Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 Lead Implementer
Thanks for your email and support on ISO 27001 online training, I actually have series of Technical background in Information Technology and intend going into Information Security Management and enrol for series of certification within the Security area.i believe with this online training will give me better understanding on how to go about achieving my desires in the world of Security. kindly give me detailed information on how to get certified with ISO 27001 Implementer and how to do compliance check as well.
Answer:
If you want to become ISO 27001 implementer, you need experience in information security (it is also good to have experience in information technology, although is not strictly necessary), and can be recommendable to have qualifications. For more detailed information about this, please read this article How to become an ISO 27001 / ISO 22301 consultant : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/
You can also see this free webinar How to become an ISO 27001 / BS 25999-2 consultant : https://advisera.com/27001academy/webinar/become-iso-27001-bs-25999-2-consultant-free-webinar/
Regarding your question how to do compliance check as well , I suppose that you mean that you want to become Lead Auditor, if so, you also need experience and qualifications. In this case, this article can be also interesting for you How to become ISO 27001 Lead Auditor : https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/ -
PBX system, it can be an asset?
We have received another question related to the PBX system:
>
When you say "Anyway, from my point of view you need to consider, as independent assets, the software, the hardware and the information related to the pbx system."
Could you please elaborate on what you mean by consider? Do you mean to look at the threats for all three of those components of the PBX?
Answer:
I mean that the PBX system really is composed by, for example:
- Asterisk (Software)
- Server HP DL 380 (Hardware where the software is installed)
- Register of information related to the calls (Information that the software stores in his data base)
So as you see there are 3 different assets related to the PBX system, and you can identify threats/vulnerabilities related to each one.
This article can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
Changes in the asset inventory
So if changes happen to the Asset Inventory, how does this impact the RTP, the risk report or the SoA. What are centering documents, like the measures document?
Answer:
If there are changes in the asset inventory (for example you add a new asset), you will need to update your risk assessment, because there will be new risks. If these risks are above of the aceptable level, you will also need to update the Risk Treatment Plan (RTP), and probably you will need to update the SoA if there are necessary new security controls.
Regarding centering documents, I am not sure what you mean, but you could have in the same document information about the risk assessment (including the asset inventory) and the risk treatment (it is better if you have an independent document for the SoA).
Finally, this article about asset inventory can be interesting for you How to handle Asset register (Asset inventory) according to ISO 27001 : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/ -
ISMS scope
thank you for your help I benefited a lot from your information,you are collaborator....
I want to ask you about the boundaries and interfaces where can I write them in ISMS scope document.
Answer:
You can include a section in the ISMS scope document and include there information about boundaries (referencing for example to a exclusion from the scope) and interfaces (referencing for example to organizational units, networks and IT infrastructure, processes and services, etc).
By the way all our templates have the same structure, and in the section 3 is included information about the main issues, so in the case of the ISMS Scope Document we define the boundaries and interfaces in the section 3.
Finally this article can be interesting for you "How to define the ISMS scope" : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/ -
Risk assessment using our toolkit methodology
In performing my risk assessment using your toolkits methodology, how do I go about identifying organization risks such as lack of security incident policy or change management process or not classifying confidentiality levels of documents, when I am using an asset based approach?
Answer:
In the asset-based methodology it is possible to relate each of the vulnerabilities you have mentioned to particular assets. So for instance, lack of security incident policy can be related to your internal network, databases, software, etc.
Anyway, to identify organization risks, first you need to identify threats/vulnerabilities related to assets (in our methodology you can calculate risks based on the consequences and likelihood of threats/vulnerabilities), here you can see an example Catalogue of threats & vulnerabilities : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Have you seen our methodology? Here you can see a free version clicking on Free Demo tab Risk Assessment and Risk Treatment Methodology : http:/ /advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
Finally, this article can be also interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Questionnaire for the Risk Assessment
1.- When performing the risk assessment and interviewing asset owners, is there a template of questions I should ask the asset owner to evaluate risks to that asset?
2.- Also beyond a template, what is the best way to create an asset owner questionnaire which includes technology specific risks?
3.- For example some of the technologies I am needing to evaluate for risk includes windows servers and sharepoint, how do I ensure to capture and ask security risk questions specific to that technology?
Answers:
1.- We dont have a template of questions related to assets owners to evaluate risks, but assets owners simply can identify threats/vulnerabilities that can affect to their assets, so you can use a catalogue of threats/vulnerabilities and ask them what are applicable for their assets, asking also about consequences and likelihood. You can use for example this catalogue Catalogue of threats & vulnerabilities : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
2.- A questionnaire which includes technology spe cific risks is not necessary for the implementation of the ISO 27001, so we do not have this information because we are focused on the requirements of the standard. In this case, with the catalogue of my last answer is enough.
