Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Guidance for Information Security Policy
I was wondering where I can find some guidance with regard to Point A.5 Draft Information Security Policy? Is this an Information Security Charter? We plan to set up an Information Security Steering Committee. Should this be included here as well or better a seperate document
Answer:
I am sorry but I am not sure what you mean with Information Security Charter, but at the highest level, organizations should define an "Information security policy" which is approved by top management and which sets out the organizations approach to managing its information security objectives, main responsibilities, etc. Separate from this top-level policy the companies usually develop detailed policies (like Backup policy, Access control policy, etc.).
ISO 27001 does not require Information Security Steering Committee, and smaller companies typically do not have such a body - if you decide to setup such body, it can be defined in the Information security policy.
For more information about the Information Security Policy, please read this article One Information Security Policy, or several policies? : https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
And also this article can be interesting for you Information security policy how detailed should it be? : https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/ -
Asset, threat, vulnerability
Thanks for the reply! Just to make sure I understand, my risk identification would look like the following, with these broader organizational risks identified and repeated for each asset?
Asset Threat Vulnerability
Database Accidental-Privileged User Lack of Change Management
Database Accidental-Privileged User Lack of Security Incident Process
Database Adversarial-Insider Lack of HR Screening Process
Windows Server Accidental-Privileged User Lack of Change Management
Windows Server Accidental-Privileged User Lack of Security Incident Process
Windows Server Adversarial-Insider Lack of HR Screening Process
Answer:
Yes, you are in the right way, although from my point of view the threat Adversarial-Insider could be also related with the vulnerability Lack of Information Security Awareness.
Finally, this free webinar can be interesting for you The basics of risk assessment and treatment according to ISO 27001 : https://ad visera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Controls to address personal data
I have a question concerning ISO 27002. Does ISO 27002 address controls that support the privacy of data (such as PHI and PII)?
Answer:
Yes, ISO 27002 has the control A.18.1.4 Privacy and protection of personally identificable information, which can be applicable for the protection of any type of personal data. Regarding PHI Protected Health Information", keep in mind that there are another standard that is specifically related with the information security management in health including personal health information- using ISO 27002. This standard is the ISO 27799:2008, and you can download it from the official site of ISO : https://www.iso.org/standard/41298.html
Finally this list of laws and regulations related to information security and business continuity can be interesting for you Laws and regulations on information security and business continuity : https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ -
Gap analysis ISO 27001:2005
Hi Marie, I had an initial gap assessment done in 2012 under iso27001:2005 is this still valid do I need to do / can I switch to 2013?
Answer:
Gap analysis according to 2005 revision of ISO 27001 cannot be use any more because ISO 27001:2005 is not valid any more. If you need more information about the transition between the 2 versions of the standard, this article can be interesting for you How to make a transition from ISO 27001 2005 revision to 2013 revision: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
By the way, this free tool can help you to perform the gap analysis Free ISO 27001 Gap Analysis Tool : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ -
ISO 27018
As we are a public cloud provider I am keen to get an understanding what it would take to get ISO27018:2014 compliant.
Microsoft boost that they are the only 27018 compliant cloud company. If you see the link the refer to ISO 27018 adds controls to the ISO/IEC 27001/27002 standards to address processing personally identifiable information (PII) in a cloud computing environment.
Could we add these "controls" to the SOA and get the same results? Ie get these controls included in the SOA and also say that we are adhering to ISO27018?
You wouldn't happen to have templates that adress these controls?
Answer:
From my point of view, you can use the security controls of ISO 27018 (which is simply a code of best practices, similar to ISO 27002 but focused on the protection of personally identifiable information) and include them in your SoA (obviously if you have implemented an ISMS), specifying that they are included for the compliance with the best practices of ISO 27018. After this, will be recommendable to pass an audit from an exte rnal entity (certification audit), and after this you could say to your customers that your business is compliant with the best practices of ISO 27002 and ISO 27018.
So, if you have an ISMS implemented, you could include the security controls of ISO 27018, but remember, you can not certify ISO 27018 (neither ISO 27002), because it is only a code of best practices.
