Thank you for your help, I benefited a lot from your information; you are a collaborator...
I want to ask you about the boundaries and interfaces: where can I write them in the ISMS scope document?
Answer:
You can include a section in the ISMS scope document and there include information about boundaries (referencing, for example, an exclusion from the scope) and interfaces (referencing, for example, organizational units, networks and IT infrastructure, processes and services, etc.).
By the way, all our templates have the same structure, and section 3 includes information about the main issues, so in the case of the ISMS Scope Document we define the boundaries and interfaces in section 3.
Finally, this article can be interesting for you: "How to define the ISMS scope": https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Risk assessment using our toolkit methodology
In performing my risk assessment using your toolkit's methodology, how do I go about identifying organizational risks, such as lack of a security incident policy or change management process, or not classifying confidentiality levels of documents, when I am using an asset-based approach?
Answer:
In the asset-based methodology it is possible to relate each of the vulnerabilities you have mentioned to particular assets. So, for instance, lack of a security incident policy can be related to your internal network, databases, software, etc.
Anyway, to identify organizational risks, first you need to identify threats/vulnerabilities related to assets (in our methodology you can calculate risks based on the consequences and likelihood of threats/vulnerabilities). Here you can see an example: Catalogue of threats & vulnerabilities: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Have you seen our methodology? Here you can see a free version by clicking on the "Free Demo" tab: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
Finally, this article can also be interesting for you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Questionnaire for the Risk Assessment
1.- When performing the risk assessment and interviewing asset owners, is there a template of questions I should ask the asset owner to evaluate the risks to that asset?
2.- Also, beyond a template, what is the best way to create an asset owner questionnaire which includes technology-specific risks?
3.- For example, some of the technologies I need to evaluate for risk include Windows servers and SharePoint; how do I ensure that I capture and ask security risk questions specific to that technology?
Answers:
1.- We don't have a template of questions for asset owners to evaluate risks, but asset owners can simply identify the threats/vulnerabilities that can affect their assets, so you can use a catalogue of threats/vulnerabilities and ask them which are applicable to their assets, asking also about consequences and likelihood. You can use, for example, this catalogue: Catalogue of threats & vulnerabilities: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
2.- A questionnaire which includes technology-specific risks is not necessary for the implementation of ISO 27001, so we do not have this information, because we are focused on the requirements of the standard. In this case, the catalogue from my last answer is enough.
3.- Again, it is not necessary. You can search for threats related to software, for example: software errors, unauthorized use of software, unauthorized installation of software, etc.
Finally, this article can be interesting for you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Basic steps of a Gap Analysis
What are the basic steps of a gap analysis, and what are the differences between a gap analysis and a risk assessment?
Answer:
You can see the gap analysis as an internal audit, because it is very similar; the difference is that the gap analysis is performed at the beginning of the project (at this moment, most of the things are not implemented), while the internal audit is performed when the management system is implemented, so you can follow the same steps. Therefore, you can read this article: How to make an Internal Audit checklist for ISO 27001 / ISO 22301: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
And this free tool can also be interesting for you: Free ISO 27001 Gap Analysis Tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
Regarding the differences between the gap analysis and the risk assessment, basically the gap analysis tells you how far you are from the ISO 27001 requirements, while the risk assessment tells you which incidents can happen. Anyway, this article can be interesting for you: ISO 27001 gap analysis vs. Risk assessment: https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
When to use tools for ISO 27001
I've already downloaded your template previews, and we're about to buy the set. Now I wonder how I can manage and publish the resulting documents.
I've had a look at some Content Management Systems, but there are just so many, and finding the right information on them is quite difficult.
I want a CMS to help me
- view and edit MS Office documents right from the tool,
- version my documents,
- support a document approval workflow,
- publish current versions of my documents to just the intended audience, but some public documents should be available without authentication,
- grant certain users edit rights on certain documents,
- grant certain users the right to publish their documents under certain folders,
- notify authorized users of new publications and versions,
- remind me when documents reach the end of their review cycle.
Do you have any recommendations on a CMS (or similar) which gives me this functionality (and anything beyond it which I might have missed in my listing)?
I would very much appreciate an answer from you.
We would like to integrate documentation with regard to ISO 9001:2015 and ISO 27001; however, we have a technical problem with how to do it. There are several procedures that are common to ISO 9001 and ISO 27001, but there are also separate procedures for each of these standards. We do not know how to title these procedures: should it be "Quality Management System and Information Security System according to EN ISO 9001, EN ISO 13485, EN ISO 17100 and EN ISO 27001" even if this particular procedure does not apply to ISO 27001 or ISO 9001? Or maybe "Quality Management System procedure" and later refer to the relevant standards?
Answer:
You can follow the way that you want, which means that you can follow the way that is easier for you. If you have various Management Systems, for me the best way is to establish an Integrated Management System, developing a single document for those that are common: Integrated Policy, Integrated Internal Audit, Integrated Management Review, etc. And for those that are not common, you can include in the title the name of the related Management System: ISMS Risk Management, QMS Supplier Management; or, if you have 3 systems and a procedure does not apply to one of them, you can refer in the title to the 2 systems: ISMS-QMS-name-of-procedure.
Finally, this article can be interesting for you: Document management in ISO 27001 & BS 25999-2: https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
Proposal for ISO 27001 implementation
I have to submit a proposal to a large organization for conducting an assessment of their ISMS based on ISO 27001.
Can you please provide me with a template or a sample proposal?
Can you also please advise what the international standards are for charging for such assignments?
Answer:
Yes, of course. You can find in our section of free downloads a project proposal for ISO 27001 / ISO 22301 implementation (in Word format and also in PowerPoint format). Here is our section of free downloads: https://advisera.com/27001academy/free-downloads/
Regarding your last question, there is no standard, but generally the proposal is based on time, so you need to calculate the estimated time for the implementation. Obviously, the more experience and skills the consultant has in ISO 27001, the higher the pay/rate will be (you can analyze and compare the pay/rates of various consultants with ISO 27001 experience). For the estimation of the time, this free tool can also be interesting for you: Free Calculator: Duration of ISO 27001/ISO 22301 Implementation: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Risk Assessment and Risk Treatment Methodology
Which business unit operations do we make the most money from? There are also different business continuity rules that apply, depending upon the nature of the services that are provided to the client company. So, again, our management feels comfortable if certain services are detained, due to whatever cause, but our main service must not be disrupted.
Our company's employee count is seasonal and will vary from xxx to yyy, depending on the time of the year. We are also subject to HIPAA/HITECH regulations. So our enterprise risk management environment is a little more complex.
Do you have any recommendations on reasonably low-cost tools that can be used for risk assessment, to help standardize the way it is done from one business unit to another?
Answer:
You can use our easy methodology, which has tools for the risk assessment & treatment and which you can buy independently of our complete toolkit; you will also have our support in the development of your risk assessment & treatment, so I think that it can be an interesting and economical alternative for you. Here you can see a free version of our methodology by clicking on the "Free Demo" tab: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
You can also find here our ISO 27001/ISO 22301 Risk Assessment Toolkit, and you can also see a free version by clicking on the "Free Demo" tab: "ISO 27001/ISO 22301 Risk Assessment Toolkit": https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
Data/Information Classification in Asset Value
1.- Which is the input of which? Or are both independent parameters? Or what is their relationship?
2.- How are these two values used in the final asset valuation?
Answer:
1.- They are independent parameters, but they are related, because you can match an asset value in terms of confidentiality with the information classification. I mean, if you have a database, the information classification can be Top Secret, which can be associated with the highest value in terms of confidentiality during the assessment of assets.
2.- You can establish the same criteria for the classification and for the asset valuation, so, for example: Public = 1, Internal Use = 2, Top Secret = 3.
Finally, this article can be interesting for you: "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
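As an added illustration (not the Advisera toolkit's spreadsheet or its formula, and not part of the answers above), the following Python sketch shows how the asset-based approach described in the two answers on risk assessment and on classification fits together in one register: the classification scale (Public = 1, Internal Use = 2, Top Secret = 3) supplies the confidentiality value of each asset, each threat/vulnerability pair carries a likelihood and a consequence, and an organizational weakness such as "no security incident policy" is attached to every asset kind it can affect rather than to a single asset. The numeric likelihood and consequence scales, the multiplicative scoring formula, the acceptable-risk threshold and the sample assets and vulnerabilities are all assumptions constructed for this example; substitute your own methodology's scales and formula.

```python
"""Asset-based risk register sketch (constructed example, not the Advisera toolkit)."""
from dataclasses import dataclass
from typing import List, Set

# Classification scale taken from the answer above; the other scales are assumed.
CLASSIFICATION_VALUE = {"Public": 1, "Internal Use": 2, "Top Secret": 3}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}     # assumed 1..3 scale
CONSEQUENCE = {"low": 1, "medium": 2, "high": 3}    # assumed 1..3 scale
ACCEPTABLE_RISK = 9  # assumed threshold: anything above this needs treatment


@dataclass
class Asset:
    name: str
    kind: str            # e.g. "database", "network", "software"
    classification: str  # one of CLASSIFICATION_VALUE


@dataclass
class Vulnerability:
    description: str     # the weakness, e.g. a missing policy or process
    threat: str          # what exploits it
    applies_to: Set[str] # asset kinds this weakness can affect
    likelihood: str
    consequence: str


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    score: int
    acceptable: bool


def asset_value(asset: Asset) -> int:
    """Confidentiality value derived directly from the information classification."""
    return CLASSIFICATION_VALUE[asset.classification]


def risk_score(asset: Asset, vuln: Vulnerability) -> int:
    """Assumed formula: asset value x likelihood x consequence (1..27)."""
    return asset_value(asset) * LIKELIHOOD[vuln.likelihood] * CONSEQUENCE[vuln.consequence]


def build_register(assets: List[Asset], vulns: List[Vulnerability]) -> List[RiskEntry]:
    """Pair every asset with every vulnerability that applies to its kind, score, and rank."""
    register = []
    for asset in assets:
        for vuln in vulns:
            if asset.kind not in vuln.applies_to:
                continue
            score = risk_score(asset, vuln)
            register.append(RiskEntry(asset.name, vuln.threat, vuln.description,
                                      score, score <= ACCEPTABLE_RISK))
    # Highest risk first; Python's sort is stable, so ties keep inventory order.
    register.sort(key=lambda e: e.score, reverse=True)
    return register


def unacceptable(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries that exceed the acceptable level and must go to risk treatment."""
    return [e for e in register if not e.acceptable]


def affected_assets(register: List[RiskEntry], vulnerability: str) -> Set[str]:
    """Which assets one organizational weakness shows up against."""
    return {e.asset for e in register if e.vulnerability == vulnerability}


# Constructed sample inventory and catalogue entries (not real data).
ASSETS = [
    Asset("Customer DB", "database", "Top Secret"),
    Asset("Office LAN", "network", "Internal Use"),
    Asset("HR portal", "software", "Internal Use"),
    Asset("Public website", "software", "Public"),
]
VULNS = [
    Vulnerability("No security incident policy", "Incident not detected or escalated",
                  {"network", "database", "software"}, "medium", "high"),
    Vulnerability("No change management process", "Uncontrolled change breaks service",
                  {"software", "database"}, "medium", "medium"),
    Vulnerability("Backups not encrypted", "Theft of backup media",
                  {"database"}, "low", "high"),
]

if __name__ == "__main__":
    reg = build_register(ASSETS, VULNS)
    for e in reg:
        flag = "OK " if e.acceptable else "TREAT"
        print(f"{flag} {e.score:>2}  {e.asset:<15} {e.vulnerability:<30} {e.threat}")
    print("assets hit by missing incident policy:",
          sorted(affected_assets(reg, "No security incident policy")))
```

Running the block prints the ranked register; the Top Secret database with the missing incident policy lands at the top, and the same organizational weakness appears against all four assets, which is the point of the first answer: an organization-level gap is captured in an asset-based register by attaching it to each asset it can harm, not by inventing a separate "organizational risk" row.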
Managing the audit process
I would like to ask for some references for managing the audit process based on ISO/IEC 27001. What is the most important thing? And where should I start?