  • ISO 27018


    As we are a public cloud provider, I am keen to get an understanding of what it would take to get ISO 27018:2014 compliant.
    Microsoft boast that they are the only 27018-compliant cloud company. If you see the link they refer to: ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.
    Could we add these "controls" to the SOA and get the same results? I.e. get these controls included in the SOA and also say that we are adhering to ISO 27018?
    You wouldn't happen to have templates that address these controls?
     

    Answer:

    From my point of view, you can use the security controls of ISO 27018 (which is simply a code of best practices, similar to ISO 27002 but focused on the protection of personally identifiable information) and include them in your SoA (obviously if you have implemented an ISMS), specifying that they are included for compliance with the best practices of ISO 27018. After this, it will be recommendable to pass an audit from an external entity (certification audit), and after this you could say to your customers that your business is compliant with the best practices of ISO 27002 and ISO 27018.
    So, if you have an ISMS implemented, you could include the security controls of ISO 27018, but remember, you cannot certify ISO 27018 (nor ISO 27002), because it is only a code of best practices.
    And I am sorry, but we do not have specific templates for this standard, although you can download ISO 27018 from the official site of iso.org: https://www.iso.org/standard/61498.html
  • ISO 27001 training vs awareness


    We have a couple of staff members that have quite a few opinions that we are not 'training' anybody, just making them aware, which for the most part, I agree with.

    Answer:

    From the ISO 27001 perspective, training is education - this means during the training you provide additional knowledge and skills to your employees. An example of training is the ISO 27001 Lead Implementer Course.

    As opposed to trainings, which give an answer to the question "How?", awareness must give an answer to the question "Why?" - that is, explain to your employees why they should accept information security or business continuity rules.

    You'll learn more here: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

    By the way, clause 5.1.1 from ISO 27001:2013 does not speak about training and awareness - this is specified in clauses 7.2, 7.3 and control A.7.2.2
  • ISO 27001 or ISO 27018?


    I need to ask you the following question. A particular client is very interested in deploying a particular policy for his business. Presently he only offers SaaS (Software as a Service) and therefore I would like to know if ISO 27001 or 27018 will be appropriate for such a business policy.

    Answer:

    I think this is both a marketing and a security question.

    From the marketing point of view, your client needs to assess which standard brings them more benefits - although, you have to bear in mind that you can get certified against ISO 27001 but not against ISO 27018; you can only claim compliance with ISO 27018 without third-party confirmation.

    From the security point of view, ISO 27018 does not introduce any new controls - it simply provides additional guidance for existing controls in ISO 27001/ISO 27002. Since ISO 27018 provides only a list of controls without giving you a clue on how to manage your security, it is limited in its scope the same way as ISO 27002 (see the explanation here: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/).

    So basically you have 3 options:

    1) Implement ISO 27018 only - you won't get certified and won't know how to manage the security, but you will have technical controls focused on the cloud

    2) Implement ISO 27001 only - you will get certified and know how to manage your security, but you won't have the technical controls focused on the cloud

    3) Implement both ISO 27001 and ISO 27018 - actually it's rather easy because ISO 27018 is a complement to ISO 27001/ISO 27002, and you'll get the best out of both standards.
  • ISO 27001 Lead Implementer


    Thanks for your email and support on ISO 27001 online training. I actually have a series of technical backgrounds in Information Technology and intend to go into Information Security Management and enrol for a series of certifications within the security area. I believe this online training will give me a better understanding of how to go about achieving my desires in the world of security. Kindly give me detailed information on how to get certified as an ISO 27001 Implementer and how to do a compliance check as well.
     

    Answer:

    If you want to become an ISO 27001 implementer, you need experience in information security (it is also good to have experience in information technology, although it is not strictly necessary), and it is recommendable to have qualifications. For more detailed information about this, please read this article "How to become an ISO 27001 / ISO 22301 consultant" : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
    You can also see this free webinar “How to become an ISO 27001 / BS 25999-2 consultant” : https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
    Regarding your question "how to do a compliance check as well", I suppose that you mean that you want to become a Lead Auditor; if so, you also need experience and qualifications. In this case, this article can also be interesting for you "How to become ISO 27001 Lead Auditor" : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • PBX system, it can be an asset?

    We have received another question related to the PBX system:


    When you say "Anyway, from my point of view you need to consider, as independent assets, the software, the hardware and the information related to the pbx system."

    Could you please elaborate on what you mean by consider? Do you mean to look at the threats for all three of those components of the PBX?
     

