
  • Risk Assessment and Risk Treatment Methodology


    “Which business unit operations do we make the most money from?”.  There are also different business continuity rules that apply, depending upon the nature of the services that are being provided to the client company.  So, again, our management feels comfortable if certain services are being detained, due to whatever cause, but our main service must not be disrupted.
    Our company employee count is seasonal and will vary from xxx to yyy, depending on the time of the year.  We are also subject to HIPAA/HITECH regulations.  So, our enterprise risk management environment is a little more complex.
    Do you have any recommendations on reasonably low-cost tools that can be used for risk assessment to help standardize the way it is done, from one business unit to another?
     

    Answer:

    You can use our easy methodology, which has tools for the risk assessment & treatment and which you can buy independently of our complete toolkit, and you will also have our support in the development of your risk assessment & treatment, so I think that can be an interesting and economical alternative for you. Here you can see a free version of our methodology by clicking on the “Free Demo” tab, “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
    You can also find here our ISO 27001/ISO 22301 Risk Assessment Toolkit, and you can also see a free version by clicking on the "Free Demo" tab, "ISO 27001/ISO 22301 Risk Assessment Toolkit": https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
  • Data/Information Classification in Asset Value

    1.- Which is the input of which? Or are both independent parameters? Or what is their relationship?
    2.- How do I use these two values in the final Asset Valuation?
     

    Answer:
    1.- They are independent parameters, but they are related because you can match an asset value in terms of confidentiality with the information classification. I mean, if you have a database, the information classification can be Top Secret, which can be associated with the highest value in terms of confidentiality during the assessment of assets.
    2.- You can establish the same criteria for the classification and for the asset valuation, so for example: Public = 1, Internal Use = 2, Top Secret = 3.
    Finally, this article can be interesting for you, "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Managing the audit process


    I would like to ask for some references for managing the audit process based on ISO/IEC 27001. What is the most important thing? And where should I start?
     

    Answer:

    For managing the audit process based on ISO/IEC 27001, the most important thing is to have a procedure where you can define the steps that you need to perform for each audit, although it is not mandatory to have this procedure documented. By the way, here you can see the list of mandatory (and non-mandatory) documents, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    So you can start by establishing this procedure, defining the audit plan, the qualification of auditors, the report of the audit, etc.
    You can also use our Internal Audit Toolkit; you can see a free version by clicking on the “Free Demo” tab: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    Finally, these articles can be interesting for you:
    “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    “Qualifications for an ISO 27001 Internal Auditor”: https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • Examples of goals for the ISMS


    When implementing an ISMS, you have no historical data to talk properly about a "reduction" in incidents. Do you have examples of reasonable goals for an ISMS in its first cycle of operation?
    For example:
    "Achieving a measurement of security incident information to establish a set of values to establish a 'baseline'".
    "Achieving a complete cycle of continuous improvement of the ISMS on all controls applied to 
  • Catalogue of threats/vulnerabilities


    I have a question for you regarding ISO 27002 controls and the 'business risk' associated with failure/non-implementation of the controls - is there a catalog (or resource) for the type of risk findings shown here (as an example)?
    - Asset management program is informal and applied inconsistently across the enterprise.
    Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
    - Formal data classification schema does not exist (currently in development).
    Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
    - Incident response (IR) responsibilities are only communicated through training without an overarching IR plan in place.
    The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
    - Site-specific business continuity plans do not include required security controls identified through business impact analysis (BIA) assessments.
    Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.
     

    Answer:

    There is no specific catalogue (or resource) for that type of risk, but there are catalogues of threats/vulnerabilities that you can use to calculate the risks, which can help you with the risk management. Here you can find an interesting catalogue of threats/vulnerabilities related to information security: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    Keep in mind that ISO 27001/ISO 27002 are standards related to information security risks, not to global “business risks”.
    Finally, this article can be interesting for you, "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Necessary documents


    What are the necessary documents that an organization needs in order to become ISO27001 certified? Lastly, when an audit is updated due to changes in technology or employee status etc., what do you name that document? Does it simply become an audit document with a version number, or does it now become the main document, or is it and all the others that follow now non-conformance documents?
     

    Answer:

    Regarding the first question, there is a list of mandatory documents that you need in order to obtain the ISO 27001 certificate. Here you can see this list, “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    Regarding your second question, if I understood your question correctly, you are asking about the internal audit documentation - once the audit process is finished, you need to produce the Internal audit report and initiate the corrective actions. The status of these corrective actions needs to be updated according to your Corrective action procedure; however, the Internal audit report does not change. Once you perform the internal audit next year, you will write a completely new Internal audit report. This article will also help you: "Practical use of corrective actions for ISO 27001 and ISO 22301": https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
  • Controls in progress


    I have a question, however, regarding the certification audit process. Let's say I have defined my ISMS, I have a defined risk management process, and have selected x risks, assessed, analyzed and treated them, including writing action plans for them. When I defined my scope and wrote my SOA, about half of the controls listed were selected for best practices purposes, and the other half based on the risk treatment plan. In the process of the audit for ISO27001, when we talk about the Status of Implementation of these controls, can I receive the certificate if I have statuses marked as "In progress" instead of "Fully implemented"?
     

    Answer:

    From my point of view, generally it is not a problem to obtain the certificate. I mean, you can have controls “in progress”, but remember that you need to include in the Risk Treatment Plan, for each control, the deadline for its implementation. Also remember that you need to develop the Risk Treatment Plan after the SoA, and that you need to implement all the controls that cover major risks before the certification. This article can be interesting for you, “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment and also this article, “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Declaring a Disaster

    From my point of view, the best place to establish these clauses is the Service Level Agreement, and I would specify clearly that the RTO is 20 hours (and I would also include the RPO).

    You can also include in the Service Level Agreement the "Response Time", which is the time from when you receive an incident until you reply to it (it is related only to the response, not to the resolution of the incident).

    And to set the customers' expectations, you have to perform the Business impact analysis to calculate the RTO - based on that RTO, all the other response times need to be calculated.
    Finally, this article about the Business impact analysis can be interesting for you, "How to implement business impact analysis (BIA) according to ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Online service


    We are currently performing a risk assessment for a client who uses Salesforce. Should we list the information contained within Salesforce as an asset with potential threats and vulnerabilities?
     

    Answer:

    I suppose that your question is related to an online service (www.salesforce.com). If so, from my point of view your approach can be ok for the standard, I mean, you can have an asset (salesforce), asset type: information, and identify threats and vulnerabilities related to it. You can also consider seeing it as an outsourced service asset (like Dropbox or Gmail).
    For more information about the assets, threats and vulnerabilities, please read this article, “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ This article can also be interesting for you, “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/