3.- Again it is not necessary. You can search threats related to software, for example: software errors, unauthorized use of software, unauthorized installation of software, etc.
Finally, this article can be interesting for you ISO 27001 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ -
Basic steps of a Gap Analysis
What are the basic steps of a gap analysis, and what are the differences between GAP analysis and Risk Assessment?
Answer:
You can see the GAP analysis as an internal audit, because is very similar, the difference is that the GAP analysis is performed at the beginning of the project (at this moment, most of the things are not implemented), while the internal audit is performed when the management system is implemented, so you can follow the same steps, therefore you can read this article How to make an Internal Audit checklist for ISO 27001 / ISO 22301 : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
And this free tool can be also interesting for you Free ISO 27001 Gap Analysis Tool : https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
Regarding the differences between the Gap analysis and the risk assessment, basically the gap tells you how far you are from ISO 27001 requirements, while the risk assessment tells you which incidents can h appen, anyway this article can be interesting for you ISO 27001 gap analysis vs. Risk assessment : https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/ -
When to use tools for ISO 27001
Ive already downloaded you template previews, and were about to buy the set. Now I wonder how I can manage and publish the resulting documents.
Ive had a look at some Content Management Systems, but there are just so many, and finding the right information on them is quite difficult.
I want a CMS to help me
- view and edit MS Office documents right from the tool,
- version my documents,
- support a document approval workflow,
- publish current versions of my documents to just the intended audience, but some public documents should be available without authentication
- grant certain users edit rights on certain documents,
- grant certain users to publish their documents under certain folders,
- notify authorized users of new publications and versions,
- reminds me when documents reach the end of their review cycle.
Do you have any recommendations on a CMS (or similar) which gives me this functionality (and anything beyond which I might have missed in my listing)?
I would very mu ch appreciate an answer from you.
Answer:
I am sorry but this question is out of our support because it is not directly related with our purpose. Anyway, I think that Microsoft SharePoint is compliant with most of all your requirements, and you can use it for the implementation of the ISO 27001. You can find more information about SharePoint in the official site of Microsoft : https://products.office.com/e*****************************
Anyway, maybe these articles can be interesting for you:
When to use tools for ISO 27001/ISO 22301 and when to avoid them : https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
Document management in ISO 27001 & BS 25999-2 : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/ -
Integrate documentation
We would like to integrate documentation with regards to ISO 9001:2015 and ISO 27001, however, we have technical problem how to do it. There are several procedures that are common for ISO 9001 and ISO 27001, but there also separate procedures for each of these standards. We do not know how to title these procedures it should be Quality Management System and Information Security System according to EN ISO 9001, EN ISO 13485, EN ISO 17100 and EN ISO 27001 even if this particular procedure does not apply to ISO 27001 or ISO 9001? Or maybe Quality Management System procedure and later refer to relevant standards?
Answer:
You can follow the way that you want, which means that you can follow the way more easy for you. If you have various Management Systems, for me the best way is to establish an Integrated Management System, developing an unique document for those that are common: Integrated Policy, Integrated Internal Audit, Integrated Management Review, etc. And for those that are not common, you can include in the title the name of the Management System related: ISMS Risk Management, QMS Supplier Management, or even if you have 3 system and a procedure not apply to the others, you can refer in the title to the 2 systems: ISMS-QMS-name-procedure.
Finally, this procedure can be interesting for you Document management in ISO 27001 & BS 25999-2 : https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/ -
Proposal for ISO 27001 implementation
I have to submit a proposal to a large organization for conducting an assessment of their ISMS based on ISO27001.
Can you please provide me with a template or a sample proposal?
Can you also please advise what are the international standard for charging for such assignments?
Answer:
Yes of course, you can find in our section of free downloads a project proposal for ISO 27001 / ISO 22301 implementation (in a word format and also in a power point format). Here is our section of free downloads: https://advisera.com/27001academy/free-downloads/
Regarding your last question, there is no a standard, but generally the proposal is based on terms of time, so you need to calculate the estimated time for the implementation. Obviously while the consultant have more experience and skills in ISO 27001, the pay/rate will be more high (you can analyze and compare the pay/rate of various consultants with ISO 27001 experience). For the estimation of the time, this free tool can be also interesting for you Free Calculator Duration of ISO 27001/ISO 22301 Implementation : https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/