When implementing an ISMS, you have no historical data to talk about "reduction" in incidents properly. Do you have examples of reasonable goals for an ISMS in its first cycle of operation?
For example:
"Achieving a measurement of security incident information to establish a set of values to establish a 'baseline'."
"Achieving a complete cycle of continuous improvement of the ISMS on all controls applied to
Catalogue of threats/vulnerabilities
I have a question for you regarding ISO 27002 controls and the 'business risk' associated with failure/non-implementation of the controls - is there a catalog (or resource) for the type of risk findings shown here (as an example)?
- Asset management program is informal and applied inconsistently across the enterprise.
Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), an inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
- Formal data classification schema does not exist (currently in development).
Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
- Incident response (IR) responsibilities are only communicated through training without an overarching IR plan in place.
The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
- Site-specific business continuity plans do not include required security controls identified through business impact analysis (BIA) assessments.
Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.
What are the necessary documents that an organization needs in order to become ISO 27001 certified? Lastly, when an audit is updated due to changes in technology or employee status etc., what do you name that document? Does it simply become an audit document with a version number, or does it now become the main document, or are it and all the others that follow now non-conformance documents?
Answer:
Regarding the first question, there is a list of mandatory documents that you need in order to obtain the ISO 27001 certificate. Here you can see this list: List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Regarding your second question, if I understood your question correctly, you are asking about the internal audit documentation - once the audit process is finished, you need to produce the Internal audit report and initiate the corrective actions. The status of these corrective actions needs to be updated according to your Corrective action procedure; however, the Internal audit report does not change. Once you perform the internal audit next year, you will write a completely new Internal audit report. This article will also help you: Practical use of corrective actions for ISO 27001 and ISO 22301: https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
Controls in progress
I have a question regarding, however, the certification audit process. Let's say I have defined my ISMS, I have a defined risk management process, and have selected x risks, assessed, analyzed and treated them, including writing action plans for them. When I defined my scope and wrote my SoA, about half of the controls listed were selected for best-practice purposes, and the other half based on the risk treatment plan. In the ISO 27001 audit process, when we talk about the Status of Implementation of these controls, can I receive the certificate if I have statuses marked as "In progress" instead of "Fully implemented"?
Answer:
From my point of view, generally it is not a problem to obtain the certificate, I mean, you can have controls in progress, but remember that you need to include in the Risk Treatment Plan, for each control, the deadline for its implementation, and also remember that you need to develop the Risk Treatment Plan after the SoA, and also remember that you need to implement all the controls that cover major risks before the certification. This article can be interesting for you: Risk Treatment Plan and risk treatment process - What's the difference?: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment and also this article: The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Declaring a Disaster
From my point of view, the best place to establish these clauses is the Service Level Agreement, and I would specify clearly that the RTO is 20 hours (and I would also include the RPO).
You can also include in the Service Level Agreement the "Response Time", which is the time from when you receive an incident until you reply to it (it is related only to the response, not to the resolution of the incident).
We are performing a risk assessment currently for a client who uses salesforce. Should we list the information contained within SalesForce as an asset with potential threats and vulnerabilities?
Q1: Do we provide best practices reports in accordance with ISO 27005?
Q2: Is any kind of report defined in ISO 27005?
Q3: I could not find any instruction in the ISO 27005 context regarding reporting?
Answer:
A1: I am sorry, but ISO 27005 is not related to best practices reports; it is related to best practices about information security risk management.
A2: No, it is not defined in ISO 27005.
A3: I am not sure what you mean, but if you are interested in monitoring and measurement in information security, please read this article: How to perform monitoring and measurement in ISO 27001: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Frequency of updating the Statement of Applicability
The Statement of Applicability or SoA, just like any other documented information within the ISMS, needs to be reviewed for suitability and adequacy (Cl. 7.5.2, ISO/IEC 27001:2013).
When controls are added, excluded or modified, the corresponding change must be made to the SoA through proper change control mechanisms (Cl. 7.5.3.e, ISO/IEC 27001:2013).
Otherwise, the SoA would no longer be suitable or adequate for the organization, since it would contain outdated information.
Normally, I would have a policy that has fixed and instant review points for documented information.
A fixed review could be an annual review by the document owner or process owner.
An instant review would be when there are changes to the ISMS that affect documented information, e.g. changes in technology used; changes in personnel that are nominated in disaster recovery plans or business continuity plans; changes in legal requirements, etc.
Risks database
Before calculating risks, you need to identify threats and vulnerabilities, and I am not sure if there is a public risk database, but you can find public catalogues of threats and vulnerabilities. For example, you can find a catalogue in ISO 27005. You can also find a public catalogue here: "Catalogue of threats & vulnerabilities": https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
By the way, each country also has a Computer Emergency Readiness Team (CERT) which, among other things, distributes information about vulnerabilities and threats. One example is the United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov