
  • ISO 27001 templates for AWS environment


     I'm just starting to look at the ISO27001 templates you provide. Do they apply if all of our IT infrastructure is based on AWS?
     

    Answer:

    Yes, sure: our templates are developed for any type of business, including a company whose IT infrastructure is based on AWS. Regarding cloud computing, this article may be interesting for you: “Cloud computing and ISO 27001 / BS 25999”: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/
    Finally, many of our clients are IT companies that use cloud infrastructure. If you want, we can organize a Skype call where we can show you what the documents look like and discuss how they can be used for the particular circumstances of your company.
  • Example of internal and external issues


    Could you please provide sample examples of internal and external issues?
     

    Answer:

    Examples of internal issues: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities, capabilities, etc.
    Examples of external issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers, partners, etc.).
    For more information about internal and external issues, please read these articles:
    “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Various questions about the ISMS


    1. How do I determine/estimate how long it will take for the project to complete, for my presentation to management?
    2. How do I estimate the cost of the ISMS?
    3. I have a scope defined (regulatory based); it is mainly in xxxx and xxx and a XX branch. I need to tell management how I will manage that with the remote resources.
    4. Also, do you offer pre-certification audit services?
    5. How do I ensure that 3rd parties abide by the control standards we expect when providing us IT services, and how can we demonstrate this to Gambling and ISO 27001 auditor authorities?
     

    Answers:

    1. I suppose that your question is related to the duration of the ISO 27001 implementation. If so, to estimate this time you need to identify the number of employees, the number of departments, etc. This free tool can help you: “Free Calculator – Duration of ISO 27001 / ISO 22301 Implementation”: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
    2. There are also some questions that you need to consider: the size of your organization, the level of criticality of the information, the technology the organization is using, etc. For more information about this, please read this article: “How much does ISO 27001 implementation cost?”: https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    3. From my point of view, here it is important that top management knows about the remote resources, but it is not relevant that they know how you will manage them. Keep in mind that, in accordance with clause 5.1 Leadership and commitment c), “Top management shall demonstrate leadership and commitment with respect to the information security management system by ensuring that the resources needed for the information security management system are available".
    4. No, I am sorry; we only offer templates and support for the implementation. But before the certification audit it is necessary to perform the internal audit (the pre-certification audit is not mandatory), so if you want to perform the internal audit this article may be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    5. To ensure that 3rd parties meet your requirements, you can perform reviews periodically (and of course it is very important to have agreements that define the services and their levels - SLAs). To demonstrate this to the auditors, you need records, for example minutes of meetings. For more information about records, please read this article: “Records management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Risk Management Methodology


    I am a consultant with a lot of experience in ISO 9001 and OHSAS 18000, but not in 27000. I am a beginner in implementing ISO 27001 in a small company; my question is which is the best risk management methodology. Is it necessary to use MAGERIT or another well-known methodology? Or can I define a mixed one combining several methodologies?

    I have seen all the documentation you sell; it is very good, but because of the cost I cannot buy it. Possibly, if I work with more companies, the purchase may become viable.

     

    Answer:

    You can use whatever methodology you want for risk management; you can even develop your own (for example, one based on MAGERIT). MAGERIT (and its tool PILAR) is one example (very widely used in Spain), but there are other methodologies (OCTAVE, CRAMM, etc.) that can also be perfectly valid. In any case, my recommendation is ISO 27005, which is a best-practice guide that you can use to develop your risk management methodology (our methodology is based on ISO 27005). This article may be interesting for you (in English): “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/, and also this webinar (also in English): “Risk Management Part 1: Risk assessment methodology and risk assessment process”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    For the implementation of the ISMS, this article (in Spanish) may also be interesting for you: "Lista de apoyo para implementación de ISO 27001": https://advisera.com/27001academy/es/blog/2010/09/28/lista-de-apoyo-para-implementacion-de-iso-27001/iso-27001/

    Regarding the price of the documentation package, keep in mind that the price also includes our support (we can review your documents), so if you have doubts during your first implementation (very common), we can help you.

    Finally, you can write to us in Spanish; we will gladly assist you in Spanish as well.
  • Audit trail


    "Do you have a definition and any examples of an "audit trial" used for ISO compliance?"
     

    Answer:

    I am sorry, but this term is not used by ISO 27001, so it is not necessary for ISO 27001 compliance. Anyway, I suppose that you mean “audit trail”, which in information security means a chronological record of system activities that enables the reconstruction and examination of the sequence of events and/or changes in an event (definition from Wikipedia), and which is more related to forensic activities.
    An audit trail is also a technique that an auditor can use in internal and certification audits, but again, it is not necessary for ISO 27001 compliance. An example: during the audit the auditor finds that a certain system does not function properly; related to this issue, he has found that the people operating that system are not trained to use it, and they are not trained because the HR department did not receive enough funding. Therefore, the audit trail has followed three different activities in the company, and all of them are very closely related.
    If you are interested in how to perform an internal audit, this article may be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    And finally, if you need more information about ISO 27001, please read this article: “What is ISO 27001?”: https://advisera.com/27001academy/what-is-iso-27001/
  • ISO 27007


    I need help from you... I am looking for standards and guidelines for security audits. I need them in Word files only.
    Can you forward them to me or give me the link? I will connect and review them.
     

    Answer:

    I think that the standard you need is ISO 27007, which is a guideline for information security management systems auditing. You can download the standard here (keep in mind that it is copyrighted, so if you want the standard you need to buy it): https://www.iso.org/standard/42506.html
    Anyway, if you want to perform information security audits, this article may be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    Finally, have you seen our ISO 27001/ISO 22301 Internal Audit Toolkit? It may also be interesting; you can see a free version by clicking on the “Free Demo” tab here: “ISO 27001/ISO 22301 Internal Audit Toolkit": https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
  • Changes in ISO 27001


    I will admit, I am fairly new to the non-technical side of IT (Infosec/compliance) and so there is/has certainly been a learning curve. Right now I am just trying to compare the 2005 and 2013 versions of 27001/27002 to see which clauses and controls have been changed (that are incorporated into our own standards) - more specifically how they have changed and how that affects my environment. I am trying to put together a findings and recommendations report and struggling. I work in a University on a very small team. Of course I've gone through your site and Googled, which has helped some, though do you know of any other resources that compare the two versions and break down the changes a little more in-depth and maybe how they affect the rest of the surrounding content? (if that makes sense?!)
     

    Answer:

    Welcome to the non-technical side of IT; your technical knowledge is very important for ISO 27001. I am sorry, but we do not have a specific resource that compares both standards in detail. One of the most important changes in ISO 27001:2013 is related to risk management: in ISO 27001:2005 you need an asset-based methodology, but in ISO 27001:2013 it is not necessary (the risk management methodology can be based on assets, on processes, or on something else), so the new version is more flexible in the key point of the standard (risk management). To learn more in detail about the changes in the risk assessment, please read this article: “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
    Another important change is related to the security controls of ISO 27002 (and Annex A of ISO 27001), so this article may also be interesting for you: “Main changes in the new ISO 27002”: https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
    Regarding your question “how they affect the rest of the surrounding content?”, I am not sure what you mean, but some changes can affect an ISO 27001:2005 implementation, because there are some things that are no longer mandatory (for example, ISO 27001:2013 does not have preventive actions, so they are not necessary and you can remove them if you have implemented ISO 27001:2005).
    Finally, this free webinar can help you understand the main changes in detail and also help you with the transition: “How to make the transition from ISO 27001 2005 to 2013 revision”: https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/ And also this article: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/ (At the end of this article, you can find a link to the free white paper “Twelve-step transition process from ISO 27001 2005 revision to 2013”, which you can find in our free downloads section: https://advisera.com/27001academy/free-downloads/).
    See also this article: "Infographic: New ISO 27001 revision - What has changed?": https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
  • ITIL and ISO 27001


    May I request you to please advise on a case where a client wants to maintain an IT Policies and Procedures Manual that follows best practices like ITIL V3 for IT Service Management, as well as an ISMS based on ISO 27001.
    Please advise whether we can combine these best practices and have one common IT Manual, as it is a small organization. Any thoughts?
     

    Answer:

    From my point of view there is no problem in maintaining an IT Policies and Procedures Manual that follows best practices like ITIL V3. You can integrate these best practices into the ISMS, but keep in mind that if you want to implement ISO 27001, you need to comply with its requirements. There are some common points (change management, capacity management, etc.), but because ISO 27001 is specifically related to information security there are also some points that you cannot find in ISO 20000 (access control, cryptography, physical and environmental security, etc.). So yes, you can maintain and use all documents and procedures related to ITIL for the implementation of ISO 27001, but you need to implement its specific requirements. Regarding the common IT Manual, a manual is really not necessary in ISO 27001:2013, but the small organization can maintain its IT Manual (although it could be interesting to include important points about ISO 27001). This article may be interesting for you: “Is the ISO 27001 Manual really necessary?”: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
    We do not have a comparison of ISO 27001 and ITIL, but ITIL is very similar to ISO 20000, so this article may be interesting for you: “How to implement ISO 27001 and ISO 20000 together”: https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
    By the way, you can also use ISO 27013, which is a guideline for the integrated implementation of ISO 27001 and ISO 20000-1; you can see it on the official ISO page: https://www.iso.org/standard/43753.html
  • Requirements of interested parties


    Clause 4.2 has a note that says: "The requirements of interested parties may include legal and regulatory requirements and contractual obligations."
    Can you explain more about this note and, if possible, give some examples? Does it mean the interested parties should have an agreement to fulfil their expectations?
     

    Answer:

    The note means that in the requirements of interested parties you need to include the identification of legal and regulatory requirements and also contractual obligations, but you do not need to have an agreement with all interested parties (employees' families can be an interested party for ISO 27001). Anyway, you can find an example in our template (you can see a free version by clicking on the “Free Demo” tab): “Procedure for Identification of Requirements”: https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
    It is also important to identify laws and regulations about information security; you will find here a complete list classified by country: “Laws and regulations on information security and business continuity”: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    Finally, this article may be interesting for you: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • ROSI


    I'm interested in ROSI; I mean malicious activity, unintentional human error, natural disaster and force majeure.
     

    Answer:

    ROSI (Return on Security Investment) is a parameter that relates the investment in information security to the economic benefits that it will bring to the business. The calculation of ROSI can be based on:
    - Costs of an incident, taking into account all the relevant costs if an incident occurs and the probability of the incident. There are several types of incidents: malicious activity (viruses, trojan horses, etc.), unintentional human error (deleting critical information by mistake, etc.), system errors/malfunctions (hardware failure, etc.), natural disaster and force majeure (earthquake, flood, etc.)
    - Costs of security measures/controls and the level to which the risk of this incident would decrease because of such mitigation
    Do you need to calculate ROSI? This free tool can be very useful for you: “Free Return on Security Investment Calculator”: https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/
    And this article may also be interesting for you: “Is it possible to calculate the Return on Security Investment (ROSI)?”: https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/
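    The two inputs listed in the answer above (expected incident loss per incident type, and control cost together with the risk reduction the control buys) are enough to carry the calculation through. The following is an added worked example; it is not part of the original answer and not Advisera's free calculator. It assumes the commonly used ROSI formula, ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost, with ALE = single loss expectancy x annualised rate of occurrence, and every incident figure, control name and mitigation percentage in it is constructed for illustration.

```python
"""Worked ROSI calculation over the incident categories named in the answer.

Added example, not Advisera's calculator. Formula assumed (widely used, e.g. in
the ENISA guidance on security investment):

    ALE  = SLE * ARO         annual loss expectancy of one incident type
    ROSI = (ALE_before - ALE_after - annual_control_cost) / annual_control_cost

All figures below are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IncidentType:
    name: str
    sle: float  # single loss expectancy: all relevant costs of one occurrence
    aro: float  # annualised rate of occurrence (expected occurrences per year)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # incident name -> fraction of that incident's ARO the control removes, in [0, 1]
    mitigation: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.annual_cost <= 0:
            raise ValueError("control cost must be positive")
        for name, m in self.mitigation.items():
            if not 0.0 <= m <= 1.0:
                raise ValueError(f"mitigation for {name!r} must be in [0, 1]")


def ale_total(incidents, control=None) -> float:
    """Sum of ALE over all incident types, optionally after applying a control."""
    total = 0.0
    for inc in incidents:
        residual = 1.0 - (control.mitigation.get(inc.name, 0.0) if control else 0.0)
        total += inc.ale * residual
    return total


def rosi(incidents, control) -> float:
    """ROSI as a ratio: 1.0 means the control returns its cost once over."""
    before = ale_total(incidents)
    after = ale_total(incidents, control)
    return (before - after - control.annual_cost) / control.annual_cost


# Constructed inputs, one per incident category listed in the answer.
INCIDENTS = [
    IncidentType("malicious activity", sle=50_000, aro=0.5),
    IncidentType("unintentional human error", sle=10_000, aro=2.0),
    IncidentType("system error/malfunction", sle=20_000, aro=0.25),
    IncidentType("natural disaster and force majeure", sle=500_000, aro=0.01),
]

# Constructed candidate controls with their assumed mitigation effect.
CONTROLS = [
    Control("endpoint protection and awareness training", annual_cost=12_000,
            mitigation={"malicious activity": 0.6, "unintentional human error": 0.5}),
    Control("off-site backup", annual_cost=30_000,
            mitigation={"natural disaster and force majeure": 0.9,
                        "system error/malfunction": 0.5}),
]


def evaluate(incidents=INCIDENTS, controls=CONTROLS) -> dict:
    """ROSI per control; a negative value means the control costs more than it saves."""
    return {c.name: rosi(incidents, c) for c in controls}


if __name__ == "__main__":
    print(f"ALE before any control: {ale_total(INCIDENTS):,.0f}")
    for name, r in sorted(evaluate().items(), key=lambda kv: kv[1], reverse=True):
        verdict = "justified" if r > 0 else "not justified by this model"
        print(f"{name:48s} ROSI = {r:+.2f}  ({verdict})")
```

    Note the second control: it removes most of the expected loss from rare, high-impact events, yet its ROSI is negative because the annualised loss it avoids is smaller than its yearly cost. That is the intended behaviour of the formula and one reason ROSI is a decision aid rather than the only criterion; the ARO estimates for rare events are usually the weakest input, so recompute with a range of values before rejecting a control.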