  • Controls in progress


    I have a question, however, regarding the certification audit process. Let's say I have defined my ISMS, I have a defined risk management process, and I have selected x risks, assessed, analyzed and treated them, including writing action plans for them. When I defined my scope and wrote my SoA, about half of the controls listed were selected for best-practice purposes, and the other half were based on the risk treatment plan. In the ISO 27001 audit process, when we talk about the status of implementation of these controls, can I receive the certificate if I have statuses marked as "In progress" instead of "Fully implemented"?

    Answer:

    From my point of view, generally it is not a problem to obtain the certificate, I mean, you can have controls "in progress", but remember that you need to include in the Risk Treatment Plan, for each control, the deadline for its implementation; also remember that you need to develop the Risk Treatment Plan after the SoA, and that you need to implement all the controls that cover major risks before the certification. This article can be interesting for you "Risk Treatment Plan and risk treatment process – What's the difference?" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment and also this article "The importance of Statement of Applicability for ISO 27001" : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Declaring a Disaster

    From my point of view, the best place to establish these clauses is the Service Level Agreement, and I would specify clearly that the RTO is 20 hours (and I would also include the RPO).

    You can also include in the Service Level Agreement the "Response Time", which is the time from when you receive an incident until you reply to it (it is related only to the response, not to the resolution of the incident).

    And to set the customers' expectations, you have to perform the Business Impact Analysis to calculate the RTO; based on that RTO, all the other response times need to be calculated.
    Finally, this article about the Business impact analysis can be interesting for you "How to implement business impact analysis (BIA) according to ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Online service


    We are currently performing a risk assessment for a client who uses Salesforce. Should we list the information contained within Salesforce as an asset with potential threats and vulnerabilities?

    Answer:

    I suppose that your question is related to an online service (www.salesforce.com); if so, from my point of view your approach can be OK for the standard, I mean, you can have an asset (Salesforce), asset type: information, and identify threats and vulnerabilities related to it. You can also consider seeing it as an outsourced service asset (like Dropbox or Gmail).
    For more information about assets, threats and vulnerabilities, please read this article "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ And this article can also be interesting for you "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • ISO 27005


    Q1: Do we provide best practices reports in accordance with ISO 27005?
    Q2: Is any kind of report defined in ISO 27005?
    Q3: I could not find any instruction in the ISO 27005 context regarding reporting?

    Answer:

    A1: I am sorry, but ISO 27005 is not related to best practices reports; it is related to best practices about information security risk management.
    A2: No, it is not defined in ISO 27005.
    A3: I am not sure what you mean, but if you are interested in monitoring and measurement in information security, please read this article "How to perform monitoring and measurement in ISO 27001" : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • Frequency of updating the Statement of Applicability

    The Statement of Applicability or SoA, just like any other documented information within the ISMS, needs to be reviewed for suitability and adequacy (Cl. 7.5.2, ISO/IEC 27001:2013).

    When controls are added, excluded or modified, a corresponding change must be effected to the SoA through proper change control mechanisms (Cl. 7.5.3.e, ISO/IEC 27001:2013).

    Otherwise, the SoA would no longer be suitable or adequate for the organization, since it will contain outdated information.

    Normally, I would have a policy that has fixed and instant review points for documented information.

    A fixed review could be an annual review by the document owner or process owner.
    An instant review would be when there are changes to the ISMS that affect documented information, e.g. changes in the technology used; changes in personnel who are nominated in disaster recovery plans or business continuity plans; changes in legal requirements, etc.
  • Risks database

    Before calculating risks, you need to identify threats and vulnerabilities. I am not sure if there is a public risk database, but you can find public catalogues of threats and vulnerabilities. For example, you can find a catalogue in ISO 27005. And you can also find a public catalogue here "Catalogue of threats & vulnerabilities" : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    By the way, each country also has a Computer Emergency Readiness Team (CERT) which, among other things, distributes information about vulnerabilities and threats. One example is the United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov
  • CISA and CISM


    Q1: The info you sent is all about training courses and the exam. Because I am quite comfortable with many areas of 27001, I am just looking for books to read so I can sit an exam to certify as lead auditor or implementer.
    Q2: Is there an exam such as the CISSP which you take after studying a body of knowledge/books written for the ISO 27001 lead auditor exam?

    Answer:

    A1: I am sorry, but we do not have books directly related to ISO 27001, although this free ebook about cybersecurity can be interesting for you "9 Steps to Cybersecurity" : https://advisera.com/books/9-steps-to-cybersecurity-managers-information-security-manual/
    A2: After the ISO 27001 lead auditor exam, if you pass it, you can be an ISO 27001 Lead Auditor, certified by an entity (for example by a certification body), but there are other certifications related to information security and ISO 27001; the best known are CISA and CISM. So after the ISO 27001 lead auditor exam, with the knowledge of ISO 27001, some other important concepts about information security, and specific information about the certifications, you can become CISA and/or CISM (although you also need to pass an exam to become CISA or CISM, and you also need to demonstrate experience in information security).
    We do not have information or books about this, but you can find information on the official page of ISACA (https://www.isaca.org/pages/default.aspx). Anyway, maybe this article can be interesting for you "CISA vs. ISO 27001 Lead Auditor certification" : https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
    And also this article “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • IT-GRC and ISO 27001


    I need a little help from you; can you just tell me the relationship or difference between IT-GRC and ISO 27001?
    IT-GRC is all about an integrated approach towards Governance, Risk management and Compliance, whereas ISO 27001 talks about all the aspects like top management and risk management, etc. So my doubt is: why are organizations getting attracted towards the IT-GRC approach? What is the main difference between them?

    Answer:

    From my point of view, the main difference is that IT-GRC is related to the governance of IT, which, however, is not established in ISO 27001 (there is another standard for IT governance: ISO 38500). On the other hand, the common point between both is that they are related to risk management and to compliance with policies, procedures, laws and regulations.
    Finally, the IT-GRC approach can be interesting for companies that want a framework related to the governance of IT, and ISO 27001 is for companies that want to implement and certify an Information Security Management System (you cannot certify IT-GRC).
    By the way, do you know what the 6 basic steps in the ISO 27001 risk assessment & treatment are? Here you can see an interesting article "ISO 27001 risk assessment & treatment – 6 basic steps" : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Business continuity and crisis management


    Answer:

    Yes, crisis management is included in the Business continuity plan template, which is part of our ISO 22301 Documentation Toolkit - https://advisera.com/27001academy/iso22301-documentation-toolkit/

    Theoretically speaking, crisis management and business recovery are separate processes, but it is better if they work together, because during the larger crisis you will probably need to recover your business operations, and to recover business operations without crisis management would be very difficult.

    If there is a small incident that affects the availability of an information system in a department, you will probably need the BCP (without CM). But if there is an earthquake and all departments of the main facility cannot work, you will need to manage a crisis, and for this, among other things, you will probably need a BCP.

    Just to mention that crisis management is not explicitly mentioned in ISO 22301, but it is de facto required through clauses 8.4.2 Incident response structure, and 8.4.3 Warning and communication.