Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Categorize software
Your documents reference software as being an asset, shall I document client pcs software individually as an asset(office, adobe ,etc), group them as a business productivity apps category, or ignore them altogether?
Answer:
Yes, we reference the software in our templates as a type of asset, and from my point of view the best is to document and group the software in categories (operative system, office, database, etc.)
By the way, do you know how to match assets, threats and vulnerabilities? This article can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
External vendor performing the Risk assessmentPhone handset, Asset?
Is there any part of the risk assessment methodology and process, per your template, that an external vendor performing the assessment and consulting on the isms can not do?
Answer:
I am not sure what you mean, but any part of the risk assessment methodology and process of our templates can be done by any person that knows your business, so you can have external help for this (although the evaluation of impact and likelihood in most cases cannot be done by external consultant), but it wont be necessary because if you buy our templates you will have our support.
Generally if you hire an external company, or external experts, to perform all activities related to the risk assessment, it will be most expensive.
Finally, these articles can be interesting for you:
5 criteria for choosing an ISO 22301 / ISO 27001 consultant : https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
Do you really need a consultant for ISO 27001 / BS 25999 implementation? : https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/ We have received this question:
Would a phone handset be considered an asset falling under the jurisdiction of iso 27001?
Answer:
From my point of view, generally no. In accordance with ISO 27000 (this standard defines terms of information security) an asset is anything that has value to the organisation, and I think that a phone handset has low value for an organization, although can be important to consider phones, smartphones, etc.
Anyway if you want, or if in your business a phone handset is important, you can have in your asset inventory this asset.
Regarding the asset inventory, this article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
People asset
It is possible or even likely that a company would not have any people assets with respect to knowing information which is not found anywhere else? The company is about 100 people in scope? If I may be missing something, what would be the best method for determining if a person needs to be listed as an information asset?
Answer:
I am not sure what you mean, but generally is not possible that a company haven't people assets with critical information which is not found anywhere else. All companies have a hierarchy, and generally the top of the organization has information about the business that dont know normal employees (neither external people). So all people related to the scope of the ISMS- it is important for the risk assessment, so it is important to identify them in your inventory asset.
Regarding your last question, the best method for determining if a person needs to be listed as an information asset is to know is this person is affected by the scope of the ISMS (if is working in the ISMS, or has any responsibility, or ha s information about the business related with the ISMS, or perform activities related to the scope of the ISMS, etc).
Finally maybe this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
ISO 31000 and ISO 27001
transition from ISO 27001 risk assessment (asset based) to ISO 31000 based risk assessment (context based)? please share the sample format?
Answer:
There is no requirement to use ISO 31000 risk assessment methodology in when implementing ISO 27001, both are different standards: ISO 27001 establishes requisites for a Information Security Management System, and ISO 31000 is a guideline for the risk management.
Anyway, ISO 27001:2013 not requires you to use a specific model based methodology, so if you want, in ISO 27001:2013 you can use an asset based methodology, or if you want, you can use a process based methodology, or any other.
It is important to say here that ISO 27005 is very similar to ISO 31000, but ISO 27005 is focused on risks related to information security (ISO 31000 is for any type of risks).
Finally, I am not sure what you mean with sample format, but we have a template for the methodology of the risk management (asset based), you can see a free version here clicking on Free Demo tab Risk Assessment and Risk Tr eatment Methodology : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
You can also read these articles:
How to write ISO 27001 risk assessment methodology : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
What has changed in risk assessment in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
ISO 31000 and ISO 27001 How are they related? : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ -
Política de escritorio limpio
que es la politica de escritorio limpio
Respuesta:
Generalmente esta política establece que los escritorios necesitan estar limpios de información, teniendo en cuenta la clasificación de la información, los requerimientos legales y contractuales y los correspondientes aspectos de riesgos y culturales de la organización. Por tanto, no es una buena idea dejar usuarios/contraseñas, información de clientes, acuerdos, etc. en tu escritorio, principalmente porque podrían ser accesible por personas no autorizadas.