And I am sorry, but we do not have specific templates for this standard, although you can download the ISO 27018 from the official site of iso.org: https://www.iso.org/standard/61498.html -
ISO 27001 training vs awareness
We have a couple of staff members that have quite a few opinions that we are not training' anybody, just making them aware, which for the most part, I agree with.
Answer:
From the ISO 27001 perspective, training is education - this means during the training you provide additional knowledge and skills to your employees. Example of training is ISO 27001 Lead Implementer Course.
As opposed to trainings, which give an answer to the question How?, awareness must give an answer to the questi on Why? that is, explain to your employees why they should accept information security or business continuity rules.
You'll learn more here: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
By the way clause 5.1.1 from ISO 27001:2013 does not speak about training and awareness - this is specified in clauses 7.2, 7.3 and control A.7.2.2 -
ISO 27001 or ISO 27018?
I need to ask you the following question. A particular client is very interested of deploying a particular policy for his business. Presently he only offers a SAAS (Software as a Service) and therefore I would like to know if the ISO 27001 or 27018 will be appropriate for such a business policy.
Answer:
I think this is both marketing and security question.
From the marketing point of view, your client needs to assess which standard brings them more benefits - although, you have to bear in mind that you can get certified against ISO 27001 but not against ISO 27018; you can only claim compliance with ISO 27018 without third-party confirmation.
From the security point of view, ISO 27018 does not introduce any new controls - it simply provides additional guidance for existing controls in ISO 27001/ISO 27002. Since ISO 27018 provides only a list of controls without giving you a clue on how to manage your securi ty, it is limited in its scope the same way as ISO 27002 (see the explanation here: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/).
So basically you have 3 options:
1) Implement ISO 27018 only - you won't get certified and won't know how to manage the security, but you will have technical controls focused on the cloud
2) Implement ISO 27001 only - you will get certified and know how to manage your security, but you won't have the technical controls focused on the cloud
3) Implement both ISO 27001 and ISO 27018 - actually it's rather easy because ISO 27018 is a complement to ISO 27001/ISO 27002, and you'll get the best out of both standards. -
ISO 27001 Lead Implementer
Thanks for your email and support on ISO 27001 online training, I actually have series of Technical background in Information Technology and intend going into Information Security Management and enrol for series of certification within the Security area.i believe with this online training will give me better understanding on how to go about achieving my desires in the world of Security. kindly give me detailed information on how to get certified with ISO 27001 Implementer and how to do compliance check as well.
Answer:
If you want to become ISO 27001 implementer, you need experience in information security (it is also good to have experience in information technology, although is not strictly necessary), and can be recommendable to have qualifications. For more detailed information about this, please read this article How to become an ISO 27001 / ISO 22301 consultant : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
You can also see this free webinar How to become an ISO 27001 / BS 25999-2 consultant : https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
Regarding your question how to do compliance check as well , I suppose that you mean that you want to become Lead Auditor, if so, you also need experience and qualifications. In this case, this article can be also interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/ -
PBX system, it can be an asset?
We have received another question related to the PBX system:
>
When you say "Anyway, from my point of view you need to consider, as independent assets, the software, the hardware and the information related to the pbx system."
Could you please elaborate on what you mean by consider? Do you mean to look at the threats for all three of those components of the PBX?
Answer:
I mean that the PBX system really is composed by, for example:
- Asterisk (Software)
- Server HP DL 380 (Hardware where the software is installed)
- Register of information related to the calls (Information that the software stores in his data base)
So as you see there are 3 different assets related to the PBX system, and you can identify threats/vulnerabilities related to each one.
This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Changes in the asset inventory
So if changes happen to the Asset Inventory, how does this impact the RTP, the risk report or the SoA. What are centering documents, like the measures document?
Answer:
If there are changes in the asset inventory (for example you add a new asset), you will need to update your risk assessment, because there will be new risks. If these risks are above of the aceptable level, you will also need to update the Risk Treatment Plan (RTP), and probably you will need to update the SoA if there are necessary new security controls.
Regarding centering documents, I am not sure what you mean, but you could have in the same document information about the risk assessment (including the asset inventory) and the risk treatment (it is better if you have an independent document for the SoA).
Finally, this article about asset inventory can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/