    Answer:

    I mean that the PBX system is really composed of, for example:
    - Asterisk (Software)
    - Server HP DL 380 (Hardware where the software is installed)
    - Register of information related to the calls (Information that the software stores in its database)
    So as you see there are 3 different assets related to the PBX system, and you can identify threats/vulnerabilities related to each one. 
    This article can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Changes in the asset inventory


    So if changes happen to the Asset Inventory, how does this impact the RTP, the risk report or the SoA. What are centering documents, like the measures document?
     

    Answer:

    If there are changes in the asset inventory (for example you add a new asset), you will need to update your risk assessment, because there will be new risks. If these risks are above the acceptable level, you will also need to update the Risk Treatment Plan (RTP), and you will probably need to update the SoA if new security controls are necessary.
    Regarding centering documents, I am not sure what you mean, but you could have in the same document information about the risk assessment (including the asset inventory) and the risk treatment (it is better if you have an independent document for the SoA).
    Finally, this article about asset inventory can be interesting for you “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • ISMS scope


    Thank you for your help, I benefited a lot from your information, you are a collaborator....
    I want to ask you about the boundaries and interfaces, where I can write them in the ISMS scope document.
     

    Answer:

    You can include a section in the ISMS scope document and include there information about boundaries (referencing, for example, an exclusion from the scope) and interfaces (referencing, for example, organizational units, networks and IT infrastructure, processes and services, etc.).
    By the way, all our templates have the same structure, and section 3 includes information about the main issues, so in the case of the ISMS Scope Document we define the boundaries and interfaces in section 3.
    Finally this article can be interesting for you "How to define the ISMS scope" : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Risk assessment using our toolkit methodology


    In performing my risk assessment using your toolkit's methodology, how do I go about identifying organization risks such as lack of a security incident policy or change management process, or not classifying confidentiality levels of documents, when I am using an asset-based approach?
     

    Answer:

    In the asset-based methodology it is possible to relate each of the vulnerabilities you have mentioned to particular assets. So for instance, lack of a security incident policy can be related to your internal network, databases, software, etc.
    Anyway, to identify organization risks, first you need to identify threats/vulnerabilities related to assets (in our methodology you can calculate risks based on the consequences and likelihood of threats/vulnerabilities). Here you can see an example "Catalogue of threats & vulnerabilities" : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    Have you seen our methodology? Here you can see a free version by clicking on the "Free Demo" tab "Risk Assessment and Risk Treatment Methodology" : http://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
    Finally, this article can be also interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Questionnaire for the Risk Assessment


    1.- When performing the risk assessment and interviewing asset owners, is there a template of questions I should ask the asset owner to evaluate risks to that asset?
    2.- Also beyond a template, what is the best way to create an asset owner questionnaire which includes technology specific risks?
    3.- For example some of the technologies I am needing to evaluate for risk includes windows servers and sharepoint, how do I ensure to capture and ask security risk questions specific to that technology?
     

    Answers:

    1.- We don't have a template of questions for asset owners to evaluate risks, but asset owners can simply identify threats/vulnerabilities that can affect their assets, so you can use a catalogue of threats/vulnerabilities and ask them which are applicable to their assets, asking also about consequences and likelihood. You can use for example this catalogue "Catalogue of threats & vulnerabilities" : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    2.- A questionnaire which includes technology-specific risks is not necessary for the implementation of ISO 27001, so we do not have this information because we are focused on the requirements of the standard. In this case, the catalogue from my last answer is enough.
    3.- Again it is not necessary. You can search threats related to software, for example: software errors, unauthorized use of software, unauthorized installation of software, etc.
    Finally, this article can be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Basic steps of a Gap Analysis


    What are the basic steps of a gap analysis, and what are the differences between GAP analysis and Risk Assessment?
     

    Answer:

    You can see the gap analysis as an internal audit, because it is very similar; the difference is that the gap analysis is performed at the beginning of the project (at this moment, most of the things are not implemented), while the internal audit is performed when the management system is implemented, so you can follow the same steps. Therefore you can read this article "How to make an Internal Audit checklist for ISO 27001 / ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    And this free tool can be also interesting for you “Free ISO 27001 Gap Analysis Tool” : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
    Regarding the differences between the gap analysis and the risk assessment, basically the gap analysis tells you how far you are from ISO 27001 requirements, while the risk assessment tells you which incidents can happen. Anyway, this article can be interesting for you "ISO 27001 gap analysis vs. Risk assessment" : https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/