Este artículo sobre la clasificación de la información puede ser interesante para ti (en inglés) Information classification according to ISO 27001 : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Finalmente, nosotros tenemos una plantilla para esta política, puedes ver una versión gratuita clickeando en la pestaña "Demostración gratis" aquí Política de pantall a y escritorio limpios : https://advisera.com/27001academy/es/documentation/politica-de-pantalla-y-escritorio-limpios/ -
Questions about assets
Question 1: I don't know how to list people as asset, do I just count numbers of workers and write out what they do?
Question 2: Also, wouldn't hw/sw owner be my company? (Since individual departments do not own them) I'm a bit confused about that.
Question 3: After tightening up these documents, do you have a recommendation to how to get ready for the internal audit?
Answers:
Answer 1: It is important. You can make groups of assets, for example, if you have a number of employees in the IT department you can have the asset "IT employees, and you can also add a brief description about this asset (writing out what they do, and also you can include the number of employees). You can do this because all these assets have the same threats/vulnerabilities and also the same risks, so the logical is to group them. Maybe these articles can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ . How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ And also this free webinar The basics of risk assessment and treatment according to ISO 27001 : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Answer 2: From my point of view it is not recommendable, the asset owner should be an employee that manages the asset on a day-to-day basis, for example the IT administrator. But you can also assign as risk owner the head of a department. For more information about this, please read this article Risk owners vs. Asset owners in ISO 27001:2013 : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Answer 3: Yes, my recommendation is to review the main steps of the implementation process to know if all are completed. This article can be useful for you ISO 27001 implementation checklist : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ You can also review if you have all mandatory documents required by ISO 27001:2013, so please read this article List of mandatory documents required by ISO 27001 (2013 revision) : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ -
Guidance for Information Security Policy
I was wondering where I can find some guidance with regard to Point A.5 Draft Information Security Policy? Is this an Information Security Charter? We plan to set up an Information Security Steering Committee. Should this be included here as well or better a seperate document
Answer:
I am sorry but I am not sure what you mean with Information Security Charter, but at the highest level, organizations should define an "Information security policy" which is approved by top management and which sets out the organizations approach to managing its information security objectives, main responsibilities, etc. Separate from this top-level policy the companies usually develop detailed policies (like Backup policy, Access control policy, etc.).
ISO 27001 does not require Information Security Steering Committee, and smaller companies typically do not have such a body - if you decide to setup such body, it can be defined in the Information security policy.
For more information about the Information Security Policy, please read this article One Information Security Policy, or several policies? : https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
And also this article can be interesting for you Information security policy how detailed should it be? : https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/ -
Asset, threat, vulnerability
Thanks for the reply! Just to make sure I understand, my risk identification would look like the following, with these broader organizational risks identified and repeated for each asset?
Asset Threat Vulnerability
Database Accidental-Privileged User Lack of Change Management
Database Accidental-Privileged User Lack of Security Incident Process
Database Adversarial-Insider Lack of HR Screening Process
Windows Server Accidental-Privileged User Lack of Change Management
Windows Server Accidental-Privileged User Lack of Security Incident Process
Windows Server Adversarial-Insider Lack of HR Screening Process
Answer:
Yes, you are in the right way, although from my point of view the threat Adversarial-Insider could be also related with the vulnerability Lack of Information Security Awareness.
Finally, this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://ad visera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Controls to address personal data
I have a question concerning ISO 27002. Does ISO 27002 address controls that support the privacy of data (such as PHI and PII)?
Answer:
Yes, ISO 27002 has the control A.18.1.4 Privacy and protection of personally identificable information, which can be applicable for the protection of any type of personal data. Regarding PHI Protected Health Information", keep in mind that there are another standard that is specifically related with the information security management in health including personal health information- using ISO 27002. This standard is the ISO 27799:2008, and you can download it from the official site of ISO : https://www.iso.org/standard/41298.html
Finally this list of laws and regulations related to information security and business continuity can be interesting for you Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Gap analysis ISO 27001:2005
Hi Marie, I had an initial gap assessment done in 2012 under iso27001:2005 is this still valid do I need to do / can I switch to 2013?
Answer:
Gap analysis according to 2005 revision of ISO 27001 cannot be use any more because ISO 27001:2005 is not valid any more. If you need more information about the transition between the 2 versions of the standard, this article can be interesting for you How to make a transition from ISO 27001 2005 revision to 2013 revision: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
By the way, this free tool can help you to perform the gap analysis Free ISO 27001 Gap Analysis Tool : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/