política de pantalla y escritorio limpios”) : https://advisera.com/27001academy/es/documentation/politica-de-pantalla-y-escritorio-limpios/
  • Questions about assets


    Question 1: I don't know how to list people as asset, do I just count numbers of workers and write out what they do?
    Question 2: Also, wouldn't hw/sw owner be my company?  (Since individual departments do not own them)  I'm a bit confused about that.
    Question 3: After tightening up these documents, do you have a recommendation to how to get ready for the internal audit?
     

    Answers:

    Answer 1: It is important. You can make groups of assets; for example, if you have a number of employees in the IT department you can have the asset “IT employees”, and you can also add a brief description about this asset (writing out what they do, and you can also include the number of employees). You can do this because all these assets have the same threats/vulnerabilities and also the same risks, so the logical thing is to group them. Maybe these articles can be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ . “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ And also this free webinar “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    Answer 2: From my point of view it is not recommendable, the asset owner should be an employee that manages the asset on a day-to-day basis, for example the IT administrator. But you can also assign as risk owner the head of a department. For more information about this, please read this article “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
    Answer 3: Yes, my recommendation is to review the main steps of the implementation process to know if all are completed. This article can be useful for you “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ You can also review if you have all mandatory documents required by ISO 27001:2013, so please read this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/